Please note: The program is subject to last minute changes. The times are subject to change.
All times below are in Central European Time. For clarity, the current time in Zaragoza:
Monday, March 18, 2024
Co-located event: Women in Forensic Computing. Please see https://www.cybercrime.fau.de/winfc2024 for more information and to register. Please note this is not part of the DFRWS registration and separate registration is necessary.
Tuesday, March 19, 2024
| Time | Title | ||
|---|---|---|---|
| 08:00 | Registration | ||
| 08:45 | Workshop Session I (Part I) | ||
| Room 1: Ada Byron Bldg, Ground Floor (Aula A.02) | Room 2: Ada Byron Bldg, Ground Floor (Aula A.04) | Room 3: Ada Byron Bldg, Ground Floor (Aula A.05) | |
| Python toolbox for mobile forensics Johan Wallengren (Halmstad University) | 2024 CASEWorks! Eoghan Casey, Gaëtan Michelet (University of Lausanne, Switzerland) | Live SOCMINT with social media apps on Android Rens de Wolf (Volto Labs, NL) | |
| 10:45 | Break | ||
| 11:00 | Workshop Session I (Part II) | ||
| Room 1: Ada Byron Bldg, Ground Floor (Aula A.02) | Room 2: Ada Byron Bldg, Ground Floor (Aula A.04) | Room 3: Ada Byron Bldg, Ground Floor (Aula A.05) | |
| Aardwolf project: App Analyses and Reference Database Solution Abdul Boztas, Christos Hadjigeorghiou, Angelina Claij, Bouke Timbermont (NFI, NL) | Large Language Models for Digital Forensics Hans Henseler, Gaëtan Michelet (University of Applied Sciences Leiden & NFI; University of Lausanne, Switzerland) | Forensic deepfake analysis: make your own and detect if it is real? Zeno Geradts, Merel de Leeuw den Bouter (University of Amsterdam, NL) | |
| 13:00 | Lunch (on-site) | ||
| 14:00 | Workshop Session II (Part I) | ||
| Room 1: Betancourt Bldg, 1st Floor (Aula B1.03) | Room 2: Betancourt Bldg, 2nd Floor (Aula B2.01) | Room 3: Ada Byron Bldg, Ground Floor (Aula A.07) | |
| Third-Party App Analysis Methodologies in Mobile Forensic Investigations Dominique Calder, Frank Adelstein (Hexordia, USA) | Footsteps in the dark: Feeling our way to IoT device takeover via NVRAM forensics Anthony Andreoli, Anis Lounis (Concordia University, Canada) | Incident response with DFIR-ORC Blanche Lagny, Sébastien Chapiron (ANSSI, France) | |
| 16:00 | Break | ||
| 16:15 | Workshop Session II (Part II) | ||
| Room 1: Betancourt Bldg, 1st Floor (Aula B1.03) | Room 2: Betancourt Bldg, 2nd Floor (Aula B2.01) | Room 3: Ada Byron Bldg, Ground Floor (Aula A.07) | |
| Third-Party App Analysis Methodologies in Mobile Forensic Investigations Dominique Calder, Frank Adelstein (Hexordia, USA) | Footsteps in the dark: Feeling our way to IoT device takeover via NVRAM forensics Anthony Andreoli, Anis Lounis (Concordia University, Canada) | Incident response with DFIR-ORC Blanche Lagny, Sébastien Chapiron (ANSSI, France) | |
| 18:00 | End of Workshops | ||
| 19:00 | Welcome Reception Location: Paraninfo Building (Sala Trece Heroínas), University of Zaragoza Pl. de Basilio Paraíso 4, 50004, Zaragoza | ||
Wednesday, March 20, 2024
| Time | Title | |
|---|---|---|
| 8:00 | Registration | |
| 9:00 | Welcome Address | |
| 9:10 | Keynote: Unlocking Screens to Unveil Scenes: Overcoming Obstacles in a Police Investigation Marcos González | Digital Forensics Unit | Guardia Civil Abstract: In the dynamic world of digital forensics, we constantly face new challenges that demand innovative and collaborative solutions. This presentation immerses the audience in a police case, providing a practical and entertaining insight into the challenges and successes experienced in the Guardia Civil's Digital Forensics Unit. We will explore different real-life challenges that a police forensics unit faces on a day-to-day basis, and the strategies used to solve these problems. This presentation not only highlights the relevance of digital forensics in modern police investigations but also offers an inside look at the technical challenges and interdisciplinary collaboration that define this exciting and crucial discipline. | |
