Investigating Cryptocurrencies E-Book

Table of Contents

Cover

Foreword

Introduction

Cryptocurrencies: Coming to a Lab near You

Who Should Read This Book

About the Book's Web Resources

Part I: Understanding the Technology

CHAPTER 1: What Is a Cryptocurrency?

A New Concept?

Leading Currencies in the Field

Is Blockchain Technology Just for Cryptocurrencies?

Setting Yourself Up as a Bitcoin User

Summary

CHAPTER 2: The Hard Bit

Hashing

Public/Private Key Encryption

Building a Simple Cryptocurrency in the Lab

Summary

CHAPTER 3: Understanding the Blockchain

The Structure of a Block

Summary

CHAPTER 4: Transactions

The Concept behind a Transaction

The Mechanics of a Transaction

Extracting JSON Data

Analyzing Address History

Creating Vanity Addresses

Interpreting Ethereum Transactions

Summary

CHAPTER 5: Mining

The Proof-of-Work Concept

The Proof-of-Stake Concept

Mining Pools

Mining Fraud

Summary

CHAPTER 6: Wallets

Wallet Types

Why Is Recognizing Wallets Important?

The Wallet Import Format (WIF)

How Wallets Store Keys

Setting Up a Covert Wallet

Summary

CHAPTER 7: Contracts and Tokens

Contracts

Tokens and Initial Coin Offerings

Summary

Part II: Carrying Out Investigations

CHAPTER 8: Detecting the Use of Cryptocurrencies

The Premises Search

Searching Online

Extracting Private and Public Keys from Seized Computers

Working on a Live Computer

Summary

CHAPTER 9: Analysis of Recovered Addresses and Wallets

Finding Information on a Recovered Address

Analyzing a Recovered Wallet

Inferring Other Data

Summary

CHAPTER 10: Following the Money

Initial Hints and Tips

Transactions on Blockchain.info

Other Explorer Sites

Following Ethereum Transactions

Monitoring Addresses

Summary

CHAPTER 11: Visualization Systems

Online Blockchain Viewers

Commercial Visualization Systems

Summary

CHAPTER 12: Finding Your Suspect

Tracing an IP Address

Tracking to a Service Provider

Considering Open-Source Methods

Accessing and Searching the Dark Web

Detecting and Reading Micromessages

Summary

CHAPTER 13: Sniffing Cryptocurrency Traffic

What Is Intercept?

Watching a Bitcoin Node

Sniffing Data on the Wire

Summary

CHAPTER 14: Seizing Coins

Asset Seizure

Practice, Practice, Practice

Summary

CHAPTER 15: Putting It All Together

Examples of Cryptocurrency Crimes

What Have You Learned?

Where Do You Go from Here?

Index

End User License Agreement

List of Illustrations

Introduction

Figure Intro-1: Message in the Genesis block.

Figure Intro-2: Screenshot of a computer locked with the WannaCry ransomware.

Figure Intro-3: Computer locked with the Petya/NotPetya virus.

Chapter 1

Figure 1-1: Stone money of Yap.

Figure 1-2: Dialog box to create a shortcut to run Bitcoin Core.

Figure 1-3: The three options in the Bitcoin Core program group.

Figure 1-4: The Send screen in Bitcoin Core.

Figure 1-5: The Send screen with send address filled in.

Figure 1-6: Blockchain viewer showing a transaction.

Chapter 2

Figure 2-1: Hash a value from a list and compare with the leaked database.

Figure 2.2: Military World War 2 Enigma machine

Figure 2-3: The encryption/decryption life cycle.

Figure 2-4: Every time we reach the max value of 253, we start from the beginning, providing a remainder of 188.

Figure 2-5: A visualization of an elliptic curve on a graph.

Figure 2-6: Intersecting lines on an elliptic curve and reflecting across the x-axis.

Figure 2-7: The

MAX

value means the tangent “leaves” the graph and re-enters reflected in the x- and y-axis.

Figure 2-8: Asteroids!

Figure 2-9: Ship leaving the screen and re-entering reflected in the x- and y-axis.

Figure 2.10: The line in the spreadsheet where the “system” has given you 10 NickCoin.

Figure 2-11: Block hash.

Figure 2-12: miner.py running to find a hash with four zeros at its beginning.

Figure 2-13: Awarding 10 NickCoin to the person who mines the fastest.

Chapter 3

Figure 3-1: Live graph of transactions per block.

Figure 3-2: Block header and its constituent parts.

Figure 3-3: The block header.

Figure 3-4: Visualization of the Merkle tree.

Figure 3-5: UNIX time conversion in Excel.

Figure 3-6: Set the byte width to 32 bytes wide.

Figure 3-7: Set the byte group size to 4.

Figure 3-8: Set the offset base to decimal.

Figure 3-9: Raw hex from a block on the Bitcoin blockchain

Figure 3-10: Visualizing Internal byte order.

Figure 3-11: How each entity is written in the block header.

Figure 3-12: The version in Little Endian.

Figure 3-13: Previous block hash in Internal Byte Order.

Figure 3-14: Merkle root in Internal Byte Order.

Figure 3-15: Timestamp in Little Endian.

Figure 3-16: Counting 80 bytes.

Figure 3-17: Number of transactions bytes prefixed FD.

Figure 3-18: The genesis block with text visible.

Figure 3-19: A mining fork causing an orphan fork to appear.

Figure 3-20: An agreed fork to a new software version.

Figure 3-21: The majority of miners agree, and the old fork fades away.

Figure 3-22: The new fork does not have support and dies.

