Wednesday, December 05, 2012

December 2012

The One Topic One Day symposium of ENFSI on accreditation in Digital Evidence in Tallinn, where I was invited for a talk on Quality Assurance in Digital Evidence both as chairman of the ENFSI and from the view of the NFI, was very nice. It very much depends on the size and the kind of procedures that are handled within the forensic lab. However it appeared that there are many solutions for the rate of change. In the Netherlands we are working with accreditation of R&D in casework within ISO 17025.

Currently the new guideline standard ISO 27032 is published on Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence. New standards are being developed and new standards in ISO are being developed. ISO/IEC 2703727041, 27042 and 27043 is to promote good practice methods and processes for forensic investigation of digital evidence. 

Currently working on several papers and some presentations as well as reviewing and preparing for an ENFSI meeting in Berlin with the board, where we are looking into developments within forensic science, and of course one of the topics will be how to handle cuts of budgets with keeping the quality the same or better..

Friday, November 16, 2012

November 2012

November started with some nice events. I had to go to the Court of Appeal in The Hague and testify in a case on image comparison. It is always nice to answer the questions, and verify if the report that has been written is understood in a correct way by all parties.

In the second week we had a very well organized conference at the Carabinieri in Rome of the ENFSI Forensic IT working group meeting, where I was re-elected as chairman. Many new developments in digital evidence, and now also the discussion on error rate in digital evidence is more visible, as is also discussed at the Scientific Working group of Digital Evidence , where we have an excellent liaison with. Furthermore, three proficiency tests where carried out in the field, so that was very good. Also the ISO-standards on digital evidence are developing rapidly.

Also busy with some proposal on big data for the FP7 cyber security call. And I received the message from the American Academy of Forensic Science that the workshop that we proposed (which I am chairing) on (W17) Image Analysis - 3D Imaging and Virtopsies: Developments, Methods, and Reasoning is accepted.

Currently we are sending out a proficiency test on camera identification  So enough work to do. And next week I am chairing the organisation of our conference for the digital investigators of the Dutch Police, where we have 350 people that will participate. Six parallel workshops and many nice developments, the second day is with companies and universities.

Also we have to cope with some budget cuts, so keeping the work more efficient and finding new ways of doing the forensic work is a challenge, and of course applications of funding, working with R&D and new developments remain important. And finally, I had to give an live interview (in Dutch) on Anne Frank and some photograph comparison for the radio in the Netherlands, which was also interesting to do.

Friday, October 19, 2012

October 2012 : some challenges in digital evidence

This week we will have an ENFSI-meeting in Rome of the Forensic IT Working group, were the new developments in forensic IT are discussed as well as solutions.

In Forensic IT currently we have the next seven long term challenges :

  1. big data 
  2. malware
  3. number of students in ICT
  4. encryption 
  5. different formats 
  6. diversity 
  7. presenting complicated evidence in court
  1. big data 
The issue with big data is that cases are growing rapidly. If all data from a person is collected in a case, the amount grow rapidly, also due to multimedia and fast datalinks. Currently indexing over 100 Petabyte is not easy, also HADOOP has issues with it and new solutions are developed by social networks such as facebook. Indexing video data is also not easy. Filtering is important, and triage is one of the solutions. Cloud computing is an issue here, since often the data is available in other states with different jurisdictions.

2. malware

Issues with malware developers is that it is difficult to investigate. Zero day exploits can be seen more often, and botnets and other attacks of many systems such as SCADA, are an issue. Malware on mobile phones is so common that the FBI placed a warning. Lawyers might use it as defense. Even medical devices can be infected by malware. Also people claim that governments  develop malware.

3. number of students in ICT

ICT and related studies are not very popular, so it is difficult to fill all vacancies. Software engineers are difficult to hire, and are needed for all developments.

4. encryption

With encryption methods getting more sophisticated and also implemented in hardware such as SSD-disks, live forensics methods are the choice instead of trying to break the keys. However live systems should be shielded from network communication, since it is possible to remotely wipe systems.

5. different formats
Many developers will make new file formats which deviate from the file format, and use coding which is not public. Analysing and repairing them is important. The golden age as Simon Garfinkel mentioned  is over, and we will enter a digital forensic crisis.

6. diversity 
There are many hardware  manufacturers as well as software developments. It is hard to keep up with developments and have methods available for doing a forensic analysis. Mobile device forensics with chip extraction is an option, however remains time consuming and expensive.

