Annual meeting of ENFSI FITWG



September 25-28, 2018

St Petersburg





The annual meeting of the ENFSI Forensic Information Technology Working Group will be held from 25th to 28th of September 2018 in St. Petersburg, Russia. The conference is organized on behalf of the Ministry of Justice of the Russian Federation by the Russian Federal Centre of Forensic Science under the auspices of the North-Western Forensic Science Centre.

The Annual Meeting of the ENFSI – FITWG is open to members of ENFSI institutes and associated members of the Expert Working Group.

The ENFSI – FITWG meeting is a great opportunity to share knowledge and experience amongst fellow colleagues, not only from Europe but also from other laboratories and institutes around the world. You will also have the opportunity to attend a number of lectures and scientific presentations given by the most respected experts in this forensic field we all cherish. And, of course, you will have the chance to gather with your international colleagues in a friendly and relaxed atmosphere that the beautiful city of St. Petersburg will certainly provide.


  • August 20, 2018 is the registration deadline,
  • August 20, 2018 is the deadline for registration fee payment,
  • August 20, 2018 is the deadline for the hotel registration form,
  • August 20, 2018 is the deadline for abstract submission.


ENFSI Members 300 Euro
Associated ENFSI Members 350 Euro
Accompanying Person 160 Euro (Welcome, Sightseeing Tour, Gala)

As in our former meetings, a registration fee is required to participate in this conference.

You may proceed with the payment after registration. Detailed instructions can be found in the Personal Office. Payment can be made by bank transfer or by card.

The registration fee covers, in general terms, the whole infrastructure of the congress that takes place inside the hotel: coffee breaks, lunch every day, the rent of the plenary room and a working room, the audiovisual equipment, etc. The registration fee does not include accommodation or the Russian visa fee.


SEPTEMBER 25, Tuesday

18:00 – 20:00
(Hall of the Hotel Indigo, follow the navigation signs)
20:00 – 22:00
(Small Atrium of the Hotel Indigo)

SEPTEMBER 26, Wednesday

08:30 – 09:00

(Hall of the Hotel Indigo, follow the navigation signs)

09:00 – 09:20

Dr Svetlana SMIRNOVA - Director of the Russian Federal Center of Forensic Science of the Ministry of Justice


09:20 – 09:30
09:30 – 09:40

Presenter: Tatiana NOZHKINA


For me as a representative of Egorov, Puginsky, Afanasiev & Partners, the law firm that has been guarding the interests of business for more than 25 years, it's a great honor to welcome members of the professional community of forensic experts.

In our work, we regularly face the qualitative transformation of our clients’ business processes which comes as a result of advancement of information technologies. Furthermore, these technologies have brought a lot of positive things to each of us, making the world more open and communication between people more convenient. However, along with positive changes to our everyday lives and development of businesses and society, information technologies bring new negative transformations as well. In our practice in particular, we notice it more often nowadays that perpetrators use information technologies to commit illegal acts against entrepreneurs and ordinary people.

Fraud of different kinds, committed with the use of high-tech tools, causes significant damage to the global economy. And this is just a single example. Of course, investigation of such wrongful acts by public authorities largely depends on how effectively the expert community can detect and analyze the traces of such crimes. And this is your mission.

On behalf of our firm and all Russian colleagues, let me wish you a fruitful conference ahead. We hope that your work together will result in improvement of expert techniques to trace electronic crimes, and this in turn will make not only businesses, but everyone more protected from cybercrime, fraud and other misdeeds, including cross-border ones, committed with the use of high-tech tools.

09:40 – 10:10

Presenter: Harm VAN BEEK

Organization: Netherlands Forensic Institute

Over the last decade, Dutch law enforcement organizations have joined forces to fight the challenges in digital forensic investigations. This resulted in providing digital forensics as a service based on a centralized platform called Hansken. This game-changing way of processing digital traces has been used in over 1000 crime cases.

To bring the platform to the next level, Hansken is planned to be made available to LEAs and supporting science institutes in Europe. In this presentation we give a short wrap up of the current status of Hansken, after which we present our vision on investigating and innovating in the digital forensic domain, based on international cooperation and knowledge sharing.