Chapter 4

Figure 4-1: Transfer of value from address to address.

Figure 4-2: Transactions form part of a block that is then mined.

Figure 4-3: Transmission of a transaction from peer to peer.

Figure 4-4: IP addresses of peers in a Bitcoin client.

Figure 4-5: Alice is buying a gun and has three transactions to choose from.

Figure 4-6: View of a transaction on the blockchain.

Figure 4-7: Alice transferring Bitcoin to Bob.

Figure 4-8: Snapshot of the mempool.

Figure 4-9: Note the low fee in the second transaction.

Figure 4-10: Unconfirmed transaction.

Figure 4-11: Transaction decoded to JSON.

Figure 4-12: Result of generating an address beginning with 1nick.

Figure 4-13: Using Vanitygen64 to create a vanity address.

Figure 4-14: View of an Ethereum transaction.

Figure 4-15: View of gas price.

Chapter 5

Figure 5-1: Percentage split of Bitcoin mined by mining pools.

Figure 5-2: Some sites where the coin-hive software miner was found.

Chapter 6

Figure 6-1: Examples of hardware wallets.

Figure 6-2: Moving your mouse around the WalletGenerator window creates entropy.

Figure 6-3: A generated public/private key pair ready to print.

Figure 6-4: The seed words that can be used to back up my private key.

Figure 6-5: List of public and private key pairs recovered from the seed words.

Figure 6-6: Hierarchical key tree.

Figure 6-7: Bitcoin for sale for cash.

Chapter 7

Figure 7-1: Marriage contract on Ethereum.

Figure 7-2: The Authorship Token sale.

Figure 7-3: List of purchasers of Authorship tokens.

Figure 7-4: The hash of the contract for the Authorship token.

Figure 7-5: Details of the Authorship token.

Chapter 8

Figure 8-1: Examples of seized addresses.

Figure 8-2: Example of a paper wallet with QR code.

Figure 8-3: List of unrelated words.

Figure 8-4: Example of address in a forum.

Figure 8-5: Searching for addresses just returns blockchain viewers.

Figure 8-6: Searching a specific site.

Figure 8-7: Enter the project name and the location where the files should be saved.

Figure 8-8: Add the URLs to download.

Figure 8-9: Setup of Agent Ransack.

Figure 8-10: Recovery of a Bitcoin address from the website.

Figure 8-11: You can change the default storage location in Bitcoin Core.

Figure 8-12: Hierarchical paths in the recovered text.

Figure 8-13: Finding an address with its prefix.

Figure 8-14: Wallets found in the Recycle Bin and renamed.

Figure 8-15: Recovered addresses with the magic value prefix.

Figure 8-16: Running the Belkasoft RAM capture software.

Figure 8-17: Finding and extracting the wallet file.

Figure 8-18: Subset of the many applications found.

Figure 8-19: Using Bitcoin Core to back up a wallet.

Figure 8-20: Output from the walletinfo command.

Figure 8-21: Output from getnettotals.

Figure 8-22: Output of getnetworkinfo.

Figure 8-23: Output of getpeerinfo.

Figure 8-24: Output of listtransactions.

Chapter 9

Figure 9-1: Metadata about a Bitcoin address.

Figure 9-2: Changing the dollar value to bitcoin.

Figure 9-3: Graph of the address balance over time.

Figure 9-4: Exporting the raw data about the address.

Figure 9-5: Raw JSON of an address balance.

Figure 9-6: Raw transactions from an address.

Figure 9-7: Output from the unspent_n script.

Figure 9-8: Etherscan.io API keys.

Figure 9-9: Checking the Ethereum value of an address.

Figure 9-10: Addresses involved in a multisig transaction.

Figure 9-11: Times that transactions were sent or received by this address.

Figure 9-12: Timestamps between 3 a.m. and 12 p.m.

Figure 9-13: Transaction and block times are close enough to agree.

Figure 9-14: Scatter graph of transaction times.

Figure 9-15: The built-in Bitcoin Core console.

Figure 9-16: The extended private master key.

Figure 9-17: The private keys.

Figure 9-18: The public keys.

Figure 9-19: HD paths.

Figure 9-20: Row of public keys.

Figure 9-21: Totals from the whole wallet.

Figure 9-22: Data on each address in the wallet.

Figure 9-23: Bitinfocharts provides the dollar price at the time of the transaction.

Chapter 10

Figure 10-1: Transaction where the target address is an input.

Figure 10-2: Transaction where the target is an output address.

Figure 10-3: Inferring owned addresses from the change address 19Gmgg.

Figure 10-4: Working out the change address from the transaction.

Figure 10-5: Inferring the change address with fewer inputs and outputs.

Figure 10-6: Inferring change addresses by looking at how often it has been used.

Figure 10-7: The 1 address is likely the change address.

Figure 10-8: Which is the change address?

Figure 10-9: Output address from Figure 10-8 is now an input address with the input address from Figure 10-8.

Figure 10-10: Graphing transactions on paper.

Figure 10-11: A wallet address from www.walletexplorer.com.

Figure 10-12: Clustered addresses are the same as we inferred manually.

Figure 10-13: Graphing the history of an address.

Figure 10-14: Filtering on all blocks mined on a specific day.

Figure 10-15: The chainz.cryptoid.info website has explorers for more unusual cryptocurrencies.

Figure 10-16: Blockexperts.com.

Figure 10-17: Google an address if you do not recognize it.

Figure 10-18: An Ethereum ether transaction.

Figure 10-19: An Ethereum contract transaction.

Figure 10-20: Etherscan transaction layout.

Figure 10-21: Graphing the owners of tokens.