7. presenting complicated evidence in court
Often digital evidence especially in hacking cases is difficult to interpret for juries and judges. The challenge for the forensic examiner is to present the evidence in court such that it is acceptable. Many times new methods have to be developed and validated for the court, and also privacy laws have to be taken care of.

Sunday, October 14, 2012

Guest post by Ken Myers

7 Ways Social Media is Used by Forensic Investigation

As the saying goes, "What is posted on the Internet, stays on the Internet". Investigations are including
social media sites during forensic investigations to strengthen or confirm information gathered about any
given case. Sometimes, the criminal themselves will post incriminating information without thinking
about how it could affect them. How is this information gathered?

1. Profile Activity - Many people like to update his or her Facebook or other community site's profile.
However, posting pictures and commenting on robbing a gas station probably isn't the best method of
gaining fame.

2. Video Can Hurt - Sites such as YouTube and Flikr are entertaining sites created by those who use
them. Recording your criminal behavior and then posting it for everyone to see will secure your room at
the Jail House Hotel.

3. Chirping Your Crime - Tweeting about how you got away with an illegal activity isn't proving to
anyone how smart you are. On the contrary, posting the information is essentially telling everyone who
did what and how to find you.

4. No Comment - Posting on forums about your activity could give you a sense of status. Posting on
forums could solidify a case against you in a court of law.

5. Website Content - Even if you think your website is small and unnoticed, it can be traced back to you.
Detailing your deeds on a website could easily gather the attention of law enforcement.

6. Digital Information - During an Investigation, your computer could become evidence and all accounts
could be analyzed. The sites you once thought of as hang-outs, could be used against you to make legal

7. Reputation - If you think something may be too incriminating to post on the Internet, don't post it. Not
everyone needs to know every secret, and information has a way of telling more than you want it to.

If you don't want someone to know something about yourself, don't post it on the Internet. Even
photographs have a way of staying in the system long after you deleted them from your account. Data is
collected on a regular basis and could come back to haunt you if you're not careful.

Ken Myers is the founder for He frequently researches and
writes about a variety of topics like education, Technology, Health and many more. He welcomes your

Sunday, October 07, 2012

October 2012

September was as always a busy month, so not much time to write. Many reviews for articles, and rescheduling projects and making new project proposals. It is often not easy to explain technical issues or research projects to people that are not used to them, so the challenge is always to write clearly and receive as much feedback as possible, by directly asking non-technical people to explain what is written, and hear back if it is understood well. This is important in both forensic reports as well as project proposals.

At the start of October I enjoyed a week vacation in Bucharest. It was nice to see the different musea and buildings and some big shopping malls. I even saw some nice paintings of Rembrandt over there. In October I have to make preparations for a two days conference in the Netherlands on Digital Investigation which I am currently organizing together with a good team, so that should work well. Also I am looking forward to the ENFSI Forensic IT working group meeting in Rome later in October, where I am chairman of the working group. I visited in September during two days the ENFSI Digital Imaging Working group in Brussels, which was very well organized by NICC.

Of course, some casework, and currently also some students on different projects from several universities, on several topics, from camera identification, to forensic hand comparison and other body parts, super resolution and some research on iPhone forensics.

Saturday, August 18, 2012

August 2012

This month starts busy, lots of cases often are submitted before the vacation starts. I also had several deadlines before August 1st, for example submission of abstracts for the AAFS conference in Washington DC next year.

Several students finished their thesis for their internship, unfortunately it is difficult to get a job in general forensic science now, however it van be easy in the field of forensic ICT, so currently I advise students to study informatics and forensics, since people are needed there at the moment.

I will present at two workshops at the European Academy of Forensic Science in the Hague in August, and one paper. I am looking forward to the conference, it is always nice to meet all colleagues. The ENFSI awards will also be granted at this meeting, where I am honored and thankful to receive the distinguished forensic scientist award. Also I had the honor to meet Queen Beatrix there.

Furthermore the ENFSI Forensic IT working group meeting in Rome in October seems to have many attendees registered. In September I am looking forward to be at the ENFSI Digital Imaging Working group in Brussels, however I will only be there for a part of the meeting. Also I am looking forward to the ICMedia conference in Brasilia where I will be one of the invited speakers in September.

Tuesday, July 31, 2012

Guest post by Nancy Parker

Gather Evidence to Prosecute Cyber-Criminals with Tech Forensics

Digital or tech forensics provide the digital evidence required to apprehend a hacker engaged
in criminal activity in the digital world. Without digital evidence, prosecution is not possible
and justice is unlikely. Tech forensics increases the possibility that justice will be served if the
hacker’s steps can be traced.

