IMF 2014

8th International Conference on
IT Security Incident Management & IT Forensics

May 12th - 14th, 2014
Münster, Germany

Conference of SIG SIDAR
of the German Informatics Society (GI).

Conference Program

Monday, May 12th, 2014

Time Presentation / Description Speaker
12:00 Registration and Welcome Coffee
13:00 Welcome General Chair
Rainer Böhme
(Westfälische Wilhelms-Universität Münster, Institut für Wirtschaftsinformatik, Germany)
13:15 Challenges of Coordinated Linux and Android Intrusions
  • Coordinated attacks against Linux/Android systems
  • Advances in Linux/Android malware
  • Convergence of Linux/Android threats
  • Forensics and security implications
Eoghan Casey
14:15 Coffee Break
14:45 The humming hum: background noise as a carrier of ENF artifacts in mobile device audio recordings
Niklas Fechner and Matthias Kirchner
(Westfälische Wilhelms-Universität Münster, Germany)
15:30 AFAUC - anti-forensics of storage devices by alternative use of communication channels
Harald Baier
(Hochschule Darmstadt/CASED, Germany)
Julian Knauer
(Ernst & Young, Germany)
16:15 Coffee Break
16:45 Capacity Building for Computer Emergency Response Teams
  • Definition of baseline capabilities for national / governmental CERTs
  • Capacity building for CERT via good practice sharing and training
  • Support the fight against cybercrime by facilitating CERT-LEA cooperation
  • Community building for operational information sharing
Invited Talk
Marco Thorbruegge
17:45 Wrap-Up Moderated by Felix Freiling / Holger Morgenstern (Program Chairs)
18:15/18:30 Social Events
1) Dinner at the restaurant Grosser Kiepenkerl, Spiekerhof 45, 48143 Münster, Germany - about 800 meters walking distance from the conference hotel.
(Meeting point in front of the hotel at 18:15.)

2) Afterwards at 21:00, a guided tour through the Old Town of Münster (90min) is planned (Nachtwächter-Rundgang / Night Watchman Tour) - Details to come.

Tuesday, May 13th, 2014

Time Presentation / Description Speaker
09:00 Registration and Welcome Coffee
09:30 Incident Response in Times of Cholera
  • Rules for incident response - and forensic related to incidents - have changed
  • Incident response is helping victims of unintended consequences, but there are unintended consequences for incident response and forensic as well
  • The future will bring new systems and systems of systems we will have difficulties to handle both from a response as well as a forensic perspective
Key Note
Klaus-Peter Kossakowski
(Trusted Introducer, Germany)
10:30 Coffee Break
11:00 Information Security Incident Management: Identified Practice in Large Organizations
Cathrine Hove, Marte Tårnes, Maria B. Line
(NTNU, Norway)
Karin Bernsmed
11:45 Information security incident management: Planning for failure
Maria B. Line
(NTNU/SINTEF, Norway),
Inger Anne Tøndel Martin G. Jaatun
(SINTEF, Norway)
12:30 Lunch
13:30 Current Challenges in Multimedia Forensics
  • Imperfections at the interface between analogue and digital signals
  • Forensic methods for image, video and audio data
  • Radio fingerprinting of GSM devices
Invited Talk
Thomas Gloe
(dence, Germany)
14:30 Coffee Break
15:00 Post-Mortem Memory Analysis of Cold-Booted Android Devices
Christian Hilgers, Holger Macht, Tilo Müller
(Friedrich-Alexander-University, Germany)
Michael Spreitzenbarth

(Siemens CERT, Germany)
15:45 Assuming a state of compromise. A best practise approach for SMEs on incident response management
Ralph Noll, Alexander Harsch and Steffen Idler
(PricewaterhouseCoopers, Germany)
16:30 A model for types of internet-based communication (short talk)
Robert Altschaffel, Christian Krätzer, Jana Dittmann and Stefan Kiltz
(Otto-von-Guericke-Universität Magdeburg, Germany)
17:00 Wrap-Up Moderated by Oliver Göbel
(RUS-CERT, Universität Stuttgart, Germany)
17:15 End of Day Two

Wednesday, May 14th, 2014 - WORKSHOP DAY

Time Presentation / Description Organisation
08:30 Welcome Coffee
09:00-09:45 Workshop
Android App for First Response According to ISO/IEC 27037
ISO/IEC 27037 describes the steps that IT staff should follow in a first response. The developed app guides first responders through that process, documents the process (including fotos of the location) and generates a report.
Philipp Heischkamp and Fabian Adolphs
(Aachen University of Applied Sciences, Germany)
10:00-10:45 Workshop
Dynamic Correlation of Digital Forensics Reports
The Direct Report Correlation Tool (DIRECT) is a research prototype that correlates data of different forensic reports. The demo will present the latest extensions to the tool: interactive normalization and model-object generation for forensic artifacts.
Christoph Beckmeyer
(Aachen University of Applied Sciences, Germany)
11:00-12:00 Workshop
Digital Forensics of RAM Images Using VOLIX II
"Volatility Interface and Extensions" (VOLIX) is a tool that provides better usability and additional functionality for the Volatility command line tool. One example is the automatic check of extracted processes using Virustotal. The latest version of the tool (VOLIX II) further improves the ease of use (better guidance of investigators) and includes help and reporting functions.
Patrick Bock
(Aachen University of Applied Sciences, Germany)
Parallel Session
09:00-11:30 Workshop
Finding abandoned data in SQLite databases
Creating a new SQLlite database based on the freepages in SQLite databases.
Martin Westmann
(Micro Systemation, Sweden)
12:00 Lunch
13:00-14:20 Workshop (for (ISC)² Members without fee*)
Legal and Ethical Principles
  • Nature of Evidence
  • Chain of Custody
  • Rules of Procedure
  • Role of Expert Witness
  • Codes of Ethics
Graham Thornburrow-Dobson
14:40-16:00 Workshop (for (ISC)² Members without fee*)
Emerging and Hybrid Technologies
  • Cloud Forensics
  • Social Networks
  • Big Data Paradigm
  • Control Systems
  • Critical Infrastructure
  • Virtual/Augmented Reality
Graham Thornburrow-Dobson

* If you are a (ISC)² member, there will be no fee if you want to participate in this workshop only. If you want to visit other workshops on that day as well, the regular fees apply - Conference Fee and Registration.

The conference would qualify for CPE hours for ISACA certifications (CISA, CISM, CRISC an CGEIT) and (ISC)² certification CISSP. Participants can earn up to 18 CPE for continuing their professional education.