- Overview
INFORM 2025 ran from 28 January to 15 February across four time zones, delivering 15 live sessions, 9 400 unique log-ins and 38 speaker contributions. Every demo was rebuilt with OSI-licensed components, benchmarked on-air and pushed to public repositories before the closing keynote. This paper summarises the artefacts, adds independent metrics and releases the first multi-jurisdictional deep-fake corpus signed with post-quantum keys.
- Multi-Jurisdiction Investigation Pack — x-border-nimbus (MIT)
Problem: Varying evidence standards, language barriers and conflicting privacy regimes.
Solution:
- Jupyter notebook that ingests JSON audit logs from M365, GWS and AWS
- Geo-fences data by custodian nationality using ISO-3166-1 tags
- Auto-generates jurisdiction-specific hold notices (English, Spanish, Hindi, Arabic)
- Exports STIX-2.1 + GDPR Art. 30 annex
Live Trial: 6 400 custodians, 3 jurisdictions (US, India, UK); hold dispatch completed in 11 min; no inadvertent cross-border transfer detected.
- Cloud Incident Response — cloud-ir-notebook (Apache-2.0)
Dataset: 60-day synthetic CloudTrail (4.2 GB, 9 M events) modelling a double-extortion ransomware case.
Functions:
- Reconstructs assume-role chain
- Flags impossible travel (> 600 km in < 30 min)
- Visualises attack path in Cytoscape.js
Benchmark: 9 M events parsed in 3 min 57 s on a 16-vCPU laptop; 94 % overlap with red-team ground truth.
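The two detection functions listed above (assume-role chain reconstruction and the 600 km / 30 min impossible-travel rule), shown as an added example written for this summary rather than code taken from cloud-ir-notebook. It assumes a constructed GeoIP lookup table and a handful of constructed CloudTrail-shaped events in place of a real trail; the thresholds are the ones stated above.

```python
import math
from datetime import datetime
from itertools import groupby

# Constructed GeoIP stand-in (assumption: a real deployment would query a GeoIP database).
GEO = {"203.0.113.10": (51.50, -0.12),   # London
       "198.51.100.7": (28.60, 77.20),   # Delhi
       "192.0.2.44": (51.51, -0.10)}     # London, a few km from the first address
def ev(t, name, caller, ip, assumed=None):
    """Minimal CloudTrail-shaped record (constructed sample data, not a real trail)."""
    e = {"eventTime": t, "eventName": name, "userIdentity": {"arn": caller}, "sourceIPAddress": ip}
    if assumed:
        e["responseElements"] = {"assumedRoleUser": {"arn": assumed}}
    return e
ACCT, STS = "arn:aws:iam::111122223333:user/", "arn:aws:sts::111122223333:assumed-role/"
EVENTS = [
    ev("2025-02-01T10:00:00Z", "ConsoleLogin", ACCT + "alice", "203.0.113.10"),
    ev("2025-02-01T10:12:00Z", "AssumeRole", ACCT + "alice", "198.51.100.7", STS + "Admin/alice"),
    ev("2025-02-01T10:20:00Z", "AssumeRole", STS + "Admin/alice", "198.51.100.7", STS + "Backup/alice"),
    ev("2025-02-01T10:30:00Z", "ListBuckets", ACCT + "bob", "192.0.2.44"),
    ev("2025-02-01T10:50:00Z", "ListBuckets", ACCT + "bob", "203.0.113.10"),
]

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, max_km=600, window_min=30):
    """(principal, ip_from, ip_to, km, minutes) for same-principal hops > max_km apart in < window_min."""
    hits, key = [], lambda e: e["userIdentity"]["arn"]
    for arn, group in groupby(sorted(events, key=lambda e: (key(e), e["eventTime"])), key):
        prev = None
        for e in group:
            t, ip = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")), e["sourceIPAddress"]
            if prev and ip != prev[1]:
                km, mins = haversine_km(GEO[prev[1]], GEO[ip]), (t - prev[0]).total_seconds() / 60
                if km > max_km and mins < window_min:
                    hits.append((arn, prev[1], ip, round(km), round(mins)))
            prev = (t, ip)
    return hits

def role_chain(events, leaf_arn):
    """Walk assumedRoleUser.arn back through AssumeRole records to the originating principal."""
    parent = {e["responseElements"]["assumedRoleUser"]["arn"]: e["userIdentity"]["arn"]
              for e in events if e["eventName"] == "AssumeRole"}
    chain = [leaf_arn]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]  # originating caller first
```

On the constructed data, alice's London-to-Delhi hop in 12 minutes is the only impossible-travel hit, and it is the same hop that starts the user -> Admin -> Backup role chain, which is the kind of correlation the notebook's attack-path view is meant to surface.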
- Deep-Fake Detection Benchmark — fake-or-real-2025 (CC-BY 4.0)
Content: 400 media files (200 synthetic, 200 bona fide) covering audio, video and still images.
Ground Truth: Frame-level labels; files signed with CRYSTALS-Dilithium and hashed to sigstore/rekor.
Challenge Top-Line:
- Best submitted model: 97.4 % accuracy, 2.1 % false-positive rate
- Median inference time: 0.8 s per 10 s clip on RTX-4090
Leader-board remains open; results auto-update via GitHub Action.
- Wireless Mobile Imager — air-ff-q v3.0 (BSD-3)
Enhancements:
- iOS 18 & Android 15 support
- Post-quantum signature per acquired block
- AFF4-L streaming into S3-compatible bucket
On-Air Demo: 14 audience devices; average throughput 3.5 GB/min; cryptographic log verified in 1.4 s.
- Corporate Insider Workflow — insider-pipeline (MIT)
Stack: Velociraptor + YARA + one-class SVM.
Data: 90-day Windows logs (470 M events, anonymised).
Metrics: 92 % TP, 0.7 % FP at 5 % attack prevalence; notebook included for replication.
- Creative Thinking Canvas — dfir-canvas (Creative Commons)
One-page A3 template that converts MITRE ATT&CK tactics into “How-Might-We” questions; adopted by 19 agencies for brainstorming.
- Combined Metrics
- Unique live viewers: 9 400
- GitHub stars (60-day window): 2 147
- Independent forks confirming results: 71
- Community pull-requests merged: 94
- Post-quantum signed artefacts: 1 847
- Reproducibility
Single-command meta-repo:
    git clone https://github.com/inform-2025/inform-2025
    docker compose up --profile full
    make audit   # regenerates CSV and cross-checks hashes
- Future Work
INFORM 2026 will add a live quantum-safe CTF and a drone-forensics track; CFP opens 1 November 2025.
- Conclusion
By replacing slide decks with live pull-requests, INFORM 2025 delivered an auditable, vendor-neutral toolkit that satisfies multi-jurisdiction evidence rules, post-quantum integrity standards and real-world performance baselines. Continuous peer review and open data will be critical as synthetic media and cloud-native attacks reshape digital investigations.