Figure 10-22: Part of a raw contract with the owner's address.

Figure 10-23: Adding an address to monitor.

Figure 10-24: Graphing the history of a monitored address.

Figure 10-25: Bitnotify.com.

Figure 10-26: Monitoring two addresses.

Figure 10-27: Setting up an Ethereum address monitor.

Chapter 11

Figure 11-1: The View Tree Chart link on blockchain.info.

Figure 11-2: Blockchain.info visualization of the transaction.

Figure 11-3: Following the transaction onward.

Figure 11-4: Ethereum tree of transactions.

Figure 11-5: An example of a Numisight graph.

Figure 11-6: Numisight displaying information on a transaction.

Figure 11-7: Payments made to the Wannacry address moved to two addresses.

Figure 11-8: Choosing Expand Outputs from the right-click menu.

Figure 11-9: The transforms available for the Domain entity.

Figure 11-10: The results of running the To Website [using Search Engine] transform.

Figure 11-11: Install Bitcoin transforms and entities from the Transform Hub.

Figure 11-12: Drag the Bitcoin Transaction entity onto the graph.

Figure 11-13: The transaction has two output addresses.

Figure 11-14: Finding clustered input addresses.

Figure 11-15: Exporting the clustered addresses as a CSV file.

Figure 11-16: Looking for connections between addresses.

Chapter 12

Figure 12-1: Relay address on blockchain.info.

Figure 12-2: Bitcoin peer-to-peer network.

Figure 12-3: Live map of Bitcoin trades.

Figure 12-4: List of current Bitcoin nodes.

Figure 12-5: Metadata from a Bitcoin node.

Figure 12-6: IPs and metadata of Bitcoin nodes from a snapshot.

Figure 12-7: Graph of uptime of node.

Figure 12-8: List of Tor nodes.

Figure 12-9: Lookup of an IP address with and without a VPN.

Figure 12-10: Uploading a CSV file.

Figure 12-11: Large transaction with change address back to itself.

Figure 12-12: Unpeeling a transaction tree with a reducing value of the primary address.

Figure 12-13: Currencies supported by Poloniex.

Figure 12-14: Results of searching using the site: modifier.

Figure 12-15: Options on the Tor Browser.

Figure 12-16: Torch search engine.

Figure 12-17: Dark web spreadsheet at hunch.ly.

Figure 12-18: Wikileaks files downloaded from Bitcoin.

Figure 12-19: Output scripts containing a message.

Figure 12-20: Messages on the blockchain.

Chapter 13

Figure 13-1: A Bitcoin node recorded by Bitnodes.

Figure 13-2: Change the IP address to the target node.

Figure 13-3: Output from the target node using sniffer.py.

Figure 13-4: Wireshark capture options.

Figure 13-5: The main Wireshark window.

Figure 13-6: Packets filtered to just port 8333.

Figure 13-7: Raw transaction packet.

Figure 13-8: Identifying the Bitcoin magic value.

Figure 13-9: The packet type.

Figure 13-10: The size of the payload in bytes.

Figure 13-11: The checksum value.

Chapter 14

Figure 14-1: Select the Multi-signature Wallet option.

Figure 14-2: Seed generation and public key.

Figure 14-3: Enter cosigner address and key generation.

Figure 14-4: Enter private keys to Sweep coins.

Figure 14-5: Sending the coins to your multisig account.

Figure 14-6: Seed values to copy.

Figure 14-7: Exporting the raw private keys.

Guide

Cover

Table of Contents

Begin Reading

Pages

C1

iii

iv

v

vii

ix

xi

xiii

xxi

xxii

xxiii

xxiv

xxv

xxvi

xxvii

xxviii

xxix

xxx

xxxi

xxxii

1

3

4

5

6

7

8

9

10

11

12

13

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

33

34

35

36

37

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

67

68

70

71

72

73

74

75

76

77

78

79

80

82

83

84

85

86

87

88

90

91

93

95

96

97

98

99

100

101

102

103

104

105

106

107

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

173

175

176

177

178

179

180

181

182

183

184

185

187

188

189

190

191

192

194

195

196

197

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

287

E1

Foreword

Any novel technology brings with it a wave of early adopters. While some of these are keen to explore the potential societal and economic benefits that may be had by leveraging the technology, others seek to apply the technology as a means to enable nefarious activities. Bitcoin and other cryptocurrencies are no exception. Indeed, it may be very reasonably argued that the first “killer-app” for Bitcoin—responsible for a large influx of users and a significant boosting of economic traction—was the Silk Road dark market, founded in February 2011. Other use cases thriving today include ransomware, unregulated gambling, Ponzi schemes masquerading as high-yield cryptocurrency investment schemes, in-person cryptocurrency muggings, and cryptojacking—that is, the practice of covertly hijacking computers to mine cryptocurrency.

Digital forensic experts need to keep pace with new technologies to ensure relevant objective evidence can be brought forward to throw light on investigations. They face tough challenges, not least an exploding array of new cryptocurrencies, many based on high-privacy foundations. Fortunately they are supported by the fundamental goal of blockchain technology—that is, to create an immutable, decentralised record of transactions. Thus evidence trails are perfectly preserved while both forensic technology and long-running legal processes have an opportunity to play catch up. Indeed, the clustering techniques pioneered by the likes of academic Dr. Sarah Meiklejohn in 2013, and built on by companies such as Chainalysis and Elliptic, have enabled the unmasking of the ownership of large numbers of Bitcoin addresses—including many associated with the Silk Road—something that had previously thought to be impossible.