10:10 – 10:40

Presenters: Lucio BONETTO, Patrick DE SMET

Organization: NICC – INCC

File carving is a technique used to recover files from a storage device without relying on file system meta-data. These techniques can be useful for restoring data lost because of disk usage incidents or deliberate deletion during or related to criminal activities. Among all graphic file formats, PNG is particularly interesting because it is one of the most widely used ones. Additionally, PNG often is the format of choice for screenshots and web site graphic resources, which means that its recovery can thus be very fruitfully used in reconstructing internet user activities. Many tools are already available for carving PNG pictures but they often fail when the file data is fragmented. PNGCarve is an advanced structure-based carving tool, designed to address several carving issues such as simple fragmentation, out-of-order fragmentation, and even recovery of partial files. The tool takes advantage of the structure of PNG pictures and their composition into independent chunks in order to discover areas where "erroneous bytes" have been introduced by the file system allocation strategy.

On all NIST CFTT graphics carving datasets PNGCarve outperforms all of its main competitors in terms of number of recovered files and is able to produce correctly viewable pictures where the other tools are not. Furthermore, it is also designed to work on selected sections of the input data, which makes it a good choice for a “divide et impera” strategy in big data processing.

10:40 – 11:10
10:10 – 10:40

Presenter: Carlota URRUELA

Organization: Universidad Autonoma de Madrid

11:25 – 11:40

Presenters: Dr. Zeno GERADTS - Netherlands Forensic Institute
Raffaele OLIVIERI - Arma dei Carabinieri

11:40 – 11:55

Presenters: Elena KARPUKHINA, Nikolay KHATUNTSEV

Organization: Russian Federal Center of Forensic Science

11:55 – 12:25

Presenter: Alexey LIZORKIN

Organization: Russian Federal Center of Forensic Science

When the file system is lost, it is usually impossible to restore fragmented files using standard methods, such as carving. However, the restoration of compound files, such as video files, archives, office documents, is possible based on their structure, known from the specification of the appropriate file format. There are specific carvers, which in some cases can restore files of a very limited number of formats, based on their structure.

But there is no general method. In my report I will talk about my experience writing such a carver, from the basic idea to the software implementation. I believe that the approach adopted can become the basis for the development of some general methodology.

12:25 – 12:40

Presenter: Gregory WEBB

Organization: Metropolitan Police Service

This brief presentation provides an overview of methods that can potentially be employed within the E01 forensic file format to improve compression ratios and analysis performance, whilst retaining full backward compatibility with previous E01 file format readers.

12:40 – 14:00
14:30 – 15:15

Presenter: Erik KRUPICKA

Organization: Bundeskriminalamt

In this presentation we will share information about our recent activities in the field of forensic password recovery. Because of the increasing challenges we observe, when trying to recover passwords in today's forensic casework, we have updated our "strategy", which now focuses greatly on the use of case- and/or suspect-related wordlists.

To fully use the potential of our self-created wordlists we use them primarily as a data source for pre-processors like Hashcat's PRINCE tool or our self-developed tool "LEA".

We will compare the performance of the LEA tool with PRINCE's recovering yield and the recovered passwords are examined with respect to their structural composition. In addition, some preliminary design studies and first results of our deep learning approach for password candidate generation based on artificial neural networks (Project “LUCY”) will be presented.

The last part of the talk will show the results of this year's proficiency test on password recovery, in which 24 labs from 14 EU countries participated.

15:15 – 15:45

Presenter: Dr Zeno GERADTS

Organization: Netherlands Forensic Institute

15:45 – 16:00

Presenter: Andrey BEREZNITSKY

Organization: North Caucasus center of forensic examination

Mobile devices, which include cell phones, smartphones and tablets, are increasingly becoming objects of computer-technical expertise. The research is subject to information stored not only in the memory of the mobile device, but also on a flash drive or SIM card. As part of our research, it was necessary to extract the information stored in the memory of the smartphone and SIM card and restore the deleted data. The result of the study was the determination of the mechanism of a perfect computer crime with the help of the smartphone being researched.

16:00 – 16:30
16:30 – 16:45

Presenter: Gregory WEBB

Organization: Metropolitan Police Service

The presentation presents a method of viewing bespoke file systems within existing forensic tools that subscribe to the Europol CASE standard. The project was born from the inability to forensically view data within bespoke file systems found on embedded systems, such as VDFS, EMMCFS, etc., which currently require kernel device driver modifications just to view the files within the Linux operating system.

The basic principle of the system presented is to enable the forensic analysis of any bespoke file system within any supporting forensic application, such as SleuthKit/Autopsy and commercial tools which subscribe to the Europol CASE standard.

