Please note: All times below are in Irish/British Summer Time. Daylight savings time begins on 27th March. For clarity, the current time in Ireland/UK:

Monday, March 28, 2022

Co-located event: Women in Forensic Computing. Please see for more information and to register. Please note this is not part of the DFRWS registration and separate registration is necessary.

Women in Forensic Computing Workshop Logo and the text March 28, 2022.

Tuesday, March 29, 2022

09:30 Workshop Session I - Part I
Room 1: Level up with YARA! Tom Lancaster (Hybrid)
Room 2: The Future of Digital Forensics as a Service Harm van Beek, and Hans Henseler (Hybrid)
11:30 Workshop Session I - Part II
Room 1: Level up with YARA! Tom Lancaster (Hybrid)
Room 2: The Future of Digital Forensics as a Service Harm van Beek, and Hans Henseler (Hybrid)
13:00Lunch Break
14:00 Workshop Session II - Part I
Room 1: Network Forensics of Industrial Control Systems

Google Form Link

Second Google Form Link

Feedback Form
Adeen Ayub, and Irfan Ahmed (Hybrid)
Room 2: Cloud Application ForensicsRadek Hranický, Ondřej Ryšavý, Nelson Mutua (Hybrid)
16:00 Workshop Session II - Part II
Room 1: Network Forensics of Industrial Control Systems

Google Form Link

Second Google Form Link

Feedback Form
Adeen Ayub, and Irfan Ahmed (Hybrid)
Room 2: Cloud Application Forensics Radek Hranický, Ondřej Ryšavý, Nelson Mutua (Hybrid)
18:00Welcome Drinks (In Person)
Location: The Royal Oak
42-44 Woodstock Road

Wednesday, March 30, 2022

09:00Meet and Greet
09:15 Welcome Address
09:30 Keynote: Global Incident Response

Serge Droz | Director, Board Forum of Incident Response and Security Teams (FIRST) (In Person)

Abstract: Security incidents happen, and they seem to get bigger: Yet the internet does not stop. In fact the internet keeps growing and providing a positive impact to an ever increasing number of people.

The reason that the internet has not become a crime ridden place people avoid has two main reasons: Tech companies have invested a lot in making their products more secure. At the same time incident responders have been working quietly over the years to make sure the internet stays safe for users. The success of this is not obvious in an environment like the internet with thousands of independent participants.

Today it seems incident response is more affected by political issues than by technical challenges. We will look at how incident responders work together globally, what challenges they face and they need to be successful in the future.
11:00 Paper Session I: File System Forensics
Session Chair: Bruce Nikkel (Bern University of Applied Sciences (BFH))
A Systematic Approach to Understanding MACB Timestamps on Unix-like SystemsAurélien Thierry and Tilo Müller (In Person)
Quantifying data volatility for IoT forensics with examples from Contiki OSJens-Petter Sandvik, Katrin Franke, Habtamu Abie and Andre Årnes (In Person)
12:00 Short Presentations I
Session Chair: Erisa Karafili (University of Southampton)
Towards a working definition and classification for automation in digital forensicGaëtan Michelet, Frank Breitinger and Graeme Horsman (Virtual)
What can you tell us about your password? A Contextual ApproachAikaterini Kanta, Iwen Coisel and Mark Scanlon (In Person)
Bridging the Gap: Standardizing Representation of Inferences in Diverse Digital Forensic ContextsTimothy Bollé, Eoghan Casey and Hannes Spichiger (Virtual)
13:00Lunch Break
14:00 Paper Session II: Memory Forensics
Session Chair: Maike Raphael (Friedrich-Alexander-Universität Erlangen-Nürnberg​)
Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop ApplicationPedro Fernández-Álvarez and Ricardo J. Rodríguez (Virtual)
Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic ComputingJenny Ottmann, Frank Breitinger and Felix Freiling (In Person)
15:30 Paper Session III: Programmable Logic Controller Forensics
Session Chair: Hans Henseler (University of Applied Sciences Leiden)
PEM: Remote Forensic Acquisition of PLC Memory in Industrial Control SystemsNauman Zubair, Adeen Ayub, Hyunguk Yoo and Irfan Ahmed (Virtual)
Memory Forensic Analysis of a Programmable Logic Controller in Industrial Control Systems
Muhammad Haris Rais, Rima Asmar Awad, Juan Lopez Jr and Irfan Ahmed (TBC)
16:30Lightning Talks (Hybrid)
17:00Poster Session (Hybrid)
19:30Pre-Dinner Drinks (In Person)

