Forensic Fix

Forensic Fix Episode 26

Episode Summary

In this episode, Matt AKA Billy Humphries, a blockchain and cryptocurrency investigations expert, shares his extensive journey from traditional law enforcement to digital forensics and crypto intelligence. Discover how technology has evolved in investigations, the current state of crypto artifacts in digital forensics, and why agencies must adapt to stay effective in a rapidly changing landscape. If you want to be sure you are up to date with the latest in DFIR, don’t miss an episode!

Episode Notes

Key Topics:

• Matt AKA Billy Humphries' career journey from law enforcement to crypto investigations
• The parallels between mobile phone and crypto adoption in investigations
• The current maturity level of cryptocurrency artifacts in digital forensics
• The importance of mindset and proactive adaptation for agencies
• Practical strategies for integrating crypto into investigative workflows

Connect with MSAB on LinkedIn - https://www.linkedin.com/company/micro-systemation/?viewAsMember=true, Twitter (X) – https://x.com/MSAB_XRY and BlueSky - https://bsky.app/profile/msabcom.bsky.social

• LinkedIn: Matt (Billy) Humphries

Episode Transcription

Adam Firman (00:01.222)

Hello and welcome to episode 26 of Forensic Fix, a podcast brought to you from MSAB where we talk with experts in digital forensics, investigations and related fields. So I'm your host, Adam Firman, and today I'm very pleased to welcome Matt Humphries, who many of you will know better as Billy. Billy is a key member of the team at TRM where he works at the forefront of investigations involving cryptocurrency, blockchain intelligence and financial crime.

 

With a background that bridges traditional investigative practice and emerging digital ecosystems, he brings a practical insight into how investigators are adapting to an increasingly decentralized world. Billy works closely with law enforcement and investigation teams, helping them navigate complex crypto transactions, trace illicit funds, and turn blockchain data into actionable intel. His experience sits right at the intersection of technology, crime, and modern investigation strategy.

 

So Billy, I've given our listeners a small insight into your background and the work that you're doing at TRM. Before we dive into crypto, can you give us a bit of a rundown of your career path? For those listeners who may not be familiar with your journey, could you share more about your career path and how you found yourself working in the world of blockchain intel and crypto investigations? And welcome to the show, Billy.

 

Billy (01:24.012)

Yeah, thanks, Adam. Really appreciate it. You your kind words there and let's see if I can unpack 40 years in a couple of minutes. So basically, my career started back in 1988, actually, when I joined the Royal Australian Air Force as part of the Air Force Police. And my first interaction, you know, with really anything, you know, resembling technology, you know, in an investigative context.

 

was around about 1994. So we had a case involving some stolen RAM from a computer, which sounds pretty basic now, but at the time it got me thinking about the role technology was gonna play in investigations. So I thought, you know what, I might apply for a computer course, because this 1994, these computers, that might take off. So...

 

I did in the Air Force, I got onto a computer course, but instead of I got sent to a course where it was actually how to build a computer from scratch, not how to use a computer. So but in hindsight, that that turned out to be like pretty valuable. Around about 96 then, I left the Air Force and joined the New South Wales Independent Commission Against Corruption. And that mid 90s then was around the time when, you know, investigations there, they were starting to become a little bit

 

you know, more technically orientated. And so that's when I first leaned into, you know, what obviously back then was called, you know, computer forensics. So I did my first EnCase course in around about 1997. Like there was like three people on the course interested. Like that was like 3.1 or something. Yeah. Because before that it was like SafeBack and, you know, Norton Utilities and the like.

 

Adam Firman (03:05.102)

Well, what version of EnCase? What version of EnCase? Can you remember?

 

Adam Firman (03:13.52)

Wow.

 

Billy (03:18.38)

Not much else around. But that, you know, like, that was really my formal, you know, like, you know, this is the start of my formal journey. And then in around about 2000, early 2000s, for some family reasons, I ended up relocating to Queensland, and actually spent a little bit time running my own business. I was a licensed private investigator. But you know, that didn't last long, had to go get a real job again. So

 

I joined the Health Insurance Commission, which is now actually Services Australia, working investigations. So while I was there, early 2000s, I started to get more into sort of like the digital forensics space. So what I did is like I helped establish a national computer forensics capability, which at the time at Health Insurance Commission was like very early in adoption. Because we were effectively like building that capability from like

 

ground up like the tools, the processes, training, everything. But also, you know, and like many people who get into this technology and digital forensics, around that time, I started to think, well, if I'm gonna work in investigations and move into computer forensics, well, should I get a degree or something? Should I formalize my skills and obtain like some tertiary, you qualifications? So that's what I did. I enrolled in IT at Queensland University of Technology.

 

And interestingly, many years later, I ended up going back to QUT as a sessional academic, lecturing part time in digital forensics. was, you know, so inclined that it sort of some way it was went full circle for me, the QUT thing. Anyway, back to the back to the path. I'm saying I'm only now at about 2005. So I still got to get a bit to go through 40 years. So 2005, roughly around about then is when I joined the Australian Federal Police.

 

Adam Firman (04:57.702)

Yeah.

 

Billy (05:10.644)

as a digital forensic specialist. And that's really where I spent the bulk of my career. Because crypto, not crypto, but digital forensics really took off around about that time. As you can imagine, worked across all the usual crime types, serious organized crime, CTE, child exploitation. Because back then there was definitely an overlap between traditional investigations, cyber was taking off. But digital forensics definitely was becoming increasingly central to everything that we were doing.

