Volume 2, Edition 1 - 2021
In This Issue...

  • President's Message
  • Member Submission: Your Guide to Discussing TSCM with Management
  • 2021 Call for Proposals
  • Member Submission: Spot fake locations stored inside mobile phones with Data Validation: Why only using an application to track user movements is simply not enough
  • Gold Annual Sponsor: Skopenow Webinar hosted by HTCIA New England Chapter
  • New On-Demand Training
  • 2021 International Awards Nominations
  • Member Submission: Digital Footprints
  • Platinum Annual Sponsor: Analyzing Videos With Multiple Video Streams in Digital Forensics
  • Member Submission: Using Maresware to Validate Forensic File Hashes
  • HTCIA Jobs Bulletin - Recent Postings
  • Shop for a Cause on Amazon Smile
  • New Feature! Digital Footprints
  • Upcoming Events
President's Message
Hello HTCIA,

2021 is here and hopefully this will be a very different year than 2020. We all have a lot of things to look forward to in our upcoming year. HTCIA is moving forward with our conferences. The Canadian Cyber Summit will be online and run similar to last year's summit. The International conference will be a hybrid conference this year. It will be both a physical conference in Phoenix, Arizona and an online broadcast of the training. We are excited about getting back to traditional training methods as well as incorporating our new distance learning methods. Our sponsor to make the conferences happen, so please connect with them all and support their products.

2021 HTCIA Call for Proposals
The 2021 Call for Proposals for HTCIA's 2021 education offerings is open!

New this year - speakers can submit a single proposal form for a wide range of speaking opportunities. Each submission will be considered for:
  • 2021 HTCIA Canada Cyber Summit
  • 2021 HTCIA International Conference
  • Chapter Meetings and Conferences
  • Pre-recorded content for Training Portal

Those interested in presenting to the HTCIA membership and stakeholders should indicate their preferences on the form. Additional information about the 2021 call for proposals can be found online here.

The first deadline to submit proposals (to be considered for the Canada Cyber Summit and Q1 chapter meetings) is March 15, 2021.
Your Guide to Discussing TSCM with Management

By Kevin D. Murray, CPP, CISM, CFE, CDPSE

TSCM is an important brick in the security wall. However, in many cases, management isn’t aware (or convinced) the expenditure for periodic inspections is necessary. Further, many security professionals lack the knowledge to comfortably explain TSCM to management, so they don’t.

This is your instant education. These are the questions management frequently ask, and your answers!

  • What is TSCM?
  • Why should we do this?
  • What are the benefits to our organization?
  • What are we protecting?
  • Do we legally need this type of security?
  • What areas should be inspected?
  • Why Outsource to a Specialist instead of Doing This Ourselves?
  • Finally, management says, “I agree, this is smart. What’s the process?”

Spot fake locations stored inside mobile phones with Data Validation: Why only using an application to track user movements is simply not enough

By: Nicola Chemello, CEO, Securcube srl.

Geoposition is useful to track a cell phone user's movements, and today every enabled smartphone is capable of saving its exact GPS position with the high accuracy of a few meters.

This useful information is often used in criminal cases to prove or disprove alibis. In fact, there are several powerful digital forensics tools that allow data extraction from mobile phones, that are also capable of recovering some deleted contents.

The old school digital forensics examiner, focused on evidence integrity by preventing any change to a suspect’s phone, tries to extract all it can, and then locks that information with what are called HASH functions to securely save it for the courtroom.

HTCIA Gold Annual Sponsor Event!

Date: Wednesday, March 24
Host: New England Chapter
Speaker: Jake Creps, Product Manager
Description: Skopenow shows you manual investigation techniques for discovering fraudulent product listings and seller accounts. Learn how to expand your investigation and discover locations, phone numbers, email addresses, and other social media accounts from marketplace listings.

New Programs Available in the Training Portal!

Check out the most recent programs uploaded to the HTCIA Member Training Portal! This great benefit is available to HTCIA members only.

  • YARA Rules - Why They Matter: During this presentation and demonstration, Professor Hosmer will provide an overview of YARA Rules and demonstrate how to employ them to perform malware searching and the identification of compromise.
  • macOS Forensics - Avoiding the Gotchas: Bruce Hunter of BlackBag provides an in-depth look at macOS "on-scene" best practices, MacQuisition, the BlackBag and Cellebrite merger, as well as a look to the future regarding potential impacts of Apple manufacturing their own Mac processors from a forensic perspective.
  • Digital Forensics in the Cloud: This talk/demonstration will discuss the basics of moving forensics to the cloud, examine the advantages of cloud forensics, and review the security/evidence considerations necessary to conduct investigations. We’ll also briefly run through a mock investigation from loading images to processing automated reports and visual timelines using the Truxton forensic platform.

Log in and check out all the great content today!
HTCIA Annual Awards Nominations Now Open!