Location: St Hughs College Dining Hall, St Margaret's Road
20:00Banquet (In Person)
Location: St Hughs College Dining Hall
St Margaret's Road

* We endeavour to start on time, but ask for some flexibility from online attendees should the banquet run slightly over.
Rodeo (Hybrid)
For details and info on how to prepare see

Thursday, March 31, 2022

09:00 Keynote II: Enterprise Forensics: Traditions vs Reality in modern DFIR

Emre Tınaztepe | Founder / CEO, Binalyze (Virtual)

Abstract: Digital Forensics is 40-years old, so are the methods. Cyber attacks are happening every second while we are waiting for hours to complete for a disk duplicator to finish. A single disk from a single workstation that will be investigated by a single investigator. Is it the correct way of doing forensics in 2022? Should we keep using the traditional methods or find alternative solutions? If yes, where is the line? In this talk, we will be discussing the history of Digital Forensics and try to understand it better so that both strengths and weaknesses are highlighted. Then we will introduce the next era of digital forensics that is now called Enterprise Forensics.
10:30 Paper Session IV: Network Forensics
Session Chair: John Sheppard (Waterford Institute of Technology (WIT))
SSHKex: Leveraging virtual machine introspection for extracting SSH keys and decrypting SSH network trafficStewart Sentanoe and Hans P. Reiser (Virtual)
Knock, Knock, Log: Threat Analysis, Detection & Mitigation of Covert Channels in Syslog using Port Scans as CoverKevin Lamshöft, Tom Neubert, Jonas Hielscher, Claus Vielhauer and Prof. Dr. Jana Dittmann (In Person)
11:30 Short Presentations II
Session Chair: Jan-Niclas Hilgert (Fraunhofer FKIE)
Toward Graph-Based Network Traffic Analysis and Incident InvestigationMilan Cermak (In Person)
Distant traces and their use in crime scene investigationServida Francesco, Fischer Manon, Souvignet Thomas (In Person)
The Wisdom of the Heap - Mesh It up by Weaving Data StructuresAaron Hartel, Christian Müller (Virtual)
12:30Lunch Break
Birds of a Feather (Virtual )
14:00 Paper Session V: Forensic Methods
Session Chair: Mark Scanlon (University College Dublin (UCD))
Prudent design principles for digital tampering experimentsJanine Schneider, Linus Düsel, Benedikt Lorch, Julia Drafz and Felix Freiling (In Person)
ForTrace - A Holistic Forensic Data Set Synthesis FrameworkThomas Göbel, Jan Türr, Stephan Maltan, Florian Mann and Harald Baier (In Person)
Identifying document similarity using a fast estimation of the Levenshtein Distance based on compression and signatures

Peter Coates and Frank Breitinger (In Person)
16:00 Paper Session VI: Emerging Areas
Session Chair: Frank Breitinger (University of Lausanne)
A Live Digital Forensics Approach for Quantum Mechanical ComputersDayton Closser and Elias Bou-Harb (In Person)
BlockQuery: Toward Forensically Sound Cryptocurrency InvestigationTyler Thomas, Tiffanie Edwards and Ibrahim Baggili (Virtual)
17:15Informal 2023 planning session & Wrap Party (In Person)
Location: Freud
119 Walton Street

Friday, April 1, 2022

Trip to Bletchley Park. See for information. Included for In-person registrations. Details to follow.

09:30Gather to Board Hired Bus for Bletchley Park
11:00Tour Bletchley Park
15:15Board Bus to return to Oxford
(or request stop at BP railway station or downtown Oxford bus stations)
15:30Depart Bletchley Park
17:00Arrive Oxford Mathmatics Institute