Please note: The program is subject to last minute changes. The times are subject to change.
All times below are in German Winter Time.
Monday, March 20, 2023
Co-located event: Women in Forensic Computing. Please see https://www.cybercrime.fau.de/winfc2023 for more information and to register. Please note this is not part of the DFRWS registration and separate registration is necessary.
Tuesday, March 21, 2023
Time | Title | | |
---|---|---|---|
08:00 | Registration | | |
08:45 | Introduction + On-site logistics | | |
09:00 | Workshop Session I - Part I | | |
 | Room 1: Providing digital forensics as a service with code notebooks (Hans Henseler, Job Becht and Harm Van Beek) | Room 2: Medical Device Forensic Primer (Veronica Schmitt and Emlyn Butterfield) | Room 3: Hands-on with Dissect: the open-source framework for large-scale host investigations (Erik Schamper and Stefan de Reuver) |
11:00 | Break | | |
11:10 | Workshop Session I - Part II | | |
 | Room 1: Providing digital forensics as a service with code notebooks, continued (Hans Henseler, Job Becht and Harm Van Beek) | Room 2: Medical Device Forensic Primer, continued (Veronica Schmitt and Emlyn Butterfield) | Room 3: Hands-on with Dissect: the open-source framework for large-scale host investigations, continued (Erik Schamper and Stefan de Reuver) |
13:00 | Lunch Break | | |
14:00 | Workshop Session II - Part I | | |
 | Room 1: Forensic Analysis of eBPF based Linux Rootkits (Valentin Obst and Martin Clauß) | Room 2: Malware analysis with Ghidra (Paul Rascagneres) | Room 3: AI in Forensic Science (Zeno Geradts, Adi Stoykova, Harm van Beek and Jan William Johnsen) |
16:00 | Break | | |
16:10 | Workshop Session II - Part II | | |
 | Room 1: Forensic Analysis of eBPF based Linux Rootkits, continued (Valentin Obst and Martin Clauß) | Room 2: Malware analysis with Ghidra, continued (Paul Rascagneres) | Room 3: Investigating a Case of IP Theft in a Cyber Physical Environment (John Sheppard, Simon Malik, Jimmy McGibney, Pavel Laskov, Ondrej Rysavy, Hranický Radek, Rodion Vladimirov, Jan Polišenský) |
18:00 | Welcome Reception. Location: Havanna, Clemens-August-Straße 1, 53115 Bonn-Poppelsdorf (approximately five minutes to walk) | | |
Wednesday, March 22, 2023
Time | Title | |
---|---|---|
8:00 | Registration | |
9:00 | Welcome Address | |
9:15 | Keynote: Challenges during the forensic analysis of an underground data center. Christoph Einzinger, Officer of the German Federal Police. Abstract: The criminal case “Cyberbunker” has had some media attention and was a one of a kind case for the justice system in Germany. This Keynote will give a look behind the curtain of the different phases of the criminal case. Starting with the covert phase and the police or judicial measures, covering the planning phase of the raid itself and will show the needed expertise to seize all the IT-Infrastructure and analyze about two Petabytes of data. Christoph will give you an internal look into the police work needed to uncover the crimes committed in this underground data center. | |
10:15 | Break with Posters and Networking | |
10:30 | Paper Session I: Encryption, Cracking and Hashing Session Chair: Jens-Petter Sandvik (Norwegian University of Technology and Science) | |
Forensic Method for decrypting TPM-protected BitLocker volumes using Intel DCI | Matheus Bichara de Assumpcão, Marcos Roberto Marcondes, Pedro Monteiro da Silva Eleuterio, Marcelo Abdalla dos Reis and Victor Hugo Vieira | |
Harder, Better, Faster, Stronger: Optimising the Performance of Context-Based Password Cracking Dictionaries | Aikaterini Kanta, Iwen Coisel and Mark Scanlon | |
Hamming Distributions of Popular Perceptual Hashing Techniques | Sean Mckeown and William J. Buchanan | |
12:00 | Lunch Break | |
13:00 | Paper Session II: Verification and Validation Session Chair: Christian Riess (Friedrich-Alexander-Universität Erlangen-Nürnberg) | |
Contamination of Digital Evidence: Understanding an Underexposed Risk | Jan Gruber, Christopher Hargreaves and Felix Freiling | |
Discovering spoliation of evidence through identifying traces on deleted files in macOS | Jihun Joun, Sangjin Lee and Jungheum Park | |
Formal Verification of Necessary and Sufficient Evidence in Forensic Event Reconstruction | Jan Gruber, Merlin Humml, Lutz Schröder and Felix Freiling | |
14:30 | Break with Posters and Networking | |
14:50 | Paper Session III: Mobile Forensics Session Chair: Mark Scanlon (University College Dublin) | |
A Likelihood Ratio Approach for the Evaluation of Single Point Device Locations | Hannes Spichiger | |
Interpreting the location data extracted from the Apple Health database | Luke Jennings, Matthew Sorell and Hugo G. Espinosa | |
15:50 | Presentation Session: Mobile Forensics Session Chair: Mark Scanlon (University College Dublin) | |
Systematic Evaluation of Forensic Data Acquisition using Smartphone Local Backup | Julian Geus, Jenny Ottmann and Felix Freiling | |
