The table of contents is done!  Or at least the tentative table of contents is done.

You'd figure that a table of contents would be the easiest thing to write for a nonfiction book, but not only is it not the easiest, but it changes as you write.  I've learned that a good plan for a table of contents helps keep the book focused, but I also learned that as you research, you either add or subtract to the original plan.  Some of the book has been started as well, but the table of contents is what I want to get out for a few reasons.  One, build your interest in cryptocurrency investigations and get you excited about the book, (2) get input if you have it on what you would like to see in the book, and (3) check if you have interest in contributing to the book process.

• Introduction
  • You should maybe get started learning this sooner than later
  • Eventually, every case where money is involved will involve cryptocurrency
• Chapter 1 - Money
  • Currency
  • Physical money
  • Virtual money
• Chapter 2 - Money Laundering
  • Traditional methods (simple to complex) with physical money
  • High tech methods (simple to complex) with virtual money
• Chapter 3 - The Blockchain
  • It is not just for Bitcoin
  • Blockchain is a big deal
• Chapter 4 - Wallets, Exchanges, and Transactions
  • How to use cryptocurrency
  • How cryptocurrency changes everything in money laundering investigations
• Chapter 5 - Anonymity and Cryptocurrency
  • You are not anonymous when using cryptocurrency
  • You are anonymous when using cryptocurrency
  • The Dark Web Markets and Cryptocurrency
• Chapter 6 - Cryptocurrency Investigations
  • Device forensics (artifacts)
  • Forensic tools
  • Tracking transactions on the Blockchain
  • Seizing wallets
  • Identifying the owner of a cryptocurrency wallet
  • Legal issues
• Chapter 7 - Case Studies
  • Money laundering related crimes
  • Terrorism
• Chapter 8
  • Putting it all together
  • Tying suspects to wallets and devices
  • Tying suspects to cryptocurrency transactions
• Summary
• Appendix
  • Everything we can put together as resources for you!

We have a general idea of how long each section will be, but won't know until we write it.  So one chapter may be way longer than another simply because there is so much to discuss.  Don't worry about being overwhelmed with cryptocurrency information as this book is for you, the practitioner, the investigator, and the trier of cases.

There is one request (or offer, depending on how you look at it):

If you ever thought of writing a book, or contributing to a book, but wanted to dip your toes in first, this is an opportunity.  I have a handful of crypo cases worked and Tim has more than a bit of research into cryptocurrency investigations.  I already have a few offers of case studies and research that I will be taking people up on; however, if you have interest as a contributor, email me (This email address is being protected from spambots. You need JavaScript enabled to view it.).  Whether you'd like one of your cases featured in a case study, share some things you did in a case, or share some research findings, we are open to all.  That what we use is credited directly to you in a peer-reviewed, tech-edited, professionally published digital forensics book.  

On case studies you may want to use, I am way familiar with police cases, privacy, and legal restrictions on public disemination. I am also aware of public records laws and if you have a case to talk about, I can easily formally receive a copy through public records and be able to talk to you about it without worrying of releasing any information that should not be released.

On research, if you have done some work already, we're glad to incorporate part or whole, as you would like seen in the book.

Our goal is not fame or fortune, but to write the best book on a topic that will be red hot sooner than you think.  But if you want to be famous...get ahold of me. I'll put in you in the book :)

Two books in the works.

In between the adventures in life and work, I have been busy with writing.  One, a fiction book, is expected to be in print next year (all on the publisher's schedule).  It’s an exciting book and sure to grab your attention. More on that sometime later.  The second book is another nonfiction forensics book, Bitcoin Forensics ?.

There were a few topics I wanted to write about for my next forensic book; however, considering the recent cases involving cryptocurrency, Bitcoin Forensics is at the top of the list.  A couple of points on the book before you make an assumption about what the book is or is not:

1. The book is not anti-cryptocurrency.  In fact, this book is pro-cryptocurrency not only as use as a currency, but as an investigative target for investigators when following the money.

2.The book will not be about only Bitcoin.  The book will cover cryptocurrency in totality of all-the-coins, to include the major coins (Bitcoin, Ethereum, etc…) and the Altcoins.