(The initial concept is developed in SleuthKit/Autopsy, prior to presentation to commercial tool providers)

16:45 – 17:30

Presenter: David-Olivier JAQUET-CHIFFELLE

Organization: NIST National Institute of Standards and Technology

The Organization of Scientific Area Committees for Forensic Science (OSAC), which works to strengthen forensic science through the development of technically sound forensic science standards, has published A Framework for Harmonizing Forensic Science Practices and Digital/Multimedia Evidence. The aim of this document is to guide the systematic and coherent study of digital and multimedia evidence, to foster interdisciplinary dialog and to harmonize fundamental processes that are common across most forensic disciplines.

Three years in the making, this document was prepared by OSAC’s Digital/Multimedia Science Task Group. The task group researched and debated the essential elements of digital/multimedia science, the nature of evidence, and overarching scientific principles, reasoning processes, and techniques. The task group also reviewed a large volume of pertinent literature and interviewed practitioners, academicians and other stakeholders.

The framework presented in this document includes five core forensic processes that, when coupled with the application of scientific reasoning, can be used to answer questions about evidentiary traces. The publication also describes forensic activities and operational techniques specific to digital and multimedia forensic science that support those core forensic processes, and it discusses the scientific nature and practice of digital and multimedia sub-disciplines. A number of these forensic activities and operational techniques might be similar to those of other forensic disciplines, and therefore could be explicitly redefined within those disciplines. Although forensic disciplines each have their own terminology, the overarching structure and vocabulary presented in this publication may be useful as a framework for harmonization across disciplines.

As digital and multimedia evidence and forensic science continue to evolve, the


SEPTEMBER 27, Thursday

09:00 – 09:30

Presenters: Jan Peter VAN ZANDWIJK, Abdul BOZTAS

Organization: Metropolitan Police Service

PURPOSE: The iPhone Health App automatically collects data on daily activities for health purposes. Detailed information on the number of steps taken and distances travelled is stored in a database with a time granularity of a couple of minutes. While such information is potentially a very valuable source of information in a forensic investigation, one needs to have a good understanding of its reliability in order to make proper use of it.

METHOD: In this study we investigate the accuracy of steps and distances registered by the Health App under a broad range of experimental conditions. For five subjects, we varied carrying location of the telephone, walking distances, walking speed and compared steps and distances registered by the telephone to manually measured steps and the real distance.

RESULTS: Steps registered by the iPhone Health App agree very well with those measured manually. Distances registered, however, depend on a number of factors, such as walking speed and (walking style of the) subject and can deviate up to 30-40% from the true value.

09:30 – 10:15

Presenter: Alexey LIZORKIN

Organization: Russian Federal Center of Forensic Science

In January 2019 the law obliging government services to use software produced in Russia comes into force. The law concerns, among other things, mobile platforms. At the moment, only one mobile platform is registered in the Russian software registry - Sailfish Mobile OS RUS. In this regard, about 8 million officials in Russia will be transferred to the use of office mobile phones based on Sailfish Mobile OS RUS until 2021. This is an occasion to get to know it better.

Sailfish Mobile OS RUS is based on Linux Mer (MeeGo fork) as core and Wayland as GUI. In the worldwide version it is allowed to run many Android applications through the Alien Dalvik machine, but for security reasons this function is disallowed in the version for government. That's why a lot of software makers are developing software for native Sailfish OS. There are such applications as WhatsApp and Telegram, Facebook and Twitter, cloud storage and so on, rewritten for Sailfish OS and having their own infrastructures and data storage schemas. In my report I will describe the general principles of working with Sailfish OS from the point of view of forensic examination: creating a data image, application structure, extracting data from the clients of the most popular services.

10:15 – 10:30

Presenter: Johnny BENGTSSON

Organization: Swedish National Forensic Centre, Swedish Police Authority

This presentation goes deeper into the embedded system of a VeraPlus home automation system from a forensic perspective. It will not only present how to extract and interpret vital data that may be crucial for a forensic investigation at a crime scene, but also demonstrate a conceptual tool for extracted log data.

10:30 – 11:00
11:00 – 11:45

Presenter: Hans Micael BREWITZ

Organization: Cellebrite

For digital forensic investigations, leveraging the full potential of data should mean being able to perform functions such as identify communication patterns, map out social circles and determine future plans of suspects, witnesses and victims. So why is this not a common practice yet?