Within this context, Nick Furneaux's book is both timely and relevant. Its comprehensive scope includes not only an accessible introduction to the technology and its history, but also an overview of relevant methods and the critical factors that should be respected in any forensic investigation. Indeed, I have personally observed on more than one occasion how a failure to apply proper methods can mean critical evidence is missed or lost, while a lack of a sufficiently deep level of understanding can mean incorrect conclusions are drawn from the evidence. In either case, the consequences for the integrity of the investigatory process are often terminal. I hope that you will enjoy reading this book, that you will find it as insightful as I did, and that you will find the opportunity to apply its wisdom to some real-world cases.

Introduction

“The Times 03/Jan/2009 Chancellor on brink of second bailout for banks”

Those 69 characters should be much more famous than they are. In the very first Bitcoin block, the enigmatic Satoshi Nakamoto, the inventor of Bitcoin, encoded that message in hexadecimal (see Figure Intro-1).

Figure Intro-1: Message in the Genesis block.

Either by design or coincidence (which seems unlikely), Satoshi both launched the first blockchain-based cryptocurrency and made the semi-covert statement as to the reasons for the development of his or her system (we do not definitively know the sex of Satoshi or even if Satoshi is an individual or a group). It seems that in Satoshi's view, the banks were failing, and his or her system could free people from the control of central banks and exchanges. On a cryptography mailing list, Satoshi wrote the following:

“You will not find a solution to political problems in cryptography.

Yes, but we can win a major battle in the arms race and gain a new territory of freedom for several years.

Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own.”

Satoshi, https://www.mail-archive.com/[email protected]/msg09971.html

Although Satoshi wrote little about the Bitcoin system, the few comments on forums show that there was at least a small part of his or her motivation that wanted to enable people to step outside the traditional banking and currency systems.

Since those early days, Bitcoin has grown massively both in value and reach. Although at the time of writing, one could not assert that Bitcoin was a mainstream currency, it is certainly in the mainstream consciousness, regularly making headlines on conventional news channels and spawning thousands of column inches of editorial.

Aside from Bitcoin, hundreds of cryptocurrencies are now based on the blockchain concept. Some are very similar; others are trying to do things in very different ways. For example, although Ethereum is a cryptocurrency in its own right, it is based around a complex, programmable contract system. A transaction can include many contractual obligations and could be used for everything from buying a house to getting married. In fact, several couples have already embedded their marriage on the Bitcoin and Ethereum blockchains, including parts of their vows and links to an image of their marriage certificate. Blockchain technology is here to stay, and an investigation involving it is going to land on your desk soon, if it hasn't already.

Cryptocurrencies: Coming to a Lab near You

I've been working specifically in computer forensics and digital investigations for about 14 years. In that time, the equipment coming to the lab and the programs we have had to investigate have changed drastically. About 13 years ago, a computer investigation would focus almost solely on Internet activity in a web browser, perhaps some newsgroups or ICQ and, of course, good old e-mail. Fast-forward to 2018, and the equipment that lands on the check-in desk at the lab has changed beyond recognition. Most smartphones, such as the humble iPhone, have significantly more power and storage than the computers of the early 2000s, and instead of simply looking at visited websites, we now have encrypted chat, messaging programs that come in hundreds of flavors, and social media environments that are investigation centers in their own right, such as Facebook, Snapchat, and many others.

Throughout this time, criminals have continued to carry out nefarious deeds and have found ways to pay for illegal goods and acquire ill-gotten payments from the defrauded and unsuspecting. The problem for the 2005 criminal was the lack of options for sending or receiving monies in an anonymous, untraceable way. For example, criminals could easily carry out a “ransomware” attack where malware encrypts the victim's computer until money is paid and then they are “hopefully” provided with a decryption key. But to have the money sent to the criminal presented significant difficulties. You could publish a bank account number, but that's very hard to set up without ID, and when the money is transferred, the police can easily trace it and move in for the arrest. Because of these problems, criminals and criminal gangs took to setting up post-office (PO) boxes where money could be sent, but again, it was not difficult for the authorities to keep watch until someone turned up to collect the cash. Some went the route of using what amounted to cash mules, who would retain some percentage of the risk involved, adding a layer of misdirection to the payments and cutting into profits. The Internet, though, offered possibilities in the form of Western Union and PayPal, but those are also connected to real-world bank accounts, making it straightforward for the police to trace. I'm somewhat simplifying the methods used, but you get the idea: there was no easy way to pay or get paid without leaving a trail that is easily followed.

Then in January 2009, Satoshi launched the Bitcoin currency, based on a concept called the blockchain. This currency did not need any connections to the real-world banking system or require anyone to sign up to any central system—you could acquire a few bitcoin and pay for goods with seeming total anonymity. Add to this new ability the burgeoning underground marketplace the media loves to call the “dark web”—mostly because it has the word “dark” in it, which makes it sound mysterious, with a hint of evil. Of course, the dark web is anything but dark, with many legitimate services available to assist those in more restricted territories of the world to communicate and be informed online. It would be fair to say, though, that it certainly represents the rough side of town! Because of this association, Bitcoin became the bad guy of finance, and when a computer came into the lab with Bitcoin software on it, the owner was automatically viewed with significant suspicion.

NOTE

I often see this attitude amongst investigators when it comes to anything that obfuscates computer communication or hides data. When investigating a computer with a VPN client on it, if storage encryption is turned on, a Tor client is installed, or even if a browser cache has been recently purged, the assumption is that the owner “must have something to hide.” I regularly argue that many reasons exist why someone would have all or any of these software tools on their computer—they may have something to hide, but it's not actually illegal or they just value their right to privacy. Sadly, I'm usually wrong, and the computer owner generally does have something bad to hide—but it's nice to think the best of people, isn't it?

