November 24 – 29 , 2013, Dagstuhl Seminar 13482

Forensic Computing


Felix Freiling (Universität Erlangen-Nürnberg, DE)
Gerrit Hornung (Universität Passau, DE)
Radim Polcák (Masaryk University, CZ)

For support, please contact

Dagstuhl Service Team


Dagstuhl Report, Volume 3, Issue 11 Dagstuhl Report
Aims & Scope
List of Participants
Dagstuhl's Impact: Documents available


After a brief introduction by the organizers, the seminar started off with a sequence of 3 slide/5 minute talks by all participants stating their research interests, their background and their expectations towards the seminar. In the afternoon, three motivation talks by Felix Freiling ("What is forensic computing?"), Gerrit Hornung ("The fundamental rights dimension of individual and mass surveillance") and Radim Polcák ("Experiences from drafting the cybersecurity act in CZ") paved the way for a common understanding of the open questions in the area and the relation of forensic computing to computer security law.

The rest of the afternoon questions and expectations were collected and grouped using moderation cards. The result was a spectrum of five areas of interest that we termed as follows:

  1. technical possibilities for evidence collection
  2. digital evidence: admissibility, spoofing, integrity protection
  3. open source intelligence
  4. investigations vs. privacy
  5. offensive countermeasures
  6. transborder/cloud evidence collection

For immediate discussion on Tuesday the participants voted for their favorite topics. As a result, three discussion groups were formed for the next day: digital evidence (topic 2), investigations vs.~privacy (topic 4) and offensive countermeasures (topic 5). Topic 1 was to be handled by an overview talk by Andreas Dewald on the following day.

Tuesday morning started with a talk by Andreas Dewald on technically unavoidable evidence and was followed by a multimedia presentation about cold boot and hot re-plug attacks. After this technical introduction work in the discussion groups took place until the afternoon, when the collected results of the discussion groups were presented in a plenary session. As a highlight, the group on offensive countermeasures presented a taxonomy of 5 categories of offensive countermeasures that were specific enough for both law and computer science to investigate. The results of all discussion groups are summarized later in this report.

Wednesday morning commenced with a talk about the work of Interpol by Jan Ellermann ("Data protection as an asset in Europol's fight against cybercrime"). It was followed by a presentation of current research by Dominik Herrmann about the usage of fingerprinting in network forensics ("Fingerprinting Techniques for Network Forensics"). The round of talks was concluded by an introduction to the law of evidence in criminal procedural law by Tobias Singelstein ("Basics zum Beweisrecht im Strafverfahren").

The afternoon was spent on a pleasant hike to a nearby village where the Dagstuhl office had organized delicious traditional coffee and cake. On the way back to Schloss Dagstuhl a group of adventurers again, as in 2011, separated from the main party to explore the woods around Wadern. However, unlike 2011, they managed to return to Dagstuhl in time without major difficulties.

Thursday was started with a talk by Dennis Heinson on investigations in enterprises ("Internal Investigations, IT Forensics and Law"). Afterwards two new discussion groups were formed, partly based on the areas of interest collected on Monday, and commenced discussing the topics of (1) internal investigations and (2) transborder/cloud issues. In the afternoon, the results of these groups were collected in a plenary session during which especially the transboder issues caused a heated and insightful discussion.

Friday morning hosted a series of three talks from computer science, law and practice by Christian Hawellek (on techniques for modeling surveillance), Stefan Kiltz ("Forensically Sound Data for Digitised Forensics on the Example of Locksmith Forensics") and -- last but not least -- Erich Schweighofer ("Surveillance of US-surveillance").


In summary, the participants (and the organizers) enjoyed the week in Dagstuhl. In particular, the chance to get to know many new people from both the technical and the legal side of forensic computing was appreciated. From the viewpoint of the organizers, several points appear worth mentioning which we wish to document here.

First of all, it became clear to all participants that forensic computing is still in the process of maturing. The legal regulations as well as the technical instruments used in forensic computing are evolving quickly and it needs a joint effort by both communities to make progress. In our opinion, the seminar was much better than the preceding seminar in 2011, mainly because the lawyers were more interested in technical details and the technical people presented their ``special secret instruments'' in an understandable way. The seminar showed that fruitful discussions between both sides are possible, that lawyers can be cool as well and that there exist at least some lawyers with advanced technical understanding. For the technical people it was insightful to get a basic feeling on how the interpretation of law works and to see that there are quite a lot of gray legal areas. After all, forensic expertise is just one bit of evidence in court, and it may not be the most important one. And there are actually many, many data protection problems out there that will need to be handled within the field of forensic computing.

Overall, it was again a challenge to gather interested people in Dagstuhl. Dagstuhl seminars are well-known in computer science, but not in law, and it is well-known that practitioners, which are common in forensic computing (prosecutors, defenders, police, expert witnesses), with their tight time schedules can hardly afford to come to Dagstuhl for an entire week, especially from overseas. This is a problem which will remain and explains why -- again -- the seminar was dominated by German speaking participants.

The topic of forensic computing, however, is also gaining importance in the academic community, and at Dagstuhl: In February 2014, a seminar on "Digital Evidence and Forensic Readiness" (Dagstuhl Seminar 14092) will take place, opening the possibility for several of the participants to meet and discuss again, albeit with a slightly sharpened focus. In case another general seminar like this would take place, the topic of mutual understanding can be placed into focus even stronger. This could be achieved by distributing introductory papers from "the other side" in advance or by giving introductory tutorials in forensic techniques at the seminar. In the end, the seminar left us with more open questions than we had at the beginning. But at least this was to be expected.

Summary text license
  Creative Commons BY 3.0 Unported license
  Felix Freiling, Gerrit Hornung, and Radim Polcák

Related Dagstuhl Seminar


  • Security / Cryptology
  • Society / Human-computer Interaction


  • Forensic science
  • Cybercrime
  • Computer science and law


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.