Like my other books, it will be written for the practitioner, the investigator, and the court officer with duties of trying cases involving cryptocurrency.  Our goal is to write a book that you can read and put to use on day-one.  Oh yeah, did I say “our”?  I sure did.  Tim Carver is my co-author.   If you know of Professor Carver, then you know that you will be learning all you need with the investigative aspects of cryptocurrency in your cases.  Additionally, we have a few contributors (and on the lookout for more!) that have either conducted extensive research or have conducted successfully cases with cryptocurrency as a money laundering aspect of their cases.

I have one confession to make.   Some time ago (a few years?), Tim asked for my opinion on cryptocurrency and money laundering with criminals.  At the time, I said that I believe it may be years before the common criminal uses cryptocurrency for money laundering simply because of the technology.  “Blockchain technology” is not something that everyday meth dealers may be knowledgeable about.  The other obstacle I thought was that converting physical cash into digital cash is not that easy.  On the other end of the criminal spectrum is the DTO (drug trafficking organization). The amount of physical cash generated alone is enough to prohibit converting into digital cash.  I just didn't see cryptocurrency being a major criminal investigative aspect.

But here comes 2017...  I’ve seen more than a few cases in the news of BILLIONS of dollars being laundered. On top of that, after doing research on cryptocurrency for over a year (talking to Tim generated an interest to test theories in cryptocurrency) and coincidentally getting a case with cryptocurrency being a central target in the case….I think I was mistaken.  Cryptocurrency has come and will eventually be part of every criminal investigation that has any financial aspect.

So, there you have it.  The inspiration of the book came from Tim Carver calling me to ask my opinion, a year of research afterward, a cryptocurrency case to figure out, and finally me asking Tim to co-author a book on it.

If you have conducted a cryptocurrency case or done research into cryptocurrency, and you want to be in the book as a contributor (named or unnamed), This email address is being protected from spambots. You need JavaScript enabled to view it. right away.   If you want to be a bigger part of the book, that is a possibility as well.  Email me and let’s talk.

Until then, expect the book to be in print (or on your mobile device) in 2018.  Cool book topic, and probably one of the most relevant subjects for the years ahead in forensic investigations, both in the criminal case world and private sector engagements.  Don't believe?  No worries.  You will soon enough, just like I did.

I’m big on privacy, even though I know that practically, the only information that is private today is that which (1) only you know and (2) does not exist anywhere outside your head.  Everything else can be had one way or another, by hook or crook.  Most personal information we willingly give away, such as our date of birth when signing up for “free” online services.  Other personal information we are required to give in order to abide by laws, such as applying for a driver’s license.                         

I’m also big on de-anonymizing criminals.   Supporting privacy efforts while at the same supporting de-anonymization efforts is contradictory, but realty. If you have ever been a victim of a crime where the criminal got away with it, you probably feel the same.  Both aspects contradict each other, where I want to have individual privacy but at the same time, I want to be able to de-anonymize someone who is committing crimes facilitated with technology.  What a dilemma...

I tend to focus on de-anonymization of criminals more since we are on a never-ending trend of breaches, hacks, and theft of personal information, let alone crimes against persons using technology. Two of my books were solely focused on the topic.  During presentations on the subject, I have regularly been questioned on “How do I…” in this case or that case from investigators* looking for the magic bullet.  Given just a 15 second brief of an investigation that has been ongoing for months, my typical answer is – the answer is there, you just have to find it. 

Secret Tip: there is no magic bullet until there is one.

The magic bullet in almost every case is a mistake made by the suspect.  An oversight.  An error.  A bad decision.  Or just plain ignorance.  All on the part of the suspect.  But a mistake by itself is not enough to crack a case.  You, the investigator or the analyst, need to catch that mistake.  You have to look for it constantly.  You have to expect to find where the suspect made the error because if you don’t have the intention to find the criminal’s mistakes, you will not find them.  That is when you find the magic bullet to solve your case, by looking for it and not hoping it drops in your lap.

When you do find the break in an analysis or investigation, everything becomes clear and appears to be such an easy thing that you wonder why you didn’t think of it before.  The fact is, finding the errors is not always simple or easy.  The little mistakes are usually hidden in tons of data and easily overlooked.  Sometimes the answer is plain view and no one sees it. Even when you find the suspect’s mistake, if you do not recognize it for what it is, you will quickly pass it and keep looking without realizing you could have solved your case a few minutes prior.