In recent years, Bitcoin has moved out of the figurative shadows of the dark web and into the light of mainstream commerce. It seems most owners of bitcoins are just holding them for investment as the bitcoin-to-dollar price fluctuates wildly, but generally in an upward direction. If you go to http://bit.ly/2td8ref, you can see the bitcoin-to-dollar exchange rate from its inception in 2009 to now.

Although Bitcoin, Ethereum, and others could stand alone as a trading currency if enough traders accepted them, the reality is that even today, in 2018, what you can buy with a cryptocurrency is limited. Users wanted to be able to buy cryptocurrency with dollars and euros for use online and then sell coin that they had received for currency that they could use in Walmart, for example. To fill this void, currency exchanges began to pop up that would take your real-world money in exchange for commensurate Bitcoin. The process is the same as converting between any currencies. Head to an online site that offers conversion, pay your money by credit card or wire transfer, for example, and you will be credited with the Bitcoin or whatever currency you have asked for. As I discuss in this book, most sites have their own “wallet” system that stores your Bitcoin for you so you can then pay for goods using your coin directly from the website. This means that the company can both take your money and have access to your bitcoins.

NOTE

The volatility of Bitcoin compared to its dollar value in 2017 and 2018, aligned with the growing fees involved to make a Bitcoin purchase, have led some economists to question Bitcoin's use as a currency, rather terming Bitcoin a crypto-asset. Time will tell if Bitcoin or another cryptocurrency manages to become widely available on the high street.

The problems have been significant. Anyone who knows anything about setting up a website that includes a bit of code to accept credit cards could set up a cryptocurrency exchange in very little time. A developer could construct a professional-looking interface, host it on servers in Belize, register it on the primary search engines, and wait for customers. Those customers give money to the website host who in turn transfers bitcoins into his or her wallet on the servers, waits until the wallet contains lots of money and bitcoins, and then quietly closes the door and tiptoes away. This happened early in the life of Bitcoin with the fraudulent Bitcoin Savings and Trust in 2012, and Global Bond Ltd in 2013.

Alternatively, the person who sets up this type of online payment might be completely legitimate but get hacked and lose all their coins. Examples include Mt Gox in 2011, MyBitcoin in 2011, Bitfinex in 2016, Bitstamp in 2015, and NiceHash in 2017. This problem is not exclusively a Bitcoin problem as $500 million worth of a cryptocurrency called NEM coins were lost in a hack of Coincheck in 2018.

Or the person can lose access to his or her master wallet file and lose all the customers’ coins. An example of this is Bitomat in 2011.

Suffice to say that there are large, legitimate exchanges out there. The key is to buy your bitcoin and then transfer it to your own wallet away from the exchange. Then remember to back up your wallet—twice. And add a password—a strong one! Alternatively, save the private key to paper-based cold storage, a method we will discuss later in the book.

No matter what happens to Bitcoin, cryptocurrencies are here to stay, and they will continue to be a strong contender for criminals to receive payments, pay for goods, and launder money. A cryptocurrency investigator does not need to be an expert in Bitcoin specifically, but needs to understand the concepts behind blockchain currencies in order to apply that knowledge to whatever becomes the next payment system of choice.

Who Should Read This Book

If you are like me and spend your life digging through other people's data, whether that is as a digital forensics investigator, a forensic accountant, or even an Open Source Intelligence gatherer, then you need to know about this subject. If not today, then you will tomorrow. Because this book covers a broad range of techniques, you may find that parts of it are very pertinent to your work and other parts are not so relevant. For example, I will teach you how to extract cryptocurrency-related data from hard drives and devices, as well as how to conduct a premises search for this type of information. Although you may never carry out a premises search in your work, being able to communicate your needs to a front-line officer or investigator may prevent vital information being missed.

It is worth downloading and reading the report “National risk assessment of money laundering and terrorist financing 2017,” which you can find at http://bit.ly/2z9513x. Under the section “Money laundering,” the report makes some excellent observations about the use of virtual, or crypto, currencies in international crime. Here's what the article says regarding terrorist financing in conclusion of this section:

“The NCA [UK National Crime Agency] has assessed the risk of digital currency use for money laundering to be relatively low; although NCA deems it likely that digital currencies are being used to launder low amounts at high volume, there is little evidence of them being used to launder large amounts of money.”

—UK HM Treasury,https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/655198/National_risk_assessment_of_money_laundering_and_terrorist_financing_2017_pdf_web.pdf

It is my experience that the reason that law enforcement and governments believe that terrorists are not using cryptocurrencies widely comes down to lack of technical expertise. But, as with all technologies, the skill levels needed to securely operate in a cryptocurrency space are decreasing quickly, and this will not be a barrier for long. Law enforcement bosses draw the same conclusions with money laundering—that the technical know-how needed is holding back many crime groups.

It is worth noting in the report regarding both terrorism and money laundering vulnerabilities they state the following:

“The rapidly developing nature of products and services in this sector puts an imperative on the ability for government, supervisors, firms and law enforcement to respond rapidly to both the opportunities and risks which they pose.”

