
Recap

  • Forensic science: both a legal and a scientific discipline.
  • Digital evidence: digital data that can support or refute a hypothesis about an incident.
  • Evidence dynamics: which operations change data and how (read, write, modify; even a plain read can update metadata such as access timestamps).
  • Evidence integrity: being able to show that the evidence has not changed since it was collected (hashes taken at acquisition and re-checked later).
  • Chain of custody: a documented record of who handled the evidence, when, where and why, from seizure to court.
  • Forensic soundness: using methods and tools that follow best practice and meet legal requirements. A practical term rather than a formal one.
  • Internet investigations: detecting crimes, securing integrity, tracing/attribution, passive vs. active methods.
  • Examining collected data: hashing, undeleting, decrypting, unpacking archives, filtering with known-good/known-bad hash sets.
  • Cyber crime: four types (child pornography, fraud, hacking/violating network security, piracy). Criminal law, procedural law, international co-operation.
  • Order of volatility: collect the most volatile data first (CPU registers and caches, memory, network state and running processes, then disk, then backups and archival media).
  • Media analysis: seized evidence, abstraction levels, anomaly detection, "archaeology vs. geology". RAID, different media types, file systems, HPA, LBA vs. CHS addressing, blocks and clusters (on Windows, Mac and Linux). File tables.
  • Live forensics: follow the order of volatility, store collected evidence remotely rather than on the suspect's disk, bring your own "trusted" tools (kernel, libraries and binaries, since the suspect system's own may be subverted). Capture running processes, network connections and encryption keys.
  • Memory analysis
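As an added example (not part of the course notes), the evidence-integrity and known-file steps from the list in Python: hash an image in chunks with two algorithms, append a chain-of-custody record, re-verify after a simulated change, and triage files against known-good/known-bad hash sets. The sample image, file contents and hash sets are constructed for the example; real cases use reference sets such as NSRL, and a tool that hashes a seized disk should be run behind a write blocker.

```python
"""Evidence integrity and known-file triage. Added example, not course material;
the sample image, files and hash sets below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never need to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(path, examiner, custody_log):
    """Hash an acquired image and append a chain-of-custody entry (JSON lines)."""
    record = {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        **hash_file(path),
    }
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(path, record):
    """True if the image still matches size and every hash in the custody record.
    Two algorithms are checked, so a single MD5 collision cannot pass."""
    algorithms = tuple(a for a in ("md5", "sha256") if a in record)
    current = hash_file(path, algorithms)
    return os.path.getsize(path) == record["size"] and all(
        current[a] == record[a] for a in algorithms)


def classify(path, known_good, known_bad):
    """Triage one file against hash sets; a known-bad hit wins over known-good."""
    digests = hash_file(path)
    if digests["sha256"] in known_bad or digests["md5"] in known_bad:
        return "known-bad"
    if digests["sha256"] in known_good or digests["md5"] in known_good:
        return "known-good"
    return "unknown"


def tamper(path, offset=0):
    """Flip one bit in the file: simulates evidence that changed after acquisition."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([byte[0] ^ 0x01]))


def make_sample_case():
    """Constructed sample data (not real evidence): a fake 1 MiB image plus three
    files to triage, and hash sets built from two of them."""
    workdir = tempfile.mkdtemp(prefix="forensics_")
    image = os.path.join(workdir, "disk.dd")
    with open(image, "wb") as fh:
        fh.write(bytes(range(256)) * 4096)
    good = os.path.join(workdir, "notepad.exe")
    bad = os.path.join(workdir, "dropper.exe")
    other = os.path.join(workdir, "notes.txt")
    for p, data in ((good, b"MZ constructed benign binary"),
                    (bad, b"MZ constructed malicious binary"),
                    (other, b"constructed user document")):
        with open(p, "wb") as fh:
            fh.write(data)
    return {
        "image": image, "good": good, "bad": bad, "other": other,
        "custody_log": os.path.join(workdir, "custody.jsonl"),
        "known_good": {hash_file(good)["sha256"]},   # NSRL-style reference set
        "known_bad": {hash_file(bad)["md5"]},        # malware hash set (often MD5)
    }


if __name__ == "__main__":
    case = make_sample_case()
    rec = acquire(case["image"], "examiner-1", case["custody_log"])
    print("verified:", verify(case["image"], rec))
    tamper(case["image"])
    print("after tamper:", verify(case["image"], rec))
    for key in ("good", "bad", "other"):
        print(key, classify(case[key], case["known_good"], case["known_bad"]))
```

The custody log is append-only JSON lines so every re-hash can be logged as its own entry; in practice the log itself should live on separate, access-controlled storage.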
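Added example for the media-analysis items (not from the notes): parse a constructed MBR partition table, decode its packed CHS fields, convert CHS to LBA under the assumed legacy geometry of 255 heads and 63 sectors per track, and compute the byte offset of a cluster inside a partition. The CHS fields are legacy and saturate at cylinder 1023 (about 8 GiB), and the 32-bit LBA fields cap an MBR disk at 2 TiB with 512-byte sectors, which is why examiners trust the LBA fields and why larger disks carry GPT instead.

```python
"""Media analysis helpers: MBR partition table, CHS<->LBA, cluster offsets.
Added example, not course material; the geometry and sample MBR are constructed."""
import struct

SECTOR = 512
HEADS, SPT = 255, 63  # assumed legacy geometry most BIOSes use for the CHS fields


def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    """LBA = (C * heads + H) * sectors_per_track + (S - 1); sectors count from 1."""
    if s < 1:
        raise ValueError("CHS sector numbers start at 1")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1


def decode_chs(b):
    """MBR packs CHS into 3 bytes: head | sector (6 bits) + cylinder high 2 bits | cylinder low 8 bits."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def encode_chs(chs):
    c, h, s = chs
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def parse_mbr(sector0):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR (bad size or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, chs_s, ptype, chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
            "lba_start": lba, "sectors": count,
            "byte_offset": lba * SECTOR, "size_bytes": count * SECTOR,
        })
    return parts


def cluster_to_byte_offset(cluster, partition_lba, sectors_per_cluster,
                           data_area_sector=0, first_cluster=0):
    """Byte offset in the image of a cluster. NTFS numbers clusters from 0 at the
    volume start; FAT numbers data clusters from 2 and its data area begins after
    the reserved/FAT/root regions (pass data_area_sector and first_cluster=2)."""
    sector = (partition_lba + data_area_sector
              + (cluster - first_cluster) * sectors_per_cluster)
    return sector * SECTOR


def build_sample_mbr():
    """Constructed MBR: one bootable NTFS (type 0x07) partition at LBA 2048, 204800 sectors."""
    mbr = bytearray(SECTOR)
    start, end = lba_to_chs(2048), lba_to_chs(2048 + 204800 - 1)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, encode_chs(start), 0x07,
                               encode_chs(end), 2048, 204800)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p, "CHS->LBA:", chs_to_lba(*p["chs_start"]))
    print("cluster 10 of an NTFS volume at LBA 2048, 8 sectors/cluster:",
          cluster_to_byte_offset(10, 2048, 8))
```

On a real image the check worth doing is whether the CHS-derived LBA agrees with the LBA field; a disagreement that is not simple saturation at cylinder 1023 means the table was edited or the geometry assumption is wrong.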

Future work

  • ISO/IEC 27037: guidelines for identification, collection, acquisition and preservation of digital evidence
  • Handling big data
  • Internet and network forensics
  • Embedded systems: acquisition and analysis
  • Using the "cloud" both as a place to find evidence and as a platform to process it. Using the latest technology.

Presentations by the 7 groups

  1. "Trojan did it" defense: three cases where this defense has been used; finding malware, disproving malware, proving the user did it.
  2. Mobile forensics (our group): iOS versus Android, boot-level access, bypassing protections, and initial analysis (undeleting files).
  3. Windows 8 forensics: IE10, Mail, Messenger, People, Skype. Registry and renaming of files.
  4. Social network visualization(?): relations and information flow between nodes, cyber forensics timeline, CFTL vs. FTK. A single device only holds a snapshot of the activity. Timelines were concluded to be very important in future forensics work.
  5. MoonSols: Windows memory dumping. Difficult to calculate the tool's actual footprint in memory.
  6. Splunk: post-mortem analysis. Import logs and CSV files into the web interface; fast search and easy scripting. Easy to correlate data across many sources.
  7. Supertimeline with infographics: comparison of software that generates timelines from disk images, and how a common import standard for this kind of software is missing. Results are more reliable if automated tools can do the job now performed by a human (extracting the interesting findings).
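Added example illustrating the timeline work of groups 4 and 7 (not the groups' own code): a small supertimeline that merges file-system MACB times in the TSK body-file format with syslog lines, normalises both to UTC epoch seconds and sorts them. The body lines and syslog lines are constructed; the year and timezone for syslog are assumptions the caller must supply, which is exactly the kind of gap a common import standard would close.

```python
"""Supertimeline from two sources: a TSK body file (file-system MACB times) and
syslog lines. Added example, not course material; all sample records are constructed."""
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")


def parse_bodyfile(text, source="fs"):
    """TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    (epoch seconds). Like mactime, emit one event per distinct timestamp, flagged
    with a 'macb' string (m=modified, a=accessed, c=changed, b=born; '.' = not then)."""
    events = []
    for line in text.strip().splitlines():
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("bad body line: " + line)
        name, size = f[1], int(f[6])
        times = {"a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])}
        for ts in sorted({t for t in times.values() if t > 0}):
            flags = "".join(k if times[k] == ts else "." for k in "macb")
            events.append({"ts": ts, "source": source, "macb": flags,
                           "detail": "%s (%d bytes)" % (name, size)})
    return events


def parse_syslog(text, year, tz=timezone.utc, source="syslog"):
    """Syslog lines carry neither year nor zone: both are assumed by the caller
    and must be recorded in the case notes. Timestamps are normalised to UTC epoch."""
    events = []
    for line in text.strip().splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError("unparsed syslog line: " + line)
        mon, day, hh, mm, ss, host, msg = m.groups()
        dt = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
        events.append({"ts": int(dt.timestamp()), "source": source, "macb": "....",
                       "detail": host + " " + msg})
    return events


def build_timeline(*event_lists):
    """Merge all sources into one ordered list; ties put file-system events first."""
    merged = [e for lst in event_lists for e in lst]
    return sorted(merged, key=lambda e: (e["ts"], e["source"] != "fs"))


def render(timeline):
    return ["%s  %s  %-7s %s" % (
        datetime.fromtimestamp(e["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        e["macb"], e["source"], e["detail"]) for e in timeline]


# Constructed sample data (not from a real case). 1394461200 = 2014-03-10 14:20:00 UTC.
SAMPLE_BODY = """\
0|/home/alice/.ssh/authorized_keys|1234|r/rrw-------|1000|1000|412|1394461320|1394461320|1394461320|1394461320
0|/tmp/.x|5678|r/rrwxr-xr-x|0|0|20480|1394461200|1394461260|1394461290|1394461200
"""
SAMPLE_SYSLOG = """\
Mar 10 14:20:05 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 14:22:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/tmp/.x
"""

if __name__ == "__main__":
    tl = build_timeline(parse_bodyfile(SAMPLE_BODY), parse_syslog(SAMPLE_SYSLOG, 2014))
    print("\n".join(render(tl)))
```

Read together, the merged view tells a story neither source shows alone: a file is born in /tmp, a login follows seconds later, the file is modified and then executed under sudo at the same second the user's authorized_keys is rewritten. That cross-source correlation is what the supertimeline is for, and why the timestamp normalisation has to be explicit.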