Date and Time:
Tuesday, March 21, 09:00 – 13:00

Workshop organiser:
Hans Henseler, Netherlands, Leiden University of Applied Sciences
Job Becht, Netherlands, Netherlands Forensic Science Institute
Harm Van Beek, Netherlands, Netherlands Forensic Institute

Description:
In this workshop, you will experience how easy it can be to develop programming solutions for processing, visualizing and reporting data under investigation, and to share these solutions across investigators, cases and organizations. To solve cases, investigators need detailed insight into data under investigation. To support these investigators, digital forensic data from multiple forensic images needs to be processed, resulting in reports and visualizations. This is typically done by digital experts on the actual case data, building on academic research documented in papers or as proof-of-concept code. Reuse of such case-specific operations is not easy. Hansken is a Digital Forensics as a Service (DFaaS) platform that has been designed to give access to and insight into data under investigation. It is an open digital forensic platform that features a variety of APIs to let you automate and extend its capabilities. The browser-based expert user interface supports the development of code notebooks that operate on case data using, for example, Python or JavaScript. You can use these code notebooks to deliver custom software packages to non-technical investigators.

In this workshop, you get access to an online Hansken exercise environment. You learn more about the Hansken trace model, the Hansken query language (HQL) and Hansken.py, the Hansken Python API. You are taught how to write a Python notebook that extracts and visualizes pattern-of-life data from an iPhone. We also introduce the other APIs in the Hansken Software Development Kit (SDK) that is available to law enforcement and academia under the Hansken R&D license.

Workshop Preparation:
The workshop participants will get access to an AWS EC2 instance containing the Hansken SDK version 1.0. Participants will need a laptop with a browser, internet access and an IDE capable of running Jupyter notebooks (e.g. Visual Studio Code). Exercises will be carried out in the web browser and in the IDE running Jupyter notebooks with Python code. The IP addresses of the AWS instances will be provided after the introduction, in the hands-on part of the workshop. Some understanding of Python and digital forensics is useful but is not strictly necessary.