Arran Holmes
A framework for live host-based Bitcoin wallet forensics and triage
Holmes, Arran; Buchanan, William J.
Abstract
Organised crime and cybercriminals use Bitcoin, a popular cryptocurrency, to launder money and move it across borders with impunity. The UK and other countries have legislation to recover the proceeds of crime from criminals. Recent UK case law has recognised cryptocurrency assets as property that can be seized and realised under the Proceeds of Crime Act (POCA). To seize a cryptocurrency asset generally requires access to the private key. Anecdotal evidence suggests that if cryptocurrency is not seized quickly after enforcement action has taken place, it will be transferred to other wallets making it difficult to seize at a future time. We investigate how Bitcoin could be seized from an Electrum or Ledger hardware wallet, during a law enforcement search, using live forensic techniques and a dictionary attack.
We conduct a literature review examining the state-of-the-art in Bitcoin application forensics and Bitcoin wallet attacks. Concluding, that there is a gap in research on Bitcoin wallet security and that a significant proportion of the available literature comes from a small group of academics working with industry and law enforcement (Volety et al. 2019; Van Der Horst et al., 2017; Zollner et al., 2019). We then forensically examine the Electrum software wallet and the Ledger Nano S hardware wallet, to establish what artefacts can be recovered to assist in the recovery of Bitcoin from the wallets. Our main contribution is a proposed framework for Bitcoin forensic triage, a collection tool to recover Bitcoin artefacts and identifiers, and two proof of concept dictionary-attack tools written in Python and OpenCL.
We then evaluate these tools to establish if an attack is practicable using a low-cost cluster of public cloud-based Graphics Processing Unit (GPU) instances. During our investigation, we find a weakness in Electrum's storage of encrypted private keys in RAM. We leverage this to make around 2.4 trillion password guesses. We also demonstrate that we can conduct 16.6 billion guesses against a password protected Ledger seed phrase.
Citation
Holmes, A., & Buchanan, W. J. (2023). A framework for live host-based Bitcoin wallet forensics and triage. Forensic Science International: Digital Investigation, 44, Article 301486. https://doi.org/10.1016/j.fsidi.2022.301486
| Journal Article Type | Article |
|---|---|
| Acceptance Date | Nov 29, 2022 |
| Online Publication Date | Dec 9, 2022 |
| Publication Date | 2023-03 |
| Deposit Date | Dec 10, 2022 |
| Publicly Available Date | Dec 12, 2022 |
| Journal | Forensic Science International: Digital Investigation |
| Publisher | Elsevier |
| Peer Reviewed | Peer Reviewed |
| Volume | 44 |
| Article Number | 301486 |
| DOI | https://doi.org/10.1016/j.fsidi.2022.301486 |
| Keywords | Bitcoin; wallet forensics; triage; cryptocurrency |
| Public URL | http://researchrepository.napier.ac.uk/Output/2975129 |
Files
A Framework For Live Host-based Bitcoin Wallet Forensics And Triage
(3.3 Mb)
PDF
Publisher Licence URL
http://creativecommons.org/licenses/by/4.0/
You might also like
Securing IoT: Mitigating Sybil Flood Attacks with Bloom Filters and Hash Chains
(2024)
Journal Article
An omnidirectional approach to touch-based continuous authentication
(2023)
Journal Article
Downloadable Citations
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk
This application uses the following open-source libraries:
SheetJS Community Edition
Apache License Version 2.0 (http://www.apache.org/licenses/)
PDF.js
Apache License Version 2.0 (http://www.apache.org/licenses/)
Font Awesome
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2025
Advanced Search