Please note: All times below are in Irish/British Summer Time. Daylight savings time begins on 28th March.
Day 1 - Monday, 29th March, 2021
Time | Title |
---|---|
13:00-16:00 | Women in Forensics Workshop This is a co-located event with this year's DFRWS EU. Separate (and free) registration is required for this event. Further information and registration details are available here: https://www.cybercrime.fau.de/women-in-forensic-computing-2021/ |
16:00-16:30 | Break |
16:30-18:45 | Workshop: Digital forensic research: the challenges of the next 10 years Graeme Horsman, Teesside University and Virginia Franqueira, University of Kent |
Day 2 - Tuesday, 30th March, 2021
Time | Title | |
---|---|---|
13:00 | Welcome Address Dr. Mark Scanlon, Conference Chair | |
13:15 | Keynote: The encryption challenge: an eternal search for the light switch in the dark? Dr. Nicole S. van der Meulen | |
14:00 | Break | |
14:10 | Paper Session I - Novel Device Forensics Chair: John Sheppard | |
| | Dead Man's Switch: Forensic Autopsy of the Nintendo Switch | Frederick Barr-Smith, Danny Rigby, Sash Rigby, Tom Farrant, Benjamin Leonard-Lagarde and Frederick Sibley-Calder |
| | A Generalized Approach to Automotive Forensics | Kevin Klaus Gomez Buquerin, Christopher Corbett, and Hans-Joachim Hof |
15:00 | Break | |
15:10 | Paper Session II - Flash Memory Forensics Chair: Chris Hargreaves | |
| | In Search of Lost Data: A Study of Flash Sanitization Practices | Janine Schneider, Immanuel Lautner, Denise Moussa, Julian Wolf, Nicole Scheler, Felix Freiling, Jaap Haasnoot, Hans Henseler, Simon Malik, Holger Morgenstern and Martin Westman |
| | One Key to Rule Them All: Recovering the Master Key from RAM to break Android's File-Based Encryption | Tobias Groß, Marcel Busch and Tilo Müller |
16:00 | Break | |
16:10 | Presentation Session Chair: Jan-Niclas Hilgert | |
| | Digital traces of walking, driving and other movements on iPhones | Jan Peter van Zandwijk and Abdul Boztas |
| | Implementing a Software System for Comparing an Incident Timeline with Known Indicators of Compromise | Cagatay Yürekli |
| | Forensic Analysis of the Raspberry PI 400 | Mattia Epifani |
| | Glitching the KeepKey hardware wallet | Erwin Intveld and Peter Zuijdervliet |
17:10 | Lightning Talks Chair: Daryl Pfeif | |
17:30 | Tool Demo Session | |
18:00 | Birds of a Feather Chair: Frank Adelstein | |
18:30 | Break | |
19:00 | Rodeo Further information: https://www.cybercrime.fau.de/dfrws-eu-2021-forensic-rodeo/ |
Day 3 - Wednesday, 31st March, 2021
Time | Title | |
---|---|---|
13:00 | Welcome Address Dr. Mark Scanlon | |
13:05 | Keynote: Emotet: The “king” is dead – is he? Linda Bertram – Public Prosecutor at the Prosecutor General's Office Frankfurt am Main – Center for Combatting Cybercrime (ZIT) and Andre Dornbusch – Team Leader Cybercrime Investigations with the Federal Criminal Police Office (BKA) Abstract: Emotet has been challenging cybersecurity for more than half a decade, not only causing millions and millions worth of damage, but even paralyzing hospitals and other parts of the so-called critical infrastructure by opening doors for other types of malware. After two and a half years of intensive investigations the infrastructure of the Emotet malware was taken over and dismantled in a joint international operation on January 26, 2021. For the first time in the history of cybercrime investigations, this team of international experts has been able to not only “pull the plug”, but to gain control over the whole botnet – and to maintain it up to now. The dismantling of the Emotet infrastructure represents a significant blow against internationally organized cybercrime and, at the same time, a major improvement in cybersecurity. Join us for a ride through the investigations and find out how something as small as a ladybird can make a difference. | |
13:50 | Break | |
14:00 | Paper Session III - Instant Messenger Forensics Chair: Jessica Hyde | |
| | Ghost Protocol – Snapchat as a Method of Surveillance | Richard Matthews, Kieren Lovell and Matthew Sorell |
| | Forensic Analysis of Artifacts in the Matrix Protocol and Riot.IM application | Guido Schipper, Rudy Seelt and Nhien-An Le-Khac |
14:50 | Break | |
15:00 | Paper Session IV - Digital Forensics Concepts Chair: Bruce Nikkel | |
| | Bringing Forensic Readiness to Modern Computer Firmware | Tobias Latzo, Florian Hantke, Lukas Kotschi and Felix Freiling |
| | Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest Algorithms | Miguel Martín-Pérez, Ricardo J. Rodríguez and Frank Breitinger |
15:50 | Break | |
16:00 | Paper Session V - AI for Digital Forensics Chair: Frank Breitinger | |
| | A Comparative Study of Support Vector Machine and Neural Networks for File Type Identification using n-gram analysis | Joachim Sester, Darren Hayes, Mark Scanlon and Nhien-An Le-Khac |
| | Vec2UAge: Enhancing Underage Age Estimation Performance through Facial Embeddings | Felix Anda, Edward Dixon, Elias Bou-Harb, Nhien-An Le-Khac and Mark Scanlon |
16:50 | Break | |
17:00 | Extended Abstracts Presentations Chair: Thomas Souvignet | |
| | Developing an IoT Forensic Methodology. A Practical Concept Proposal | Juan Manuel Castelo Gómez, Javier Carrillo Mondéjar, José Roldán Gómez and José Luis Martínez Martínez |
| | Selective Imaging of File System Data on Live Systems | Fabian Faust, Aurélien Thierry, Tilo Müller and Felix Freiling |
| | Phishing Detection on Tor Hidden Services | Martin Steinebach |
17:45 | Lightning Talks Chair: Daryl Pfeif | |
18:00 | Birds of a Feather Chair: Frank Adelstein | |
18:45 | Break | |
19:15 | Best Paper Awards Pub Quiz Quizmaster: Chris Hargreaves |
Day 4 - Thursday, 1st April, 2021
Time | Title |
---|---|
13:00-13:50 | Keynote: An Investigation of the Microsoft Exchange Vulnerability Used by Hafnium Steven Adair, President, Volexity Abstract: While many organizations—and the information security community as a whole—were still reeling from the impact of the SolarWinds Orion breach, another catastrophic event was already underway. In early January 2021, a Chinese APT actor was taking aim at organizations running Microsoft Exchange with a critical zero-day exploit that allowed them to download e-mails at will. As bad as that sounds, it was actually just the beginning. The initial flaw would soon be combined with other zero-day exploits to allow full remote code execution on Exchange servers around the world. This talk will review Volexity’s initial discovery of the main vulnerability that allowed these events to happen, and the actions of the threat actor known as Hafnium. It will cover the initial stealthy activities of the group; the later targeted exploitation and lateral movement; and the resulting widespread exploitation that compromised tens of thousands of servers around the world. |
13:50-14:00 | Break |
14:00-16:15 | Workshop: Digging Deeper with Velociraptor Mike Cohen, Velocidex Enterprises |
16:15-16:30 | Break |
16:30-18:45 | Workshop: CASE Adoption - Lessons, Solutions, and Roadmap Updates Eoghan Casey, University of Lausanne |
Please join us on Discord!