The steps in finding these mistakes made suspects are:

If you don’t have #1 above, then #2 and #3 won’t matter since you won’t be able to identify the evidence or clues you need.  The first things I do in any case is determine the goal or goals. Sometimes the goal is either dictated by someone else or it is obvious.  If the goal is not dictated or obvious, you have to identify the goal or again, step #1 is useless which renders #2 and #3 just as useless.

When you work with these 3 steps, the 6-Ws naturally come up in the case (the 6-Ws: who, what, when, where, how, why).  You need the above 3 steps as your foundation to actually work a case in order to get to the 6 Ws.  Focus on the 3 and the world is yours.  A tip: not everyone does this.  Many many examiners/investigators/analysts simply collect data without reason other than to collect data with the hope the case solves itself.  Don't be that person.

When I was a new investigator, it seemed that every case I received was like Groundhog Day.  No case was like the last, no evidence was consistent among the cases, and the goals were sporadic (other than “find the bad guy”).  Basically, every day I was starting over as new in each assigned case. In time, I learned a few things from experienced investigators, other things I learned the hard way.   In more than one case, I would be given a hint or a tip that would put me on a path to close a case.  A question as simple as, “Did you try this?” or “Did you look here?” was all I needed to plow ahead.  Sometimes, i would figure out an easy way or more effective means of gathering information and intelligence.  Many training courses focus on the technical means, but not the thinking part.  It's nice to know how to recover deleted event logs, but why? If you don't know why you should do it, you won't get anything out of it because you won't see the clues.

In cases with electronic media, the process is the same as in any investigation you have, whether it is a criminal or civil case (or even an internal corporate matter).  Define the goal so you know what to look for, know where to look, and figure out how to look for it.  Apply this to every case and incident you have and your case closure rates will be much better with less work.

For example, a case involving an unidentified cyber-criminal who is ‘hiding behind the keyboard’ clearly means that the what is anything that ties directly to the criminal.  The specifics of the what is important. The where depends on what you have to work with.  Perhaps you have an email, or network traffic, or maybe even physical media.  Somewhere in that data is the where and you need to know in what part of that data you should be looking.  The how is maybe the easiest part.  Maybe you need to look at metadata, or reverse engineer a file, or simply recover a deleted file.  That’s the manual labor part.  You need to work the brain part first, otherwise the labor will be for nothing.  

Recent cases in the news have shown that this method of investigation works on the most difficult of cases.  I must stress that when you see that a major case was solved by the simple piece of evidence of identifying an email address, that this is not so simple.  Every case has at least one error that was made by the suspect, and to discount looking for that mistake is a mistake on your part.

Any case where the article states that, “Oh, the case was easily solved because the suspect forget his email was in the code” seriously discounts the effort of the investigator who took the time to know what to look for, where to look for it, and how to look for it.  Cold cases are solved the very same way.

It’s not the size of the dog in the fight, but the size of the fight in the dog.

This is what I have been teaching for almost 20 years now.  I believe that anyone from any place in any job with any education level can be a superb investigator.   I have met young investigators from small towns who can run circles around someone with 10 times their experience and education in the largest agencies because they apply the foundation principles of what it takes to solve a case.  Once they learn the how of digital forensics, they are just as effective in the digital world as if they were working a street corner robbery.  It’s not a diploma, or a certificate, or a coin in your pocket that makes you good.  You make yourself good.  If you happen to collect some tokens along the way, add them to a shadow box, but bragging about having certs has no weight if you can't work a case.

Another benefit of getting the investigative skills down is that you can apply it to other areas and other types of cases.  If you have the desire and can finesse the skill, you can run with the big dogs in working any type of case.  I truly mean that in every sense.  My first investigator duties, after being a patrol officer, was a narcotics detective.  I used the skills learned in narcs to solve murders, uncover and disrupt organized crime groups, identify terrorists, and work all types of crimes involving technology.   

Be prepared that when you start solving cases by finding the “easy” things, that those around you will call you names, like lucky or you only solved the case because of a suspect's mistake. Just smile and carry on.  After enough cases, you won’t be called lucky anymore; you will be called good and that is the goal: be good at what you do. 

* I use the term “investigator” to apply to anyone who has the job to find information, curate into intelligence, on which assumptions, conclusions, and judgments can be made.  That means a police detective, federal agent, incident responder, or forensic examiner.