Corporations can take precautions. Proactive measures can be taken with the use of digital
forensics to prevent future breaches. Corporations can examine vulnerabilities and implement
safeguards to increase security in those areas.

For instance, wireless-based technology and infrastructure has grown in popularity in the last
10 years, but it is not without its vulnerabilities. Security threats are common with wireless
infrastructure. Wireless technology provides corporations with flexibility and convenience, but
it also opens the door for corruption, criminal activity and intentional misuse. Tech forensics can
help companies identify areas of weakness and close those doors for potential breaches while
maintaining convenience for the company.

The Future of Tech Forensics and Wireless Networks

More research in the field of tech forensics and wireless networks is required to prevent breaches
and gather adequate evidentiary support when breaches do occur. Currently, most companies
make use of wireless local area networks (WLANs). In an effort to reduce potential breaches,
researchers proposed a new wireless model in 2010 that incorporates a wireless drone with a
forensic server.

The wireless forensic model (WFM) monitors wireless network traffic at multiple access points
(APs). Wireless drones are employed to accomplish this goal. During monitoring, the drones
collect information about the network traffic and forward it to a centralized forensic server. The
server will store all acquired data for evaluation and future use. These systems were tested to
determine the efficacy and viability of the new model.

When evaluated on its ability to gather evidentiary information and store trails of digital
evidence relating to an attack, WFM proved its ability. The new model is capable of capturing
data generated even at the maximum speeds of a WLAN configuration. In most instances, data
integrity was maintained and details of the attacks were provided. When evaluated, researchers
found that the WFM model was capable of providing information about any attack that occurred.
This development marked the beginning of a new and more secure wireless network for

Prosecuting Cyber-Criminals

Without evidentiary support, cyber-criminals cannot be prosecuted and stopped. When
technology is put into place to gather evidence, the next phase of capturing cyber-criminals can
occur. DNA testing and analysis is another aspect of tech forensics that helps corporations gather
evidence to incarcerate guilty cyber-criminals. This technology is older and has been employed
since the 1980s. Newer technologies are expected to have a greater degree of precision.

Prior to implementing a strategy to catch cyber-criminals, every company should review the
basic principles of computer hacking forensic investigation. This ensures that companies
are gathering evidence in a “forensically sound manner.” When the information is captured
according to the principles, it can be used in a court of law to prosecute cyber-criminals. If
the evidence gathering procedures do not comply with the regulations for forensic evidence
gathering, the evidence may not be used in a court of law. Legal evidence is instrumental in
capturing cyber-criminals and gaining justice for victims.

How is Your Companies Tech Forensics Strategy?

More hacking incidents have occurred in the past two years than has historically occurred. Your
company’s tech forensics strategy is essential to survival. Talk with a professional that can
provide information about tech forensics solutions available to prevent breaches and capture

Author Bio

Nancy Parker was a professional nanny and she loves to write about wide range of subjects like
health, Parenting, Child Care, Babysitting, nanny background check tips etc. You can reach her
@ nancy.parker015@

Saturday, July 07, 2012

July 2012

Just updating my weblog in Istanbul at the airport since I just attended the International Association of Legal Medicine IALM 2012, where I presented a paper on face comparison as well as other body parts for forensic investigations and a poster on camera identification. It was a nice conference closed to the water in the Halic conference center, and good to see some good papers on CT and MRI imaging techniques for pathology. Where the main message is that these techniques are additional to the regular atopsy, since some causes of death can be determined by CT scans and angiography and others can only be determined by an atopsy. Also the AAFS had a special session within the conference which discussed the further implementation of the outcomes of the NAS-report.

Lately I received several messages of social network sites and even my phone provider that the database of password was hacked by cybercriminals. So it seems that either they did not detect it before, or they did not inform me, or perhaps indeed more sites are hacked. Having different passwords on different sites can help, however of course the best would be to have a 2-way protection as such, which some sites as gmail have implemented. 

Now it is also the time to submit abstracts for the American Academy of Forensic Science, since they should be in before August 1st. Also the Forensic IT Working group meeting in Rome, in October is also coming nearby.

the conference center of IALM

Saturday, June 09, 2012

June 2012

The month May was a quiet month due to the number of holidays during this month, so time to read and make some new plan and working on casework as well as doing some presentations and giving some courses. Before the summer it appears the number of reviews being asked rises, so I did lots of effort in reading all interesting research. Also testing several new software approaches. Big data (analyzing thousands of terabytes for forensic investigation) seems to be one of the nice challenges, and it appears there is lots of interest. Also I have to testify as expert witness in June for a case.

