October 3 – 7, 2011, Dagstuhl Seminar 11401

Forensic Computing


Felix Freiling (Universität Erlangen-Nürnberg, DE)
Dirk Heckmann (Universität Passau, DE)
Radim Polcák (Masaryk University, CZ)
Joachim Posegga (Universität Passau, DE)



Dagstuhl Report, Volume 1, Issue 10

Press Room

  • Forensic Computing
    Wolfgang Back and Wolfgang Rudolph of Computerclub Zwei in conversation with the jurist Focke Höhne.
  • Forensic Computing
    Wolfgang Back and Wolfgang Rudolph of Computerclub Zwei in conversation with Prof. Felix Freiling.


After a brief introduction by the organizers, the seminar started off with a sequence of 3 slide/5 minute talks by all participants stating their research interests, their background and their expectations towards the seminar. In the afternoon, two introductory talks by Dieter Gollmann ("Access control --- principles and principals") and Stig Mjolsnes ("ICT and forensic science") paved the way for a common understanding of the open questions in the area and the relation of forensic computing to computer security.

Forensic computing is rapidly gaining importance since the amount of crime involving digital systems is steadily increasing. This involves both more traditional crime in which digital systems are merely used as tools (e.g., different types of fraud, blackmailing, hidden communication) as well as new forms of crime in which digital systems are an enabling technology (e.g., computer abuses, malicious software, malicious remote control networks like botnets). Forensic computing aims at identifying, preserving and analyzing digital evidence after a security incident has occurred. As in other forensic sciences, investigators attempt to establish hypotheses about previous actions and try to falsify them based on traces of actions left at the scene of the crime. For example, the hypothesis that a hard disk does not contain any particular incriminating data can be refuted by finding such data.

Wednesday morning commenced with a first introductory law talk by Focke Höhne ("Introduction to German IT Forensics Law"). It was followed by two insightful technical talks from presenters who had considerable practical experience in the area: Glenn Dardick and Kwok Lam.

The afternoon was spent on a pleasant hike to a nearby village where the Dagstuhl office had organized delicious traditional coffee and cake. On the way back to Schloss Dagstuhl a group of adventurers separated from the main party to explore the woods around Wadern. They only managed to return to Dagstuhl in time because of modern navigation technology (paper maps provided by the Dagstuhl office). Reasons for the failure of more traditional technology (iPhones, etc.) were discussed in the evening in the wine cellar.

Thursday saw a mix of legal and technical talks: Herbert Neumann raised many questions during his presentation of practical (law) case studies while Viola Schmid presented a proposal for a "Casebook on Cyber Forensics". Harald Baier discussed the deficits of forensic hash functions and Felix Freiling shared some of his experiences from teaching digital forensics. After lunch Michael Spreitzenbarth presented an overview of mobile phone forensics while Radim Polcák gave some background on the issues of data retention relevant in different countries. Joshua James pointed out the necessity to overcome the traditional separation of sciences and encouraged more interaction between computer science and law. Finally, Johannes Stüttgen introduced the method of "Selective Imaging" to improve the digital evidence collection process.

Friday morning hosted a series of three talks from computer science, law and practice. Stefan Kiltz spoke about techniques to seize transient evidence in networks, Sven Schmitt gave an overview of digital forensics at the German federal police (BKA), and Nicolas von zur Mühlen sparked many discussions during his presentation on transborder searches.


Overall, the seminar was well received by the participants. They particularly liked the interdisciplinary approach, which is documented by the results of the final Dagstuhl survey: Almost all participants stated that the seminar led to "insights from neighboring fields or communities" and that they made "new professional contacts like an invitation to give a talk or to join an existing project or network". The organizers also identified room for improvement: Only about one-third of the participants came from law. This points to a fundamental problem for future seminars since, similar to participants from industry, it is rather untypical for academics in law or for international practitioners to spend an entire week at a seminar or workshop. In possible future seminars, the set of relevant topics should be broadened to include legal aspects of IT forensics in enterprises. This would substantially enlarge the set of interested international academics and further nourish community building, which is currently vital to the field.



  • Security/cryptography
  • Society/HCI


  • Forensic science
  • Cybercrime
  • Computer science and law

