
ARTICLE

Forensic Analysis of Digital Currencies in Investigations

Ryan Rubin and Antonio Rega

Summary

  • Investigations involving digital currencies, or cryptocurrencies, have become more prominent.
  • Artifacts such as wallet.dat files or wallet software such as MetaMask or myetherwallet.com can help recover funds and/or piece together crypto transactions.
  • Mail and chat-messaging also help offer additional context and framing around analysis findings.
  • As noteworthy addresses and transactions are identified, blockchain explorers are valuable tools to explore the blockchain itself and track the flow of funds from one wallet to another.

Investigations involving digital currencies, or cryptocurrencies, have become more prominent. Every transaction involving cryptocurrency is preserved on the blockchain and is immutable (i.e., it cannot be changed), which helps, rather than hinders, fraud-related investigations. Digital-currency transactions are invaluable in tracking down fraudulent activity and maintaining the integrity of transactions.

Specific to matters involving the use of digital forensics and related analysis of forensically preserved data sources (computers, mobile devices, cloud-based repositories, etc.), the following considerations will aid in identifying critical artifacts and supporting investigations involving cryptocurrency-related transactions. 

Wallets and Addresses

All cryptocurrency transactions start and end at a cryptocurrency address and/or wallet. Addresses are similar to bank-account numbers: each carries a balance and a history of the transactions it has taken part in. A wallet is a collection of addresses and may take the form of a “hot wallet” (where access to the crypto funds is held on a third-party exchange, for example), a cold wallet (where funds are accessible via a hardware or paper-based wallet, deemed the most secure), or desktop wallet software (where funds are accessible locally on a computer and/or mobile app).

Identifying these early in the case will help the investigator understand the flow of funds involved in the matter. Artifacts such as wallet.dat files or wallet software such as MetaMask or myetherwallet.com can help recover funds and/or piece together crypto transactions.

It would also be advisable to identify hardware devices that may have been connected to computers involved by checking registry keys for these device registrations.

Also, cryptocurrency addresses have specific formats that can be turned into search terms, including regular expressions. A regular expression (shortened as regex) is a sequence of characters that specifies a search pattern. Such patterns are usually used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation. Using them early in an investigation can help uncover potential addresses of interest in your case and will be invaluable as the investigation proceeds.

Seed Phrases and Passwords

Having wallet files is a first step; in most cases a “seed phrase” (12–16 disparate words) would be required to access the wallet (assuming you have permission to do so).

Analysis of system or user artifacts, such as password vaults, static text files, notes files, or encrypted archive files, will help unlock the wallets/addresses being investigated.

Password vaults are also helpful for recovery of crypto assets for wallet files that need to be cracked. People often use similar passwords for all their accounts, which can be a helpful tip when attempting to access wallet files retrieved from an image to be investigated.

Web Browser History

Browser history offers a wealth of information about numerous user activities, which in turn is often quite valuable for investigations involving cryptocurrency transactions. Web-browser cache and history help identify exchanges whose records can be corroborated with transactions on the blockchain. Usernames and passwords may also be found in the history or browser cache.

Additionally, there may be searches for specific addresses or crypto transactions that can be helpful and relevant—e.g., visits to etherscan.com (Ethereum) or blockchain.com (Bitcoin), as well as visits to hardware wallet sites such as Trezor or Ledger.

Email and Chat Messaging Services

As with many investigations, email and chat-messaging repositories (such as web-based email, Slack, or chat-messaging platforms such as WeChat, WhatsApp, Telegram, Signal, etc.) also help offer additional context and framing around analysis findings. In particular, they often help unearth additional parties that may be involved and/or methods for tracing transactions. Findings can include noteworthy communications between parties, such as the sharing of cryptocurrency addresses, details of transfers taking place, times/dates, etc.

Once again, search terms and/or regular expressions can be valuable here to help filter through communications and identify potentially noteworthy communications.
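The regex-based address search described in the Wallets and Addresses section, applied to a chat log as suggested here, can be demonstrated in a small Python script. This is an added example written for this article, not code from the authors. It carries a constructed four-line chat log, regexes for the three public address formats (legacy Base58 "1…"/"3…", Bech32 "bc1…", and Ethereum "0x…"), and a checksum check for the two Bitcoin formats so that a typo or a deliberately mangled address is flagged rather than reported as a lead. The Bitcoin addresses in the sample are the well-known documentation examples from the Bitcoin wiki and BIP-173; the Ethereum one is an EIP-55 test vector; the speakers, timestamps and message text are invented.

```python
import hashlib
import re

# Candidate-address patterns, built from the public address formats:
# legacy Base58 (P2PKH "1...", P2SH "3..."), Bech32 ("bc1..."), Ethereum (0x + 40 hex).
PATTERNS = {
    "btc-legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc-bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b", re.IGNORECASE),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_ok(addr: str) -> bool:
    """Decode a Base58 address and verify its 4-byte double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte (the 0x00 P2PKH version byte).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def bech32_polymod(values):
    """BIP-173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr: str) -> bool:
    """Verify the Bech32 (BIP-173) or Bech32m (BIP-350) checksum of a bc1 address."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by specification
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")  # '1' never occurs in the data part
    if hrp != "bc" or any(c not in BECH32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32.index(c) for c in data]
    return bech32_polymod(values) in (1, 0x2BC830A3)


def checksum_status(kind: str, addr: str):
    """True/False for Bitcoin formats; None for Ethereum (format-only match)."""
    if kind == "btc-legacy":
        return base58check_ok(addr)
    if kind == "btc-bech32":
        return bech32_ok(addr)
    # EIP-55 mixed-case checksums need Keccak-256, which hashlib does not provide
    # (hashlib.sha3_256 is NIST SHA-3, a different padding), so Ethereum stays format-only.
    return None


def scan_messages(messages):
    """Return one hit per candidate address found in a list of chat lines."""
    hits = []
    for line_no, text in enumerate(messages, start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append({"line": line_no, "kind": kind, "address": m.group(0),
                             "checksum_ok": checksum_status(kind, m.group(0))})
    return hits


# Constructed sample chat export (speakers, times and text are invented).
SAMPLE_MESSAGES = [
    "[2021-03-02 14:11] alice: send the 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 tonight",
    "[2021-03-02 14:13] bob: use the new one instead: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "[2021-03-02 14:20] alice: eth goes to 0x52908400098527886E0F7030069857D2E4169EE7 as agreed",
    "[2021-03-03 09:02] bob: typo check -> 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 (wrong, ignore)",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(hit)
```

The same patterns can be fed to a keyword-search tool as plain regexes; the checksum step is what separates a real lead from a near-miss, since a single altered character in a Bitcoin address fails the check, and a hit whose checksum fails is worth a note but not a blockchain-explorer lookup.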

Blockchain Explorers

As noteworthy addresses and transactions are identified, blockchain explorers are valuable tools to explore the blockchain itself and track the flow of funds from one wallet to another. Public resources such as etherscan or blockchain.com can be helpful, but commercial products may be necessary for more detailed analysis.

It should be noted that bad actors may attempt to mask blockchain transactions by employing tools such as “mixers” or “tumblers,” which break up the flow of funds into smaller pieces to make them harder to trace.

The above considerations are far from exhaustive, but as outlined in the above examples, digital forensic techniques can be invaluable in cryptocurrency-related investigations. We anticipate that analysis methodologies will continue to evolve, along with the burgeoning use of digital currencies as instruments for financial transactions and investments.
