April 2020 - Edition I

President’s Letter – Todd Shipley, HTCIA International President

Hello HTCIA Colleagues,

The changes in our collective lives has had an affect on your HTCIA as well. Your international office and the IEC have been able to rapidly respond to those changes. Some of the things we had in place prior to the Corona Virus outbreak and some things like the Canadian Cyber summit move online caused us to re-evaluate how we conduct a conference. We hope everyone is doing well and following your countries guidelines for self-isolating and distancing.

Overview on the Newest Apple File System (APFS) – Hoyt Harness, Magnet Forensics

Executive Summary

The Apple File System (APFS) is the latest file system to come from Apple, Inc. for their family of Macintosh computers, as well as iPhone, iPad, Apple TV, and
Apple Watch. It supersedes the aging Hierarchal File System Plus (HFS+), adding many significant new features found in other modern file systems such as ZFS or XFS, including Copy-on-Write (CoW), encryption, and cloning. The purpose of this paper is to provide a high-level overview of some of the more prominent APFS features of interest to digital forensic examiners working with APFS-aware tools. HFS+ is referenced where appropriate to illustrate the differences found in the two file systems. To keep the exploration reasonably brief and focused on APFS, it is assumed the target audience has a fundamental understanding of HFS+ and its associated structures, i.e. volume header, allocation file, catalog file, etc. Where APFS structures and functionality
overlap or duplicate HFS+, explanations may only include common definitions when they are appropriate for clarity of discussion. Otherwise, it appears APFS has more in common with other UNIX-like file systems than it does with HFS.

About the Author

Hoyt Harness is a retired sergeant with the Arkansas State Police with over twenty-three years of experience between two separate agencies. In addition to cyber and digital forensics positions, he has served as an undercover narcotics investigator and a SWAT sniper for both state and local law enforcement agencies and a federally deputized task force officer for multiple U.S. Government agencies. He was assigned to FBI’s Innocent Images National Initiative (IINI) Task Force in 2001 investigating technology-facilitated child exploitation and Internet crimes against children. In 2003, he was tasked with establishing Arkansas’ Internet Crimes Against Children Task Force (ARICAC) and acted as the state’s first ICAC Commander for several years. He worked diligently helping other state and local agencies develop a technical and tactical capability to address cybercrime and the victimization of children via technology during that time and later. Harness is currently a Forensic Trainer with Magnet Forensics.

How a High-Tech Crime Unit Leveraged Their Intranet – Kelly Batke, Thought Farm & Sgt. Brandt Watkins, Vancouver Police Department

In the world of Digital Forensics and Cybercrime, it takes a certain type of skill and knowledge to combat criminals who leverage technology like mobile phones and computers. At the Vancouver Police Department, these officers work in the Digital Forensics Unit and Cybercrime Units (DFU and CU).

The DFU provides digital forensic assistance and computer forensics on devices, while the Cybercrime Unit provides online and internet investigative assistance to members of the Vancouver Police Department. Investigators from the DFU and CU examine any computers and/or mobile devices that may have been used as a tool to commit a criminal offence, or to store information storage related to a crime and report their findings back to the VPD.

New Money Laundering Typologies in the Fight Against Money Laundering by Means of Virtual Currencies – S. Visser, Anti Money Laundering Center, De Bilt, Netherlands


Since 2013 the Financial Intelligence Unit (FIU)1 has seen a variety of reports from banks of unusual transactions with more or less the same commentary: ‘Not normal account behaviour: the client receives large amounts of money originating from bitcoin exchanges. The client then withdraws those amounts immediately. There is no apparent economic necessity for doing so. The account shows a number of bitcoin sales but no purchases.’ Three investigation teams from the FIOD (Fiscal Intelligence and Investigation Service) and the police investigated this behaviour. Their conclusion: all of these persons are bitcoin traders helping criminals to launder money. The investigation teams also observed another phenomenon: the bitcoin mixer. Both the trading of virtual currencies such as bitcoin and the use of a mixer of virtual currencies have since been validated as money laundering typology. This article examines the phenomena of ‘bitcoin trader’ and ‘bitcoin mixer’ and how they relate to money laundering. It concludes with new money laundering typologies for the purchase and sale of virtual currencies.