 

Fast forward to about 2019, I was deployed offshore with AFP in the Asia Pacific region, you know, working out of many Australian embassies or consulates. And I was the regional digital forensic specialist. So that role, Adam, is focused on capability uplift, supporting like partner agencies, but mostly training in digital forensic cyber crime and it ended up being a lot of cryptocurrency investigation training.

 

because that's when we really saw around 2000 and no, sorry, 2021 roughly, you know, I was seeing around APAC out, you know, quickly crypto was becoming part, you know, of the investigative landscape. And then we finally get to, you know, where I am now in 20, September, 2022, actually, I left the AFP and joined TRM Labs where I'm currently the director of public sector relations now.

 

And I work with law enforcement and government agencies, as you mentioned, across APAC, basically just to help build capability in cryptocurrency investigations. But what I really love about part of my job now, Adam, finally on my career is that a big part of my role, almost now getting close to my 60th birthday, by the way, is supporting DF practitioners, helping them understand how crypto actually, you

 

shows up in their day-to-day work. So that involves mostly education, around the crypto artifacts and the like, and how to interpret those in investigative context. So ultimately, helping DF teams think of crypto not as a specialist area anymore, but as a standard part of modern investigations.

 

Adam Firman (07:20.922)

Yeah.

 

Adam Firman (07:35.504)

Yeah. And that plays that part for most investigations in digital forensics. Like back in my lab in law enforcement, we always had people who everybody understood Linux, for example, but you'd always have one person in the unit who would understand it that bit further. And the same with Mac OS forensics or phones. I suppose crypto is in that space that everyone can have a base understanding of it.

 

Billy (08:00.106)

Yeah, definitely. If you don't spend the time at it like anything, you rely on others, you know, and that's clearly what happens for sure.

 

Adam Firman (08:06.929)

Yeah.

 

Adam Firman (08:11.236)

And for those people who have never met Billy, I can certainly tell you he doesn't look like he's approaching 60, but I am gonna date you a little bit here with this second question. What was your first personal computer? Do you remember?

 

Billy (08:23.598)

Yeah, actually, now this is quite strange because I got my first personal computer around about 1998. So I would have been around about 32. So imagine getting your first computer at 32 years of age. Well, that was me. was actually my brother Michael actually was working, I think it was at Compaq at the time. And he managed to get his hands on a Compaq Presario.

 

I think it was like 2200 or something like that, was definitely a 386. And he actually brought it around to my place and he set it up for me. He was really into computers. And to be honest, I don't remember doing a lot with it. It just felt like something I should have. It looked pretty cool, didn't fully understand it, but I wasn't using it in any serious way, that's for sure. And I think mostly I just played a few

 

you know, games on it. But in reality, probably, you know, what I think looking back, you know, that period probably was where, you know, I was starting to learn everything about, you know, working with technology, that's for sure. And just having it in the house, you know, made me sort of think about, you know, computers from a technology perspective and law enforcement.

 

Adam Firman (09:48.955)

Yeah, and was there a particular investigation early in your career where it really clicked that being part of this technology sort of uprising and understanding the technology was going to become critical to investigations?

 

Billy (10:07.118)

Yeah, definitely. Not in 1988 though. Wasn't many investigations around then, but definitely there was one investigation in particular that it sort of, it started that journey. It was clear to me at that point how important understanding technology was going to become, not just like digital forensics in general. Because it was around 1996 or 1997 when I was working at the New South Wales Independent Commission Against Corruption. And the matter,

 

The matter itself I'm just about to talk about has been publicly reported. So I'm not talking out of school here, Adam. The investigation involved actually the New South Wales State Rail Authority and their procurement processes. And one of the areas I was looking into involved an IT manager who was responsible for rolling out new infrastructure and decommissioning some of the old equipment. So you can see sort of what's happened here. The allegation, you know,

 

was that instead of disposing of the equipment appropriately, he was actually diverting it and selling it privately for his own personal gain. So part of the investigation, we executed search warrants on his home, we located quite a significant amount of networking equipment, switches and other bits and pieces that looked like it had come from some large enterprise environment. Now he claimed that he'd purchased it from some various markets.

 

which didn't really align with what we were seeing though. So the challenge for me right there at that point, Adam, was how do I prove that this equipment was actually connected to the State Rail Authority network? That was what I was trying to do. This is back in 1997. And this work got really interesting because at that point, I had to very quickly start learning about networking, things like,

 

I remember first I heard of ARP, Address Resolution Protocol or reverse ARP. First I heard of DNS, DHCP, you know, MAC addresses. All of a sudden, all these concepts I didn't really know anything about, I had to try and learn. So look, I had to go down to the library, you know, I had to get textbooks out, I had to speak to IT specialists and yes, library for those young people. There was no Google in 1997, you know, trust me. So, yeah.

 

Adam Firman (12:01.2)

Yeah.

 

Adam Firman (12:04.762)

Yeah.

 

Adam Firman (12:28.078)

Yes, they don't understand, do they?

