Dagstuhl Seminar 13482
(Nov 24 – Nov 29, 2013)
- Felix Freiling (Universität Erlangen-Nürnberg, DE)
- Gerrit Hornung (Universität Passau, DE)
- Radim Polcák (Masaryk University, CZ)
Forensic computing (sometimes also called digital forensics, computer forensics or IT forensics) is a branch of forensic science pertaining to digital evidence, i.e., any legal evidence that is processed by digital computer systems or stored on digital storage media. Forensic computing is a new discipline evolving within the intersection of several established research areas such as computer science, computer engineering and law.
Forensic computing is rapidly gaining importance since the amount of crime involving digital systems is steadily increasing. This involves both more traditional crime in which digital systems are merely used as tools (e.g., different types of fraud, blackmailing, hidden communication) as well as new forms of crime in which digital systems are an enabling technology (e.g., computer abuses, malicious software, malicious remote control networks like botnets). Forensic computing aims to identify, preserve and analyze digital evidence after a security incident has occurred. As in other forensic sciences, investigators attempt to establish hypotheses about previous actions and try to falsify them based on traces of actions left at the scene of the crime. For example, the hypothesis that a hard disk does not contain any particular incriminating data can be refuted by finding such data.
Forensic computing poses many technical and legal challenges. Particularly interesting are the mutual interactions of several well-established research directions in computer science and law. As in other forensic sciences, the emergence of forensic computing was mainly driven by practitioners trying to satisfy immediate needs within concrete digital investigations. Now that many universities, mainly in North America, have started to establish degree programs and research labs in this area, forensic computing increasingly profits from the research knowledge and scientific methods developed in computer science, but there is still a lot of untapped potential. Progress is hindered, for example, by the immaturity of the methodology for digital investigations, i.e., the lack of standardized models, file formats, investigative procedures and abstraction methods, and by the complex (and nontechnical) interactions with law and the differing requirements of different legal systems, especially when comparing continental Europe with the United States and the United Kingdom.
This Dagstuhl seminar aims to bring together researchers and practitioners from computer science and law who work in the diverse areas of forensic computing. The goal of the seminar is to further establish forensic computing as a scientific research discipline, to identify the strengths and weaknesses of the research field, and to discuss the foundations of its methodology. Some of the research questions to be discussed are:
- How can we define, identify and classify digital evidence? How can we deal with the volatile nature of many forms of digital evidence like evidence in memory and networks?
- What does a research-driven, systematic investigation of computer systems look like?
- What technical and legal possibilities exist for managing enormous amounts of data in digital investigations? How can data be disseminated without contaminating it for later use in a court of law?
- What are good ways to teach forensic computing at research institutions and universities?
- What relations exist between forensic computing and other forensic sciences, and how can they be exploited?
- How can forensic computing procedures relate to different laws worldwide, e.g., law concerning the seizure and confiscation of data?
- How can forensic computing help in fighting cybercrime? Are there important example cases? What are the legal and administrative requirements (Cybercrime convention and its adoption in Germany and the European Union)?
- How can we approach technical and legal questions concerning later use of data obtained by means of state- or privately-run data retention mechanisms in a court of law?
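Two of the points above lend themselves to a small worked example: the falsification view from the motivation (the hypothesis "this disk contains no occurrence of X" is refuted by finding X, but a failed search does not confirm it) and the question of disseminating data without contaminating it. The following is an added example written for this page, not code from the seminar, its organizers or any participant; the disk image, the keyword and the examiner names are constructed, and the shape of the chain-of-custody record is an assumption rather than any standard format.

```python
"""Added example (not from the seminar report): integrity-protected handling of
a disk image and keyword-based falsification of the hypothesis "the image
contains no occurrence of X". All data below is constructed for illustration."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 over the whole image; this is the value recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, examiner: str) -> dict:
    """Create an evidence record: the acquisition hash plus a custody log
    (record layout is an assumption made for this example)."""
    digest = sha256_hex(image)
    return {
        "acquisition_hash": digest,
        "custody": [{"who": examiner, "event": "acquired", "hash": digest,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def verify(record: dict, image: bytes) -> bool:
    """True if these bytes still match the hash recorded at acquisition."""
    return sha256_hex(image) == record["acquisition_hash"]


def hand_over(record: dict, image: bytes, examiner: str) -> dict:
    """Log a handover only after re-verifying the copy; refuse a contaminated one."""
    if not verify(record, image):
        raise ValueError("integrity check failed: copy differs from acquisition hash")
    record["custody"].append({"who": examiner, "event": "received",
                              "hash": record["acquisition_hash"],
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def search_image(image: bytes, keyword: str,
                 encodings=("ascii", "utf-16-le")) -> dict:
    """Byte offsets of every occurrence of keyword, per encoding, searched over
    the raw image (allocated, unallocated and slack space alike)."""
    hits = {}
    for enc in encodings:
        needle = keyword.encode(enc)
        offsets, start = [], 0
        while (i := image.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[enc] = offsets
    return hits


def absence_hypothesis_refuted(image: bytes, keyword: str, **kw) -> bool:
    """H0: 'the image contains no occurrence of keyword'. One hit refutes H0.
    No hit leaves H0 unrefuted but does NOT confirm it: the data may be stored
    in an encoding or form that was not searched."""
    return any(search_image(image, keyword, **kw).values())


# Constructed 'disk image': an allocated text file, a UTF-16 string as a Windows
# application might write it, and a deleted file surviving in unallocated space.
CONSTRUCTED_IMAGE = (
    b"\x00" * 64
    + b"invoice.txt: nothing to see here\n"
    + b"\x00" * 32
    + "meeting at dock 7".encode("utf-16-le")
    + b"\x00" * 32
    + b"[deleted] transfer 5000 to dock 7"
    + b"\x00" * 64
)

if __name__ == "__main__":
    record = acquire(CONSTRUCTED_IMAGE, "examiner A")
    working_copy = bytes(CONSTRUCTED_IMAGE)          # analysts work on a verified copy
    hand_over(record, working_copy, "examiner B")
    print("hits:", search_image(working_copy, "dock 7"))
    print("H0 'no dock 7' refuted:", absence_hypothesis_refuted(working_copy, "dock 7"))
    print("H0 'no meeting' refuted (ASCII search only):",
          absence_hypothesis_refuted(working_copy, "meeting", encodings=("ascii",)))
    tampered = working_copy.replace(b"dock 7", b"dock 9")
    print("tampered copy verifies:", verify(record, tampered))
```

Two things the code makes visible that the prose only states: an ASCII-only search leaves the hypothesis "no 'meeting' on this disk" unrefuted even though the string is present in UTF-16, which is exactly why "not refuted" must never be reported as "confirmed"; and a working copy that has been altered, even by a single byte, fails the handover check, so the hash recorded at acquisition is what lets a copy be passed on without contaminating the evidence.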
After a brief introduction by the organizers, the seminar started off with a sequence of three-slide, five-minute talks by all participants stating their research interests, their background and their expectations towards the seminar. In the afternoon, three motivation talks by Felix Freiling ("What is forensic computing?"), Gerrit Hornung ("The fundamental rights dimension of individual and mass surveillance") and Radim Polcák ("Experiences from drafting the cybersecurity act in CZ") paved the way for a common understanding of the open questions in the area and of the relation of forensic computing to computer security law.
During the rest of the afternoon, questions and expectations were collected and grouped using moderation cards. The result was a spectrum of six areas of interest, which we termed as follows:
- technical possibilities for evidence collection
- digital evidence: admissibility, spoofing, integrity protection
- open source intelligence
- investigations vs. privacy
- offensive countermeasures
- transborder/cloud evidence collection
For immediate discussion on Tuesday, the participants voted for their favorite topics. As a result, three discussion groups were formed for the next day: digital evidence (topic 2), investigations vs. privacy (topic 4) and offensive countermeasures (topic 5). Topic 1 was to be covered by an overview talk by Andreas Dewald on the following day.
Tuesday morning started with a talk by Andreas Dewald on technically unavoidable evidence and was followed by a multimedia presentation about cold boot and hot re-plug attacks. After this technical introduction work in the discussion groups took place until the afternoon, when the collected results of the discussion groups were presented in a plenary session. As a highlight, the group on offensive countermeasures presented a taxonomy of 5 categories of offensive countermeasures that were specific enough for both law and computer science to investigate. The results of all discussion groups are summarized later in this report.
Wednesday morning commenced with a talk about the work of Europol by Jan Ellermann ("Data protection as an asset in Europol's fight against cybercrime"). It was followed by a presentation of current research by Dominik Herrmann on the use of fingerprinting in network forensics ("Fingerprinting Techniques for Network Forensics"). The round of talks was concluded by Tobias Singelnstein's introduction to the law of evidence in criminal procedure ("Basics zum Beweisrecht im Strafverfahren", i.e., "Basics of the Law of Evidence in Criminal Proceedings").
The afternoon was spent on a pleasant hike to a nearby village where the Dagstuhl office had organized delicious traditional coffee and cake. On the way back to Schloss Dagstuhl a group of adventurers again, as in 2011, separated from the main party to explore the woods around Wadern. However, unlike 2011, they managed to return to Dagstuhl in time without major difficulties.
Thursday started with a talk by Dennis Heinson on investigations in enterprises ("Internal Investigations, IT Forensics and Law"). Afterwards, two new discussion groups were formed, partly based on the areas of interest collected on Monday, and discussed (1) internal investigations and (2) transborder/cloud issues. In the afternoon, the results of these groups were collected in a plenary session, during which especially the transborder issues caused a heated and insightful discussion.
Friday morning hosted a series of three talks from computer science, law and practice by Christian Hawellek (on techniques for modeling surveillance), Stefan Kiltz ("Forensically Sound Data for Digitised Forensics on the Example of Locksmith Forensics") and -- last but not least -- Erich Schweighofer ("Surveillance of US-surveillance").
In summary, the participants (and the organizers) enjoyed the week in Dagstuhl. In particular, the chance to get to know many new people from both the technical and the legal side of forensic computing was appreciated. From the viewpoint of the organizers, several points appear worth mentioning which we wish to document here.
First of all, it became clear to all participants that forensic computing is still in the process of maturing. The legal regulations as well as the technical instruments used in forensic computing are evolving quickly, and it needs a joint effort by both communities to make progress. In our opinion, the seminar was much better than the preceding seminar in 2011, mainly because the lawyers were more interested in technical details and the technical people presented their "special secret instruments" in an understandable way. The seminar showed that fruitful discussions between both sides are possible, that lawyers can be cool as well, and that there exist at least some lawyers with advanced technical understanding. For the technical people it was insightful to get a basic feeling for how the interpretation of law works and to see that there are quite a lot of legal gray areas. After all, forensic expertise is just one piece of evidence in court, and it may not be the most important one. And there are actually many, many data protection problems out there that will need to be handled within the field of forensic computing.
Overall, it was again a challenge to gather interested people in Dagstuhl. Dagstuhl seminars are well known in computer science but not in law, and the practitioners who are common in forensic computing (prosecutors, defense attorneys, police, expert witnesses) can, with their tight schedules, hardly afford to come to Dagstuhl for an entire week, especially from overseas. This problem will remain and explains why the seminar was, again, dominated by German-speaking participants.
The topic of forensic computing, however, is also gaining importance in the academic community, and at Dagstuhl: In February 2014, a seminar on "Digital Evidence and Forensic Readiness" (Dagstuhl Seminar 14092) will take place, giving several of the participants the opportunity to meet and discuss again, albeit with a slightly sharpened focus. Should another general seminar like this take place, the topic of mutual understanding could be given an even stronger focus. This could be achieved by distributing introductory papers from "the other side" in advance or by giving introductory tutorials on forensic techniques at the seminar. In the end, the seminar left us with more open questions than we had at the beginning, but that was to be expected.
- Andreas Dewald (Universität Erlangen-Nürnberg, DE) [dblp]
- Jan Ellermann (Europol, NL)
- Hannes Federrath (Universität Hamburg, DE) [dblp]
- Felix Freiling (Universität Erlangen-Nürnberg, DE) [dblp]
- Michael Gruhn (Universität Erlangen-Nürnberg, DE) [dblp]
- Christian Hawellek (Leibniz Universität Hannover, DE)
- Dennis Heinson (Hamburg, DE) [dblp]
- Dominik Herrmann (Universität Hamburg, DE) [dblp]
- Gerrit Hornung (Universität Passau, DE) [dblp]
- Sven Kälber (Universität Erlangen-Nürnberg, DE) [dblp]
- Stefan Kiltz (Universität Magdeburg, DE) [dblp]
- Volker Krummel (Wincor-Nixdorf International GmbH - Paderborn, DE) [dblp]
- Radim Polcák (Masaryk University, CZ) [dblp]
- Thomas Schreck (Siemens AG - München, DE) [dblp]
- Erich Schweighofer (Universität Wien, AT) [dblp]
- Tobias Singelnstein (Freie Universität Berlin, DE) [dblp]
- Vaclav Stupka (Masaryk University - Brno, CZ)
- Tatiana Tropina (MPI für Strafrecht - Freiburg, DE) [dblp]
- Nicolas von zur Mühlen (MPI für Strafrecht - Freiburg, DE)
- York Yannikos (Fraunhofer SIT - Darmstadt, DE) [dblp]
- Riha Zdenek (Masaryk University - Brno, CZ)
- Dagstuhl Seminar 11401: Forensic Computing (2011-10-03 - 2011-10-07)
- security / cryptology
- society / human-computer interaction
- forensic science
- computer science and law