October 3 – 7 , 2011, Dagstuhl Seminar 11401

Forensic Computing


Felix Freiling (Universität Erlangen-Nürnberg, DE)
Dirk Heckmann (Universität Passau, DE)
Radim Polcák (Masaryk University, CZ)
Joachim Posegga (Universität Passau, DE)

For support, please contact

Dagstuhl Service Team


Dagstuhl Report, Volume 1, Issue 10 Dagstuhl Report
List of Participants
Dagstuhl's Impact: Documents available

Press Room

  • Forensische Informatik
    Wolfgang Back und Wolfgang Rudolph vom Computerclub Zwei im Gespräch mit dem Juristen Focke Höhne.
  • Forensische Informatik
    Wolfgang Back und Wolfgang Rudolph vom Computerclub Zwei im Gespräch mit Prof. Felix Freiling.


After a brief introduction by the organizers, the seminar started off with a sequence of 3 slide/5 minute talks by all participants stating their research interests, their background and their expectations towards the seminar. In the afternoon, two introductory talks by Dieter Gollmann ("Access control --- principles and principals") and Stig Mjolsnes ("ICT and forensic science") paved the way for a common understanding of the open questions in the area and the relation of forensic computing to computer security.

Forensic computing is rapidly gaining importance since the amount of crime involving digital systems is steadily increasing. This involves both more traditional crime in which digital systems are merely used as tools (e.g., different types of fraud, blackmailing, hidden communication) as well as new forms of crime in which digital systems are an enabling technology (e.g., computer abuses, malicious software, malicious remote control networks like botnets). Forensic computing aims at identifying, preserving and analyzing digital evidence after a security incident has occurred. As in other forensic sciences, investigators attempt to establish hypotheses about previous actions and try to falsify them based on traces of actions left at the scene of the crime. For example, the hypothesis that a hard disk does not contain any particular incriminating data can be refuted by finding such data.

Wednesday morning commenced with a first introductory law talk by Focke Höhne ("Introduction to German IT Forensics Law"). It was followed by two insightful technical talks from presenters who had considerable practical experience in the area: Glenn Dardick and Kwok Lam.

The afternoon was spent on a pleasant hike to a nearby village where the Dagstuhl office had organized delicious traditional coffee and cake. On the way back to Schloss Dagstuhl a group of adventurers separated from the main party to explore the woods around Wadern. They only managed to return to Dagstuhl in time because of modern navigation technology (paper maps provided by the Dagstuhl office). Reasons for the failure of more traditional technology (iPhones, etc.) were discussed in the evening in the wine cellar.

Thursday saw a mix of legal and technical talks: Herbert Neumann raised many questions during his presentation of practical (law) case studies while Viola Schmid presented a proposal for a "Casebook on Cyber Forensics". Harald Baier discussed the deficits of forensic hash functions and Felix Freiling shared some of his experiences from teaching digital forensics. After lunch Michael Spreitzenbarth presented an overview over mobile phone forensics while Radim Polcák gave some background on the issues of data retention relevant in different countries. Joshua James pointed out the necessity to overcome the traditional separation of sciences and encouraged more interaction between computer science and law. Finally, Johannes Stüttgen introduced the method of "Selective Imaging" to improve the digital evidence collection process.

Friday morning hosted a series of three talks from computer science, law and practice. Stefan Kiltz spoke about techniques to seize transient evidence in networks, Sven Schmitt gave an overview of digital forensics at the German federal police (BKA), and Nicolas von zur Mühlen sparked many discussions during his presentation on transborder searches.


Overall, the seminar was well-received by the participants. They particularly liked the interdisciplinary approach, which is documented by the results of the final Dagstuhl survey: Almost all participants stated that the seminar led to "insights from neighboring fields or communities" and that they made "new professional contacts like an invitation to give a talk or to join an existing project or network". The organizers also identified room for improvement: Only about one-third of the participants came from law. This points to a fundamental problem for future seminars since --- similar to participants from industry --- it is rather untypical for academics in law or for international practitioners to spend an entire week at a seminar or workshop. In possible future seminars, the set of relevant topics should been broadened to include legal aspects of IT forensics in enterprises. This would substantially enlarge the set of interested international academics and further nourish community building which is currently vital to the field.

Related Dagstuhl Seminar


  • Security/cryptography
  • Society/HCI


  • Forensic science
  • Cybercrime
  • Computer science and law


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.