Forensic Analysis Of Digital Currencies In Investigations

Digital-currency transactions are invaluable in tracking
down fraudulent activity and maintaining the integrity of
transactions.

Investigations involving digital currencies, or
cryptocurrencies, have become more prominent. Every on-chain
transaction is recorded on the blockchain and is practically
immutable (it cannot be altered after the fact), which helps,
rather than hinders, fraud-related investigations: the ledger is a
public, permanent record of which address paid which. One caveat:
transfers between customers of the same custodial exchange are
often settled on the exchange's internal ledger and never appear
on chain, so those records must be obtained from the exchange
itself.

Specific to matters involving the use of digital forensics and
related analysis of forensically preserved data sources (computers,
mobile devices, cloud-based repositories, etc.), the following
considerations will aid in identifying critical artifacts and
supporting investigations involving cryptocurrency-related
transactions.

Wallets and Addresses

Cryptocurrency transactions move funds between addresses. An
address is comparable to a bank-account number: it is derived from
a public key, and because the blockchain records every transaction
to and from it, its balance and history can be reconstructed by
anyone. A wallet is the software or device that holds the private
keys for a collection of addresses; without the key, funds at an
address can be seen but not spent. Wallets are commonly grouped as
"hot wallets" (keys kept on an internet-connected system,
including custodial accounts at a third-party exchange, where the
exchange rather than the user holds the keys), cold wallets (keys
kept offline on a hardware or paper wallet, generally deemed the
most secure), and desktop or mobile wallet software (keys stored
locally on a computer or phone).

Identifying these early in the case will help the investigator
understand the flow of funds involved in the matter. Artifacts such
as wallet.dat files (Bitcoin Core and similar clients), the
encrypted vault that a browser-extension wallet such as MetaMask
keeps in the browser's extension storage, or traces of web wallets
such as myetherwallet.com can help locate funds (and, with proper
legal authority, recover them) and piece together crypto
transactions.

It is also advisable to identify hardware wallets that may have
been connected to the computers involved by checking the device
registrations in the SYSTEM hive (HKLM\SYSTEM\CurrentControlSet\Enum\USB
and Enum\HID) and the first-install entries in setupapi.dev.log.
Note that hardware wallets present themselves as HID devices rather
than as mass storage, so they will not appear under USBSTOR; Ledger
devices, for example, enumerate under USB vendor ID 2C97.

Also, cryptocurrency addresses have specific formats that can be
turned into search terms, including regular expressions. A regular
expression (shortened as regex) is a sequence of characters that
specifies a search pattern. Usually such patterns are used by
string-searching algorithms for "find" or "find and
replace" operations on strings, or for input validation. Raw
pattern matches are noisy (any long alphanumeric token can look
like an address), but most address formats carry a checksum, so
candidates can be verified before they are added to the case.
Using these early in an investigation can help uncover potential
addresses of interest in your case and will be invaluable as the
investigation proceeds.
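The following is an added example (not part of the original article) of the address-hunting step just described: regular expressions pull candidate Bitcoin (legacy and bech32) and Ethereum addresses out of arbitrary text, and the Bitcoin candidates are then validated with the checksum built into each format (Base58Check for legacy, the BIP173/BIP350 polymod for bech32), so that typos and look-alike tokens are flagged rather than reported as addresses. The sample text is constructed; the only real values in it are well-known public test addresses. Ethereum addresses are matched but not checksum-verified here because EIP-55 needs Keccak-256, which the standard library does not provide.

```python
"""Find candidate cryptocurrency addresses in free text and cut false
positives by verifying the checksum where the format has one.
Standard library only; added example, not the article's own tooling."""
import hashlib
import re

# Address patterns. Legacy Bitcoin (P2PKH starts with 1, P2SH with 3) is
# Base58Check; native SegWit is Bech32 (bc1q...) or Bech32m (bc1p...);
# Ethereum is 20 bytes of hex behind 0x. A bare 64-hex token may be a
# transaction id, but any SHA-256 looks the same, so treat it as a weak hit.
PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[qp][02-9ac-hj-np-z]{6,87}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "txid_hex64": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr: str) -> bool:
    """Decode Base58 and compare the trailing 4 bytes with the first 4
    bytes of SHA-256d over the 21-byte version+hash payload."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def bech32_polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr: str) -> bool:
    """Verify a Bech32 (BIP173) or Bech32m (BIP350) checksum; the two differ
    only in the constant the polymod must equal (1 vs 0x2bc830a3)."""
    hrp, _, data = addr.rpartition("1")
    values = ([ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
              + [BECH32_CHARSET.index(c) for c in data])
    return bech32_polymod(values) in (1, 0x2BC830A3)


def find_addresses(text: str):
    """Return (kind, candidate, checksum_ok) for every match. checksum_ok is
    None where this script cannot verify the format (eth, bare txid)."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            cand = m.group(0)
            if kind == "btc_legacy":
                ok = base58check_ok(cand)
            elif kind == "btc_bech32":
                ok = bech32_ok(cand)
            else:
                ok = None
            hits.append((kind, cand, ok))
    return hits


# Constructed sample text (not case data). The first legacy address is the
# well-known Bitcoin genesis-block address; the second is a one-character
# corruption of it; the bech32 address is the BIP173 P2WPKH test vector.
SAMPLE = """\
sent 0.5 to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa last night
typo'd copy: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
new wallet bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
eth 0x0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for kind, cand, ok in find_addresses(SAMPLE):
        print(f"{kind:11} {cand}  checksum_ok={ok}")
```

In a real case the text would be the output of a strings/carve pass over the image, chat exports and notes files; anything that fails its checksum is still worth a look (it may be a transcription error by the subject), but it should not be treated as an address on the blockchain.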

Seed Phrases and Passwords

Having wallet files is a first step. A wallet file is normally
protected by a password or passphrase, and most modern wallets also
generate a "seed phrase" (a 12- to 24-word recovery phrase,
usually drawn from the BIP39 word list) from which every key in the
wallet can be regenerated. Either the wallet password or the seed
phrase is therefore needed to access the funds (assuming you have
legal authority to do so); the seed phrase is the more valuable
find, because it restores the wallet on any device without the
original file.

Analysis of system or user artifacts, such as password vaults,
static text files, notes files, photographs of handwritten notes,
or encrypted archive files, will help unlock the wallets/addresses
being investigated; a run of 12 to 24 lowercase dictionary words in
a notes file or image is a strong indicator of a seed phrase.

Password vaults are also helpful for recovery of crypto assets
from wallet files that need to be cracked. People often reuse or
lightly vary passwords across accounts, so candidate passwords
harvested from vaults and browser credential stores make an
effective wordlist when attempting, with authority, to open wallet
files retrieved from an image (password-cracking tools such as
hashcat and John the Ripper have modes for common wallet formats,
including wallet.dat).

Web Browser History

Browser history offers a wealth of information related to
numerous user activities, which in turn is often quite valuable for
investigations involving cryptocurrency transactions. Web-browser
history and cache help identify the exchanges and wallet services
used, which can be corroborated with exchange records and with
transactions on the blockchain. Account usernames, and sometimes
saved passwords, may be found in the browser's saved-credential
store, autofill data, or session cookies as well.

Additionally, there may be searches for specific addresses or
crypto transactions that can be helpful and relevant, e.g., visits
to etherscan.io (Ethereum) or blockchain.com (Bitcoin), as well as
visits to hardware wallet sites such as Trezor or Ledger. Explorer
URLs typically embed the queried address or transaction id, so the
history alone can yield addresses of interest.

Email and Chat Messaging Services

As with many investigations, email and chat-messaging
repositories (such as web-based email, Slack, or chat-messaging
platforms such as WeChat, WhatsApp, Telegram, Signal, etc.) also
offer additional context and framing around analysis findings, and
in particular often help unearth additional parties that may be
involved and/or methods for tracing transactions. Findings can
include noteworthy communications between parties, such as the
exchange of cryptocurrency addresses, details of transfers taking
place, times/dates, etc.

Once again, search terms and/or regular expressions can be
valuable here to help filter through communications and identify
potentially noteworthy communications.

Blockchain Explorers

As noteworthy addresses and transactions are identified,
blockchain explorers are valuable tools to explore the blockchain
itself and track the flow of funds from one address to another.
Public resources such as Etherscan or blockchain.com can be
helpful, but commercial analytics products (which cluster addresses
into likely wallets and attribute them to known exchanges and
services) may be necessary for more detailed analysis.

It should be noted that bad actors may attempt to mask
blockchain transactions by employing tools such as
"mixers" or "tumblers," which pool funds from many
users and pay them back out in many smaller pieces so that a given
input cannot be linked to a particular output, or by hopping
between currencies through exchanges and bridges to make the trail
harder to follow.
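To make the tracing step and the mixer problem concrete, here is an added example (not from the original article) that follows funds forward through a small, constructed set of UTXO-style transactions, the way an analyst clicks from output to output in an explorer. It applies a hop budget, records the transaction path to each address reached, and flags transactions whose many-inputs/many-outputs shape is characteristic of a mixing round. All transaction ids, addresses and amounts are placeholders invented for the example.

```python
"""Hop-limited forward tracing over a constructed transaction set.
Added example; the data is invented, not drawn from any real chain."""
from collections import deque

# Constructed sample: (txid, [input addresses], [(output address, amount)]).
# "victim" is the seed address whose outgoing funds we follow. tx3 has four
# unrelated inputs and eight equal outputs, the shape a mixing round leaves.
SAMPLE_TXS = [
    ("tx1", ["victim"], [("A", 10.0)]),
    ("tx2", ["A"], [("B", 9.99)]),
    ("tx3", ["B", "x1", "x2", "x3"],
            [(f"m{i}", 2.5) for i in range(1, 9)]),
    ("tx4", ["m3"], [("exchange_deposit", 2.49)]),
    ("tx5", ["unrelated"], [("C", 1.0)]),
]


def index_by_input(txs):
    """Map each address to the transactions that spend from it."""
    spends = {}
    for txid, ins, outs in txs:
        for addr in ins:
            spends.setdefault(addr, []).append((txid, ins, outs))
    return spends


def trace_forward(txs, seeds, max_hops=3, fanout_threshold=5):
    """Breadth-first walk from the seed addresses through spending
    transactions. Returns ({address: (hops, [txids on the path])},
    [txids flagged as mixer-shaped]). Expansion stops at max_hops, which
    is what keeps the result reviewable on a busy chain."""
    spends = index_by_input(txs)
    reached = {s: (0, []) for s in seeds}
    flagged = []
    seen_tx = set()
    queue = deque((s, 0, []) for s in seeds)
    while queue:
        addr, hop, path = queue.popleft()
        if hop >= max_hops:
            continue
        for txid, ins, outs in spends.get(addr, []):
            if txid in seen_tx:
                continue
            seen_tx.add(txid)
            # Many inputs from different parties fanning out into many
            # outputs: the first sign that funds are being mixed.
            if len(ins) > 1 and len(outs) >= fanout_threshold:
                flagged.append(txid)
            for out_addr, _amount in outs:
                if out_addr not in reached or reached[out_addr][0] > hop + 1:
                    reached[out_addr] = (hop + 1, path + [txid])
                    queue.append((out_addr, hop + 1, path + [txid]))
    return reached, flagged


if __name__ == "__main__":
    reached, flagged = trace_forward(SAMPLE_TXS, ["victim"], max_hops=4)
    for addr, (hops, path) in sorted(reached.items(), key=lambda kv: kv[1][0]):
        print(f"{addr:17} hops={hops} via {' -> '.join(path) or '(seed)'}")
    print("mixer-shaped transactions:", flagged)
```

Run with max_hops=4 the walk reaches the exchange deposit, but only as one of eight equally plausible branches leaving tx3; that ambiguity, not the number of hops, is what a mixer buys the subject, and it is the point at which a subpoena to the receiving exchange or a commercial clustering tool usually has to take over from the explorer.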

The above considerations are far from exhaustive, but as
outlined in the above examples, digital forensic techniques can be
invaluable in cryptocurrency-related investigations. We anticipate
that analysis methodologies will continue to evolve, along with the
burgeoning use of digital currencies as instruments for financial
transactions and investments.

First published on American Bar Association

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
