DFIR Review

DFIR Review responds to the need for a focal point for up-to-date community-reviewed applied research and testing in digital forensics and incident response. DFIR Review concentrates on targeted studies of specific devices, digital traces, analysis methods, and criminal activities to help digital forensic practitioners deal with real-world issues.


Rapid review and dissemination of up-to-date results of applied research and testing is necessary to keep pace with changes in technology and cybercrime. The Internet-of-Things (IoT) and smartphone applications are prime examples of the unprecedented proliferation of new devices and digital traces. New versions of operating systems can also have data structures that contain valuable information from a forensic perspective. When a new type of digital trace is found to be relevant to a legal matter, it may be the first time it has been studied from a forensic perspective. New approaches to analysing digital traces can help develop insights in an investigation. Often this type of material is shared via blogs by active practitioners who are the first to tackle new devices, uncover new digital traces, and encounter new forms of criminal activity. Currently, these posts do not undergo community review or vetting, and are not presented or published in a formalized forum for long term reference. The faster this knowledge can be produced, reviewed, and shared among the DFIR community, the better able we will be to deal with new devices, digital traces, and criminal activities. DFIR Review aims to take the up-to-date rapid content created by practitioners and distributed regularly via blogs and provide review such that the findings can be cited and stored in a referenceable format so that it may be used by others including for reference in legal and other matters while crediting the originating source such as a practitioner blog.


Submissions to DFIR Review will be reviewed rapidly by a panel of qualified members of the community to include practitioners, researchers, graduate students and others working in the digital forensics field. Submissions will either be accepted or rejected on the basis of reviewer responses. For accepted submissions, reviewers will provide a detailed response including comments, further research concepts that may not have been explored, as well as validation and/or verification of initial research. The intent is that this response material will be presented along with the submission on DFIR Review.


Accepted submissions will be made available on the DFRWS website open access under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Accepted submissions will be organized along with reviewer response materials. Although authors can revise accepted materials on the basis of reviewer feedback, this is not a requirement for publication, taking into account that practitioners may not have time to rework a submission or perform additional research. Authors can post their work on their personal website or blog with a reference to the publication in DFIR Review. In this way, DFIR Review is the system of record for the work, and authors can disseminate their work with a reference to the publication in DFIR Review.


DFIR Review welcomes submissions that provide up-to-date knowledge in digital forensics and incident response, as well as test results that validate or update prior studies. The DFIR Review community will actively encourage authors to submit their work, and will assist authors throughout the submission process as needed. Topics of interest include:

  • Forensic treatment of new devices, including Internet-of-Things.
  • Forensic analysis of new smartphone apps or updated versions (inclusion of open
    source tools encouraged)
  • Forensic analysis of new data structures on operating systems
  • New methods of analyzing digital traces to find patterns, links and other insights.
  • Insights into new ways that criminals are using technology, emphasizing technical elements and potential solutions
  • Validation and testing of new forensic tool features (inclusion of test data preferred),

Submit via EasyChair: https://easychair.org/conferences/?conf=dfirr2020

Submission implies that the work will not have been published elsewhere (except in as an abstract, academic thesis, preprint or personal blog), and publication in a virtual proceeding is approved by all authors and tacitly or explicitly by the responsible authorities where the work was carried out. Authors of high impact work will be encouraged to further develop their work and submit it to DFRWS conferences and other DFIR community events and publications. Inquiries can be directed to DFIR@dfrwsbackup.0452fd5.netsolhost.com

Organizers and Reviewers

ChairJessica Hyde (George Mason University & Magnet Forensics)
Vice ChairEoghan Casey (University of Lausanne & Digital Forensics Solutions)
Program ChairJoshua James (Hallym University)
Program Vice ChairGraeme Horsman (Teesside University)
Industry Practitioner LiaisonsBrett Shavers (DFIR Training) / Tony Knutson (SANS Institute, Medtronic)
Government Practitioner LiaisonMitch Kajzer (University of Notre Dame)
Communications ChairScar de Courcier (Forensic Focus)
Academia Practitioner LiaisonAli Hadi (Champlain College)


  • Harlan Carvey (Crowdstrike)
  • Vico Marziale (BlackBag Technologies)
  • Phill Moore (This Week in 4n6)
  • Daryl Pfeif (Digital Forensics Solutions & DFRWS)
  • Bradley Schatz (Schatz Forensic)
  • Joe Sylve (BlackBag Technologies)
  • Andrew White (SecureWorks)

Graduate Students

Timothy BolléUniversity of LausanneEoghan Casey
Elénore RyserUniversity of LausanneDavid-Olivier Jaquet-Chiffelle
Francesco ServidaUniversity of LausanneThomas Souvignet
Hannes SpichigerUniversity of LausanneEoghan Casey

Copyright and Rights

Authors will retain copyright of their work in DFIR Review. Authors will grant DFRWS the non-exclusive right to include the material in any form throughout the world, in all languages, for all time, effective when and if the work is accepted for publication.