 

Billy (12:30.19)

That's right. So just trying to understand how our networks worked and how devices like communicated with each other. You can imagine trying to learn that from a textbook and do an investigation. So a lot of the equipment actually though, interesting enough was from a company called Nortel, which I think went belly up sometime after this, but we even went to the extent of sending some of the devices back to the manufacturer in Canada, right? Because what we wanted to do to them is get them to extract

 

all that like the MAC addresses and anything that I could then link to that network. Cause I was trying to prove that that was owned by the, you know, the State Rail Authority, but we ran into some challenges because, you know, some of the key components of the devices that actually being deliberately damaged by this guy, right? So the data that we're hoping to get, you know, we, we just couldn't recover it wasn't available. But despite all that, Adam, that the process itself was a real turning point for me. And this is,

 

that investigation alone, because it made me realise if you don't understand underlying technology, how systems communicate, how data moves, where artifacts might exist, from the investigator's point of view, you're gonna miss a lot of opportunities in any investigation. And sort of more importantly, I suppose, it made me realise that technology then, even in the mid-90s, it's not just gonna be part of some investigations.

 

it's going to be part of like almost all of them, you know. So that was really the moment, you know, when I decided, you know, if I was going to stay effective as an investigator, I had to lean into technology and not avoid it basically. And there's this saying that I really liked that I've always liked this saying about the steam roller of technology. Have you heard it? When, when the, when the, when the steam roller, you know, of technology,

 

Adam Firman (14:19.62)

No, I haven't.

 

Billy (14:25.624)

you know, comes rolling down, you know, the road and runs right over the top of you. You're either part of the road or part of the steamroller. I love that saying because for me, that was the point where I decided I needed to jump on. I needed to become part of the steamroller and just not be left behind on the road, if you know what I mean. So looking back, obviously now that sort of, you know, we're getting into the crypto in a minute, but that moment feels very similar to where we are today with

 

Adam Firman (14:44.261)

Yeah.

 

Billy (14:54.87)

with things like crypto. Like you might not fully understand it at first, but it's part of the whole environment that we're in now. And you have to engage with it because that's where the evidence is.

 

Adam Firman (15:08.348)

And very similar to you, Billy, and I think it leads us nicely onto crypto. I remember getting an investigation and it was intelligence received from one of the social media channels with illicit images that were being shared, but it resulted to a NAT address because IP addresses are running out. We're still running on old technology.

 

Billy (15:28.238)

Alright.

 

Adam Firman (15:32.839)

They build new apartment blocks and then obviously that apartment block's got the same IP address, but then it resolves down to port ranges. I didn't know anything about that, but I had to research it. I could have just, you have no choice, but to become that steamroller and to educate yourself and to prove theories. And in this industry, it's never going to stop because like you say, that steamroller is going to carry on with new and new technology. And you have to adapt and learn and

 

Billy (15:56.78)

Yeah.

 

Adam Firman (16:02.768)

be part of it rather than the road. So I love that analogy as well.

 

And how would you say, so moving into crypto, how mature is cryptocurrency as an artifact in digital forensics today? Are we early, mid or are we late stage to this?

 

Billy (16:23.662)

Yeah, I do actually think that's the real key question here. Because I think for me, the easiest way to frame it based on the fact that this is a digital forensics podcast is to compare it to something that we've already been through as digital forensic practitioners and that's mobile phones. So if you go back to around say 2000, right?

 

mobile phones were starting to become a little popular, but definitely sort of not common in investigations. You probably had somewhere around 10 to 12% of the global population actually using a mobile phone in a meaningful way. So at that point, computer forensics was still a very new discipline and mobile forensics from a law enforcement perspective didn't really exist. Maybe XRY I think released

 

you know, something or MSAB released the XRY around about 2004. There was a couple other companies, but you can imagine very early 2000, 2000, not a lot of mobile phones around. So if you fast forward like to today though, it's impossible to even think of running investigation without considering mobile devices, right? It's just like, it's part of the standard workflow. So I think of cryptocurrency as sitting in a very similar place right now.

 

Adam Firman (17:30.117)

Yeah.

 

Billy (17:52.43)

to where we were with mobile phones, say 20 years ago. As I said, 20 years ago, 10 to 12% of people were using them. Guess what? Globally now, roughly 10 to 12% are using crypto. That's a very, you know, like the statistics is very, you know, like paralleled there. So obviously depending on how you measure it, but it's definitely not everywhere yet, but it's far from rare. So,

 

I'd describe crypto from a DF perspective as being definitely at the early to mid stage, you know, because now it's very close to that inflection point, because now, you know, like, we're seeing that crypto is not just confined to one, like one crime type, definitely, you know, shows up across, you know, drug investigations and fraud, child exploitation. And that's really an important shift.

 

Billy (18:50.562)

But even if it's only present say in like one in 10 cases, the risk that it's not part of your workflow, it's very easy to overlook. So that's exactly what happened with mobile phones in the early days, because I was there. I was there when the phones first started arriving in the door. And there was a period where devices were being seized but not examined properly or not even examined at all.

 

because they weren't really seen as a critical evidence source. And that's where we're seeing the similar pattern right now with crypto. So it's often there, but it's either not recognized or it's treated as something that gets handed off to a specialist later maybe. That's if it's picked up at all. So from a maturity perspective, I think that

 

Adam Firman (19:23.418)

Yeah.

 

Adam Firman (19:44.048)

Yeah.

 

Billy (19:48.014)

We're also still working through the fundamentals. We're still looking for the key artifacts. Where do they live? How do we detect them? What are the tools doing? How do we interpret what we're seeing and all that sort of stuff? And importantly, it's the workflows. How are we integrating this into existing workflows? Because let's face it, often examiners are relying on the tools for the insights, which then the burden.

 

Adam Firman (20:07.366)

Yeah.

 

Adam Firman (20:11.376)

Mm-hmm.