—UK HM Treasury,https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/655198/National_risk_assessment_of_money_laundering_and_terrorist_financing_2017_pdf_web.pdf

You may be reading this and believe that your job role will never pit your skills against a Russian crime group or extremist Islamists, but the use of cryptocurrencies is trickling down into much lower-level and lower-value crime. One example is that of crypto-mining code that is being installed by hackers into websites. When a user browses to an infected site, processor cycles on the visitor's computer are used to mine cryptocurrency coins. Another example is the fraud that has become known as “ransomware,” which I mentioned earlier in this introduction. Ransomware became media-worthy in May 2017 with the WannaCry outbreak. It simply encrypts a computer's files and then displays a message asking for payment.

Figure Intro-2 shows a WannaCry screenshot with a countdown timer (an excellent social-engineering ploy to generate urgency), instructions, and a Bitcoin address. (I particularly like the “bitcoin ACCEPTED HERE” logo!) Because the perpetrators were possibly linked to North Korea, no one thought that the bitcoins would move, but in early August 2017, over $100,000 worth of bitcoin were emptied from the wallets. Again, you may be thinking that this type of international and possibly politically motivated crime is outside your paygrade. But it was noteworthy with both WannaCry ransomware and the Petya/NotPetya virus that came later (see Figure Intro-3) that individuals and small companies were often the victims of these crimes that on a singular level only cost $300 or more dollars. Sadly, in the case of Petya/NotPetya, those who paid never saw a decryption key, and if the victim had no backups, then the potential loss was considerably greater.

Figure Intro-2: Screenshot of a computer locked with the WannaCry ransomware.

Figure Intro-3: Computer locked with the Petya/NotPetya virus.

The question that's raised with each of these examples is, are they international or local crimes? There is every reason to believe that Police Hi-Tech Crime units and private security firms would be receiving many calls from victims asking for help. In the simplest terms, it would be good to be able to monitor the payment addresses and trace any movement. You may reason that all the larger agencies will be doing exactly that, but you may have heard that it was a 22-year-old security researcher, Marcus Hutchins, who found a kill switch to stop the spread of WannaCry, not the US NSA, not the UK NCA, not even the European Anti-Fraud Agency—it was Marcus, from his bedroom in the south of England. We all have a part to play.

The options for criminals to make use of cryptocurrencies are almost endless, ranging from fraud, money laundering, purchasing illegal material, or purchasing legal material with illegally obtained currency through to crime and terrorism financing.

You may already discern the need to learn about cryptocurrencies, but your company or police department may have put their hands in their pockets and purchased software from the likes of Elliptic (https://www.elliptic.co) or Chainalysis (https://www.chainalysis.com). If you can afford one of these tools, buy one—they are both excellent. However, I make that statement in exactly the same way as I would if we were talking about computer forensic investigations and referencing Encase from Guidance Software, FTK from AccessData, or the superb X-Ways. These tools are extremely useful, they take the heavy lifting out of an investigation, and you should use them where you can. But digital investigators should be able to explain to a manager, senior officer, tribunal, or court how they reached a conclusion and be able to interpret the raw data behind some intelligence or evidence.

To illustrate, I can click a button in the FTK forensics software, and the tool will carve deleted files from a hard drive. However, when challenged, I should be able to return to the drive and have the skills to locate the disk offset and carve that file by hand, without relying on the competency of the FTK programmer to have done his or her job right.

This book takes a similar approach. Although tools are available to help with some cryptocurrency investigations, this book will walk you through the manual processes including how to find wallets (payment addresses) on devices and online, how to gather intelligence about payment addresses, and then how to follow the money through to potentially de-anonymizing a user or seizing coins.

What You Will Learn—and Not Learn

It sounds terribly negative to tell you what you are not going to learn in this book, but it's important that you understand where this book will take you and what other reading may be useful for you:

I am not going to tell you how to become rich trading cryptocurrencies.

The book will not help you build your own cryptocurrency.

The book is not a detailed technical deconstruction of the technologies behind cryptocurrencies, although I do cover them in sufficient detail for you to be able to understand the concepts and explain them to others.

What you are going to learn is much more important. Here's a brief walk through the chapters:

Chapter 1

: What Is a Cryptocurrency?

defines what a cryptocurrency actually is and describes where the value of the currency comes from and how it is traded. We will look at some of the leading currencies in the field today and talk about transactions, contracts, and the many possibilities that exist for the technology.

Chapter 2

: The Hard Bit

covers some rather unpleasant mathematics that form the basis for hashing and the cryptography protocols that are used in various cryptocurrencies.

Chapter 3

: Understanding the Blockchain

is a critical chapter where a blockchain and its functions are clearly defined. We will look at how to get at the raw blockchain data via API calls and how to deconstruct a block header from the raw hex.

Chapter 4

: Transactions

drills down to individual transactions, again extracting raw transaction data rather than the data we get from web interfaces online. We will examine how “change” works as well as fees and the Mempool.

Chapter 5

: Mining

covers the concept and technology behind mining and how blocks are added to the blockchain and new “coins” created.

Chapter 6

: Wallets

examines the many different types of wallets. This is an important chapter because investigators need to know what they are looking for in a premises search or a search on a computer or other device. This chapter also covers how a criminal might set up a covert wallet.

Chapter 7

: Contracts and Tokens

looks more deeply into how cryptocurrency contracts work and examines the difference between bitcoin and Ethereum scripts.

Chapter 8

: Detecting the Use of Cryptocurrencies

looks at detecting use of cryptocurrencies by a suspect, from house searches to searching online. I will teach you, in detail, how to find wallets and payment addresses on a disk image or a live machine by extracting and analyzing computer memory (RAM).

Chapter 9

: Analysis of Recovered Addresses and Wallets

will take us into the analysis of recovered payment addresses and wallets, intelligence gathering, and using APIs to get to the raw blockchain data. We also look at utilizing recovered private keys to find public keys and discovering what has been used as well as how to crack encrypted wallets.