There is a huge gap between the potential of evidence within digital data and how much it is actually being tapped for investigations. With the leaps in memory sizes, device processing power and cloud storage services this current gap is set to widen exponentially if not closed by cutting-edge technology.

We should be expecting the power of data analysis to surface answers to initial investigation questions, instead of just trying to digitally support conclusions that have been arrived at outside of the digital arena. During this presentation, we will take a look into a schematic description of the investigation process and will map the way Digital Forensics is currently interacting with this flow, as well as how Data Analytics improves the process.

11:45 – 12:30

Presenters: Ghennadii KONEV, Arne ALEKSANDERSSON

Organization: MSAB (Micro Systemation AB)

Extraction, decoding and decryption of data from mobile phones, automotive vehicles and drones. Search, reconstruction and analysis of the obtained data. Building a network infrastructure to collect data from the organization's regional units, synchronize with the central server, and distribute information between employees with appropriate data tolerance. Examples of successful implementations in the EU.

12:30 – 14:00
14:00 – 16:00

Presenters: Patrick GRIFFITH, Martin BARROW

Organization: Magnet Forensics

With a growing number of investigations where digital evidence is present, it has become increasingly important for investigators to be able to extract digital evidence from a wide range of devices and sources. Whether an examiner, investigator, chief of police or internal corporate investigator, Magnet Forensics products offer solutions to your unique needs. This session will discuss Magnet’s full product suite from Magnet Atlas to Magnet AXIOM and our most recent addition, Magnet Review.

We will also introduce our newest projects, Magnet Automate and Project Dublin. Join our presentation for a demonstration on how our products can assist in getting the most out of your investigations and leave with a full license of Magnet AXIOM to use within your organization.

17:30 – 22:00
18:30 - 19:00
19:30 - 22:00

SEPTEMBER 28, Friday

09:00 – 10:00

Presenter: Maria KHRIPUN

Organization: Belkasoft

Digital forensics is a rapidly changing field. While in the golden era of forensics we had only a limited number of types of devices and a pretty straightforward process of investigation, this is not the case anymore. New devices appear daily, older devices pass into nonexistence with the speed of light. There are many types of digital investigations, each with its own peculiarities, restrictions and limitations. A modern forensic investigator must have pretty varied knowledge to keep up with all the new types of analysis. In this session we will review different topical questions of computer, mobile and cloud forensics, discuss their limitations and tendencies and learn about the Belkasoft approach to fighting investigation complexity with its innovative all-in-one digital forensics tool Belkasoft Evidence Center 2019.

10:00 – 10:30

Presenter: Matthieu REGNERY

Organization: French Gendarmerie Forensics Institute

During the past few years we have been seeing a professionalization of communications inside Organized Crime Groups (OCG). To avoid forensics as well as interception and thus prevent evidence and surveillance, OCGs are using enterprise solutions with military grade security. This talk will draw a panorama of the different solutions used by these groups as well as their specificities.

10:30 – 11:00
11:00 – 11:30
11:30 – 12:30
12:30 – 12:45
12:45 – 13:30
13:30 – 17:00

Not included in the Meeting’s Programme. All additional excursions are to be planned by the participants themselves.


You may fill in the attached form if you would like to chair a working session or deliver a presentation and/or poster. This is your conference and its technical level will fully depend on your participation. This form should be returned by e-mail to Elena Karpukhina,



ENFSI – FITWG meeting participants are recommended to stay in the Hotel Indigo St. Petersburg-Tchaikovskogo.

About the Hotel

Hotel Indigo St. Petersburg-Tchaikovskogo

17, Tchaikovskogo str.

St. Petersburg, 191187

The Hotel Indigo St. Petersburg - Tchaikovskogo, the first and the only representative of its brand in Russia and Eastern Europe, is located in the historical city center of Saint Petersburg, a 20-minute walk from Nevsky Prospect and the Hermitage Museum.

There are 117 rooms and 3 suites in the property, 6 conference rooms with daylight, a spa center with a swimming pool, a fitness center and complimentary bike rental.

The main restaurant “Vino & Voda” offers dishes from Russian and Asian cuisine accompanied by a wide range of wines. The restaurant has the largest assortment of mineral water in the city.

In the summer time guests are welcome to enjoy the most beautiful views of the city from the panoramic rooftop terrace of the Hotel.