Have you been upstairs? On the accuracy of registrations of ascended and descended floors in iPhones | Jan Peter van Zandwijk and Abdul Boztas | |
17:00 | Boarding the Boat and Poster Session Location: Rheinprinzessin Anlegestelle Nr. 17, 53111 Bonn | |
18:00 | Ship Tour and Lightning Talks I Location: Rheinprinzessin | |
19:30 | Banquet and Best Paper Awards Location: Rheinprinzessin | |
21:00 | Forensic Rodeo Please register and download the material at dfrws-eu-2023.ctfd.io Location: Rheinprinzessin |
Thursday, March 23, 2023
Time | Title | |
---|---|---|
8:00 | Registration | |
09:00 | Keynote: 10 years of CTI. Paul Rascagneres, Principal Threat Researcher at Volexity. Abstract: During this keynote, Paul will present feedback from more than ten years of working in the fields of malware analysis, incident response, and threat intelligence. The cyberwar word has been used more and more often over the years. Paul will describe his vision of the current cyber landscape. Why we are not in the cyberwar era – yet – but we are moving closer campaign after campaign… The presentation will include several examples of cyber espionage campaigns and cybersabotage campaigns. Paul will present cases he was involved in and the lessons learned from them. We will see how virtual sabotage and espionage can impact real life. The last part of the keynote will be about the future and in which direction the threat actors are moving. What did they learn during these years of offensive campaigns? | |
10:00 | Digital Investigation Journal Talk | |
10:10 | Break with Posters and networking | |
10:30 | Paper Session IV: Malware analysis Session Chair: Maike Raphael (Leibniz University Hannover) | |
Adversarial superiority in android malware detection: Lessons from reinforcement learning based evasion attacks and defenses | Hemant Rathore, Adarsh Nandanwar, Sanjay K. Sahay and Mohit Sewak | |
On the Prevalence of Software Supply Chain Attacks: Empirical Study and Investigative Framework | Anthony Andreoli, Anis Lounis, Mourad Debbabi and Aiman Hanna | |
Module extraction and DLL hijacking detection via single or multiple memory dumps | Pedro Fernández-Álvarez and Ricardo J. Rodríguez | |
12:00 | Lunch Break | |
13:00 | Paper Session V: Novel Device Forensics Session Chair: Edita Bajramovic (Siemens Energy) | |
FRoMEPP: Digital Forensic Readiness Framework for Material Extrusion based 3D Printing Process | Muhammad Haris Rais, Muhammad Ahsan and Irfan Ahmed | |
Evidence in the fog - Triage in fog computing systems | Jens-Petter Sandvik, Katrin Franke, Habtamu Abie and Andre Årnes | |
Analysis of real-time operating systems’ file systems: Built-in cameras from vehicles | Junghwan Lee, Bumsu Hyeon, Oc-Yeub Jeon and Nam In Park | |
14:30 | Networking and Posters | |
14:50 | Paper Session VI: Memory Forensics Session Chair: Ruud Schramp (Netherlands Forensic Institute) | |
Towards generic memory forensic framework for programmable logic controllers | Rima Asmar Awad, Muhammad Haris Rais, Michael Rogers, Irfan Ahmed and Vincent Paquit | |
Database memory forensics: A machine learning approach to reverse-engineer query activity | Mahfuzul I. Nissan, James Wagner and Sharmin Aktar | |
Presentation: An Experimental Assessment of Inconsistencies in Memory Forensics | Jenny Ottmann | |
16:10 | Break | |
16:20 | Presentation Session Session Chair: Frank Adelstein (NFA Digital) | |
A discussion of sources and quality/reliability of events for timelines | Céline Vanini, Frank Breitinger and Christopher Hargreaves | |
Activities, interactions, and obstacles in the digital forensic service of a swiss police. | Elénore Ryser | |
17:00 | Lightning Talks II | |
17:20 | Closing Comments | |
18:00 | Networking Event at Tresor Location: Wolfstrasse 11, 53111 Bonn |
Friday, March 24, 2023
DFRWS Field Expedition
Time | Title |
---|---|
8:45 | Boarding Busses at Hofgarten / Adenauerallee |
9:00 | Busses leave |
10:30 | From cold war to cyber warfare A guided tour at the Regierungsbunker explaining physical security measures and precautions during the cold war in Germany |
12:30 | Walk from the Regierungsbunker to Weingut Kloster Marienthal (approximately 2,5 kilometers). Alternatively, there is the opportunity to go there by bus |
13:15 | Lunch Location: Weingut Kloster Marienthal |
14:00 | DFRWS EU 2024 Discussion Round and DFRWS EU 2023 Closing |
17:00 | Busses leave back to Bonn |
17:50 | Drop people at Bonn Central Station |
18:00 | Return at Hofgarten / Adenauerallee |
Posters:
- friTap – DECRYPTING TLS TRAFFIC ON THE FLY
  Daniel Baier, Francois Egner, Max J. Ufer
- How can network traffic lie?
  Milan Cermak and Petr Velan
- A Bibliometric Analysis and Review of a Blockchain-based Chain of Custody for Digital Evidence Management
  Belinda I Onyeashie, Petra Leimich, Sean McKeown & Gordon Russell
- Flashback: Extending a Study of Flash Sanitization Practices
  Janine Schneider
- Open SESAME – Fighting Botnets with Seed Reconstructions of Domain Generation Algorithms
  N. Weissgerber, E. Padilla, T. Jenke, S. Zemanek, L. Bruckschen