DFRWS Online

DFRWS 2006 Program and Proceedings

The DFRWS 2006 Agenda below summarizes the program of discussion and research.

Sunday, August 13, 2006
5:00pm	Registration and Welcome Reception Sponsored by Stroz Friedberg, LLC
Monday, August 14, 2006
8:00am	Registration
9:00am	Opening Remarks
9:10am	Keynote Address Ted Lindsey, FBI: Current Cyber Investigation Challenges in Digital Forensics (slides) Abstract: "The challenges facing cyber investigators and forensic examiners have never been greater. Our tools are unable to keep pace with the exponential growth in storage device capacity and distributed network environments. How do we find the needle in the haystack when the haystack is 10 stories tall? In addition, the advent of whole drive encryption may render our traditional image acquisition methods useless. Wireless technology has enabled an entirely new attack vector that can be launched from nearly anywhere and leaves little or no trace. More ominously, our opponents are actively taking steps to thwart our examination techniques. These are just a handful on the problems facing us as we enter the 21st century. I'll cover some of the problems that I've encountered as a cyber investigator and forensic examiner as well as some of the challenges I see from the perspective of a software engineer and independent software development firm."
10:00am	Break
10:15am	SESSION 1: Physical Devices Chair: Frank Adelstein James Lyle, NIST, USA: A Strategy for Testing Hardware Write Block Devices (paper and slides) Best Paper Award: Andreas Schuster, Deutsche Telekom AG, Germany: Searching for Processes and Threads in Microsoft Windows Memory Dumps (paper and slides) Nitin Khanna, Aravind Mikkilineni, Anthony Martone, Gazi Ali, George Chiu, Jan Allebach and Ed Delp of Purdue University, USA: A Survey of Forensic Characterization Methods for Physical Devices (paper and slides)
11:45am	Lunch and Breakout Discussions
1:15pm	SESSION 2: Working Between Disciplines Issues in Building the Digital Forensics Bridge From Computer Science to Judicial Science (slides) Panel: Michael Losavio, Deborah Wilson, Adel Elmaghraby, James Graham, S. Srinivasan, David Elder, Marcus Rogers
2:15pm	Break
2:30pm	SESSION 3: Frameworks Chair: David Baker Ricci Sze-Chung Ieong, eWalker Consulting Ltd., Hong Kong: FORZA - Digital Forensics Investigation Frameworks That Incorporate Legal Issues (paper and slides) Ashley N. Brinson, Abigail Robinson, Purdue University, USA: A Cyber Forensics Ontology: Creating a New Approach to Studying Cyber Forensics (paper and slides) Ryan Harris, Purdue University, USA: Arriving at an Anti-forensics Consensus: Examining How to Define and Control the Anti-forensics Problem (paper and slides)
4:00pm	Break
4:15pm - 5:30pm	Tool Demo & Poster Session Chair: Todd Shipley
Tuesday, August 15, 2006
9:00am	Administrative Remarks
9:15am	SESSION 4: Evidence Management Chair: Brian Carrier Wouter Alink, Raoul Bhoedjang of the Netherlands Forensic Institute, Netherlands and Peter Boncz, Arjen de Vries of the Centrum voor Wiskunde en Informatica, Netherlands: XIRAF - Ultimate Forensic Querying (paper and slides) Philip Turner, QinetiQ, UK: Selective and Intelligent Imaging using Digital Evidence Bags paper and slides) Sangwon Lee, David Ayman, Bruce Gooch, Northwestern University, USA: Detecting False Captioning Using Common Sense Reasoning paper and slides)
10:45am	Break
11:00am	SESSION 5: Summary Reports Chair: Vassil Roussev DFRWS Common Digital Evidence Storage Format (CDESF) Working Group Mark Maybury and Penny Chase, The MITRE Corporation, USA: Knowledge Exploration, Analysis, and Discovery (KNEAD) Workshop (slides)
11:45am	Lunch and Breakout Discussions
1:15pm	SESSION 6: Evidence Correlation 1 Chair: Wietse Venema Simson L. Garfinkel, Harvard, USA: Cross-Drive Analysis (paper and slides) Vassil Roussev, Timothy Bourg, Yixin Chen, Golden G Richard of the University of New Orleans, USA: md5bloom - Forensic Filesystem Hashing Revisited (paper and slides)
2:15pm	Break
2:30pm	SESSION 7: Evidence Correlation 2 Chair: Marcus Rogers Jesse Kornblum, ManTech, USA: Identifying Almost Identical Files Using Context Triggered Piecewise Hashing (paper and slides) Bradley Schatz, George Mohay, Andrew Clark of Queensland University of Technology, Australia: A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence (paper and slides)
3:30pm	Break
3:45pm	Presentations of the DFRWS 2006 Breakout Session Results Panel Lead: Frank Adelstein
4:30pm	Presentations of the DFRWS 2006 File Carving Challenge Submissions Lead: Brian Carrier
5:30pm	Banquet Sponsored by WetStone Technologies. Prizes include copies of Gargoyle Enterprise from WetStone, copies of recent digital forensic books, and more. File Carving Challenge Best Paper Award Presentation
7:00pm	Forensic Rodeo Wrangler: Chet Hosmer
Wednesday, August 16, 2006
9:00am	SESSION 8: Clever Analysis Chair: David Baker Sundararaman Jeyaraman, Purdue University, USA: An Empirical Study of Automatic Event Reconstruction Systems (paper and slides) Marcus Rogers of Purdue University, USA, Kathryn Seigfried of John Jay University, USA and Kirti Tidke of Purdue University, USA: Self-Reported Computer Criminal Behavior: A Psychological Analysis (paper and slides) Brian D Carrier, Eugene Spafford, Purdue University, USA: Categories of Digital Investigation Analysis Techniques Based On The Computer History Model (paper and slides)
10:30am	Break
10:45am	Short Presentations & Works in Progress Chair: Wietse Venema (5 minutes each)
11:30am	Closing Comments
11:45am	Lunch & DFRWS 2007 Planning Session

DFRWS Forensic Rodeo

The Forensic Rodeo has been a tradition at DFRWS for many years. After the banquet, attendees break into teams to tackle a digital forensic challenge. The first team to answer the questions wins. Historically, the challenges have been based on analyzing and recovering evidence from disk images. This year, the topic will be live analysis and the collection of evidence from a running system. At this point, that is all that we are saying. You are free to bring what ever tools you want.

Short Presentations & Works in Progress

The Short Presentations & Works in Progress session is a forum open to anyone interested in presenting topics that would not merit a full time slot, perhaps because it is on-going work or it is at an early idea stage. The only limitations are on the time and number of slides, specifically 5 minutes and 2 slides (more time may be allotted depending on how many people sign up). Participants can use this time as a sounding board to judge the interest of other researchers or practitioners. Presentation slots will be allocated on a strictly first come, first serve basis. Talk to Daryl Pfeif anytime during the workshop to sign up for a slot; she will be managing the schedule.