Hotel reservation is available via your Personal Office. Please kindly fill in the HOTEL REGISTRATION FORM and send it directly to the … Accommodation will be paid directly by the participants themselves at the hotel desk.


The venue of the Annual Meeting of the ENFSI – FITWG is St. Petersburg which is the second largest city in Russia and one of the most beautiful cities in the world. It was founded in 1703 by Peter the Great as the window to Europe. Thousands of workmen were brought from all parts of Russia to build a new city on the swampy land at the mouth of the Neva River.


St. Petersburg is a wonderful city: at every turn there is something to catch your eye. There are spacious squares and circles and the streets are wide and straight. Palace Square, Senate Square, St. Isaac's Square, Trinity Square and Arts Square are all historical places, framed by famous buildings and featuring striking monuments. Alexander Column, the highest structure of this kind in the world, rises on Palace Square. Peter the Great Monument, better known as the Bronze Horseman, is on Senate Square. Nicholas I Monument, which is considered a masterpiece of engineering art, stands on St. Isaac's Square. Pushkin Monument is in the center of Arts Square. The Field of Mars, with an area of twelve hectares, is the biggest square in St. Petersburg. The city is called Northern Venice because there are 65 rivers, arms and canals there with artistically decorated bridges. Eight bridges across the Neva River open every night in summer, giving, together with the never-setting sun and magnificent buildings, a picturesque view.

Now St. Petersburg is an important industrial, cultural, and educational center. It is also famous for its legendary white nights. People all over the world know that far north in Russia is the city of St. Petersburg. Many of those who once visited the city liked it and want to be there again.

You might wish to visit the museums of St. Petersburg in your free time. Here are a number of options for you to consider:
The Hermitage, September 26, 2018 (Wednesday), opening hours: 10.30-21.00;
The Peterhof State Museum-Reserve, visiting hours: 11:00-18:00.
Please visit the website of the St. Petersburg Official City Guide to find out more information:


People from around the world come to St. Petersburg to admire the splendid Hermitage (French word for “seclusion”). This magnificent complex comprises the Winter Palace, the Small Hermitage, the Old Hermitage, the Hermitage Theatre and the New Hermitage.

The history of the museum dates back to the day when Catherine II purchased a set of paintings from merchant Gotskovsky. As time passed by, the collection was little by little enriched not only by single masterpieces but also by private collections of foreign masters’ canvases bought abroad. Nowadays guests and residents of the Northern capital can see “The Maid of Honour” and “Perseus and Andromeda” by Rubens, “Danae” by Titian, “Madonna Connestabile” by Raphael and many other chefs-d’oeuvre of Russian and foreign painters.

More info on the Museum website:


Peter the Great had intended for Peterhof (which is Dutch for “Peter’s Court”) to serve as his main summer residence. Peterhof (also known as Petrodvorets) was a distant suburb at the time when it was erected on the southern coast of the Gulf of Finland. Now it is a district of St. Petersburg. Peterhof is the home of many architectural masterpieces and historical landmarks, built in the 18th and 19th centuries for the Russian royal family and its close associates.

Peterhof owes its worldwide renown to its “constellation” of palaces and 150 fountains, of which the four better known cascades are particularly impressive. Peter I modelled Peterhof on Versailles, but the truth is that Peterhof surpasses its prototype in the lavishness and ingenuity of décor and the originality of some of its engineering ideas. The water supply system, which supplies water to the fountains to this day, was highly advanced for its time. It was built during Peter I’s reign, as were the emperor’s favourite little palace, the Monplaisir, the exquisite Marli and Hermitage Palaces, two fountain cascades, the canal, the boat landing and several isolated fountains, such as the overflowing Pyramid, which uses up 100 litres of water per second.

Peterhof was built and beautified over the course of two centuries. It was continually enlarged and augmented with the works of talented artists, architects, engineers and landscape artists. You will never forget your walk amid the parks of Peterhof, admiring the amazing Grand Cascade, the Samson, Dragon Hill, the canals, palaces and apple orchards.

More info on the Museum website:

Please note that excursions to the Peterhof and to the Hermitage are not included in the Meeting’s Programme. All additional excursions are to be planned by the participants themselves.

For your convenience, you can buy electronic tickets via the websites.

CONTACTS - for general information, registration issues, accommodation - for abstract submission

+7 (812) 449 36 21

Working hours: 10:30 a.m.–6:00 p.m. (UTC+3)