| 10:10 | Paper Session I: Digital Forensics Process, Trends, and Future Directions (Part 1) Session Chair: Ricardo J. Rodríguez | |
| DFRWS EU 10-Year Review and Future Directions in Digital Forensic Research | Frank Breitinger (University of Lausanne), Jan-Niclas Hilgert (Fraunhofer FKIE), Chris Hargreaves (University of Oxford), John Sheppard (South East Technological University), Rebekah Overdorf (University of Lausanne) and Mark Scanlon (University College Dublin) | |
| 10:35 | Coffee Break with Networking | |
| 11:05 | Paper Session I: Digital Forensics Process, Trends, and Future Directions (Part 2) Session Chair: John Sheppard | |
| An Abstract Model for Digital Forensic Tools - A Foundation for Systematic Error Mitigation Analysis | Christopher Hargreaves (University of Oxford), Alex Nelson (US National Institute of Standards and Technology) and Eoghan Casey (University of Lausanne) | |
| ChatGPT, Llama, can you write my report? An experiment on assisted digital forensic reports written using (Local) Large Language Models | Gaëtan Michelet and Frank Breitinger (both University of Lausanne) | |
| Presentation The high volatility of Digital Forensic Science - Impacts on Teaching and Research | Hannes Spichiger (Hochschule Luzern HSLU) | |
| 12:15 | Lunch (on-site) | |
| 13:15 | Paper Session II: Mobile Device Forensics Session Chair: Jan Peter van Zandwijk | |
| Exploiting RPMB authentication in a closed source TEE implementation | Aya Fukami (Netherlands Forensic Institute and University of Amsterdam), Richard Buurke (Netherlands Forensic Institute) and Zeno Geradts (Netherlands Forensic Institute and University of Amsterdam) | |
| Well Played, Suspect! – Forensic Examination of the Handheld Gaming Console “Steam Deck” | Maximilian Eichhorn, Janine Schneider and Gaston Pugliese (all Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany) | |
| Ensuring Cross-Device Portability of Electromagnetic Side-Channel Analysis for Digital Forensics | Lojenaa Navanesan (University of Vavuniya and University of Colombo School of Computing - UCSC), Nhien-An Le-Khac (University College Dublin), Mark Scanlon (University College Dublin), Kasun De Zoysa and Asanka Sayakkara (both UCSC) | |
| 14:35 | Short Presentations of Poster authors Session Chair: Jens-Petter Sandvik & Pavel Gladyshev | |
| 15:00 | Break with Poster Session | |
| 15:50 | Paper Session III: Image Forensics Session Chair: Jan-Niclas Hilgert | |
| Problem solved: a reliable, deterministic method for JPEG fragmentation point detection | Vincent van der Meer (Zuyd University of Applied Sciences), Jeroen van den Bos (Infix Technologies), Hugo Jonker (Open University of the Netherlands) and Laurent Dassen (Zuyd University of Applied Sciences) | |
| PHASER: Perceptual Hashing Algorithms Evaluation and Results - a Forensic Framework | Sean McKeown, Peter Aaby and Andreas Steyven (all Edinburgh Napier University) | |
| 16:40 | Lightning Talks I | |
| 16:50 | Closing Words | |
| 17:00 | Time on your own | |
| 19:30 | Banquet with DFRWS Awards Ceremony & Digital Forensics Rodeo Location: NH Collection Gran Hotel de Zaragoza C. Joaquín Costa, 5, Casco Antiguo, 50001 Zaragoza | |
Thursday, March 21, 2024