Lifetime Achievement Award

The Lifetime Achievement Award recognizes an individual who has made substantial and sustained contributions to HTCIA and the Investigations community. Nominees must meet the following minimum requirements to be accepted:

  • Seven years of good standing membership in the HTCIA and;
  • Made a significant contribution to the goals of HTCIA.

Case of the Year

The Case of the Year award recognizes a group or individual who investigated a significant case in their jurisdiction. At least one of the participants (investigator, forensic examiner, attorney, etc.) in case must be an HTCIA member. Factors considered for selection:

  • The case was regional, national, or International in scope;
  • The case established an important legal precedent;
  • The case involved significant expenditure of resources (manpower, funds and/or technology);
  • The case resolved a particularly violent offense;
  • The case involved a significant dollar loss;
  • New technology or techniques were expended to resolve the case

More information and directions to nominate are online here. Award recipients will receive complimentary meeting registration and travel to the 2021 International Conference in Phoenix, AZ!
Analyzing Videos With Multiple Video Streams in Digital Forensics

Whether a digital forensic investigator or a corporate cybersecurity analyst, everyone works with media files. One particular issue of video forensics is connected to the trick when an illicit content is hidden inside something called 'secondary video stream'.

A typical video contains a single video stream for visuals and one or multiple audio streams for various sounds. Having multiple video streams is quite unusual and suspicious.

In a digital forensic case, multiple video streams in the same video file may mean a situation when CSAM content is hidden inside. That's why it is vital to have a quick way to distinguish and analyze such files.

Using Maresware to Validate Forensic File Hashes
By: Dan Mares, Atlanta Chapter

The reason I decided to put this document together is that a few days ago, a very intelligent forensic investigator said his co-workers had asked how to easily use hashing software to compare hash values from pointA to pointB. His exact quote is/was "A colleague did ask if we can get the tool just to hash source and hash destination, comparing differences without any copying."

So I got to thinking. I know, its bad for the health. But I was thinking about how many others might at some point wished they had a simple program or process to do just that. I realize that the large suites can compare hashes, but that involves creating a case, loading the data, etc. etc. etc.; and other hashing software (remember to read my hash test article) can compare the source and destination, but usually that involves copying process, and/or installation of the software. So what about a simple, process or batch file (thats a script for you millenials) that could do this routinely.

I discuss how to validate and/or compare hash values using a number of different Maresware programs. Don't be overwhelmed at the descriptions or processes. Because they are generic, they can be re-used and modified easily. Know full well that in my previous life, I actually taught internal auditors how to use the software efficiently. So you should have no trouble learning its process.

Also, I remind the reader that the operation of the software used in these descriptions: (hash, hashcmp, disksort, total, compare) is extremely generic and can (and has been) be used to process other types of data which an analyst, or investigator might generate in day to day operations. So when reading the capabilities of the software, don't restrict your thoughts to merely matching hash values.

Call for papers for BelkaDay Europe

2nd Online DFIR Conference by Belkasoft is coming soon! 

This year the Belkasoft team invites you to share your expertise on digital forensics and incident response with your colleagues from all over the world. Belkasoft welcomes proposals from DFIR experts until March 1, 2021. Learn the details on BelkaDay conference page.

Belkasoft team is looking forward to hearing from everyone who has a great topic to share. The success of the conference will be joined with your contribution.
HTCIA Jobs Bulletin!

Have you checked out the HTCIA Jobs Bulletin lately? Several new positions have recently been updated. If you are seeking qualified candidates, submit your posting to the page here.

The HTCIA member community also hosts a Jobs and Employment Circle, for those seeking new opportunities or promote openings in their organization. Check out the circle in the member portal!
HTCIA is now registered as a charitable organization with Amazon Smile! Next time you shop on Amazon, make sure HTCIA is selected as your charity partner. HTCIA will receive a percentage of your purchase total. The donations will help fund special projects, such as our new scholarship program! Start shopping today.
Digital Footprints

Member updates! Share your professional updates with HTCIA to be published here in the newsletter and shared with your colleagues.


Sgt Brandt Watkins, Vancouver Police Department retired in May 2020 and has moved to the Real Estate Council of BC to serve as a compliance officer.

Reply to our office with your updates for the next newsletter edition - contact@htcia.org.
Upcoming Events
Investigations in Europe following Brexit - Hosted by NY Metro Chapter
Date: February 24, 2021
Time: 11:00 AM-1:00 PM EST

Panelists include:
  • lyana Bardyn Chair, International Law Committee, NY Bar Association
  • Sophie Beattie | Consilio Director - Forensic Investigation and Expert Witness Services
  • Denise Backhouse - Littler Shareholder -eDiscovery Counsel

More details to follow!
Introduction to NC3: National Cybercrime Coordination Unit (RCMP)
Date: March 9, 2021
Time: 6:00 PM EST

France Thibodeau will join us to give an introduction to NC3 (National Cybercrime Coordination Unit) of the RCMP to share with members as to what NC3 does, what is Cybercrime, and who Cybercrime affects.

Open to all HTCIA members!