Several conferences are approaches, such as the IALM 2012 in Istanbul, where I will present two papers (one in the section of the American Academy of Forensic Sciences and one poster. And I was very glad for the poster that I did not have to carry the poster, but that they have this digital system where I could upload my material to.

Also preparation for the working group meeting of the Forensic IT Working group in Rome, as well as the EAFS 2012 conference in The Hague, where I have one paper and two workshops that have been accepted.  And of course also working on the proposals for the conference of the American Academy of Forensic Sciences in Washington next year.

Saturday, April 28, 2012

April 2012

This month busy with updating my website at and new designs and contents to have less maintenance work. Also I had given a workshop on camera identification during the Digital Imaging School as well as given some training on new developments in digital evidence at the Police Academy in Apeldoorn. Many new developments and new possibilities, I also had some papers accepted for the IALM conference in Istanbul, where participants from 64 countries will attend, and which also has a special session for the American Academy of Forensic Sciences.

Currently some report and casework, and also some casework on camera identification, where we will test a method to interchange CCD's modules between different cameras for camera identification, also a topic one of the students worked on. So sometimes it appears that after a while I see that we did not publish research which might be of interest. I also updated some of the pages with previously unpublished results, for example on gait analysis.

Working on camera identification 

As a handling editor of Elseviers journal Digital Investigation I see often that people that work on casework do not have much time left on publishing their results. I also experience the same often, since the case reports are top priority, and other things can only be done when there is some time left. However it is also at the same time a question of organization of time. Writing short papers and submitting abstracts for conferences is however often a way to handle this. However I always like to work on different projects with universities and other institutions, as well as giving workshops and some lectures, so most often I will make some additional time for this.

Thursday, March 29, 2012

March 2012

March gave new insights on the different topics I am working on. Sometimes solving issues is asking the right questions, often the how questions, since they give somewhat more insight and instead of all doing myself it works best in teams with people, and especially multidisciplinary solutions are the nicest to see developing.

I also prepared an abstract for IALM 2012 in Istanbul at the AAFS-session there, as well as of course the EAFS 2012 that NFI organizes in The Hague. Many new things to develop, and it also works to have good students working on the different topics. March was my last vacation (next will be October), since I had time to read books as well as forensic literature. The casework is also giving some nice work and new ideas for R&D projects.

Also for ENFSI we are preparing the Forensic IT Working group meeting in Rome from 24-26 October 2012. It should be a good event. Also I saw that Europol will have the European Cybercrime Center, so this will be very nice to collaborate further on with the vice chair who is from Europol.

At some presentations I heard some discussions on the understanding of Bayesian conclusions by lawyers. The question that always arises if the conclusion that is logically correct is understood well by the readers of the reports. It takes some time to understand the conclusions as such for most people. However I see that people who are used to these kind of conclusions appear to understand them. However one of the most challenging issues is to have a calibration of conclusions among the forensic scientists and the different disciplines especially if it is subjective or a form of opinion, since often there is not enough statistical data to make it objective.

With some budget cuts to come, the main challenge is to find the most efficient and objective solutions and keep improving methods.

Wednesday, February 29, 2012

February 2012

This month was an excellent month, since we did not have an backlogs in casework, and I had four new students that started on different projects with doing new validation studies on camera identification, as well as aging and determining influence of firmware. Also the heart beat continues as such. I also had an evening at a crime scene for making reference video for a forensic comparison. Even the projects were going well, and all was correctly timed.

This month the American Academy of Forensic Sciences had its meeting in Atlanta from 18-25 February. It was a well attended meeting with over 4000 people attending. I was one of the organizers two workshops, one on 2D and 3D morphometrics for the Forensic Science Foundation and another workshop on innovations in multimedia forensics. Both went well, and I was also invited for a presentation at the Interdisciplinary Workshop. It appeared all workshops were sold out, and it is always nice to learn from questions that are asked.

As a Director of the Digital and Multimedia Section, I was also attending the Board of Director meeting in Monday and Saturday. Overall the meeting gave many new ideas, and it was for me good to see that collaboration between the different disciplines in forensic science goes very well. Also I was elected for the editorial board of the Journal of Forensic Science, which I also like very much because it has many disciplines in forensic science combined.