 

Billy (20:14.998)

sorry to say, but it sits with the companies like MSAB to deliver, you know, and clearly at the moment crypto still sits slightly like outside of the standard digital forensics process. It's considered really additional rather than something embedded, but I think over the next few years, it's definitely gonna change quickly, Adam. And I think because of all the adoption, the more cases involved from using digital assets,

 

Adam Firman (20:37.03)

Yeah.

 

Billy (20:44.972)

It's going to become definitely less specialist area and more of a baseline capability. That doesn't mean obviously all DF members are going to become crypto experts overnight. That's for sure. But we're definitely in that transition phase. And historically, that's the point where capability gaps actually matter the most.

 

because the technology is already being used, but investigations and mobile response to the crypto is not fully caught up yet. Because the first place crypto often shows up is actually on a device. And if it's not recognized, obviously at the device level right there and then, well then it often is not being...

 

Adam Firman (21:15.185)

Yeah.

 

Billy (21:44.953)

picked up at all. Fun fact actually, in relation to mobile phones. Adam, I didn't actually get my first mobile phone till around 2001. So that was a Nokia 3310, for those who might have seen one of those in a museum. And that was really my introduction to mobile technology.

 

Adam Firman (22:06.78)

I remember those.

 

Billy (22:14.048)

at years of age. Imagine being 35 and you got your first mobile phone. So my understanding wasn't from growing up with it. You know, it was from something I had to learn and adapt to as part of the job. And so I think that's really a good parallel to where we are now with crypto. You know, because early on mobile phones weren't something that every investigator or DF member had, you know, like, and they definitely, but had to learn very quickly because it became

 

Adam Firman (22:25.958)

Yeah.

 

Billy (22:43.85)

unavoidable, you know, really. And I think we're seeing the same thing right now with crypto. You you may not be a specialist and it might not be the core focus of the examination. But, you know, as a DF practitioner, you definitely need to be able to recognise when it's present and understand what you're looking at. So if I had to dot point those, Adam, I'd basically say, yeah, we're at the early to mid stage, you know.

 

We're approaching definitely a tipping point though, like say around about 2010 with mobile phones, right? And now is really the time where like the agencies need to start treating it more as a standard investigative practice rather than something optional, you know, or specialist.

 

Adam Firman (23:30.076)

Well, you look back to early mobile forensic days and like you said, it was always a device would go into a forensic lab and it would come out and here's your calls, contacts and SMS. That was pretty much it. And that's where the investigation went. Just for the record, Billy and I are recording this a week after the MSAB digital summit where Billy did an amazing talk on crypto. But one of the other sessions that I want to relate to for this was Steve Bunting.

 

did a presentation on how the evidence of nothing can be something. Because he did an investigation where he pinpointed the fact that a device was being turned off was evidence in itself, because the device wasn't turned off. And it's all about thinking outside the box. Because like I said, when Mobile Forensics started, it was calls, contacts, SMS. Now we rely on movement of the device. Those are parts of what should be the workflow.

 

and so many other factors that sort of show pattern of life analysis. And any investigator out there listening would never ignore financial transactions from regular banks. Crypto should be no different. So it should be at the forefront of people's workflows as part. And I understand that investigations have to be refined. Digital evidence is huge. And if you went through

 

like back when you and I started looking at phones, they were minuscule in size and you could go through every piece. Now you can't, so you have to have a targeted investigation plan, but crypto should be part of that targeted plan.

 

Billy (25:08.854)

Yeah, you make some really good points there, Adam. And I think it actually reminds me of when I first had an issue with a job where there was some issue with location services, right? And, you know, there was an image on a phone and location services were

 

supposedly running and there was another image on the phone that was taken, you know, at least an hour away from the first one, but time wise, it was like five minutes away. And it had this dilemma, you know, like in 2010, where everyone was like, how could this be even possible? You know? So I had to do a lot of research, I, you know, like asked a lot of people, you know, like

 

did all the usual things by then, you know, like Google, you know, was up and running and didn't really help me. Anyway, cut a long story short, is that I discovered that if you take a picture of something with location service on, then turn location services off, right? And then travel an hour and then turn it on, turn on location services, but take a photograph in the first five seconds or seven seconds, right?

 

It takes a little while for location services to really get your true point. So when it takes the second photo, right, it actually thinks it's still in the first location. Right. So I actually, I actually stood in the middle of a baseball diamond. Actually, I remember that in Cumber in Queensland, where I was actually living, where my son actually used to play baseball, because I want to know exactly where I was and what I was doing. And that's, and that's, that's, I love that old school sort of like go out and, and try to explain the evidence by

 

doing something that makes sense to you. And that was basically, you know, one of those instances.

 

Adam Firman (27:01.04)

Yeah, I always found that if you're going to give testimony and about a digital artifact, if you've researched it and done exactly what you just said, it gives you so much more confidence to say to the best of my ability, that is my belief because of rather than say the tool told me.

 

Billy (27:18.926)

Yep.

 

Adam Firman (27:21.648)

So you spent many years in law enforcement and you now work in crypto intel. What has changed in how you see crime?

 

Billy (27:32.91)

Yeah, in many ways, Adam, this has been a really interesting like shift for me because you can imagine after 35 odd years in pretty much mostly law enforcement, going to the private sector was a big, you know, big step for me. But as far as, you know,

 

how I actually see crime differently. It's probably, it's less about seeing different crime, but more about seeing the same crime basically in a different way. Right? Because when you're in law enforcement, particularly when I was in DF, I would focus, you know, what's in front of me, you know, it's the artifacts. You know, I'm just looking at the artifacts. It's all mostly, you know, disk-based, you know, forensics.

