Oakland, California, U.S.A.



Call For Papers




you will need to enroll your contact information in REG-SITE if you have not used it before







Visitor Information

Previous Workshop


3rd International Workshop on
Systematic Approaches to Digital Forensic Engineering

May 22, 2008

The Claremont Resort & Spa
Oakland, California, USA
In conjunction with
2008 IEEE Symposium on Security and Privacy

Preliminary Program





Sunday - Wednesday

2008 IEEE Security and Privacy Symposium


07:15 AM-09:00 AM

Registration and Continental Breakfast


09:00 AM-09:15 AM

Welcome and Opening Remarks


09:15 AM-10:30 AM

Paper Session I: Finding Evidence for Digital Forensics I


10:30 AM-10:55 AM

Break and Poster Session


10:55 AM-11:45 AM

Paper Session II: Digital Forensics Theory


11:45 AM-01:00 PM

Lunch, Invited Paper: Computer Forensics In Forensis


1:00 PM-01:55 PM

Panel: Digital Forensic Engineering


1:55 PM-2:45 PM

Paper Session III: Finding Evidence for Digital Forensics II: Workstation Logs and Residual Data


2:45 PM-3:00 PM



3:00 PM-3:30 PM

Works in Progress


3:30 PM-3:35 PM

Short Break


3:35 PM-4:50 PM

Paper Session IV: A Legal View of Digital Forensics


4:50 PM-5:00 PM

Best Paper Award and Closing Comments

Thursday, May 22

7:15 AM - 9:00 AM

Breakfast and Registration

9:00 AM - 9:15 AM

Welcome Workshop Day 1

Chair: Michael Losavio (University of Louisville, USA)

Chair: Deborah Frincke (Pacific Northwest National Laboratory, USA)

8:45 AM - 10:30 AM

Paper Session I: Finding Evidence for Digital Forensics I

Session Chair: Antonio Savoldi

A Novel Skin Tone Detection Algorithm for Contraband Image Analysis

Marcus K Rogers, Abhishek Choudhury, Blair Gillam, and Keith Watson


This paper examines skin tone detection algorithms used by first responder forensic tools such as File Hound. File Hound is a field analysis software application that is currently being used by over 100 law enforcement agencies, both internationally and domestically. It is mainly used in forensic investigations to search and identify pornographic images from a hard drive. Since the conception of File Hound, several steps have been taken to improve its performance and expand its features. One such feature is a skin tone detection filter that can identify images with a large skin color count from the aggregate image results found by File Hound. This filter is based on the idea that there is a positive correlation between images with a large skin color count and images that are pornographic in nature. A novel skin tone detection filter was developed and this filter was tested against random images obtained from the Compaq Image database for skin tone detection [5]. The results of the test are
encouraging in terms of accuracy and low error rates: Type I = 20.64%, Type II = 0.81%, Accuracy = 78.55%.

Combining Physical and Digital Evidence in Vehicle Environments

Dennis K. Nilsson, Ulf E. Larson


Traditional forensic investigations of vehicles aims at gathering physical evidence since most crimes involving vehicles are physical. However, in the near future, digital crimes on vehicles will most likely
surge, and therefore it will be necessary to also gather digital evidence. In this paper, we investigate the possibilities of combining physical and digital evidence in forensic investigations of vehicle crime scenes. We show that digital evidence can be used to improve the investigation of physical
crimes and, respectively, that physical evidence can be used to improve the investigation of digital crimes. We also recognize that by gathering purely physical or digital evidence certain crimes cannot be solved. Finally, we show that by combining physical and digital evidence it is possible to distinguish between different types of physical and digital crime.

 Towards the Virtual Memory Space Reconstruction forWindows

              Live Forensic Purposes

Antonio Savoldi, Paolo Gubian


Live Forensic Purposes The aim of this paper is to demonstrate the usefulness of the pagefile in a live forensic context. The forensic science is striving to find new methodologies to analyze the massive quantity of data normally present in a medium-sized workstation, which can have up to several terabytes of storage devices. As a result, the live forensic approach seems to be the only one which can guarantee promptness in obtaining evidential data to be used in the investigative process. The
current approach of volatile forensic analysis does not consider the pagefile as an important element to be used in the analysis. Therefore, we have developed a solution which permits to correlate evidential data within the pagefile to the relative process located in the RAM dump. This work can
be considered a natural extension of our previous work on this topic.


10:35 AM - 10:55 AM

Break and Poster Session 

10:55 AM - 11:45 AM

Paper Session II: Digital Forensics Theory

            Session Chair: Deborah Frincke

Cognitive-Maps based Investigation of Digital Security Incidents



Investigation of security incidents is of great importance as it allows to trace back the actions taken by the intruders. In this paper we develop a formal technique for digital investigation based on the use of Incident Response Probabilistic Cognitive Maps. Three main issues are addressed here: (1) construction and extraction of plausible known attack scenarios, (2) construction of hypothetical scenarios and their validation using a logic-based formalism, and (3) selection of optimal countermeasures addressing the detected attacks.


