April 05, 2021 Practice Points

Forensic Analysis of Digital Currencies in Investigations

Digital-currency transactions are invaluable in tracking down fraudulent activity and maintaining the integrity of transactions.

By Ryan Rubin and Antonio Rega

Investigations involving digital currencies, or cryptocurrencies, have become more prominent. Every transaction involving cryptocurrency is preserved on the blockchain and is immutable (i.e., it cannot be changed), which helps, rather than hinders, fraud-related investigations. Digital-currency transactions are invaluable in tracking down fraudulent activity and maintaining the integrity of transactions.

Specific to matters involving the use of digital forensics and related analysis of forensically preserved data sources (computers, mobile devices, cloud-based repositories, etc.), the following considerations will aid in identifying critical artifacts and supporting investigations involving cryptocurrency-related transactions. 

Wallets and Addresses

All cryptocurrency transactions start and end at a cryptocurrency address and/or wallet. Addresses are similar to bank-account numbers: each carries a balance and a history of the transactions it has taken part in. A wallet is a collection of addresses and may exist as a “hot wallet” (where access to crypto funds is “stored” on a third-party exchange, for example), a cold wallet (where funds are accessible via hardware or paper-based wallets—deemed the most secure), or desktop wallet software (where funds are accessible locally on a computer and/or mobile app).

Identifying these early in the case will help the investigator understand the flow of funds involved in the matter. Artifacts such as wallet.dat files or wallet software such as MetaMask or could be helpful to recover funds and/or piece together crypto transactions.

It would also be advisable to identify hardware devices that may have been connected to computers involved by checking registry keys for these device registrations.

Also, cryptocurrency addresses have specific formats that can be turned into search terms, including regular expressions. A regular expression (regex for short) is a sequence of characters that specifies a search pattern. Such patterns are usually used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation. Using these early in an investigation can help uncover potential addresses of interest in your case and will be invaluable as the investigation proceeds.

Seed Phrases and Passwords

Having wallet files is a first step; in most cases a “seed phrase” (12–16 disparate words) would be required to access the wallet (assuming you have permission to do so).

Analysis of system or user artifacts, such as password vaults, static text files, notes files, or encrypted archive files, will help unlock the wallets/addresses being investigated.

Password vaults are also helpful for recovering crypto assets from wallet files that need to be cracked. People often reuse similar passwords across all their accounts, which is a useful lead when attempting to access wallet files retrieved from an image under investigation.

Web Browser History

Browser history offers a wealth of information about numerous user activities, which in turn is often quite valuable for investigations involving cryptocurrency transactions. Web-browser cache and history help identify exchanges, which can then be corroborated against transactions on the blockchain. Usernames and passwords may often be found in the history or browser cache as well.

Additionally, there may be searches for specific addresses or crypto transactions that can be helpful and relevant—e.g., visits to (Ethereum) or (Bitcoin), as well as visits to hardware wallet sites such as Trezor or Ledger.

Email and Chat Messaging Services

As with many investigations, email and chat-messaging repositories (such as web-based email, Slack, or other chat-messaging platforms such as WeChat, WhatsApp, Telegram, Signal, etc.) also offer additional context and framing around analysis findings. In particular, they often help unearth additional parties that may be involved and/or methods for tracing transactions. Findings can include noteworthy communications between parties, such as the sharing of cryptocurrency addresses, details of transfers taking place, times/dates, etc.

Once again, search terms and/or regular expressions can be valuable here to help filter through communications and identify potentially noteworthy communications.
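As an added example (not part of the article), the following Python scanner applies the regex approach described in the Wallets and Addresses section and again here to exported text such as a chat log: it finds candidate Bitcoin and Ethereum addresses and then verifies the checksum of each Bitcoin candidate, so that a near-miss such as a mistyped address is flagged rather than chased on the blockchain. The address formats covered, the sample text, and the decision to match Ethereum on format only are assumptions of this example.

```python
import hashlib
import re

PATTERNS = {  # formats assumed by this example: base58 and bech32 Bitcoin, 0x Ethereum
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{6,87}\b", re.IGNORECASE),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def base58check_ok(addr: str) -> bool:  # trailing 4 bytes == double-SHA256(rest)[:4]
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except (ValueError, OverflowError):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def bech32_ok(addr: str) -> bool:  # BIP173/BIP350 polymod: 1 = bech32, 0x2BC830A3 = bech32m
    hrp, _, data = addr.lower().rpartition("1")
    if not hrp or any(c not in BECH32 for c in data):
        return False
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    for v in expanded + [BECH32.index(c) for c in data]:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(gen):
            if (top >> i) & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)

# Ethereum is matched on format only; the EIP-55 mixed-case check needs Keccak-256.
VALIDATORS = {"btc_base58": base58check_ok, "btc_bech32": bech32_ok, "eth": lambda a: True}

def find_addresses(text: str) -> list:
    hits = []  # (kind, address, checksum_ok) in order of appearance per pattern
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(0), VALIDATORS[kind](m.group(0))))
    return hits

# Constructed sample standing in for a chat export; the last address has a deliberate typo.
SAMPLE = ("pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 "
          "then 0x" + "ab" * 20 + "; typo: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")
```

Calling find_addresses(SAMPLE) returns four hits, with the mistyped base58 address reported as checksum_ok=False; a hit that fails its checksum is still worth noting as evidence of intent, but it will never appear on the blockchain.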

Blockchain Explorers

As noteworthy addresses and transactions are identified, blockchain explorers are valuable tools for exploring the blockchain itself and tracking the flow of funds from one wallet to another. Public resources such as Etherscan or can be helpful, but commercial products may be necessary for more detailed analysis.

It should be noted that bad actors may attempt to mask blockchain transactions by employing tools such as “mixers” or “tumblers,” which break up the flow of funds into smaller pieces to make them harder to trace.

The above considerations are far from exhaustive, but as outlined in the above examples, digital forensic techniques can be invaluable in cryptocurrency-related investigations. We anticipate that analysis methodologies will continue to evolve, along with the burgeoning use of digital currencies as instruments for financial transactions and investments.

Ryan Rubin is a senior managing director and Antonio Rega is a managing director with Ankura.

The material in all ABA publications is copyrighted and may be reprinted by permission only.
Ankura is the Litigation Advisory Services Sponsor of the ABA Litigation Section. This article should be not construed as an endorsement by the ABA or ABA Entities.
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).