WSDF

    17th International Workshop on Digital Forensics
    • Date
      Jul 31, 2024
    • Location
      SR05
    • Duration
      08:45 — 16:45

Topics of interest include, but are not limited to:

    • Digital Evidence Extraction and Analysis
    • Network Forensics
    • Anti-Forensics Techniques
    • Memory Forensics
    • Digital Forensics of immersive technologies (AR/MR/VR/XR)
    • Cyber Terrorism and Warfare
    • Log Analysis and Malware Analysis
    • Incident Response and Management
    • Best Practices and Case Studies
    • AI to enhance investigation capabilities (e.g., Natural Language Generation (NLG), Large Language Models (LLMs))
    • AI applications/benefits for policing
    • Digital Forensics of AI-based systems
    • Quality assurance in investigations
    • Certification of Digital Forensics labs
    • Novel Data Recovery and Analysis Techniques
    • Cyber Criminal Profiling
    • Big Data in Digital Forensics
    • Digital Forensics datasets
    • Digital Forensics education
    • Cloud Forensics
    • Mobile & Drone Forensics
    • Emerging challenges in Digital Forensics
    • eDiscovery
    • Open Source Intelligence (OSINT)
    • Cybercrime investigations
    • AI-generated synthetic evidence (trends, use, impact)
    • Evidence gathering in adversarial attacks
    • AI-generated child abuse material
    • Investigations involving Deepfakes
    • Legal and court challenges of Deepfakes
    • Pattern-of-life Analysis in the era of A

Workshop Chairs

Virginia N. L. Franqueira | University of Kent, UK
Andrew Marrington | Zayed University, UAE
Richard Overill | King’s College London, UK
Kim-Kwang Raymond Choo | University of Texas at San Antonio, US

    Program Committee

    Asma Adnane | Loughborough University, UK
    Olga Angelopoulou | University of Warwick, UK
Ibrahim Baggili | Louisiana State University, US
    Frank Breitinger | University of Lausanne, Switzerland
    Kam-Pui Chow | The University of Hong Kong, Hong Kong
    Jan Collie | The Open University, UK
    Mauro Conti | Padova University, Italy
    David Dampier | University of Texas, US
Glenn Dardick | Dardick, US
    Sarah De’Ath | De Montfort University, UK
    Raphael Antonius Frick | Fraunhofer Institute, Germany
George Grispos | University of Nebraska, US
    Chris Hargreaves | University of Oxford, UK
Pedro Inácio | Universidade da Beira Interior, Portugal
    Helge Janicke | Cyber Security Cooperative Research Centre, Australia
    Katerina Kanta | University of Portsmouth, UK
    Erisa Karafili | University of Southampton, UK
Ville Leppänen | University of Turku, Finland
    Raul Lopes | Brunel University and CERN, UK
    Aine MacDermott | Liverpool John Moores University, UK
    Aleksandra Mileva | University Goce Delcev, Macedonia
    Chiara Pero | University of Salerno, Italy
    Mark Scanlon | University College Dublin, Ireland
Simon Tjoa | St. Pölten University of Applied Sciences, Austria
    Harm Van Beek | Netherlands Forensic Institute, Netherlands
    Inna Vogel | Fraunhofer Institute, Germany
    Stefano Zanero | Politecnico di Milano, Italy
    Xiaojun Zhai | University of Essex, UK
    Jeroen van den Bos | Infix Technologies, Netherlands
    Vincent van der Meer | Zuyd University of Applied Sciences, Netherlands

    Subreviewers

    Alessandro Galeazzi | Padova University, Italy
    Clinton Walker | Louisiana State University, US

Submission

    Important Dates

    Extended Submission Deadline May 07, 2024
    Author Notification May 29, 2024
    Proceedings Version Jun 18, 2024
    Conference Jul 30 — Aug 02, 2024

Accepted Papers

    Forensic Analysis of Artifacts from Microsoft’s Multi-Agent LLM Platform AutoGen
    Clinton Walker (Louisiana State University, United States), Taha Gharaibeh (Louisiana State University, United States), Ruba Alsmadi (Louisiana State University, United States), Cory Hall (MITRE, United States), Ibrahim Baggili (Louisiana State University, United States)
    Full Paper
Innovations in technology bring new challenges that need to be addressed, especially in the field of technical artifact discovery and analysis that enables digital forensic practitioners. Digital forensic analysis of these innovations is a constant challenge for digital investigators. In the rapidly evolving landscape of Artificial Intelligence (AI), keeping up with the digital forensic analysis of each new tool is a difficult task. New, advanced Large Language Models (LLMs) can produce human-like artifacts because of their complex textual processing capabilities. One of the newest innovations is a multi-agent LLM framework by Microsoft called AutoGen. AutoGen enables the creation of a team of specialist LLM-backed agents where the agents "chat" with each other to plan, iterate, and determine when a given task is complete. Typically one of the agents represents the human user while the other agents work autonomously after the human gives each agent a responsibility on the team. Thus, from a digital forensics perspective, it is necessary to determine which artifacts are created by the human user and which artifacts are created by the autonomous agents. Analysis in this work indicates that the current implementation of AutoGen offers little in the way of artifacts for attribution outside of particular memory artifacts, yet has strong indicators of usage in disk and network artifacts. Our research provides the initial account of the digital artifacts of the LLM technology AutoGen and the first artifact examination of an LLM framework.
    Workshop WSDF
    Forensic Investigation of Humanoid Social Robot: A Case Study on Zenbo Robot
Farkhund Iqbal (Zayed University, United Arab Emirates), Abdullah Kazim (Zayed University, United Arab Emirates), Aine MacDermott (Liverpool John Moores University, United Kingdom), Richard Ikuesan (Zayed University, United Arab Emirates), Musaab Hassan (University of Science and Technology of Fujairah, United Arab Emirates), Andrew Marrington (Zayed University, United Arab Emirates)
    Full Paper
    Internet of Things (IoT) plays a significant role in our daily lives as interconnection and automation positively impact our societal needs. In contrast to traditional devices, IoT devices require connectivity and data sharing to operate effectively. This interaction necessitates that data resides on multiple platforms and often across different locations, posing challenges from a digital forensic investigator’s perspective. Recovering a full trail of data requires piecing together elements from various devices and locations. IoT-based forensic investigations include an increasing quantity of objects of forensic interest, the uncertainty of device relevance in terms of digital artifacts or potential data, blurry network boundaries, and edgeless networks, each of which poses new challenges for the identification of significant forensic artifacts. One example of the positive societal impact of IoT devices is that of Humanoid robots, with applications in public spaces such as assisted living, medical facilities, and airports. These robots use IoT to provide varying functionality but rely heavily on supervised learning to customize their utilization of the IoT to various environments. A humanoid robot can be a rich source of sensitive data about individuals and environments, and this data may assist in digital investigations, delivering additional information during a crime investigation. In this paper, we present our case study on the Zenbo Humanoid Robot, exploring how Zenbo could be a witness to a crime. In our experiments, a forensic examination was conducted on the robot to locate all useful evidence from multiple locations, including root-level directories using logical acquisition.
    Workshop WSDF
    Blue Skies from (X’s) Pain: A Digital Forensic Analysis of Threads and Bluesky
    Joseph Brown (Louisiana State University, United States), Abdur Rahman Onik (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
    Full Paper
This paper presents a comprehensive digital forensic analysis of the social media platforms Threads and Bluesky, juxtaposing their unique architectures and functionalities against X. This research fills a gap in the extant literature by offering a novel forensic analysis of Threads and Bluesky, based on established techniques. Mobile forensic analysis of both platforms yielded few results. Network analysis produced a variety of artifacts for Bluesky, including plaintext passwords. Threads proved to be robust, and a presentation of its security and API flow is presented. A detailed depiction of the forensic analysis performed for this paper is presented to aid future investigators.
    Workshop WSDF
    Give Me Steam: A Systematic Approach for Handling Stripped Symbols in Memory Forensics of the Steam Deck
    Ruba Alsmadi (Louisiana State University, United States), Taha Gharaibeh (Louisiana State University, United States), Andrew Webb (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
    Full Paper
The Steam Deck, developed by Valve, combines handheld gaming with desktop functionality, creating unique challenges for digital forensics due to its Linux-based SteamOS and its stripped symbol tables. This research addresses how to conduct reliable memory forensics on the Steam Deck. Employing LiME (Linux Memory Extractor) and Volatility 3, we acquire and analyze volatile memory, a process complicated by Steam's stripped symbol table that obscures forensic reconstruction of memory structures. Our approach reconstructs these symbols and adapts forensic tools to the Steam Deck’s architecture. Our results include the successful generation and validation of symbol tables and the patching of profiles to align with system configurations. During gameplay, we observed a significant increase in platform-related and game-related processes, highlighting the system's dynamic operation while gaming. These findings contribute to improving forensic methodologies for similar Linux-based devices, enhancing our capability to extract valuable forensic data from modern gaming consoles.
    Workshop WSDF
    Don’t, Stop, Drop, Pause: Forensics of CONtainer CheckPOINTs (ConPoint)
    Taha Gharaibeh (Louisiana State University, United States), Steven Seiden (Louisiana State University, United States), Mohamed Abouelsaoud (Louisiana State University, United States), Elias Bou-Harb (Louisiana State University, United States), Ibrahim Baggili (Louisiana State University, United States)
    Full Paper
In the rapidly evolving landscape of cloud computing, containerization technologies such as Docker and Kubernetes have become instrumental in deploying, scaling, and managing applications. However, these containers pose unique challenges for memory forensics due to their ephemeral nature. As memory forensics is a crucial aspect of incident response, our work combats these challenges by acquiring a deeper understanding of the containers, leading to the development of a novel, scalable tool for container memory forensics. Through experimental and computational analyses, our work investigates the forensic capabilities of container checkpoints, which capture a container's state at a specific moment in time. We introduce ConPoint, a tool created for the collection of these checkpoints. We focused on three primary research questions: What is the most forensically sound approach for checkpointing a container's memory and filesystem? How long does the volatile memory evidence reside in memory? And how long does the checkpoint process take on average to complete? Our proposed approach allowed us to successfully take checkpoints and recover all intentionally planted artifacts, that is, artifacts generated at runtime, from the tested container checkpoints. Our experiments determined the average time for checkpointing a container to be 0.537 seconds by acquiring a total of n=45 checkpoints from containers running different databases. The proposed work demonstrates the pragmatic feasibility of implementing checkpointing as an overarching strategy for container memory forensics and incident response.
    Workshop WSDF
    Sustainability in Digital Forensics
    Sabrina Friedl (University of Regensburg, Germany), Charlotte Zajewski (Universität Regensburg, Germany), Günther Pernul (Universität Regensburg, Germany)
    Full Paper
    Sustainability has become a crucial aspect of modern society and research. The emerging fusion of digital spaces with societal functions highlights the importance of sustainability. With digital technologies becoming essential, cybersecurity and digital forensics are gaining prominence. While cybersecurity's role in sustainability is recognized, sustainable practices in digital forensics are still in their early stages. This paper presents a holistic view of innovative approaches for the sustainable design and management of digital forensics concerning people, processes, and technology. It outlines how these aspects contribute to sustainability, which aligns with the core principles of economic viability, social equity, and environmental responsibility. As a result, this approach provides novel perspectives on the development of sustainability in the field of digital forensics.
    Workshop WSDF
    ScaNeF-IoT: Scalable Network Fingerprinting for IoT Device
Tadani Nasser Alyahya (University of Southampton School of Electronics and Computer Science, United Kingdom), Leonardo Aniello (University of Southampton School of Electronics and Computer Science, United Kingdom), Vladimiro Sassone (University of Southampton School of Electronics and Computer Science, United Kingdom)
    Full Paper
    Recognising IoT devices through network fingerprinting contributes to enhancing the security of IoT networks and supporting forensic activities. Machine learning techniques have been extensively utilised in the literature to optimize IoT fingerprinting accuracy. Given the rapid proliferation of new IoT devices, a current challenge in this field is around how to make IoT fingerprinting scalable, which involves efficiently updating the used machine learning model to enable the recognition of new IoT devices. Some approaches have been proposed to achieve scalability, but they all suffer from limitations like large memory requirements to store training data and accuracy decrease for older devices.

In this paper, we propose ScaNeF-IoT, a novel scalable network fingerprinting approach for IoT devices based on online stream learning and features extracted from fixed-size session payloads. Employing online stream learning allows the model to be updated without retaining training data. This, alongside relying on fixed-size session payloads, enables scalability without deteriorating recognition accuracy. We implement ScaNeF-IoT by analysing TCP/UDP payloads and utilising the Aggregated Mondrian Forest as the online stream learning algorithm. We provide a preliminary evaluation of ScaNeF-IoT accuracy and how it is affected as the model is updated iteratively to recognise new IoT devices. Furthermore, we compare ScaNeF-IoT accuracy with other IoT fingerprinting approaches, demonstrating that it is comparable to the state of the art and does not worsen as the classifier model is updated, despite not requiring any training data for older IoT devices to be retained.
    Workshop WSDF
    Timestamp-based Application Fingerprinting in NTFS
    Michael Galhuber (Wittur Group, Austria), Robert Luh (St. Pölten University of Applied Sciences, Austria)
    Full Paper
    The NTFS file system contains crucial (meta-)information that plays a significant role in forensic analysis. Among these details are the eight file timestamps, which serve as the foundation for constructing a reliable timeline. However, beyond their temporal significance, these timestamps also harbor valuable clues. Specifically, the patterns of file handling by user programs are reflected in these timestamps. By analyzing these "fingerprint" patterns, it becomes possible to identify the applications responsible for creating and editing files. This discovery facilitates event reconstruction in digital forensics investigations.

    In this study, we explore the extent to which timestamp patterns can be harnessed for application fingerprinting. Our approach involves creating classification models based on neural networks and evaluating their performance using established machine learning metrics. The results demonstrate that analyzing user file timestamps allows us to associate and narrow down potential user programs for specific file types and applications. By automating this process, we significantly reduce the analysis phase duration in forensic investigations, providing relief to resource-constrained IT forensic experts. This novel application fingerprinting method enables swift initial assessments of programs involved in cybercrime incidents.
    Workshop WSDF
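As an added illustration of the idea in this abstract (example code added here, not the authors' code or models): the script below parses the four timestamps from the raw content of an NTFS $STANDARD_INFORMATION attribute and the four from a $FILE_NAME attribute, encodes the ordering relations between them as a feature tuple, and looks that tuple up in a small hand-written pattern table. The pattern table, the descriptions it returns, and the sample attribute contents are constructed for illustration; the paper trains neural-network classifiers on real timestamp data instead, and the attribute bytes here are built inline rather than read from a disk image.

```python
"""Added example: application fingerprinting from the eight NTFS timestamps.

Not the paper's code. The pattern table and the sample records are constructed
for illustration; a real deployment would learn the patterns from labelled data.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals


def to_filetime(dt):
    """UTC datetime -> FILETIME, using integer arithmetic to avoid float rounding."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """FILETIME -> UTC datetime (the 100 ns digit is truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_standard_information(content):
    """$STANDARD_INFORMATION (type 0x10): created, modified, MFT-modified, accessed at 0x00..0x18."""
    c, m, e, a = struct.unpack_from("<4Q", content, 0x00)
    return {"si_c": c, "si_m": m, "si_e": e, "si_a": a}


def parse_file_name(content):
    """$FILE_NAME (type 0x30): parent reference at 0x00, the four timestamps at 0x08..0x20,
    name length at 0x40, namespace at 0x41, UTF-16LE name at 0x42."""
    c, m, e, a = struct.unpack_from("<4Q", content, 0x08)
    name_len = content[0x40]
    name = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return {"fn_c": c, "fn_m": m, "fn_e": e, "fn_a": a, "name": name}


def _rel(x, y):
    return "=" if x == y else (">" if x > y else "<")


def fingerprint(ts):
    """Ordering relations between the timestamps, plus whether all $SI values are whole seconds
    (whole-second values hint at an origin with coarser precision, e.g. a FAT volume or an archive)."""
    whole_seconds = all(ts[k] % TICKS_PER_SECOND == 0 for k in ("si_c", "si_m", "si_e", "si_a"))
    return (
        "M" + _rel(ts["si_m"], ts["si_c"]) + "C",
        "E" + _rel(ts["si_e"], ts["si_m"]) + "M",
        "A" + _rel(ts["si_a"], ts["si_m"]) + "M",
        "FN_C" + _rel(ts["fn_c"], ts["si_c"]) + "SI_C",
        "FN_M" + _rel(ts["fn_m"], ts["si_m"]) + "SI_M",
        "whole-seconds" if whole_seconds else "sub-second",
    )


# Constructed, hypothetical pattern table: feature tuple -> description of the handling that produced it.
KNOWN_PATTERNS = {
    ("M=C", "E=M", "A=M", "FN_C=SI_C", "FN_M=SI_M", "sub-second"):
        "created here and not modified since",
    ("M>C", "E=M", "A=M", "FN_C=SI_C", "FN_M<SI_M", "sub-second"):
        "edited in place after creation ($FN timestamps keep the creation time)",
    ("M<C", "E>M", "A>M", "FN_C=SI_C", "FN_M>SI_M", "sub-second"):
        "copied in: content modified before the file existed on this volume",
    ("M=C", "E=M", "A=M", "FN_C=SI_C", "FN_M=SI_M", "whole-seconds"):
        "created with whole-second timestamps, e.g. extracted from an archive or copied from FAT",
}


def analyse(si_content, fn_content):
    """Return (file name, feature tuple, matched description or 'no matching pattern')."""
    ts = {**parse_standard_information(si_content), **parse_file_name(fn_content)}
    fp = fingerprint(ts)
    return ts["name"], fp, KNOWN_PATTERNS.get(fp, "no matching pattern")


# --- constructed sample attribute contents (built inline instead of read from an image) ---
def build_si(c, m, e, a):
    return struct.pack("<4Q", c, m, e, a) + bytes(0x10)  # pad to the 48-byte v1.2 layout


def build_fn(c, m, e, a, name):
    # parent ref, 4 timestamps, alloc size, real size, flags, reparse, name length, namespace, name
    return (struct.pack("<Q", 0) + struct.pack("<4Q", c, m, e, a)
            + struct.pack("<QQIIBB", 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le"))


def sample_records():
    t0 = to_filetime(datetime(2024, 3, 1, 9, 0, 0, 123456, tzinfo=timezone.utc))
    t1 = t0 + 120 * TICKS_PER_SECOND  # two minutes later
    t2 = to_filetime(datetime(2024, 3, 2, 10, 0, 0, tzinfo=timezone.utc))  # whole second
    return {
        "edited": (build_si(t0, t1, t1, t1), build_fn(t0, t0, t0, t0, "report.docx")),
        "copied": (build_si(t1, t0, t1, t1), build_fn(t1, t1, t1, t1, "report (copy).docx")),
        "archived": (build_si(t2, t2, t2, t2), build_fn(t2, t2, t2, t2, "readme.txt")),
    }


if __name__ == "__main__":
    for label, (si, fn) in sample_records().items():
        name, fp, verdict = analyse(si, fn)
        print(f"{label:9} {name:20} {verdict}\n{'':9} {fp}")
```

The feature encoding is the part worth keeping: comparing $SI against $FN timestamps (which Windows sets at creation and rename but not on ordinary writes) is what separates an in-place edit from a copy, and the whole-second check catches files that arrived with coarser-precision timestamps. On a real image the attribute contents would come from the MFT entry rather than from build_si/build_fn, and the table would be replaced by a classifier trained on many files per application, as the paper does.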
    Manipulating the Swap Memory for Forensic Investigation
    Maximilian Olbort (FernUniversität in Hagen, Germany), Daniel Spiekermann (FH Dortmund, Germany), Jörg Keller (FernUniversität in Hagen, Germany)
    Full Paper
    Swap memory plays a critical role in modern operating systems' memory management. This paper explores the potential for manipulating swap memory to alter memory content at runtime and thereby control the behaviour of the target system. While conventional memory security techniques typically focus on preventing runtime manipulation of memory pages, they often overlook the moment when pages are swapped and later reloaded into memory. Therefore, we investigate the feasibility of manipulating swap memory and describe the necessary steps of extracting involved memory areas as well as techniques to force swapping of relevant processes. We verify this theoretical concept with a prototype implementing a manipulation of memory of a given program.
    Workshop WSDF
    Using DNS Patterns for Automated Cyber Threat Attribution
    Cristoffer Leite (Eindhoven University of Technology, Netherlands), Jerry Den Hartog (Eindhoven University of Technology, Netherlands), Daniel Ricardo dos Santos (Forescout Technologies, Netherlands)
    Full Paper
Linking attacks to the actors responsible is a critical part of threat analysis. Threat attribution, however, is challenging. Attackers try to avoid detection and divert attention to mislead investigations. The trend of attackers using malicious services provided by third parties also makes it difficult to discern between attackers and providers. Besides that, having a security team doing manual-only analysis might overwhelm analysts. As a result, the effective use of any trustworthy information for attribution is paramount, and automating this process is valuable. For this purpose, we propose an approach to perform automated attribution with a source of reliable information currently underutilised, the DNS patterns used by attackers. Our method creates recommendations based on similar patterns observed between a new incident and already attributed attacks and then generates a list of the most similar attacks. We show that our approach can, at ten recommendations, achieve 0.8438 precision and 0.7378 accuracy. We also show that DNS patterns have a short lifespan, allowing their utility even in more recent knowledge bases.
    Workshop WSDF
    A Quantitative Analysis of Inappropriate Content, Age Rating Compliance, and Risks to Youth on the Whisper Platform
    Jeng-Yu Chou (University of Massachusetts Amherst, United States), Brian Levine (University of Massachusetts Amherst, United States)
    Full Paper
We perform an in-depth, quantitative examination of a prominent app by studying the content it sends to users, including minors. Whisper is a popular app that encourages interactions among anonymous users posting short confessional-style texts overlaid on images. We instrumented a system to collect Whisper data over a nine-week period, consisting of 23,516 unique posts. We trained classifiers to detect sexual content appearing in the text content of these posts, estimating that 23% contain sexual content, including requests to meet up for sex with strangers. Whisper's lowest age rating is set for children 13 and older. Our characterization of the collected Whisper data yielded insight into the content circulating on the social media platform, such as the frequency of posts with detected sexual content, community behavior, and age rating compliance. Our data collection and annotation methodology yielded insight into the limitations of accurately detecting age-inappropriate content and the potential dangers apps may pose to children.
    Workshop COSH
    Join us at ARES 2024 in Vienna, Austria