SDI  Statistical Analysis for Data type Identificatio

Sarah J. Moody, Robert F. Erbacher


A key task in digital forensic analysis is the location of relevant
information within the computer system. Identification of the relevancy of
data is often dependent upon the identification of the type of data being
examined. Typical file type identification is based upon file extension or
magic keys. These typical techniques fail in many typical forensic analysis
scenarios such as needing to deal with embedded data, such as with Microsoft
Word files, or file fragments. The SDI (Statistical Analysis Data
Identification) technique applies statistical analysis of the byte values of
the data in such a way that the accuracy of the technique does not rely on
the potentially misleading metadata information but rather the values of the
data itself. The development of SDI provides the capability to identify
what digitally stored data actually represents and will also allow for the
selective extraction of portions of the data for additional investigation;
i.e., in the case of embedded data. Thus, our research provides a more
effective type identification technique that does not fail on file
fragments, embedded data types, or with obfuscated data.

11:45 AM - 1:00 PM

Lunch and Invited Paper

            Computer Forensics In Forensis

Sean Peisert, Matt Bishop, Keith Marzullo

1:00 PM - 1:55 PM

Panel: Digital Forensic Engineering 
Deborah Frincke, Ming-yuh.Huang

1:55 PM - 2:45 PM

Paper Session III: Finding Evidence for Digital Forensics II: Workstation Logs and Residual Data

Session Chair: Rob Erbacher

           Exemplifying Attack Identification and Analysis in a Novel
           Forensically Viable Syslog Model

Steena D.S. Monteiro, Robert F. Erbacher


This research builds on our method for validating syslog entries
proposed in [3]. The goal of the proposed method is to allow syslog files to
be forensically viable. The goal with this phase of the work is to implement
the proposed method and evaluate the forensic validity of the method under
real-world conditions. This paper discusses that implementation and the
ability for the generated authentication logs and access fingerprints to
both identify malicious activity and identify the source of this activity.
While work has been done to develop secure log files, i.e., making them
tamper resistant, there has been no prior work to ensure they are
forensically valid.


               Finding the Evidence in tamper-evident logs 

Daniel Sandler, Kyle Derr, Scott Crosby, Dan S Wallach


Abstract: Secure logs are powerful tools for building systems that must
resist forgery, prove temporal relationships, and stand up to forensic
scrutiny. The proofs of order and integrity encoded in these tamper-evident
chronological records, typically built using hash chaining, may be used by
applications to enforce operating constraints or sound alarms at suspicious
activity. However, existing research stops short of discussing how one might
go about automatically determining whether a given secure log satisfies a
given set of constraints on its records. In this paper, we discuss our work
on Querifier, a tool that accomplishes this. It can be used offline as an
analyzer for static logs, or online during the runtime of a logging
application. Querifier rules are written in a flexible pattern-matching
language that adapts to arbitrary log structures; given a set of rules and
available log data, Querifier presents evidence of correctness and offers
counterexamples if desired. We describe Querifier's implementation and offer
early performance results.

2:45 PM - 3:00 PM


3:00 PM - 3:30 PM

Works in Progress

3:30 PM - 3:35 PM

Short Break

3:35 PM - 4:50 PM

Paper Session IV: A Legal View of Digital Forensics

Implications of Attorney Experiences with Digital Forensics and

Electronic Evidence in the United States

Michael M Losavio, Deborah W Keeling, Adel Elmaghraby, George Higgins ,John Shutt


We examine the experiences of one group of lawyers with electronic

evidence and digital forensics. This indicates disparate experiences based

on case type as to 1) the use of different types of electronic evidence, 2)

disputes over that use and 3) utilization of digital forensics experts.


Protecting Digital Legal Professional Privilege (LLP) Data

Pierre K.Y. Lai, Frank Y.W. Law, Zoe L. Jiang, Ricci S.C. Ieong, Michael Y.K. Kwan , K.P. Chow


To enable free communication between legal advisor and his client for proper functioning of the legal system, certain documents, known as Legal professional privilege (LPP) documents, can be excluded as evidence for prosecution. In physical world, protection of LPP information is well addressed and proper procedure for handling LPP articles has been established. However, there does not exist a forensically sound procedure for protecting digital LPP information. In this paper, we try to address this important, but rarely addressed, issue. We point out the difficulties of handling digital LPP data and discuss the shortcomings of the current practices, then we propose a feasible procedure for solving this problem.


Legal Issues Pertaining to the Development of Digital Forensic Tools

Charles W Adams


Developers of new and improved forensic tools need to design them with the end result of their use in court in mind. Law enforcement must be able to show that the forensic tools and techniques produce reliable evidence in order for a court to consider it. Reliability is enhanced by demonstration that the forensic tools conform to the general standards within the forensic community. In addition, forensic tools must have adequate safeguards to protect the privacy of the public. Designing forensic tools so that they produce audit trails may help to verify that the use of forensic tools is limited appropriately to comply with court authorization.

4:50 PM - 5:00 PM

Best Paper Award and Closing Comments