Please note: All times below are in Irish/British Summer Time. Daylight savings time begins on 28th March. For clarity, the current time in Ireland/UK:

Day 1 - Monday, 29th March, 2021

TimeTitle
13:00-16:00Women in Forensics Workshop

This is a co-located event with this year's DFRWS EU. Separate (and free) registration is required for this event. Further information and registration details are available here: https://www.cybercrime.fau.de/women-in-forensic-computing-2021/
16:00-16:30Break
16:30-18:45Workshop: Digital forensic research: the challenges of the next 10 years

Graeme Horsman, Teesside University and Virginia Franqueira, University of Kent

Day 2 - Tuesday, 30th March, 2021

TimeTitle
13:00Welcome Address
Dr. Mark Scanlon, Conference Chair
13:15Keynote: The encryption challenge: an eternal search for the light switch in the dark?

Dr. Nicole S. van der Meulen
14:00Break
14:10Paper Session I - Novel Device Forensics

Chair: John Sheppard
Dead Man's Switch: Forensic Autopsy of the Nintendo SwitchFrederick Barr-Smith, Danny Rigby, Sash Rigby, Tom Farrant, Benjamin Leonard-Lagarde and Frederick Sibley-Calder
A Generalized Approach to Automotive ForensicsKevin Klaus Gomez Buquerin, Christopher Corbett, and Hans-Joachim Hof
15:00Break
15:10Paper Session II - Flash Memory Forensics

Chair: Chris Hargreaves
In Search of Lost Data: A Study of Flash Sanitization PracticesJanine Schneider, Immanuel Lautner, Denise Moussa, Julian Wolf, Nicole Scheler, Felix Freiling, Jaap Haasnoot, Hans Henseler, Simon Malik, Holger Morgenstern and Martin Westman
One Key to Rule Them All: Recovering the Master Key from RAM to break Android's File-Based EncryptionTobias Groß, Marcel Busch and Tilo Müller
16:00Break
16:10Presentation Session

Chair: Jan-Niclas Hilgert
Digital traces of walking, driving and other movements on iPhonesJan Peter van Zandwijk and Abdul Boztas
Implementing a Software System for Comparing an Incident Timeline with Known Indicators of CompromiseCagatay Yürekli
Forensic Analysis of the Raspberry PI 400Mattia Epifani
Glitching the KeepKey hardware walletErwin Intveld and Peter Zuijdervliet
17:10Lightning Talks

Chair: Daryl Pfeif
17:30Tool Demo Session
18:00Birds of a Feather

Chair: Frank Adelstein
18:30Break
19:00Rodeo

Further information: https://www.cybercrime.fau.de/dfrws-eu-2021-forensic-rodeo/

Day 3 - Wednesday, 31st March, 2021

TimeTitle
13:00Welcome Address
Dr. Mark Scanlon
13:05Keynote: Emotet: The “king“ is dead – is he?

Linda Bertram – Public Prosecutor at the Prosecutor General's Office Frankfurt am Main – Center for Combatting Cybercrime (ZIT)

and

Andre Dornbusch | Team Leader Cybercrime Investigations with the Federal Criminal Police Office (BKA)

Abstract: Emotet has been challenging cybersecurity for more than half a decade, not only causing millions and millions worth of damage, but even paralyzing hospitals and other parts of the so-called critical infrastructure by opening doors for other types of malware. After two and a half years of intensive investigations the infrastructure of the Emotet malware was taken over and dismantled in a joint international operation on January 26, 2021. For the first time in the history of cybercrime investigations, this team of international experts has been able to not only “pull the plug“, but to gain control over the whole bot net – and to maintain it up to now. The dismantling of the Emotet infrastructure represents a significant blow against internationally organized cybercrime and, at the same time, a major improvement in cybersecurity. Join us for a ride through the investigations and find out how something as small as a ladybird can make a difference.

13:50Break
14:00Paper Session III - Instant Messenger Forensics

Chair: Jessica Hyde
Ghost Protocol – Snapchat as a Method of SurveillanceRichard Matthews, Kieren Lovell and Matthew Sorell
Forensic Analysis of Artifacts in the Matrix Protocol and Riot.IM applicationGuido Schipper, Rudy Seelt and Nhien-An Le-Khac
14:50Break
15:00Paper Session IV - Digital Forensics Concepts

Chair: Bruce Nikkel
Bringing Forensic Readiness to Modern Computer FirmwareTobias Latzo, Florian Hantke, Lukas Kotschi and Felix Freiling
Bringing Order to Approximate Matching: Classification and Attacks on Similarity Digest AlgorithmsMiguel Martín-Pérez, Ricardo J. Rodríguez and Frank Breitinger
15:50Break
16:00Paper Session V - AI for Digital Forensics

Chair: Frank Breitinger
A Comparative Study of Support Vector Machine and Neural Networks for File Type Identification using n-gram analysisJoachim Sester, Darren Hayes, Mark Scanlon and Nhien-An Le-Khac
Vec2UAge: Enhancing Underage Age Estimation Performance through Facial EmbeddingsFelix Anda, Edward Dixon, Elias Bou-Harb, Nhien-An Le-Khac and Mark Scanlon
16:50Break
17:00Extended Abstracts Presentations

Chair: Thomas Souvignet
Developing an IoT Forensic Methodology. A Practical Concept ProposalJuan Manuel Castelo Gómez, Javier Carrillo Mondéjar, José Roldán Gómez and José Luis Martínez Martínez
Selective Imaging of File System Data on Live SystemsFabian Faust, Aurélien Thierry, Tilo Müller and Felix Freiling
Phishing Detection on Tor Hidden ServicesMartin Steinebach
17:45Lightning Talks

Chair: Daryl Pfeif
18:00Birds of a Feather

Chair: Frank Adelstein
18:45Break
19:15Best Paper Awards

Pub Quiz

Quizmaster: Chris Hargreaves

Day 4 - Thursday, 1st April, 2021

TimeTitle
13:00-13:50Keynote: An Investigation of the Microsoft Exchange Vulnerability Used by Hafnium

Steven Adair, President, Volexity

Abstract: While many organizations—and the information security community as a whole—were still reeling from the impact of the the SolarWinds Orion breach, another catastrophic event was already underway. In early January 2021, a Chinese APT actor was taking aim at organizations running Microsoft Exchange with a critical zero-day exploit that allowed them to download e-mails at will. As bad that sounds, it was actually just the beginning. The initial flaw would soon be combined with other zero-day exploits to allow full remote code execution on Exchange servers around world. This talk will review Volexity’s initial discovery of the main vulnerability that allowed these events to happen, and the actions of the threat actor known as Hafnium. It will cover the initial stealthy activities of the group; the later targeted exploitation and lateral movement; and the resulting widespread exploitation that compromised tens of thousands of servers around the world.
13:50-14:00Break
14:00-16:15Workshop: Digging Deeper with Velociraptor

Mike Cohen, Velocidex Enterprises
16:15-16:30Break
16:30-18:45Workshop: CASE Adoption - Lessons, Solutions, and Roadmap Updates

Eoghan Casey, University of Lausanne

Please join us on Discord!