Chapter 10

: Following the Money

will help you to understand how to follow the flow of money, avoiding “address blindness” and following blocks through hard forks. This chapter also covers automatically monitoring addresses and using the Bitcoin Core command line to interrogate the blockchain offline.

Chapter 11

: Visualization Systems

explores tools you can use to visualize connections between transactions. Visualization can both help and hinder because it tends to create a lot of data, so we look at ways to manage the tools.

Chapter 12

: Finding Your Suspect

focuses on attempting to de-anonymize a user on the blockchain. You will learn clustering methods so you can identify groups of addresses owned by a single user. In this chapter, we'll look at logged IPs, how we can crawl for IP addresses of Bitcoin users, and even figure out if they are using Tor. We also consider how to use open-source methods to connect a payment address to a real-world person. A short section looks at the use of the blockchain to send micromessages.

Chapter 13

: Sniffing Cryptocurrency Traffic

covers extracting data from wiretaps and watching activity of nodes on the Bitcoin network.

Chapter 14

: Seizing Coins

explores methods for asset seizures once you have identified coins in use by a suspect.

Chapter 15

: Putting It All Together

helps you to use all the skills you have learned and apply them in a methodical way to investigate a crime involving cryptocurrencies.

About the Book's Web Resources

Code files to support this book are available at www.wiley.com/go/cryptocurrencies and at www.investigatingcryptocurrencies.com. The second site also contains a voucher code for the online course at csilearn.learnupon.com.

Part IUnderstanding the Technology

As digital investigators, we have a tendency to want to get straight to the proverbial coal face and start looking at the data. However, with cryptocurrencies, it is important to understand the underlying technologies and how blockchains function to be able to effectively and accurately investigate the evidence.

CHAPTER 1What Is a Cryptocurrency?

Over the past few years, the term cryptocurrency has become a well-used term in financial circles, new business plans, and news headlines. Often the term is associated with criminal activity on the so-called “dark web,” but more recently with the increasing value of currencies like Bitcoin, the word, concept, and products are entering mainstream consciousness.

But what really is a cryptocurrency and how does it work? In this chapter, we will examine the concept, the history, and the uses for cryptocurrencies and look at how to set up a Bitcoin trading node.

Why does an investigator need to know this? Understanding the concept of these online currencies can help you form a good foundation to build a more comprehensive technical understanding. It can also help you to see the criminal uses of these currencies.

A New Concept?

In the far western Pacific region of Micronesia is a tiny cluster of islands named Yap. Conspicuous against the deep blue of the ocean, this tiny group of “high islands” comprises rolling hills covered with dense, lush forest. The islands share a coral reef that provides sustenance for the islanders from the fish that seek protection from ocean predators.

As far back as the thirteenth century, the sultan of Egypt referenced islands at the far east of the Persian Empire, where the only currency was millstones. This was later confirmed by the Spanish when they “discovered” the island group in 1528. If you visit today, you can still see the stone coins that made up the primary currency of the islanders for many centuries; in fact, they are still used today in trades involving land or marriages.

The stones are a variety of sizes—some as small as 3.5 centimeters—but the ones that draw the most attention are up to 4 meters in diameter (see Figure 1-1). The Internet boasts many pictures of tourists standing next to these vast doughnut-shaped disks of calcite named Rai coins.

Figure 1-1: Stone money of Yap.

The stones do not originate on Yap but are mined and shipped from other islands such as Palau, which is 450 kilometers away. For centuries, these coins were loaded onto sail-driven rafts, and brought across the open ocean to the island, unloaded, and moved to a location somewhere on the island where they would generally stay put forever.

You may be wondering: How do the islanders use such huge coins in actual transactions? How do they value them? How do they know who owns each coin?

The Rai coins are interesting because they almost exactly prefigured the way a blockchain in a cryptocurrency works—in fact, similar questions can be asked about a cryptocurrency. How can you trade something that doesn't really exist, such as a Bitcoin? How is a blockchain-based coin valued, and how can you know who owns a coin with no central bank controlling the movement of funds? Examining the Yapese currency helps us to understand the blockchain currency concept.

So why does a large stone disk have value? Let's say that Bob from Yap wants a 3-meter coin. First, the coin must be mined. Consider the difficulty involved. Workers have to be employed and sent in boats to an island 450 kilometers away. Calcite must then be mined, and the resulting stone carved into the distinctive doughnut shape. This final “coin” must then be loaded onto a boat and sailed back across the stretch of Pacific Ocean with its obvious dangers. The work and considerable expense involved to mine the coin are what gives it its perceived and agreed value to the islanders. Indeed, the bigger the coin, the higher the difficulty—so the value is commensurately greater.

One of the first questions I am asked about cryptocurrencies is where does the money come from? The answer, of course, is that the money comes from nowhere, but that is not really a fair answer. If you know anything about any cryptocurrency, you will know that new coins are “mined.” This concept will be discussed later, but in simple terms, computers work to solve really, really hard mathematical problems, and when they find a solution, they are rewarded with “new” coins. But just like mining a Yapese Rai coin, work is involved that carries a very real cost. Although Bitcoin miners, for example, are not chartering a ship and crossing oceans, they must spend real money on expensive, specialized custom ASICs (application specific integrated circuits) capable of carrying out trillions of calculations a second. They must then spend money on providing considerable amounts of electricity for running the computers and keeping them cool. Just like their stone counterparts, it's difficult and expensive to mine cryptocurrency coins, which gives them a perceived and generally agreed value due to their scarcity and the fact that eventually Bitcoin will “mine out,” where all coins will be mined and no more can be produced.