 

I'm looking at device, I'm looking at any communications files and timelines and whatever, but I'm building that picture based on what I can extract and interpret right in front of me. like, look, that work was absolutely critical. But what I didn't fully appreciate more until when I moved into the crypto intelligence sort of space was just how much of the crime picture sits outside of the device.

 

Because in this case, when we're talking cryptocurrency, like that introduced to me a whole other layer, you know, which is the movement of some value, you know, like in this case, you know, we're talking a digital currency because that movement or that crypto movement is definitely like global. It's in like near real time. It happens across multiple platforms, you know, simultaneously. So

 

What changed for me is that I started to see crime less as like this static analysis or static investigation that became much more of a, like a dynamic ecosystem. So it's not, you know, what happened on the device anymore. It's like, well, where did the money go? You know, where did it come from? You know, how does that, you know, connect with everything else in the bigger picture? You know, like, so.

 

Adam Firman (29:35.706)

Yeah.

 

Billy (29:42.465)

What really, suppose the way I think of it is it gives you a very different lens, right? Because I'm not just looking at from that pure, you know, device perspective, you know, but if I do, that's important because, you know, like a lot of people on listening to this podcast, it'll be important for them to like identify that the wallet apps, like the seed phrases, you know, the transaction references, you know, but, but then if you just zoom out for a moment,

 

You know, what you then start to see is, you know, like maybe the networks, the flows, you know, the patterns of behaviour, you know, across multiple actors and the like. And I think that's probably the biggest shift for me is that more of a bigger picture. But it's definitely not the only one, Adam. Another thing for me is just getting a little bit more of a handle around speed.

 

And when I say speed, it's like, traditionally, when I was in law enforcement, you know, I'd watch the investigators do the financial investigations, and they would take years, right? Because often, the criminals would take years to do all their financial transactions, because, you know, the funds move through the banks and the financial intermediaries and all that sort of stuff. Because there's plenty of friction points. So things went a little slow. But with crypto now, what I'm seeing is that there's no friction. know, like funds move just full.

 

Adam Firman (30:41.968)

Yeah.

 

Adam Firman (30:51.408)

Yeah.

 

Billy (31:11.128)

you know, like across chains, multiple jurisdictions, you know, cross platforms, like a very short period of time. Like, so from an investigative perspective, you know, timing now becomes way more critical, right? You don't have that luxury of, you know, working on things, you know, over time and doing it slowly. You need to recognise things really early and act really quickly. So another thing that I,

 

Adam Firman (31:12.699)

Yeah.

 

Billy (31:40.835)

something that I think of when I actually think of my friend Nick Furneaux, who's written a book on investigating cryptocurrencies. And that he talks about, there's no such thing as crypto crime. And I don't see crypto as a crime type, right? It's an enabler. So I think that's where some of the misunderstandings that it comes from. People think of crypto crime as something separate.

 

Adam Firman (31:58.161)

No.

 

Yeah, correct.

 

Billy (32:10.072)

But in reality, it's embedded across all the different crime types. So the question isn't like, is this the crypto case? The question really is, is crypto being used anywhere in this case? And that's a mindset. That's a very different mindset. So the other thing that I suppose that's changed since I joined TRM is,

 

Adam Firman (32:24.732)

part of this case. Yeah.

 

Billy (32:38.988)

my understanding of like visibility, you know, because, you know, often I was only working with like partial information. You know, I just had a very small subset, you know, of something. But with blockchain data, what I learned very quickly is that there's a level of transparency that didn't exist for me before, you know, because I can now see the flow of funds. I can see data on a mobile phone, but then I can see how it relates to the flow of funds, you know.

 

Adam Firman (32:57.584)

Mm-hmm.

 

Billy (33:05.838)

I can trace the movement of it, I can identify patterns over time. Now that doesn't mean that the attribution is always easy, far from it. But it does mean that you have that extra level of context. And it's more open, a little bit more complex. And that complexity takes me to the mindset.

 

Adam Firman (33:20.826)

Yeah.

 

Billy (33:32.079)

shift. And that's probably the big thing I've already mentioned before. The mindset because when I was in law enforcement, crypto was often seen as something like it's new and it's still even now, even though it's been around for as it's still it's new, it's complex. It's a bit niche. You've probably heard all these terms and talk about it like that, Adam. But for me now, I just see it as normal.

 

Adam Firman (33:32.538)

Yeah.

 

Adam Firman (33:54.298)

Yeah.

 

Billy (34:02.214)

So, but not in the sense that everyone's gonna understand it, but in the sense that it's becoming part of the everyday investigative reality. You know, that's where I see it.

 

Adam Firman (34:06.192)

Yeah, so.

 

Adam Firman (34:13.212)

So why do you think cryptocurrency is still treated as a niche capability rather than being embedded in everyday workflows? Do you think it's because of that lack of understanding or scared?

 

Billy (34:26.478)

That's all those, it's probably a combination of things. Definitely that mindset that we were just talking about. I think for a long time crypto has been positioned as something like, it's highly technical, it's specialist, and even a bit intimidating, let's face it. And it's something that gets labeled. Because it's been labeled that way, it tends to get pushed into the corner.

 

And it becomes, we hear that saying, that's for the crypto person or that's for the specialist team. We all hear that. And what that means in practice is that it's not part of the default workflow. That's an issue. And I suppose to maybe timing, how it's been adopted.