| Time | Title | |
|---|---|---|
| 8:00 | Registration | |
| 09:00 | Keynote: Beyond the Hype: Research on how Cybercriminals are Really Using GenAI David Sancho | Senior Threat Researcher at Trend Micro Abstract: Cybercriminals were abusing AI well before the recent hype around generative AI took the IT industry by storm. This session delves into the criminal underground forums in order to determine how AI is actually being used, how they are adopting this technology to further their goals and what kind of AI-powered criminal services there are on offer. First, David will provide an overview of the underground conversations on AI and how the interest in generative AI there has followed the general market trends. David will highlight examples of forums dedicated to AI, such as Hack Forums’ "Dark AI" section. We will also cover LLM offerings by criminals for criminals with features and prices. As part of previous, David has seen FraudGPT, DarkBARD, DarkBERT, DarkGPT sharing many features that make him believe that these most likely work as wrapper services to the legitimate ChatGPT or Google BARD. David will also look at other possibly fake criminal LLM offerings: WolfGPT, XXXGPT, and Evil-GPT. He will share descriptions and speculation as to whether they are legitimate tools or also just wrappers of ChatGPT AI or OpenAI. Finally, David will discuss deepfake services for criminals. While there has been a lot of hype around these services, he notes that the creation process is labor-intensive and expensive, and it is still very difficult to create convincing deepfake videos. Audio deepfakes, however, are a lot easier to create – and David will demonstrate why and how these will become mainstream in the criminal market much sooner than video deepfakes. | |
| 10:00 | Coffe Break with Networking | |
| 10:30 | Paper Session IV: Filesystem Forensics Session Chair: Sean McKeown | |
| Forensic Implications of Stacked File Systems | Jan-Niclas Hilgert, Martin Lambertz and Daniel Baier (all Fraunhofer FKIE) | |
| Ubi est indicium? On Forensic Analysis of the UBI File System | Matthias Deutschmann and Harald Baier (both University of the Bundeswehr Munich) | |
| Presentation Decode: Anomaly Detection for PE Files on Microsoft Windows Systems | Lucie Helcmanocki, Corentin Larroche, Roger Guignard and Rémi Chauchat (all ANSSI) | |
| 11:40 | Coffee Break | |
| 11:55 | Presentation Session Session Chair: Radek Hranický | |
| The Provenance of Apple Health Data: A Timeline of Update | Luke Jennings (The University of Adelaide), Matthew Sorell (The University of Adelaide) and Hugo G. Espinosa (Griffith University) | |
| Beyond Timestamps: Integrating Implicit Timing Information into Digital Forensic Timelines | Lisa Marie Dreier (Friedrich-Alexander-Universität Erlangen-Nürnberg) | |
| Using Offline LLMs for Evidence Triage | Kilian Hoffmeyer, Francesco Servida and Francisco Nunes (all UNITAD: United Nations Investigative Team to Promote Accountability for Crimes Committed by Da'esh/ISIL) | |
| AI-assisted Binary Similarity for ARM64 | Judith van de Wetering, Anne Fleur van Luenen and Jeffrey Rongen (all Netherlands Forensic Institute) | |
| 13:00 | Lunch (on-site) | |
| 14:00 | Paper Session V: IoT and Embedded Systems Forensics Session Chair: Mark Scanlon | |
| So Fresh, So Clean: Cloud Forensic Analysis of the Amazon iRobot Roomba Vacuum | Abdur Rahman Onik, Ruba Alsmadi, Ibrahim Baggili and Andrew M. Webb (all Louisiana State University) | |
| Nyon Unchained: Forensic Analysis of Bosch's eBike Board Computers | Marcel Stachak, Julian Geus, Gaston Pugliese and Felix Freiling (all Friedrich-Alexander-Universität Erlangen-Nürnberg) | |