It is notable that in 1874, a captain named David O'Keefe imported a large number of coins from Palau to trade with the Yapese. Interestingly, this “had its disadvantages, not least the introduction of inflation, caused by the sudden increase in the stock of money” (see https://www.smithsonianmag.com/history/david-okeefe-the-king-of-hard-currency-37051930/). In the same way, if the “difficulty of work” to mine cryptocurrency coins became easier, it would directly affect their accepted value.

How do the Yapese trade their coins? Most of the coins are too big to move, so the Yapese use a very simple but effective form of what we would now call a distributed ledger. For example, let's say there was villager named Bob, and when Bob's coin arrived by boat from Palau, it would be placed near a pathway or some other visible place. All the villagers would know that the coin “on the path by the beach” belonged to Bob, because everyone would be told this and would add it to their individual mental note that included the other large coins on the island. If Bob wanted to buy some land from Alice, they would agree on the transfer of coin for land, and they would then tell all the villagers that the coin “on the path by the beach” now belonged to Alice. With no centralized person keeping a record or ledger, the possibilities of fraud are massively reduced. If a pretender named Nick told others that he owned the coin “on the path by the beach,” the majority of villagers could reject the claim due to their collective knowledge of ownership.

Amazingly, blockchain-based cryptocurrencies work in almost exactly the same way. When you wish to pay for goods or services, a record of the transaction is sent to every (full-node) user of the currency (covered in more detail in “Setting Yourself Up as a Bitcoin User” at the end of the chapter). This means that there isn't just one record of the transaction, but thousands all around the world. You are, in effect, saying, “Hi everyone, the coin you can find at this address now belongs to Alice.” Should anyone else try to claim ownership of a coin, the large number of ledgers around the world can disagree, preventing any fraud.

It was reported that a coin being transported to Yap was lost overboard in a storm, but as all the villagers knew of the mishap, the owner was still credited with the coin, and although no one had ever seen it, it was still traded as “the coin in the bay.” This demonstrates that a coin does not need a physical manifestation to be accepted as real, tradable tender. A cryptocurrency coin such as a bitcoin or Ethereum ether coin never has a physical representation, but because all the users of the currency trust its existence and accept the work that went into mining it, its value is accepted as real and hence it can be traded.

Now back to the original question: What is a cryptocurrency? There is considerable debate over the definition of a currency when related to so-called cryptocurrencies. The cryptology community is uncomfortable with the widening and often inaccurate use of the term “crypto” in news headlines and press releases and even financiers are suggesting that the term “currency” in cryptocurrency should be replaced with the word “asset.” However, a currency is generally understood to be a tradable system of money. But in reality, anything can be a currency if it is accepted as representing an agreed value; effectively, we are using a barter system where we perceive value in the currency that we trade for goods and services. Although we tend to think of a currency as the monetary notes in our purse or wallet, we use many tradable “tokens” in our everyday life. Perhaps you recently paid for a flight with air miles or used a coupon to get a free item when you bought another. Although these “tokens” do not have a traditional monetary value in the same way as a dollar bill or euro note, they are still tradable at an agreed rate or even flexible rate.

Here's an analogy: A parent or teacher may use simple marks on a board to indicate when a child has behaved well or achieved something. There may be an agreement that 10 marks equal a certain treat, trip, or other benefit. In this situation, the marks on the board become a currency of sorts. They have a value that can be traded, even if it's in a very limited way.

As we have seen, a stone slab at the bottom of the ocean can be a tradable currency, so using the same reasoning, a block of text in a database that states that it carries a particular value—for example, one bitcoin—can also be traded. But that doesn't answer the “crypto” part of a cryptocurrency.

On Yap, the system of trust works because collectively the villagers are believed to be reliable witnesses. If many villagers clubbed together and formed a majority, they could then prove that a coin belonged to someone other than its rightful owner, but that would put their own coins at risk should they fall out of the new dishonest collective. This creates a paradigm of dependability where the majority can always be trusted. The same concept works in cryptocurrency. Users of a cryptocurrency such as Ethereum, Bitcoin, or others are encouraged to run a “full node”—that is, a complete record of every single transaction that has ever happened on the currency. This prevents individuals from dishonestly claiming ownership of currency, as the rest of the world's full nodes will disagree. The “crypto” part forms the underlying basis for authenticating the ownership of coins. In fact, cryptographic systems are used in every part of the process.

The definition of cryptography in its simplest form is from the Greek meaning “secret writing.” Today, we define it as generating codes that allow information to be kept secret. With a cryptocurrency, we are not keeping information about a transaction secret—quite the opposite, every transaction can be read by everyone. We are using the techniques applied in messaging cryptography to enable people to prove that they are the rightful owner of monies, or more accurately, that they are the rightful owner of a transaction where they were the approved receiver of the money. Bitcoin, for example, uses a mixture of SHA256 hashing, Elliptic Curve cryptography, and others to not just secure a transaction but keep securing it repeatedly, forever. You will learn more about those systems in Chapter 2, “The Hard Bit.”

The idea of being able to pay for goods and services over the Internet is not new. David Chaum developed Digicase in the late 1980s, which was arguably the first concept of Internet money. But it wasn't until 1998 that an attempt at public online payments based on the concept on an online wallet appeared and became successful with PayPal, which was led by the now hugely successful businessman Elon Musk. As I mentioned in this book's Introduction, PayPal still relies on the legacy banking world to handle the storing of money, and PayPal accounts are still primarily linked to real-world bank accounts today.