 

Adam Firman (35:12.497)

Yeah.

 

Billy (35:23.704)

the timing of it into an agency. Like, because when mobile phones came in, it's like, bam, they were there, you know, there was a clear understanding, you know, and how it needed to be adopted. But crypto hasn't followed this like neat adoption curve. You know, it's, it didn't arrive, you know, clearly and with a defined and easy to understand and integrate, it sort of just appeared, you know, across, you know, multiple crimes in different ways and at different times.

 

So instead of being embedded, say systematically, it definitely was adopted like reactively. So when something gets adopted like that reactively, it definitely stays fragmented. It ends up with like this, you know, pockets of capability, you know, or individual expertise, but definitely not, you know, consistent, you know, integration. And then what that leads to is the confidence issue, as you mentioned, you know, like a lot of digital forensics practitioners, you know,

 

Adam Firman (36:01.319)

Yeah.

 

Billy (36:23.468)

As we know, they're extremely capable, you know, but if they haven't had hands-on experience with crypto, you know, tools or wallets, their level, their levels of uncertainty, you know, sort of appear, if you know what I mean. And that uncertainty definitely leads to potential avoidance. And look, that's not intentional. I'm not having a go at anyone. It's just the sense of that. Well, I'm not entirely sure what I'm looking at. So I'll focus on

 

what I do know. And that's completely understandable. But the risk is that, you know, the crypto like doesn't stand out as in an obvious way. It might just look like strings of characters or, you know, an unfamiliar app or a database entry doesn't immediately make sense. So if you don't have that baseline familiarity, you know, it's very easy to overlook. Yeah, particularly with

 

Adam Firman (36:56.486)

Yeah.

 

Adam Firman (37:17.222)

Yeah.

 

Billy (37:19.714)

Sorry, mate, but I was just gonna say, lastly, just particularly with digital forensics, right? Because of the role that digital forensics actually play, it's fundamentally a support discipline, right? So, you're working on the direction of investigation team where you're asked, extract this, examine that, look for these artifacts, and we do that in really, an excellent way, but the reality is if the investigation team isn't asking about cryptocurrency,

 

Adam Firman (37:29.937)

Yeah.

 

Billy (37:47.49)

there's a good chance we're not actually looking for it either.

 

Adam Firman (37:50.811)

Yeah. And like you say, it's investigators went out and did search warrants and they came across physical devices such as phones and laptops and hard drives. So of course they're going to seize them and they want them investigated. Crypto, yes, there's wallets and things, but people's understanding of it. And probably, like you said, that sort of the 12, 13 % figure means people aren't familiar with crypto, so they can't relate to it. Whereas

 

most other digital devices people can relate to because they use them every day, every hour of every day. So maybe it's part of that as well is that, you know, I was in law enforcement, so we quickly started learning crypto and set up syndicates and so got an understanding of it. But we're quite niche. Whereas if I spoke to my parents, for example, they'd probably see the press related to crypto and say, it's related to crime.

 

and they don't understand how it works. And I think that's probably the same experience for most of the globe, to be honest. And that's probably why investigators shy away from it because of that negative, it's crypto, it's got to be criminal activity, which like you say, it's not, it's linked to some criminal activity, but it's not a crypto crime.

 

Billy (39:13.065)

Yeah. Yeah. Yeah. And of course then, you know, what you then start to allude to is, is the organisational issue, you know, in that, um, you know, many agencies, you know, crypto capability, you know, it's been built, it's been built up as a specialist function. And as soon as you do that in law enforcement, that tends to mean something, you know, which, but it makes sense initially because you need expertise to develop a capability. Over time,

 

Adam Firman (39:34.278)

Mm-hmm.

 

Billy (39:40.814)

If that doesn't get distributed, it creates that dependency. And all of a sudden, that dependency becomes, well, maybe I'm not going to dabble into that area because it's obviously not that important. It's a specialist capability.

 

Adam Firman (39:53.733)

Yeah. And what would you say is crypto first thinking? What does it actually look like in practice for digital forensic examiners?

 

Billy (40:05.998)

Well, firstly, Adam, and I spoke about this, he'd mentioned I was on the webinar the other day, and I talked about some of this during that webinar, but.

 

I think the really important place to start is that when it comes to actual cryptocurrency, to be crypto first thinking, you know, it's not particularly, you know, about memorizing artifacts. You know, that's not the starting point, right? It's actually about understanding how people interact with cryptocurrency. Right? Because once you understand like the user behavior, the artifacts definitely start to make a bit more sense.

 

For example, when someone creates a sale wallet, right? On their phone, for example. One of the first things they're prompted to do is back up their seed phrase. Now, in practice, that doesn't just sit neatly in one place. We see all those seed phrases end up all across all sorts of locations, whether it be on notes or screenshots.

 

photos that get sent by email, sometimes ends up in a cloud backup or even in a messaging app. But so if you're approaching an examination purely on a checklist, then you're likely to basically miss things. Crypto thinking is definitely not about just checklists, but it's that understanding what the user is trying to do. Are they setting up a wallet? Are they like,

 

Are they securing their access? Are they moving funds? And at that point, you start to think, well, where would they have stored that information that I'm looking for? Or also, where has the file system or where is the operating system stored that information? And that's why hands-on experience is so important. Because without that practical understanding, it can be definitely harder to interpret what you're seeing because

 

Billy (42:15.862)

you don't have that like mental model of how these tools work or behave. Imagine trying to investigate or analyze Facebook and you've never even seen Facebook. Right? So from a workflow perspective, you know, the way in which I would typically approach is to start broad and then narrow in. And this is what I talked about the other day. For example, if I'm using say XAMN Pro, I'd start definitely with the, you know, the smart processing. Yeah, that gives you the ability to run the red.