Picture taken at the Aquarium in Atlanta at Presidents Reception on Thursday

Later on the scientific session of our section also went very well, with lots of attendance on the forensic aspects of Facebook. I also have papers on video carving and on heart beat detection from videos.

Saturday, January 21, 2012

January 2012

As always we have several things to do starting in January, and it appears I have some more time since I organized my work somewhat more efficiently. Currently I am working with five students on projects on camera identification with PRNU, detection of image manipulation, heart beat detection in video and quantization tables in JPEG. It works often very efficient to have validation studies on several topics, since often journal articles do not directly translate in forensic solutions which have been validated.

Also working on some casework on forensic multimedia, doing some review work and participating in project proposals. Of course since budget cuts are near, it is time to look for new solutions which make work more efficiently. Most often in my experience with some pressure on budgets the nicest solutions are developed, as long as there remains some time for doing research, which is often not easy since forensic casework is of course the most important.

As you might have seen, I also have sometimes guest posts for this blog, which also helps with seeing the contents. The latest is of Melanie Slaugh on mobile forensics. New developments in this field are very rapidly making old methods less useful, so it is important to do very much development in this field, and know forensic properties of new devices that are handled. 

December was a month for planning, and January we have to do the real work, also in private life, to make more balance. The good thing it started right with many days that I could take my bicycle to my work, as is usual in the Netherlands. Since I live near the beach, I can go with my bicycle through the dunes without any traffic jams, and it always helps to make new plans, and evaluate the day.

Saturday, January 14, 2012

Issues with Cell Phone Forensics guest post by Melanie Slaugh

Cell phones don’t feel new, but in reality they are. With this newness comes rapid change, sometimes so
rapid that it is difficult for forensic scientists to keep up. Suspects use cell phones in a variety of crimes
and it is up to the forensic scientists to uncover their wrongdoings. But where do you start? What are
some problems that scientists come across?

1. Change- Change is the number one issue for forensic scientists to overcome. Even the cell phone
manufactures don’t always know how to retrieve information stored in new phones, so how can
scientists retrieve the information? Staying up-to-date on new cell phones is difficult, but not
impossible. As fast as they are produced, criminals come up with ways to abuse them. Strangely
enough, this can be useful for forensic scientists. Using online tips can allow scientists to easily
access information that would otherwise remain inaccessible.
2. Passwords – Password protection on cell phones are difficult to overcome, though not
impossible. Depending on the model, passwords can be bypassed in several ways.
3. Internet connection – The smarter cell phones get, the harder they are to delve into. Using an
internet connection instead of SMS or voice makes a forensic scientist’s job much harder.
4. Charge – Unlike computers, much of what is stored in a phones memory is dependent upon the
battery. When the electricity goes, so does the information. Depending on what information you
are looking for and how it is stored, battery or charger power is an important thing to think about.
5. SIM cards and removable media- SIM cards are the heart of a cell phone. They carry important
user information. Likewise, removable media, such as SD cards, can have lots of stored
information on them. It is important that forensic scientists have the proper equipment to read and
analyze the data.
6. Isolation – One thing that is often overlooked is the need to isolate the cell phone before
analyzing it. New text messages can overwrite old information, and connections to the internet
can invalidate old data. It is important to make sure the phone is isolated.
7. Security enhancements- Be especially careful when dealing with cell phones that have been
enhanced in some way. Some users have the ability to put in dead man’s switches, effectively
wiping the contents after an action or a period of time. Malware can also be loaded onto the
phone, placing your computer systems in danger.

There are many ore issues to watch out for, but these are the seven most common. Tracing cell phone data
is an arduous task, but it can be done. All it takes is a little research, a few tools, and a lot of patience.

Melanie Slaugh is enthusiastic about the growing prospects and opportunities of various industries and
writing articles on various consumer goods and services as a freelance writer. She writes extensively for
internet service providers and also topics related to internet service providers in my area for presenting the
consumers, the information they need to choose the right Internet package for them. She can be reached at
slaugh.slaugh907 @

Author Bio
Melanie Slaugh is enthusiastic about the growing prospects and opportunities of various industries and writing articles on various consumer goods and services as a freelance writer. She writes extensively for internet service providers and also topics related to internet service providers in my area for presenting the consumers, the information they need to choose the right Internet package for them. She can be reached at slaugh.slaugh907 @