| Grand Theft API: A Forensic Analysis of Vehicle Cloud Data | Simon Ebbers, Stefan Gense, Mouad Bakkouch (Münster University of Applied Sciences), Felix Freiling (Friedrich-Alexander-Universität Erlangen–Nürnberg) and Sebastian Schinzel (Münster Uni. of Applied Sciences) | |
| WARNE: A Stalkerware Evidence Collection Tool | Philippe Mangeard, Bhaskar Tejaswi, Amr Youssef and Mohammad Mannan (all Concordia University) | |
| 15:45 | Coffe Break with Networking | |
| 16:15 | Paper Session VI: Datasets and Metadata Session Chair: Hannes Spichiger | |
| FAIRness in digital forensics datasets’ metadata – and how to improve it | Samuele Mombelli (University of Lausanne), James R. Lyle (National Institute of Standards and Technology) and Frank Breitinger (University of Lausanne) | |
| Hypervisor-based Data Synthesis: On its Potential to Tackle the Curse of Client-side Agent Remnants in Forensic Image Generation | Dennis Wolf (Zentrale Stelle für Informationstechnik im Sicherheitsbereich), Thomas Göbel and Harald Baier (both University of the Bundeswehr Munich) | |
| Presentation Digital Forensic for Humanitarian Work: Supporting Victim Localization and Identification with an Integrated Approach | Francesco Servida, Kilian Hoffmeyer, Francisco Nunes (all UNITAD: United Nations Investigative Team to Promote Accountability for Crimes Committed by Da'esh/ISIL) | |
| 17:25 | Lightning Talks II | |
| 17:35 | Closing Words | |
| 17:45 | Time on your own | |
| 19:30 | Networking Event Location: CIERZO Brewing Co. C. de Josefa Amar y Borbón 8, Casco Antiguo, 50001 Zaragoza | |
Friday, March 22, 2023
DFRWS Field Expedition
| Time | Title |
|---|---|
| 09:45 | Visit to La Aljafería Meeting Point: Parking lot in front of the Palace |
| 11:00 | Visit to the Historical Center Meeting Point: Parking lot in front of the Palace |
| 13:30 | Lunch (not covered in registration) Ceck out the Tapas Guide! |
| 15:30 | End of DFRWS EU 2024 |
Posters:
- Validation of Step Count Logs in Apple Health
Luke Jennings, Hugo G Espinosa and Matthew Sorell - Apotheosis: Bringing Approximate K-NN and Similarity Digest Algorithms to Digital Forensics
Haula Sani Galadima, Cormac Doherty and Rob Brennan - Enhancing Organisational Cyber Resilience with a Machine-Readable Knowledge Base of Cyber Incident Response Communications and Response Activities
Haula Sani Galadima, Cormac Doherty and Rob Brennan - FACT: Forensic Acquisition & Criminal investigation Tool
Byeongchan Jeong, Jieon Kim, Junho Kim, Jewan Bang, Jungheum Park, Sangjin Lee and Geunyeong Choi - Where is the Potential for Large Language Models in Digital Forensic Investigation?
Akila Shamendra Wickramasekara and Mark Scanlon - Automated DFIR in Windows operating system
Eva Marková, Sophia Petra Krišáková and Pavol Sokol - The Effects of Voice Disguise, Made by Raising or Lowering Fundamental Frequency, on Other Formant Frequencies
Muharrem Davulcu and Ayşe Zeynep Aydin - Unified Cybercrime Investigations: Cross-Organizational Investigative Readiness
Odin Heitmann - TLExport – GENERATING DECRYPTED TLS PCAPS
Daniel Baier, Jannis Finn Borg-Olivier and Lars Morkovsky - Quantifying uniformity within forensic tools
Luuk van Campen and Harm van Beek - Investigation of Cloud-Based Mobile Applications Within the Scope of Online Data Acquisition Method
Mustafa Güngör - User activity characterization using iOS forensic artifacts
Sebastien Kanj Bongard, Josep Pegueroles and Daniel Lopez Álamo - When is a synthetic disk image realistic?
Lena L. Voigt