 

Adam Firman (42:26.15)

Yeah.

 

Adam Firman (42:33.136)

Yeah.

 

Billy (42:45.282)

the pattern analysis, you know, across the data set. But in that context though, it's really important to understand what you're actually looking for, what you're searching for. Because, when you're dealing with things like wallet addresses and seed phrases, other crypto identifiers, you know, the effectiveness of your search basically is going to depend heavily on the regular expression you're using to pull out that.

 

that artifact. Now, for example, if you're looking for any, you know, are you looking for an exact match, right? Or are you looking for say, embedded, you know, like matches in larger strings? That's why sometimes MD5 values come up as a regular expression, because it's like, you know, like the crypto address is sort of part of the MD5. Or are you using something more sort of like context aware, you know, that reflects how data might actually appear on the device. There's different levels of

 

that DF members need to understand when they're using regular expressions. And because if you don't understand that, you can easily, you know, miss artifacts or, or, or, you know, on the flip side, you just get a lot of noise, you know, and that definitely slows you down. But once I've identified those, you know, those, you know, recognized patterns, you know, I can then start, you know, filtering the results. So this is, this is my idea of, you know, what's, what's crypto first? What's that thinking sort of look like?

 

Because what I'm after is those SQLite or Realm database files. That's what I'm looking for. Because many crypto applications, those databases store a significant amount of transactional information. So other things, if you're a crypto first sort of thinking type person, just some understanding of some very basic keyword searches. And this may sound a little bit crazy, but yes, just standard

 

keywords and there's this keyword that I talked about the other day called mnemonic, you know, starting with an N E O N I C. I always struggled to even spell that word, but you know, you search for that across, you know, a mobile phone and you'd be surprised what that picks up because that actually helps identify database files, you know, that contain that term. And, sometimes there's database files that actually have that in the file name itself.

 

Billy (45:13.472)

if there's crypto related artifacts. And so, but in many cases, those databases that are going to be encrypted, you know, but you know, they still even the partial information, it can still be definitely, you know, valuable. So another couple of things, you know, like another couple of words like history, for example, if you're thinking crypto, you know, then

 

you should be, you know, someone who's thinking, I'm going to look at history, just like you would look at normal browser history for any other type of job. So because if you, if you search for, you know, history in your XAMN Pro, you're going to get all the databases there, the history databases, then they're not encrypted. You can just look at those and have there, has there been any visits to exchanges or block explorers, you know, wallet services, transaction, you know, pages, other crypto related.

 

you know, websites. So that helps sort of like build, I'm starting to build, you know, a bit of context around the owner, you know, was, was actually doing on the, on the device. So I'll give you one more word and then, because obviously I can, you asked a question which is like dear to my heart and I can just keep talking, but I'm not, there's a time limit on this podcast, but there's this word that I often talk about called Toshi, right?

 

And, and probably some people are into crypto might know where that may have come from, right? Very. Yeah. Well, Satoshi. Yeah. Yeah. Satoshi, but Toshi actually was, was the original codebase used by the early Coinbase wallet. And that's the, that, that, that term Toshi just T O S H I still actually appears in a wallet, lot of like wallet applications and, even the underlying code.

 

Adam Firman (46:44.176)

From the founder or reported founder, yeah.

 

Billy (47:08.44)

So when I first started doing crypto real deep diving investigations, it's amazing how many things I found just by searching for Toshi. And it's not, because they're not limited, Adam, to like one application. There's MetaMask wallet, there's 1inch, Ledger Live, MyEtherWallet. What else? There's plenty of others. So, you know, like that's, it's not an obvious keyword, but.

 

If someone is searching for something like that, they're definitely at the, hey, I'm a crypto first, or I'm at least heading down that path to becoming looking for crypto artifacts.

 

Adam Firman (47:52.857)

And like we said earlier, finance is going to be involved in most investigations. It's going to be an element because we're going to look for proceeds of crime and things like that. So really running keywords for crypto sort of insights, it's not really a huge change to people's workflows, is it?

 

Billy (48:11.534)

No, no, definitely not. But it's all about, well, what sort of words, you know, like, what am I thinking when I'm thinking about, you know, am I thinking crypto at all? Because also, you know, you know, looking forward, you know, Adam in this space, you know, you might, DF members might not necessarily best be focusing on individual artifacts, they might need to think more of ecosystems, you know,

 

Adam Firman (48:16.762)

Yeah.

 

Adam Firman (48:23.579)

Yeah.

 

Billy (48:41.826)

decentralized activity, DeFi, decentralized finance, like cross-chain movements, non-custodial wallets, all this sort of evidence is becoming more distributed across devices and platforms and the like. So in that context, you may need to change up some of your search terms as to your understanding of the ecosystem.

 

Adam Firman (49:10.202)

And what would you say happens, if agencies don't adapt to this over the next sort of five years?

 

Billy (49:19.425)

That's a very tough question to answer, but I'll give you the world according to Billy. This is not the world according to anyone else other than just Billy. But it is a really important question. And it's the same, imagine going back to 2010 and talking to law enforcement saying, now, if you don't adapt to mobile phones over the next five years, what's gonna happen? Now we could all go back and think of that, but.

