Overview
Between 4 and 18 February 2025, a three-city travelling lab converted vendor slides into reproducible experiments. Every artifact was rebuilt with open-source components, benchmarked on stage, and pushed to public repositories before the closing keynote. This paper summarises the methodology, releases four BSD-licensed tools, and publishes the first UK police reference image signed with a post-quantum key.
Session 1 — Accreditation & Certification (Kay Murfin, Compass QMS)
Challenge: ISO/IEC 17025 compliance without expensive commercial QMS portals.
Released Tool: accred-cicd (BSD-3)
Function: GitHub Actions workflow that spins up a containerised LIMS, pre-loaded with 2025 Forensic Science Regulator checklists. Every commit triggers a 140-point control test; failures block merge.
Live Demo: West Midlands Police fork passed 98 % of controls in 6 min 12 s; certificate PDF and signed JSON evidence are automatically deposited in an evidence bag hashed to sigstore/rekor.
Session 2 — Cloud Forensics: Future or Gamble? (DS John Price, West Midlands Police)
Dataset: 60-day synthetic AWS CloudTrail (1.8 GB JSON, 4.2 M events) modelling a double-extortion ransomware case.
Released Tool: cloud-forensic-notebook (MIT)
Jupyter notebook that:
- Replays AssumeRole events into a Neo4j graph
- Flags impossible-travel logins (> 600 km in < 30 min)
- Exports STIX-2.1 bundles ready for MISP
Benchmark: 4.2 M events parsed in 4 min 8 s on a 16-vCPU laptop; 92 % of reconstructed attack paths matched the red-team ground truth.
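The impossible-travel rule listed above (> 600 km in < 30 min), sketched as an added example; it is not code from cloud-forensic-notebook. The GEO lookup table, the sample events and the choice to key identities on userIdentity.arn are assumptions made for illustration.

```python
import math
from datetime import datetime

MAX_KM, MAX_MINUTES = 600, 30  # thresholds quoted in the session summary

# Constructed IP -> (lat, lon) table; a real pipeline would query a GeoIP database.
GEO = {"198.51.100.7": (52.4862, -1.8904),   # Birmingham
       "192.0.2.15": (51.5074, -0.1278),     # London
       "203.0.113.44": (40.7128, -74.0060)}  # New York

def _ev(time, name, ip, user):
    """Build a constructed event using CloudTrail field names."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

EVENTS = [  # constructed sample, deliberately out of order
    _ev("2025-02-04T09:12:00Z", "ConsoleLogin", "203.0.113.44", "alice"),
    _ev("2025-02-04T09:00:00Z", "ConsoleLogin", "198.51.100.7", "alice"),
    _ev("2025-02-04T09:05:00Z", "AssumeRole",   "203.0.113.44", "bob"),
    _ev("2025-02-04T09:00:00Z", "ConsoleLogin", "198.51.100.7", "bob"),
    _ev("2025-02-04T09:20:00Z", "ConsoleLogin", "192.0.2.15",   "bob"),
    _ev("2025-02-04T09:00:00Z", "ConsoleLogin", "198.51.100.7", "carol"),
    _ev("2025-02-04T17:00:00Z", "ConsoleLogin", "203.0.113.44", "carol"),
]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, geo):
    """Return (arn, prev_ip, ip, km, minutes) for consecutive logins that break the rule."""
    last, hits = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        loc = geo.get(ev["sourceIPAddress"])
        if ev["eventName"] != "ConsoleLogin" or loc is None:
            continue  # only logins with a resolvable location can be judged
        arn = ev["userIdentity"]["arn"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if arn in last:
            prev_ts, prev_loc, prev_ip = last[arn]
            km = haversine_km(prev_loc, loc)
            minutes = (ts - prev_ts).total_seconds() / 60
            if km > MAX_KM and minutes < MAX_MINUTES:
                hits.append((arn, prev_ip, ev["sourceIPAddress"], round(km), minutes))
        last[arn] = (ts, loc, ev["sourceIPAddress"])
    return hits

if __name__ == "__main__":
    for hit in impossible_travel(EVENTS, GEO):
        print(hit)
```

Only alice's pair is flagged: bob's second login is too close and carol's is too late. Logins from IPs that cannot be geolocated are skipped rather than guessed at.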
Session 3 — Mobile Speed & Efficiency (Christine Hall, Exterro)
Hardware: Raspberry Pi 5 + Nvidia Jetson Nano (20 W total)
Released Tool: mobile-triage-go (BSD-3)
- Agent-less, wireless logical acquisition for iOS 18 & Android 14
- Streams NAND blocks into AFF4-L containers
- Calculates BLAKE3 hash and Dilithium signature in real time
Trial: 12 audience devices; average throughput 3.4 GB/min; cryptographic log notarised to Rekor.
Admissibility: On-site CPS barrister confirmed format satisfies current CrimPR Rule 19.
Session 4 — Leading Change (Ewelina Gramala, Exterro)
Released Asset: lean-forensic-canvas (Creative Commons)
A4 one-page template that translates Lean-startup metrics (cycle time, error rate, WIP) into forensic-lab language. First UK force to adopt it cut mean examination time from 42 days to 19 days within one quarter.
Combined Metrics Across Cities
- Registered attendees: 317
- Devices imaged live: 41
- GitHub stars accumulated (60-day window): 1 247
- Independent forks confirming results: 38
- Pull-requests merged: 64
Reproducibility Instructions
- Clone meta-repository: git clone https://github.com/uk-dfr2025/roadshow
- docker compose up (downloads all images and datasets)
- make audit — regenerates CSV outputs and cross-checks hashes cited in this paper
Emerging Consensus
- Post-quantum signatures (CRYSTALS-Dilithium-3) were accepted by every prosecutor consulted; no evidentiary objections raised
- ISO 17025 compliance can be maintained with purely open-source CI/CD; licence cost savings exceed GBP 45 k per lab
- CloudTrail graph analysis reduces attack-path reconstruction time from 3 days to 17 minutes without proprietary threat-intelligence feeds
Future Work
A public test-fest will run 17–18 March 2026 at the University of Surrey. Participants must bring a containerised tool and leave with a reproducibility report; carbon offsets included.
Conclusion
By converting a traditional vendor roadshow into an open laboratory, the UK digital-forensics community gained auditable, licence-free utilities that satisfy accreditation, judicial and cybersecurity requirements simultaneously. Continuous peer review and public reference data will be essential as cloud workloads and quantum threats reshape evidence lifecycles.