A framework for live host-based Bitcoin wallet forensics and triage
Holmes, Arran; Buchanan, William J.
Organised crime and cybercriminals use Bitcoin, a popular cryptocurrency, to launder money and move it across borders with impunity. The UK and other countries have legislation to recover the proceeds of crime from criminals. Recent UK case law has recognised cryptocurrency assets as property that can be seized and realised under the Proceeds of Crime Act (POCA). Seizing a cryptocurrency asset generally requires access to the private key. Anecdotal evidence suggests that if cryptocurrency is not seized quickly after enforcement action has taken place, it will be transferred to other wallets, making it difficult to seize at a future time. We investigate how Bitcoin could be seized from an Electrum or Ledger hardware wallet, during a law enforcement search, using live forensic techniques and a dictionary attack.
We conduct a literature review examining the state of the art in Bitcoin application forensics and Bitcoin wallet attacks. We conclude that there is a gap in research on Bitcoin wallet security and that a significant proportion of the available literature comes from a small group of academics working with industry and law enforcement (Volety et al., 2019; Van Der Horst et al., 2017; Zollner et al., 2019). We then forensically examine the Electrum software wallet and the Ledger Nano S hardware wallet to establish what artefacts can be recovered to assist in the recovery of Bitcoin from the wallets. Our main contribution is a proposed framework for Bitcoin forensic triage, a collection tool to recover Bitcoin artefacts and identifiers, and two proof-of-concept dictionary-attack tools written in Python and OpenCL.
We then evaluate these tools to establish whether an attack is practicable using a low-cost cluster of public cloud-based Graphics Processing Unit (GPU) instances. During our investigation, we find a weakness in Electrum's storage of encrypted private keys in RAM. We leverage this to make around 2.4 trillion password guesses. We also demonstrate that we can conduct 16.6 billion guesses against a password-protected Ledger seed phrase.
Holmes, A., & Buchanan, W. J. (2023). A framework for live host-based Bitcoin wallet forensics and triage. Forensic Science International: Digital Investigation, 44, Article 301486. https://doi.org/10.1016/j.fsidi.2022.301486
| Field | Value |
|---|---|
| Journal Article Type | Article |
| Acceptance Date | Nov 29, 2022 |
| Online Publication Date | Dec 9, 2022 |
| Deposit Date | Dec 10, 2022 |
| Publicly Available Date | Dec 12, 2022 |
| Journal | Forensic Science International: Digital Investigation |
| Peer Reviewed | Peer Reviewed |
| Keywords | Bitcoin; wallet forensics; triage; cryptocurrency |