 

Let's have a look at some of the like, let's unpack maybe some of the risks here. Because this is not about, you know, keeping up with technology. You know, it's about keeping up with crime. Right? That's the first thing. So it and if agencies don't, you know, adapt, you know, over these next, you know, three to five years, there's definitely going to be some, you know, real risks. The first one is potentially incomplete investigations. So

 

If crypto continues to grow, which it will, and it becomes basically embedded into everyday activity, then investigations that don't consider crypto, then by definition, they're going to be incomplete, 100%. And also you're only seeing part of the picture, right? If you're not looking at the crypto, because sure, we can look at the devices and the relationships that are on devices, but you're going to be missing that key part, the movement of the value. And in many cases,

 

You know, that's the most important part. And why? Because of potential missed opportunities around asset recovery. Because, you know, criminals work on the basis that they want money. It's all about money, let's face it. And so, you know, so crypto, often these days, it represents the proceeds of crime. So if it's not identified early or it's not preserved, you know, it's not acted on quickly, definitely those assets, they can be moved and

 

Adam Firman (50:59.791)

Yeah.

 

Billy (51:15.522)

basically effectively lost. So then if that's lost, then you've got another intelligence gap problem because there's, well, not only that, not only have you got that intelligence gap problem, but you've also got the financial impact. Speed, I've talked about this before, like if criminals,

 

Adam Firman (51:19.067)

Yeah.

 

Billy (51:42.543)

are already comfortable using crypto. I mean, I go back to 2010, criminals were using mobile phones, you know, criminals are now comfortable using crypto, right? They understand it, they can move the funds, they're using the different chains, they're using obfuscation techniques, they're not waiting, you know, for law enforcement to catch up, are they? So, you know, the agencies, so if the agencies aren't building, you know, capability,

 

Adam Firman (52:05.628)

Course I not.

 

Billy (52:12.29)

there's a widening gap then between how crime is conducted and how it's investigated. And that's a pretty key takeaway for me, Adam. And that gap becomes harder to close over time. And I suppose maybe lastly, or close to last, is that dependency thing. If crypto sort of remains, that specialist capability.

 

And then agencies sort of become reliant on, you know, a small number of experts and still in five years' time, they've still got a small number of experts and they're that external support. Well then, you know, that could work for short term, but it's not going to scale. So it, so if every case, you know, that involves crypto in five years' time, which it will, if every one of those needs to be escalated, right. Because of that, you know, because of that dependency then.

 

Adam Firman (52:57.969)

Yeah.

 

Billy (53:10.776)

there's a bottleneck and bottlenecks slow investigations down. The risk, you know, there's an impasse, not not understanding the obvious missed intelligence. You know, one of the things that crypto gives you is that, you know, if you know how to use it, that is that visibility of the, you know, tracing the flows, identifying patterns, you know, connecting the actors. But if you're not looking, you know, at that layer, you're definitely missing those connections.

 

Adam Firman (53:12.262)

Yeah.

 

Adam Firman (53:37.787)

Yeah.

 

Billy (53:40.835)

So there's a few things that agencies, if they don't adapt, there's definitely that risk that crypto could potentially still be seen as, that's too hard, too technical, but that needs to definitely change. But look, I think in reality, on the flip side, if it's reality, it's also really positive.

 

that you can look at it in another way. That is none of those things I've just talked about requires a complete overhaul. It's not about turning every investigator into a crypto expert. It's just about those small shifts. Because once you do that, crypto becomes part of how you investigate. So for me, definitely over the next five years, and like I said, this for me, agencies that adapt will be the ones that say, recognize crypto early.

 

integrated into their investigative processes, but treated as part of a standard investigative practice. And honestly, to finish, the ones that don't, well, they potentially will be working with incomplete information, definitely slower processes because of that dependency issue, and obviously, their reliance on others.

 

Adam Firman (55:02.694)

Mm-hmm.

 

Billy (55:09.346)

So it's not just about staying current, it's about staying effective.

 

Adam Firman (55:16.314)

Yeah. And for those of you who have found today's show interesting and insightful, I will put a link to Billy's LinkedIn profile so you can connect and you can establish how TRM could assist your organization. But as always, a huge thank you to Billy for joining me today on Forensic Fix. What I really appreciate about this conversation is the fact that it wasn't just about cryptocurrency as a buzzword or a specialist niche.

 

It was about mindset. It was about how crime has evolved and how technology reshapes investigations and how we as a community choose to respond. From first computers and early caseworks through to blockchain intel and crypto first thinking, there's a clear thread running through the journey that Billy's had. Technology does not sit on the edge of investigations anymore. It's not the road, it's the steamroller. It's central to them. And crypto is not tomorrow's problem.

 

It's very much today's reality. And for those of you listening who are in law enforcement, private practice or leading digital forensic scene, the question really is not whether crypto matters. It's whether your workflows, your training, your understanding and strategy is going to reflect that reality. As Billy has highlighted the next five years, they're not going to wait for people to catch up. But Billy, thank you again for sharing your experience and your perspective. It's been a real pleasure having you on the show.

 

And to our listeners, thank you for joining us for episode 26 of Forensic Fix. If you found this episode valuable, please do share it with a colleague. Make sure you're subscribed so you don't miss future conversations as we continue to explore this constantly evolving landscape. And until next time, stay curious, stay sharp and keep fixing forensics. And thank you once again, Billy.

 

Billy (57:08.473)

Thank you.