CHAPTER 8
Detecting the Use of Cryptocurrencies

I was speaking to a police officer in a European country a few weeks ago, and he was explaining to me why he would not need to read this book. He said they had invested in an expensive cryptocurrency analysis tool, so he would not need to actually understand how cryptocurrencies worked or how to investigate them manually. I asked him if he realized that the tool only analyzed Bitcoin. His reply was, “Are there others?” This was somewhat of a shock to me. When I mentioned a few names, he realized that he had heard of them but wasn't worried because none of them had appeared in cases. I added the word “yet” to the end of his sentence. I reminded him that seven or eight years ago, high-tech crime units were saying something similar about Apple computers: that they didn't need knowledge to investigate those computers because none ever appeared in the lab. Now, of course, a huge number appear as evidence, and those high-tech units are often still behind the curve. Worse, they've probably just bought and been trained on a tool, and do not actually know the fundamentals of OSX investigation without the software tool.

I then asked this police officer if the high-tech crime team always actively looked for the existence of cryptocurrency use on the hard drives and mobile devices they analyzed. He admitted that not only was that not done, he didn't think they would really know what they were looking for. I humbly suggested he read this book.

Before you can start any investigation to follow transactions on a blockchain, you need to locate evidence of cryptocurrency use and then find the addresses or private keys that are being used by a suspect. This is not just the task of a high-tech crime investigator but needs to start right at the initial premises search.

The Premises Search

Several years ago, I stood in the corner of the room of a Middle-Eastern house. The walls were roughly painted, with no pictures hanging on them, and the floor was dusty with a couple of worn Turkish-style rugs strewn across it. It was really hot and pitch dark—the room was only visible with the night vision goggles pressed against my face. In the background, I could hear the sounds of life from outside: neighbors squabbling in the far distance set to the backdrop of sounds animals and insects make in the hour or so before dawn. I knew people were coming, but it was still a shock when the front door clicked and quietly opened. The first four law-enforcement officers that came into the room looked other-worldly—moving smoothly and low, respirators and Kevlar helmets enveloping their heads and, most concerningly, automatic weapons lifted to eye height sweeping left and right as they covered their individual arcs of fire. They silently cleared the room and the room to my left, moving past me like I was invisible. They were being watched by a different instructor, so I wasn't really interested in them—I was there to watch who came next. The next two counterterrorism officers that came into the room were different. Their sidearms were holstered, and they carried a couple of flight cases, which they put down next to a laptop on a desk in the far corner from my observation spot. Their job was to create, if possible, a forensic copy of the memory and hard drive of the laptop. They covered the screen to obscure any light, and the touchpad was tapped. Even with the cover on the laptop screen, the light burned into the screens of the night-vision goggles, and the officers had to self-adjust to the new light source. As the screen came into view, I saw the Enter Password box I knew would appear. One flight case was open on the floor with small tools, hard drives, hardware write-blockers, and other bits of kit. 
I knew the officers had been trained how to use these things, but would they take the hard or the easy route? They would get extra points if they managed to extract the contents of the computer memory, but in this instance, that would mean cleanly logging in, which would require the password. The room search had already started and was being carried out with speed, yet with care and precision, by a team that had done this task 100 times before. As the U.S. Special Forces say, “Slow is smooth, and smooth is fast.”

In the bottom drawer, which was deliberately tricky to open, was a book, and in the front cover of the book was a sticky note. On the sticky note was written a single word in Arabic. It took them less than 5 minutes to find it. One of the officers would now need to enter the word on the unfamiliar keyboard, plug in a device from one of the flight cases, and wait while the device did the copying job for them. The only female in the group, recognizable only from her slightly smaller stature, spoke a little Arabic, so she stepped up and entered the word. It worked, as I knew it would. They fired up the imaging kit and relaxed slightly, with one of the team looking over at me for the first time. I gave a thumbs-up signal and looked to the instructor to my right. He was watching two other officers who needed to locate a small SD camera card hidden in a break in the concrete under a rug. He also gave a thumbs-up, and the exercise was over, goggles off, lights came on, and we all headed down the 50-foot tunnel where the training houses were located and out into an unusually bright but cold day in the English countryside.

The search was an interesting one. The officers knew the SD card was there, and they were tasked to image the laptop. They were limited by a defined time on target and had no way of knowing if there was a password anywhere to be found. Their search drill was flawless, and they found what they needed as well as 9 of the 10 bonus items. But would they have found evidence of cryptocurrency use? In this case, if any of the team had found a string of disconnected words or numbers, they would probably have recorded it, and either photographed or seized it depending on the job. The team was so good that they would have seen anything out of the ordinary as interesting even if they didn't know exactly what it was. Would that be the case with your search teams?

A New Category of Search Targets

Police search teams are routinely trained to look for technical equipment or data, whether that is uncovering USB drives, CD-ROMs, or especially finding notes that may contain passwords. In the current technical climate, where encryption is used more often by suspects, finding a password can be very useful indeed. Most people reuse a small number of passwords, or simple variants of them, across everything they own. If you find one written down, you very often have the key to a good share of their accounts and containers as well.

Search teams also need to be trained to look for evidence of cryptocurrency use both at the premises search and later in the lab when examining computers and mobile devices. This is a new category of search, but it's one that is not complex to train. For many years, search teams have been trained to look for passwords on sticky notes, in notebooks, and written on pieces of paper. Passwords are fairly easy to identify because they are a simple word or phrase written down, often without context. It is even better if a suspect writes down a complex password with numbers and characters, which will then often be clearly identifiable as a passphrase. Finding evidence of cryptocurrency use can be just as straightforward.

Public Addresses

You learned in Chapter 4, “Transactions,” that legacy Bitcoin addresses start with the character 1 (pay-to-public-key-hash) or 3 (pay-to-script-hash), are usually 34 characters long (anything from 26 to 35 is valid), and are formatted as Base58, an alphabet that deliberately omits the easily confused characters 0, O, I and l. Newer native SegWit addresses look different: they are lower case, start with bc1 and run to 42 or 62 characters. For example:

1AMdziK76JwP6DzEGyB9ruddBxQhM1oeZE

Ethereum addresses start with 0x followed by 40 hexadecimal characters, 42 characters in total. They may be written entirely in lower case or in the mixed case of the EIP-55 checksum, which encodes a check value in which letters are capitalized. For example:

0x66febdddc377e2ee0b997c72b76d12c4aa2ce9be

These simple rules make it easy for a search team to learn what to look for. After all, why would someone have a seemingly random series of characters recorded that clearly is not a phone number, bank account number, or something that looks like a very peculiar password?

Some of the places where a search team might find an address or private key are in the following list, and you can see the examples in Figure 8-1. These examples are taken from real-world cases where addresses have been found:

  • On a whiteboard
  • Included in a printed e-mail
  • Printed on paper in a file
  • On a sticky note on the computer monitor
  • On a card in a suspect's wallet


Figure 8-1: Examples of seized addresses.

Addresses can also be recorded as QR codes (see Figure 8-2). This method is often used because it is easier to send someone an image of a long address than to have to manually type it. If a QR code cannot readily be seized, then a photo can be taken of it that can be scanned later.


Figure 8-2: Example of a paper wallet with QR code.

Private Keys

You can sometimes find private keys on pre-printed gift cards or other paper-based wallets such as the ones mentioned in the last section. If a paper-based wallet contains the private key, this enables you to take control of the funds. (You'll learn more about this later in Chapter 14, “Seizing Coins.”)

Although users may not protect their public addresses very much, they tend to be more careful with the private key. Private keys are unlikely to be written on a piece of paper and left lying around, but they could still be found in filing cabinets or safes.

Bitcoin private keys can be written in several formats, and searchers should be aware of them all. The raw key is a 256-bit number, written as 64 hexadecimal characters. More often it will be in Wallet Import Format (WIF): 51 characters starting with the number 5 for an uncompressed key, or 52 characters starting with K or L for the compressed keys that modern wallets produce. There is also a mini private key format, used on some physical coins and paper wallets, where the string starts with S and is 22 (or 30) characters long.

Private keys can also be represented as a list of mnemonic words, usually called a seed or recovery phrase (12, 18 or 24 words are typical). These are used by blockchain.info, the Electrum software wallet, and the Trezor hardware wallet, among many others. A handwritten or typed list of words that bear no relation to each other should stand out to a searcher (see Figure 8-3). If you find such words, the seed can be turned back into the private keys with the matching wallet software, such as Electrum, or with a recovery tool; note that Electrum's seed scheme differs from the BIP39 scheme used by Trezor and most other wallets, so the tool must match the wallet that produced the words. Remember that typing a seed into a website is dangerous: whoever runs the site, or anyone able to read the traffic, could take the funds. If you use a browser-based recovery tool such as the one at http://bit.ly/2Bcakgl, save the page and run it on a machine that is disconnected from the network.


Figure 8-3: List of unrelated words.

Ethereum private keys are 256-bit numbers written as 64 hexadecimal characters, with no prefix. For example:

aba7e63318ebe4450911b62d5e79139310ad35545338bb89fcb7183365cc3375

The Ethereum address, which is what people exchange and write down, is 42 characters long and starts with 0x. (The full public key is 128 hexadecimal characters and is rarely seen outside software; the address is derived from its hash.) For example:

0x310B065125DDBACeB4822CA5e4F130025F8c9f07

These are all fairly easy to train and for searchers to recognize without having to teach detailed technical information. This ensures that potentially vital information is not missed.

Questioning

Although I am not going to give a lesson on questioning a suspect, just as it is important that search teams are told what to look for in relation to cryptocurrency use, it is also important to provide some instruction to those who will question a suspect. Knowing what to ask is important but not as vital as asking at all! Asking if cryptocurrency is used by a suspect should be a question that is regularly included in fact finding. Of course, a suspect may just give a “no comment” interview, as is common here in the UK; however, there are times when asking the right questions can be very useful.

A few years ago, my friend John and I were asked to assist the UK Child Exploitation and Online Protection unit in carrying out a house search. The suspect was using Tails, a privacy-focused live Linux distribution that leaves no trace on the local disk, and the unit wanted more specialized help when they went through the door. The first thing John saw when he entered the suspect's bedroom was the computer screen switched on with a login screen displayed. John asked if the suspect had been read his rights and then simply asked him for his password. The suspect just handed it over. Asking the right question can save a lot of time.

Here are some questions you might ask:

  • Do you use cryptocurrencies?
  • Which do you use (Bitcoin, Litecoin, Ethereum, and so on)?
  • How do you store your private keys?
  • Do your private keys require passwords, and if so, what are they?
  • Where do you buy and sell your cryptocurrencies?
  • What are the passwords for those sites?
  • How much currency do you have?
  • What do you buy with cryptocurrency?

Obviously, there are many more questions you can ask, depending on the circumstances or the investigation type, but enabling the questioning officers with the right questions can be the difference between success and failure.

Searching Online

Information about an address can often be obtained online. It is amazing how often addresses are posted in these places:

  • Websites
  • Forums
  • Software-sharing sites
  • Twitter
  • Social media

Remember that sites such as forums often prevent search engines from indexing all their posts, so it's necessary to browse to the forum and use its own search system. Although cryptocurrency addresses are sometimes found in messages with one user asking for payment for services, for example, it's incredible how often addresses are in forum signatures (see Figure 8-4).


Figure 8-4: Example of address in a forum.

The simplest way of searching online for an address is to just use a search engine such as Google. The problem is that most of the results come from blockchain viewers. For example, a search on the Bitcoin address 1PZ5ebvdt43dvRRgRNgBhsq2PwAKN4X6W results in what's shown in Figure 8-5.


Figure 8-5: Searching for addresses just returns blockchain viewers.

However, if you adjust your search a little and add the “not” operator, a hyphen (-) placed directly in front of a word, you will be able to filter the results somewhat. Try the following Google search:

1PZ5ebvdt43dvRRgRNgBhsq2PwAKN4X6W -block

This search will remove any results with the word block. The results now look somewhat better, and you should be able to more easily find that the address belongs to the UK's Royal National Lifeboat Institution (RNLI).

You can use the site modifier to find results on a specific site, forum, or other online resource that Google indexes. This can be particularly useful when an online resource does not have a search capability of its own. To use this modifier, you just add site: and the domain name of the site you want to search. For example:

site:bitcointalk.org 1PZ5ebvdt43dvRRgRNgBhsq2PwAKN4X6W

This provides search results only from the site domain that you specified (see Figure 8-6).


Figure 8-6: Searching a specific site.

Searching using a search engine or even a search system on a website is fine if you know the address that you're looking for, but what if you want to search a website for any address—for example, a Bitcoin address? Google and other search engines do not allow searches that use regular expressions or pattern-based searches, so you cannot ask a search engine to look for any and all addresses in its index for the whole web or for a specific site.

However, there is a way around this—you can download the site you want to search. This may sound extreme, but it is simple to do and provides you with the ability to search in a completely different way. You will need the following two tools:

  • HTTrack, a website copier that downloads a site to a folder on your local drive
  • Agent Ransack, a free Windows file-search tool that supports regular expressions

Install both of these tools on your system using their default settings.

Running HTTrack is very simple. You just fill in the project name and then add the URL or URLs that you want the tool to download. In my example, I am using omninano.org. A number of options exist to change the way that the tool spiders and downloads the website; for example, you can decide not to download images and other media. The first time you run it, simply stick with the defaults (see Figure 8-7 and Figure 8-8).


Figure 8-7: Enter the project name and the location where the files should be saved.


Figure 8-8: Add the URLs to download.

Once the site has downloaded, run Agent Ransack. This is a superb software tool that enables you to do powerful text searching within files and recursively search through a series of subfolders. There is an excellent Help facility if you want to learn how to use the tool better.

Within Agent Ransack, perform the following steps:

  1. In the File Name field type .html or .htm (check in the downloaded website files to find the right extension).
  2. In the Containing Text field, type the following:
    [13][1-9A-HJ-NP-Za-km-z]{26,33}<
    This is the regular expression that will locate Bitcoin addresses for you. Reading it left to right: [13] matches the first character of a legacy address, the character class is the Base58 alphabet (no 0, O, I or l), {26,33} allows the remaining 26 to 33 characters, and the trailing < anchors the match to the end of an HTML text node, which is why the expression works well on downloaded web pages. Leave the < off when you search anything other than HTML.
  3. Using the browse button set the Look In field to the path of the downloaded files from HTTrack. By default, this is C:\My Web Sites\<folder to search>, which in my example is omni.
  4. Select the Subfolders option check box.
  5. Click the Options tab and set Contents to Regular Expression.
  6. Click Start. Your screen should now look something like Figure 8-9.

    Figure 8-9: Setup of Agent Ransack.

    Agent Ransack will now search the entire structure of downloaded web pages, looking for matches to the specified regular expression. If there are any to find, this should locate any Bitcoin addresses (as shown in Figure 8-10 for my example). The regular expression can be adjusted to look for addresses for other cryptocurrencies too.


Figure 8-10: Recovery of a Bitcoin address from the website.

Extracting Private and Public Keys from Seized Computers

Computers and mobile devices are routinely seized during the course of almost any type of investigation. People often ask me how many computer crimes I work on. I answer that only a small percentage of digital investigations are actually solely computer-based crimes, and virtually any crime committed can have digital evidence associated with it, whether that be evidence in e-mail or other messaging programs, GPS locations, digital CCTV footage, … the list goes on. In the same vein, I have been asked a few times how many cryptocurrency crimes I have investigated. Crimes committed exclusively on a cryptocurrency are currently relatively rare, and I've only investigated a few in the past year. However, if the question was phrased a little differently, and I was asked how many crimes have I investigated that included an aspect of cryptocurrency use, the answer would be very different. In fact, one of the “pure” cryptocurrency cases I was involved with was the stealing of a person's private keys, which is really just a basic theft.

Commercial Tools

When a seized computer arrives in the lab, the first thing that happens is the drives are imaged, or forensically copied. Those images are then loaded into a variety of digital investigation tools such as Guidance Software's EnCase, AccessData's Forensic Toolkit (FTK), X-Ways, or one of the other available forensics tools. There are also data-carving tools such as the excellent AXIOM tool from Magnet Forensics.

Here is a brief overview of some of these tools:

  • AXIOM This tool is designed to look for file headers and other values to carve data from forensic images and hard drives. As of version 6.1, AXIOM will natively carve Bitcoin addresses from a Bitcoin wallet, as well as queries on the Bitcoin network from log files created by the Bitcoin client software. You can learn more about this tool at http://bit.ly/2i3UBHT.
  • EnCase In many labs, EnCase is the default digital investigation tool for computer hard drives, although labs are often polarized between EnCase and FTK from AccessData. They are both excellent tools with their own pros and cons. EnCase does not have Bitcoin extraction capabilities built-in; however, an EnScript finder is available that can locate addresses on drive images or other media using the regular expression that you used earlier in this chapter. You can learn more about this tool at http://bit.ly/2BlXFGI.
  • FTK FTK has always been my personal tool of choice, but it does not have the ability to script add-ons like EnCase does. However, you can just use the regular expression searching feature with the expression mentioned previously: [13][1-9A-HJ-NP-Za-km-z]{26,33} (leave off the trailing < used on web pages; it only matches the end of an HTML text node). Although this expression works fairly well on a website as detailed in the previous section, you will find many false positives when searching a hard drive, because any random-looking run of letters and digits of the right length will match. The checksum test described later in this chapter, under “Automating the Search for Bitcoin Addresses,” is the way to weed those out.

Extracting the Wallet File

If possible, it's best to try to find and recover the wallet file. The wallet contains everything you need to investigate Bitcoin usage: private keys and addresses, records of transactions, and other metadata. Bear in mind that a wallet may be encrypted with a passphrase; in Bitcoin Core's case only the private keys are encrypted, and the addresses, labels, and transaction records remain in plain text, so the file is still well worth having. If you can get a wallet from a suspect's computer, it's time to celebrate!

Finding the location on a drive of the wallet file for a particular type of cryptocurrency software is usually just a case of googling it, but I'll give you some examples of where the most popular software tools store the wallet file. With most software, you can choose your own installation location (see Figure 8-11), so the default addresses that you can find in the software documentation may not be accurate, but you have the option to search for a wallet file if you can't find it by heading to the default location.


Figure 8-11: You can change the default storage location in Bitcoin Core.

The default wallet locations for the most popular wallet software programs are listed next. The list contains the name of the software, the operating system, the path to the wallet and, if relevant, the name of the wallet in parentheses.

Bitcoin Core (wallet.dat)

  • Windows XP: C:\Documents and Settings\<username>\Application Data\Bitcoin
  • Windows Vista through Windows 10: C:\Users\<username>\AppData\Roaming\Bitcoin
  • Linux: ~/.bitcoin/
  • Mac: ~/Library/Application Support/Bitcoin

Litecoin (the wallet.dat sits in the same data directory as litecoin.conf)

  • Linux: /home/<username>/.litecoin/litecoin.conf
  • Mac: /Users/<username>/Library/Application Support/Litecoin/litecoin.conf
  • Windows XP: C:\Documents and Settings\<username>\Application Data\Litecoin\litecoin.conf
  • Windows Vista through Windows 10: C:\Users\<username>\AppData\Roaming\Litecoin\litecoin.conf

Other wallet software on Windows (%appdata% expands to C:\Users\<username>\AppData\Roaming)

  • Armory: %appdata%\Armory (.wallet)
  • Bitcoin Unlimited/Classic/XT/Core: %appdata%\Bitcoin (wallet.dat)
  • Bither: %appdata%\Bither (address.db)
  • Blockchain.info: (wallet.aes.json)
  • MultiBit HD: %appdata%\MultiBitHD (mbhd.wallet.aes)
  • Electrum: %appdata%\Electrum\wallets
  • mSIGNA: %homedrive%%homepath% (.vault)

But what if a wallet.dat file or similar has been installed to a different location, renamed, or moved? It is likely that a copy or backup of a wallet.dat file would still have the .dat extension, so you could simply use your digital forensics tool to search first for wallet.dat and then for *.dat, although the latter will return a significant number of false positives.

Perhaps the best method is to search for a “magic value” that always exists inside the wallet.dat file. Similar magic values can be found for any wallet by installing the cryptocurrency software, extracting the wallet, and analyzing it either in a hex editor or simply by extracting all the strings from it. This is really easy to do but requires the strings.exe tool written for Windows by Sysinternals, which you can download from http://bit.ly/2kbz7wY (on Linux and macOS the strings utility that ships with the system does the same job). The strings.exe tool will extract all of the ASCII or Unicode strings from any file, by default those of three characters or more, although this value can be changed on the command line.

If you have a wallet.dat file (which you will if you installed Bitcoin Core in Chapter 2, “The Hard Bit”), locate the file and copy it to the same folder that strings.exe is in. Open a command shell in the folder where the wallet.dat file exists and type the following:

strings wallet.dat > walletstrings.txt

This will create a new file with a long list of human-readable strings. If you scroll down, you will begin to see text that you may remember from Chapter 6, “Wallets” (see Figure 8-12).


Figure 8-12: Hierarchical paths in the recovered text.

These are the Hierarchical Deterministic paths that make up an HD wallet. If you keep scrolling through the list, you will eventually find a Bitcoin address in plain text that looks similar to what's shown in Figure 8-13.


Figure 8-13: Finding an address with its prefix.

This address has an interesting value prefixing it: name"1. This value, which includes the 1 from the start of a Bitcoin address, has always existed in a wallet.dat file (in my experience). The reason is the wallet's record layout: Bitcoin Core's legacy wallet.dat stores every address it knows about under a key made up of the string name, a single byte giving the length of the address, and then the address itself. For a 34-character address that length byte is 0x22, which prints as a double quote, hence name"1. A 33-character address would therefore appear as name!1, and a P2SH address as name"3, so a slightly more general search is the word name followed by any single byte and then a 1 or a 3. For the common case the plain string is enough: simply use your digital forensics tool to search for name"1, and you should find the correct file (see Figure 8-14).


Figure 8-14: Wallets found in the Recycle Bin and renamed.

Notice that four files have been found in this example, including one in the Recycle Bin and one that has been renamed to bitcoincore-wallet.dat. This method is very successful, and you can simply install other wallet-management software and use the same strings technique to locate your own “magic value” to find renamed and hidden wallets. One caveat for newer evidence: Bitcoin Core 0.21 and later can create descriptor wallets stored in SQLite rather than Berkeley DB; those files begin with the header text SQLite format 3 and do not necessarily lay their records out the same way, so derive a fresh magic value from a wallet created with the same version of the software you expect the suspect to have used.

If you installed Bitcoin Core on your own computer, you can prove this works by using Agent Ransack. Get Agent Ransack to search all of c: for the text name"1 (see Figure 8-15).


Figure 8-15: Recovered addresses with the magic value prefix.

Automating the Search for Bitcoin Addresses

If you have some programming experience, it is fairly straightforward to write some tools to automate the extraction of information from a blockchain. Especially with access to the reasonably straightforward API URLs, simple scripts can be written to automatically grab virtually anything from transactions to balances. I know that a number of police forces have written their own scripts, and most keep them to themselves; however, a researcher named Chris Cohen posted an excellent Python script to GitHub in 2014 called BTCscan. You can download it at http://bit.ly/2BE6Bbw. It was accompanied by a very informative article published on the Forensic Focus website in January of 2015. You can find this article at http://bit.ly/2iykm73, and I highly suggest that you read it.

In his article, Chris points out that just searching a drive for addresses using the regular expression that you used earlier in this chapter works well, but on a large data set like an entire hard drive you are likely to get numerous false positives. To counter this, he uses the error checking built into Base58Check (which, as you may recall, is how Bitcoin addresses and WIF keys are written): the last four bytes of the decoded value are the first four bytes of the double SHA-256 hash of everything before them. Recompute that hash over a recovered value and compare it with the trailing four bytes; a random run of Base58-looking characters will pass the comparison only about one time in four billion, so a match is very strong evidence that you really have an address or key. Chris's script does this for you.

The tool is very easy to run and will attempt to recover public and private Bitcoin addresses and/or keys in a variety of formats. The command is built using the primary command and switches in the following list:

  • Btcscan.py
  • -i—Use this input command to specify the drive, directory, and/or files to search.
  • -q—This command signifies Quick mode, which does not search BIP32 HD wallet keys.
  • -u—This command signifies Unicode mode, only search for Unicoded items.
  • -n—This command signifies Non-Unicode mode, which only searches for non-Unicoded items.

The tool requires Python 3.5, which you can download from www.python.org/downloads. If you have been following along with instructions in the book, you will already have both Python 2 and 3 installed, so you need to tell your computer which version you wish to use. You do this in the command shell by prefixing the btcscan command with the command py -3.

Open a command shell in the folder where the btcscan program exists. You can then run the software tool against anything from a raw hard drive image to a folder or even a mobile phone dump.

To search an imaged hard disk file, you will need a single raw image (a split or compressed forensic image such as an E01 must first be exported as one raw file). For example, if your image is called HD_01.dd, then the command would be:

py -3 btcscan.py -i HD_01.dd

If you want to search a folder, the command would be:

py -3 btcscan.py -i "C:\folder"

The output creates a comma-delimited file that can easily be imported into a spreadsheet for analysis.

The output is also useful in that it provides an offset of where the address was found in the image file you have searched. This enables you to use your favorite digital forensics tool to go and find the value manually and see it in its context.
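The checksum test that Chris's article describes, shown here as an added example that is not part of the original chapter and is not BTCscan itself: a self-contained Python scanner that applies the chapter's Base58 character class to arbitrary bytes (a downloaded web page from the HTTrack section, a disk image, a RAM dump) and keeps only candidates whose Base58Check checksum verifies, classifying them as P2PKH or P2SH addresses or WIF private keys. It also shows the structure behind the name"1 magic value from the wallet.dat section, where the " is the length byte of the address that follows. The sample buffer, the hash160 and key bytes derived from fixed strings, and all function names are constructed for the illustration.

```python
"""Checksum-verified search for Bitcoin artefacts in arbitrary bytes.
Added example, not BTCscan and not Bitcoin Core code.  Scans a buffer
(web page, disk image, RAM dump) with the chapter's Base58 pattern and
keeps only candidates whose Base58Check checksum verifies."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Same character class as the chapter's search expression.  First character
# 1/3 for addresses, 5 for uncompressed WIF, K/L for compressed WIF.  The
# look-around assertions stop a longer Base58 run from being split in two.
B58_CLASS = rb"[1-9A-HJ-NP-Za-km-z]"
CANDIDATE_RE = re.compile(
    rb"(?<!" + B58_CLASS + rb")[135KL]" + B58_CLASS + rb"{25,51}(?!" + B58_CLASS + rb")"
)


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str) -> bytes:
    """Base58 -> bytes; every leading '1' stands for a leading 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_INDEX[ch]           # KeyError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def base58check_encode(version: int, payload: bytes) -> str:
    """Version byte + payload + first 4 bytes of double SHA-256, in Base58."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def classify(candidate: str):
    """Artefact type if the checksum verifies and version/length make sense."""
    try:
        raw = b58decode(candidate)
    except KeyError:
        return None
    if len(raw) < 5 or _sha256d(raw[:-4])[:4] != raw[-4:]:
        return None                          # checksum mismatch: false positive
    version, body = raw[0], raw[1:-4]
    if version == 0x00 and len(body) == 20:
        return "p2pkh-address"
    if version == 0x05 and len(body) == 20:
        return "p2sh-address"
    if version == 0x80 and len(body) == 32:
        return "wif-uncompressed"
    if version == 0x80 and len(body) == 33 and body[-1] == 0x01:
        return "wif-compressed"
    return None


def scan_bytes(data: bytes):
    """(offset, kind, text) for every checksum-valid candidate in data."""
    hits = []
    for m in CANDIDATE_RE.finditer(data):
        text = m.group().decode("ascii")
        kind = classify(text)
        if kind:
            hits.append((m.start(), kind, text))
    return hits


def find_wallet_name_records(data: bytes):
    """Legacy Bitcoin Core wallet.dat keys each known address as
    'name' + one length byte + the address.  The chapter's name"1 magic value
    is the 34-character case (0x22 == 34 == '"'); this accepts lengths 26-35
    and then checks the address checksum."""
    out = []
    for m in re.finditer(rb"name([\x1a-\x23])(" + B58_CLASS + rb"+)", data):
        addr = m.group(2)[: m.group(1)[0]].decode("ascii")
        if classify(addr) in ("p2pkh-address", "p2sh-address"):
            out.append((m.start(), addr))
    return out


# Constructed sample, not real evidence: hash160 and key bytes derived from
# fixed strings, one deliberately corrupted address, and a fake 'name' record.
_H160 = hashlib.sha256(b"constructed hash160").digest()[:20]
_PRIV = hashlib.sha256(b"constructed private key").digest()
SAMPLE_ADDR = base58check_encode(0x00, _H160)
SAMPLE_P2SH = base58check_encode(0x05, _H160)
SAMPLE_WIF = base58check_encode(0x80, _PRIV + b"\x01")   # compressed-key WIF
CORRUPT_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE = (b"pay to " + SAMPLE_ADDR.encode() + b"<br>typo: " + CORRUPT_ADDR.encode()
          + b"\x00key=" + SAMPLE_WIF.encode() + b"\x00\x04name"
          + bytes([len(SAMPLE_P2SH)]) + SAMPLE_P2SH.encode() + b"\x00")

if __name__ == "__main__":
    for off, kind, text in scan_bytes(SAMPLE):
        print(f"{off:6d}  {kind:16s}  {text}")
    print("wallet name records:", find_wallet_name_records(SAMPLE))
```

The corrupted copy of the address is matched by the regular expression but rejected by classify: changing one trailing character alters the decoded value by at most 57, which lands in the four checksum bytes while the payload, and therefore its expected checksum, stays the same. On a real image, feed scan_bytes the file contents in chunks that overlap by at least 52 bytes so a key straddling a chunk boundary is not missed, and review the offsets it returns in your forensic tool as the chapter suggests.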

Finding Data in a Memory Dump

Computer memory or RAM (random access memory) contains a significant amount of recoverable data. Investigators can mistakenly think that RAM is overwriting itself all the time and there is nothing useful to recover, when in fact, nothing could be further from the truth. There is a significant amount of data to be found, including files, passwords, encryption master-keys, and so on.

Imaging RAM creates some controversy in the digital forensics world because, in most cases, it means running an executable on the suspect's computer. The “best evidence” ideal is to make no changes to the suspect's data at all, and any tool you run does make changes: its own process occupies and overwrites a little memory, and Windows may write prefetch entries or page data to the disk. With the size of RAM increasing to significant levels in recent years, and with tools available that can acquire vast amounts of data from it, those small, documentable changes are seen as an acceptable price for imaging 4, 8, 16, or more gigabytes of evidence. In the past five years, the thinking has changed, and most primary police and government digital-forensics departments now image RAM as a matter of priority if a computer is on when they search a suspect's premises.

You may wonder why it's worth imaging and searching the RAM when you have the disk. Of course, any addresses loaded into RAM from a wallet file will likely be recoverable from the disk. But what about in the situation where RAM is imaged, the computer is powered down, and the disk is imaged only to discover that the disk is fully disk-encrypted or that the cryptocurrency software is in an encrypted container? An undercover unit may only have access to a computer for a short time—not long enough to image the entire disk but sufficient time to get the memory. In these instances, the RAM may be all you have. Also, a recovery seed may have been generated which could still be recoverable from RAM but was never written to the disk.

Imaging RAM is fairly straightforward. Personally, I am a fan of the RAM imager tool by forensics company Belkasoft, which you can download from http://bit.ly/2BvPTdr. Although this tool can be run from the command line, you can simply double-click the executable file (choosing either the 32- or 64-bit build), provide an output path and name, and click Capture! (see Figure 8-16).


Figure 8-16: Running the Belkasoft RAM capture software.

Running the Belkasoft imager tool will create a .mem file that is a raw dump of the memory. Once you have your memory dump, you can do a number of things to look for cryptocurrency artifacts.

One thing you can do is use Chris Cohen's tool BTCscan as discussed previously. It works very well against RAM dumps and is a quick win to see if there is anything extractable. With a command shell open in the folder where BTCscan resides, you can just run the following:

py -3 btcscan -i <path_to_RAM_dump>

For example:

py -3 btcscan -i c:\temp\201811.mem

The output will be the same as from a disk, but of course, it will run much more quickly against the smaller data set.

Alternatively, you can simply use Agent Ransack to search the memory dump for the regular expression [13][1-9A-HJ-NP-Za-km-z]{26,33} that you used previously, or just search for the name"1 string.
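The regular expression above produces candidates, not addresses: any run of Base58 characters of the right length matches it, and a multi-gigabyte memory image contains many such runs. What separates a real address from noise is the 4-byte Base58Check checksum (the first four bytes of a double SHA-256 over the version byte and the 20-byte hash). The following Python scanner is an added example, not the book's method and not BTCscan's code: it applies the chapter's pattern, then keeps only candidates whose checksum verifies, and reads a .mem file in chunks with an overlap so an address straddling a chunk boundary is not missed. The sample dump, the hash160 it is built from and the file name constructed.mem are all constructed for the example.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet (no 0, O, I or l).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# The candidate pattern the chapter uses for Agent Ransack, wrapped in a
# lookahead so that overlapping candidates are all examined.
CANDIDATE_RE = re.compile(rb"(?=([13][1-9A-HJ-NP-Za-km-z]{26,33}))")


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return b"1" * pad + bytes(reversed(digits))


def b58decode(encoded):
    n = 0
    for c in encoded:
        n = n * 58 + B58_INDEX[c]  # KeyError for a byte outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(encoded) - len(encoded.lstrip(b"1"))
    return b"\x00" * pad + body


def checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version, hash160):
    body = bytes([version]) + hash160
    return b58encode(body + checksum(body))


def is_valid_address(candidate):
    """True if candidate decodes to version + 20-byte hash + matching 4-byte checksum."""
    try:
        raw = b58decode(candidate)
    except KeyError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def scan_for_addresses(blob):
    """Distinct checksum-valid addresses in blob, in order of first appearance."""
    found = []
    for m in CANDIDATE_RE.finditer(blob):
        cand = m.group(1)
        # A real address may be followed by more Base58 bytes, so try the
        # longest prefix first and stop at the first one that verifies.
        for length in range(len(cand), 26, -1):
            prefix = cand[:length]
            if is_valid_address(prefix):
                if prefix not in found:
                    found.append(prefix)
                break
    return found


def scan_dump_file(path, chunk_size=64 * 1024 * 1024, overlap=33):
    """Scan a raw .mem dump in chunks; the 33-byte overlap catches an address
    that straddles a chunk boundary (an address is at most 34 bytes long)."""
    found, tail = [], b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            for addr in scan_for_addresses(tail + chunk):
                if addr not in found:
                    found.append(addr)
            tail = chunk[-overlap:]
    return found


# Constructed sample: a made-up hash160, a valid address built from it, a copy
# with its last character changed, and a Base58-looking decoy, all embedded in
# filler that mimics the 'name"' prefix found before addresses in wallet.dat.
SAMPLE_HASH160 = hashlib.sha256(b"constructed hash160").digest()[:20]
SAMPLE_ADDRESS = base58check_encode(0x00, SAMPLE_HASH160)
CORRUPTED_ADDRESS = SAMPLE_ADDRESS[:-1] + (b"2" if SAMPLE_ADDRESS.endswith(b"1") else b"1")
SAMPLE_DUMP = (b"\x00" * 40 + b'name"' + SAMPLE_ADDRESS + b"\x00" * 17
               + b"1FakeButBase58CandidateStringXYZ9 " + CORRUPTED_ADDRESS + b"\xff" * 12)


def demo(path="constructed.mem"):
    """Write the constructed dump to disk and scan it with a tiny chunk size."""
    with open(path, "wb") as f:
        f.write(SAMPLE_DUMP)
    return scan_dump_file(path, chunk_size=50)


if __name__ == "__main__":
    for addr in demo():
        print(addr.decode())
```

Only the genuine address survives: the corrupted copy and the decoy match the pattern but fail the checksum. On a real dump, call scan_dump_file with the path to the .mem file; the default 64 MB chunk keeps memory use flat however large the image is.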

Working on a Live Computer

Most police first-responders now accept that if a computer is running when they enter the premises, it is best evidence to, at the very least, acquire the memory. However, there may be circumstances where you would want to extract more data from the live computer before it was imaged or powered down—for example, if the drive is encrypted and battery power is limited with no obvious power source or you do not have the means at your disposal to image the drive while the computer is live. It may be worth considering seizing cryptocurrency assets from the live computer if at all possible, because a third party may also have a copy of the private keys of the suspect. If you wait until you are back at the lab, the assets may already have been moved by the other person. (This process will be discussed in Chapter 14, “Seizing Coins.”)

Should you wish to gather evidence on a live running computer, bear the following in mind:

  • It is vital to document the date and time you start work on the computer, noting both the computer's time and the actual time on your watch, phone, or other means.

    A few years ago, a police search team entered a location just as the suspect was copying illegal images of children from an SD card onto his hard drive. The suspect was detained, and the investigator sat down to image the memory. Although this was the right thing to do, he failed to notice that the system time was off by 1 hour. If you simply correlated the times in the police notebooks with the times of the activity on the computer, it appeared that the police entered the premises and then they proceeded to copy illegal images onto the computer. This does not look good in court!

  • Limit the changes made to the computer, and know what changes are made when you insert a USB key or run a particular tool.
  • Document what you did with the times and likely changes made.

One thing you might be looking for on a live computer is whether any cryptocurrency tools were installed or running. If so, it would be good to extract the wallet file. Let's consider a few ways of achieving that.

Acquiring the Wallet File

Many first-responder toolkits can be adjusted to acquire specific data types or filenames; however, this can also be achieved successfully with a simple batch file. My favorite text tool is Notepad++, which you may have installed back in Chapter 2. Let's use it to write a very simple script to find and copy out any wallet.dat file that it can find on the system. This works best from an external drive, so I suggest that you find a USB key, portable hard drive, or something similar to run the batch file from. Then follow these steps:

  1. Open Notepad++ and type the following into a document:
    xcopy "%systemdrive%\walle*.dat" /s
  2. Save the document as walletfind.bat onto your USB drive.
  3. Browse to the batch file and run it.

    The xcopy command has been around for many years and can be found on virtually all versions of Windows. The command will search the entire system drive (which is usually c:) and look for anything with a filename pattern walle*.dat, and the /s parameter will search all subdirectories. Any results will be written back to your USB key in the folder structure that it found on the disk.

    As you can see in Figure 8-17, I ran the command straight from a command shell. It recovered two wallet.dat files, which it wrote to the root of where I ran the command from. In the case of the batch file saved to the USB key, this will save the results straight to the key.


Figure 8-17: Finding and extracting the wallet file.

It can also be useful to know if any cryptocurrency programs are installed on the computer. For this, I use a tool that is built into Windows 7, 8, and 10. The easiest way to run the command is to add it to the walletfind.bat script that you have just written. Follow these steps:

  1. Add this line to your script:
    WMIC product get name, version > installedapps.txt
  2. Save the batch file to your USB key and run it.

    This will create a text file called installedapps.txt. If you open the text file, you will see a large list of installed applications (see Figure 8-18).


    Figure 8-18: Subset of the many applications found.

    The problem here is that the WMIC command only lists installed applications and would miss any programs that ran from an executable file without installing. For this reason, it can be a good idea to add a second xcopy line to the batch file that will copy all the executable files on the system to your USB key. This will be a lengthy list, but at least you won't miss anything. Just add the following line to your walletfind.bat batch file:

    xcopy "%systemdrive%\*.exe" /s

This works well and gives you a fairly quick way of ascertaining what is installed on the system without poking around Windows Explorer windows and changing all the Last Accessed Dates, which is not a good thing when working on a suspect's system! With the extracted lists of all installed applications and executable files on your USB key, you can browse the list for known cryptocurrency wallet applications.
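The two xcopy lines copy files, but they do not record when the copy was made or prove that the copy matches the original, and both matter later (see the time-recording bullet earlier in this section and the corruption problem described under "Exporting Data from the Bitcoin Daemon"). The following Python script is an added example, not the book's batch file: it performs the same search as walletfind.bat (the walle*.dat pattern, every subdirectory, source layout preserved in the output folder), hashes each file before and after copying, and writes an acquisition log with UTC and local start times. Passing pattern="*.exe" gives the second xcopy line. The function names and the sample directory tree built by demo() are constructed for the example.

```python
import fnmatch
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

WALLET_PATTERN = "walle*.dat"  # same pattern as the chapter's xcopy line


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_wallets(root, dest, pattern=WALLET_PATTERN):
    """Copy every file under root whose name matches pattern into dest,
    keeping the source directory layout (as xcopy /s does), verify each copy
    by SHA-256, and write acquisition_log.json next to the copies.
    Reading a file may still update its last-accessed time on the source
    system, so the log records exactly which files were touched and when."""
    started_utc = datetime.now(timezone.utc)
    os.makedirs(dest, exist_ok=True)
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), pattern):
                continue
            src = os.path.join(dirpath, name)
            out = os.path.join(dest, os.path.relpath(src, root))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            src_hash = sha256_file(src)
            shutil.copy2(src, out)  # copy2 preserves the source timestamps on the copy
            records.append({
                "source": src,
                "copy": out,
                "size": os.path.getsize(src),
                "modified_utc": datetime.fromtimestamp(
                    os.path.getmtime(src), timezone.utc).isoformat(),
                "sha256": src_hash,
                "verified": sha256_file(out) == src_hash,
            })
    log = {
        "started_utc": started_utc.isoformat(),
        "started_local": started_utc.astimezone().isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "root": os.path.abspath(root),
        "pattern": pattern,
        "files": records,
    }
    with open(os.path.join(dest, "acquisition_log.json"), "w") as f:
        json.dump(log, f, indent=2)
    return records


def demo():
    """Build a constructed tree with two wallet files and one decoy, acquire
    it into a fresh output folder, and return the records."""
    root = tempfile.mkdtemp(prefix="suspect_")
    dest = tempfile.mkdtemp(prefix="usb_")
    fixtures = {  # constructed contents, not real wallet data
        os.path.join("AppData", "Roaming", "Bitcoin", "wallet.dat"): b"constructed-wallet-1",
        os.path.join("backup", "wallet.dat"): b"constructed-wallet-2",
        os.path.join("Documents", "notes.txt"): b"not a wallet",
    }
    for rel, data in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return acquire_wallets(root, dest)


if __name__ == "__main__":
    for rec in demo():
        print(rec["sha256"], "verified" if rec["verified"] else "MISMATCH", rec["source"])
```

In use, root is the system drive and dest is a folder on the USB key; a "verified": false entry in the log is the corrupted-copy case the chapter warns about, caught at acquisition time rather than in the lab.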

Exporting Data from the Bitcoin Daemon

Copying a wallet from an operating system can have problems. For example, if the wallet.dat file was being written to when you copy it, there is always the chance of corruption. In fact, I have had this happen. The original file was not corrupted, but the version copied to my USB key was. Windows should handle this, but you never know.

Another way of extracting data from a cryptocurrency program such as Bitcoin Core is to run commands from its console interface. If you want to try this, you will need to have Bitcoin Core installed, which was detailed back in Chapter 1, “What Is a Cryptocurrency?”

To use this data-extraction method on a system with Bitcoin Core installed, follow these steps:

  1. Open a command shell and change to the following folder:
    C:\Program Files\Bitcoin\daemon
  2. Type the following line in the command shell:
    bitcoind
    It is likely that Windows will pop up a Security Alert window. If that happens, click the Allow Access button.
  3. Minimize (do not close) the command shell.
  4. Open a second command shell and browse to:
    C:\Program Files\Bitcoin\daemon
  5. To cleanly dump the wallet from Bitcoin Core, run the following command from this second command shell:
    bitcoin-cli backupwallet <pathtoUSB>
    For example:
    bitcoin-cli backupwallet e:\
    This will dump the wallet file out to your USB key as illustrated in Figure 8-19.


Figure 8-19: Using Bitcoin Core to back up a wallet.

There are some other very useful commands that you can run while the computer is live to obtain information that will be extremely difficult to get once the drive is imaged and you are searching via a digital forensics tool. For example, you can run the following command:

bitcoin-cli getwalletinfo

This command will write out some very useful information about the wallet including the current balance, the unconfirmed balance (transactions not yet confirmed), and the number of transactions the wallet has done (see Figure 8-20).


Figure 8-20: Output from the walletinfo command.

It is possible to output this information to a text file by adding > and an output path. For example:

bitcoin-cli getwalletinfo > walletinfo.txt

You may wish to extract information on the network usage. The following command will provide information on the number of bytes sent and received (see Figure 8-21):

bitcoin-cli getnettotals

Figure 8-21: Output from getnettotals.

You can also use the following command to get information on the type of signaling that is being used to send and receive data (see Figure 8-22):

bitcoin-cli getnetworkinfo

Figure 8-22: Output of getnetworkinfo.

You can use this command to find out whether the Bitcoin Core client is configured to use the Tor onion network.

Try using the following command to see information on the peers that the Bitcoin Core node is currently connected to (see Figure 8-23):

bitcoin-cli getpeerinfo

Figure 8-23: Output of getpeerinfo.

This command will enable you to see the IP address of each peer as well as data such as the time offset from UTC, the amounts of data sent and received, and the ping time.

The following daemon command is one of my favorites because it lists all the transactions that the node has done (see Figure 8-24):

bitcoin-cli listtransactions

Figure 8-24: Output of listtransactions.

This shows all the addresses that the suspect has transacted with, which is vital information for an investigator. You can also see the local addresses the suspect has used, so you'll have a huge head start in tracking payments. This can be a large list, so I recommend that you always use > after the command to output the results to a text file.

You can also see all the unspent transactions by running the following command:

bitcoin-cli listunspent

The commands I've introduced to you in this section are invaluable to extract actionable data from Bitcoin Core. However, they are quite complex to remember, so I suggest that you write them into a batch script by following these steps:

  1. Open a new Notepad++ document and type the following:
    cd "%systemdrive%\program files\bitcoin\daemon"
    bitcoind
  2. Save this document to your hard drive with the name start_server.bat.
  3. Open a new Notepad++ document and type the following:
    cd "%systemdrive%\program files\bitcoin\daemon"
    bitcoin-cli getwalletinfo > c:\temp\walletinfo.txt
    bitcoin-cli getnettotals > c:\temp\nettotals.txt
    bitcoin-cli getnetworkinfo > c:\temp\networkinfo.txt
    bitcoin-cli getpeerinfo > c:\temp\peerinfo.txt
    bitcoin-cli listtransactions "*" 1000 > c:\temp\transactions.txt
    bitcoin-cli listunspent > c:\temp\unspent.txt
  4. Save this file to your hard drive as getdata.bat.
  5. Create a folder at c:\temp for the results.
  6. Browse to your USB key and first double-click the start_server.bat file and then double-click the getdata.bat file.

    Your USB key should now contain a list of files with significant data from the Bitcoin Core node. This is an excellent way of quickly gathering data that is invaluable to an investigator but will be difficult to extract later from a disk image.

Extracting Wallet Data from Live Linux and OSX Systems

I won't spend significant time detailing the methods you can use to search for and extract data from Linux and OSX systems, because they are very similar to Windows. For example, all of the bitcoin-cli commands in Bitcoin Core work exactly the same in Linux as they do in Windows. When you install Bitcoin Core for Linux, the daemon is also installed into the system path. This means that you can simply open a terminal and type the following command to start the server:

bitcoind -daemon

Another terminal will then allow you to run all the bitcoin-cli commands. These commands are the same as in Windows, including getnetworkinfo, getnettotals, and listtransactions.

By default, Bitcoin is installed on Linux here:

~/.bitcoin/

And it is installed on OSX here:

~/Library/Application Support/Bitcoin

There is also an easy way to search for the wallet file in both Linux and OSX. You can use this method to find the wallet file as well as to copy it out of the OS to a connected drive. The command is simply:

find / -name wallet.dat

To copy the file out, you either need to know the path to your connected USB device or have a shell script, similar to a batch file, on the key that you run. The command looks like this:

find / -name wallet.dat -exec cp {} <path_to_USB> \;

It may be that you have to run the command with root (superuser) privileges to have success. In that case, you'll need to prefix the command with sudo and provide the associated password.

Although I will not cover writing shell scripts in any detail, they are very similar to the batch scripts. One difference is that you must start the script with the path to a terminal such as the following:

#!/bin/sh

And you exit your script with something like this:

exit 0

So, for example, you can run the bitcoin-cli commands in Linux as follows:

  1. Open a text editor in your Linux operating system and type the following:
    #!/bin/sh
    bitcoin-cli getwalletinfo > walletinfo.txt
    bitcoin-cli getnettotals > nettotals.txt
    bitcoin-cli getnetworkinfo > networkinfo.txt
    bitcoin-cli getpeerinfo > peerinfo.txt
    bitcoin-cli listtransactions "*" 1000 > transactions.txt
    bitcoin-cli listunspent > unspent.txt
    exit 0
  2. Save the file as bitcoin-cli.sh.
  3. This next step needs to be done with the file on a Linux OS because you need to make the file executable. This is straightforward—you just need to open a terminal in the same folder as your .sh file and type the following:
    chmod +x bitcoin-cli.sh
  4. Copy the .sh file to a USB key, plug it into a Linux system that has Bitcoin Core installed on it, and double-click the shell script you created. This will run the commands and write the output to the USB key just as it does in Windows.
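Whether they come from the Windows getdata.bat script or from bitcoin-cli.sh, the files written by these commands are the JSON that bitcoin-cli prints, so the first pass of review can be scripted rather than read by eye. The following Python script is an added example, not part of the book: it reads the transactions.txt, peerinfo.txt and networkinfo.txt outputs and pulls out what this chapter says an investigator needs, the addresses the suspect paid, the suspect's own receiving addresses, unconfirmed transactions still in flight, each peer's IP and time offset, and whether the node is configured for Tor. The three sample documents are constructed for the example (made-up addresses, transaction ids and documentation-range IPs); only the field names are the real ones bitcoin-cli emits.

```python
import json
from datetime import datetime, timezone

# Constructed stand-ins for transactions.txt, peerinfo.txt and networkinfo.txt.
SAMPLE_LISTTRANSACTIONS = """[
  {"address": "1ConstructedLocalAddrA", "category": "receive", "amount": 0.25,
   "confirmations": 310, "txid": "constructed-txid-1", "time": 1541030400},
  {"address": "3ConstructedPayeeAddrB", "category": "send", "amount": -0.5,
   "fee": -0.0001, "confirmations": 12, "txid": "constructed-txid-2", "time": 1541116800},
  {"address": "1ConstructedLocalAddrC", "category": "receive", "amount": 1.0,
   "confirmations": 0, "txid": "constructed-txid-3", "time": 1541203200}
]"""

SAMPLE_GETPEERINFO = """[
  {"addr": "198.51.100.7:8333", "inbound": false, "timeoffset": -2,
   "bytessent": 51234, "bytesrecv": 890123, "pingtime": 0.084, "subver": "/Satoshi:0.16.3/"},
  {"addr": "[2001:db8::1]:8333", "inbound": true, "timeoffset": 0,
   "bytessent": 1200, "bytesrecv": 3400, "pingtime": 0.210, "subver": "/Satoshi:0.17.0/"},
  {"addr": "constructedonionpeer.onion:8333", "inbound": false, "timeoffset": 5,
   "bytessent": 7000, "bytesrecv": 9000, "pingtime": 1.9, "subver": "/Satoshi:0.16.3/"}
]"""

SAMPLE_GETNETWORKINFO = """{
  "version": 160300, "subversion": "/Satoshi:0.16.3/",
  "networks": [
    {"name": "ipv4", "limited": false, "reachable": true, "proxy": ""},
    {"name": "ipv6", "limited": false, "reachable": true, "proxy": ""},
    {"name": "onion", "limited": false, "reachable": true, "proxy": "127.0.0.1:9050"}
  ],
  "localaddresses": [{"address": "constructedlocalhost.onion", "port": 8333, "score": 4}]
}"""


def summarize_transactions(text):
    """Counterparties, own addresses, unconfirmed count, net balance change and date range."""
    txs = json.loads(text)
    summary = {"counterparties": set(), "local_addresses": set(),
               "unconfirmed": 0, "net_btc": 0.0, "first_seen": None, "last_seen": None}
    for tx in txs:
        if tx["category"] == "send":
            summary["counterparties"].add(tx["address"])   # where the money went
        elif tx["category"] == "receive":
            summary["local_addresses"].add(tx["address"])  # the suspect's own address
        if tx["confirmations"] == 0:
            summary["unconfirmed"] += 1                    # still moving: act quickly
        summary["net_btc"] += tx["amount"]                 # send amounts are negative
    times = [tx["time"] for tx in txs if "time" in tx]
    if times:
        summary["first_seen"] = datetime.fromtimestamp(min(times), timezone.utc).isoformat()
        summary["last_seen"] = datetime.fromtimestamp(max(times), timezone.utc).isoformat()
    return summary


def split_host_port(addr):
    """Handle 'host:port' and '[ipv6]:port' as bitcoin-cli prints them."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        return host, int(rest.lstrip(":") or 0)
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep else (addr, None)


def summarize_peers(text):
    peers = []
    for p in json.loads(text):
        host, port = split_host_port(p["addr"])
        peers.append({"host": host, "port": port, "onion": host.endswith(".onion"),
                      "inbound": p["inbound"], "timeoffset_s": p["timeoffset"],
                      "bytessent": p["bytessent"], "bytesrecv": p["bytesrecv"],
                      "ping_s": p.get("pingtime"), "client": p.get("subver")})
    return peers


def tor_configuration(text):
    """Is the onion network reachable, through which proxy, and is the node itself on .onion?"""
    info = json.loads(text)
    onion = next((n for n in info["networks"] if n["name"] == "onion"), {})
    return {"onion_reachable": bool(onion.get("reachable")),
            "onion_proxy": onion.get("proxy") or None,
            "onion_local_addresses": [a["address"] for a in info.get("localaddresses", [])
                                      if a["address"].endswith(".onion")]}


if __name__ == "__main__":
    print(summarize_transactions(SAMPLE_LISTTRANSACTIONS))
    for peer in summarize_peers(SAMPLE_GETPEERINFO):
        print(peer)
    print(tor_configuration(SAMPLE_GETNETWORKINFO))
```

Against real output, replace the sample strings with open("transactions.txt").read() and so on. The peer time offsets are worth recording alongside the clock check described earlier in this chapter: a node whose peers all report a similar offset is a node whose system clock is wrong.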

Summary

In this chapter, you have learned how to find and then acquire cryptocurrency keys in a variety of situations. You have considered how to approach premises searches, what to look for, how to find known addresses online, and how to search for addresses in downloaded websites. You also looked at how to find addresses on acquired hard drives and computer memory as well as how you can work on a live running computer and find and extract addresses in that environment.

I have not spent time considering the legal obligations that may exist in your country pertaining to working on live computers or imaging systems. Please research the legal ramifications of anything you do while acquiring data to ensure that your methodology does not put the case, or you, at risk.

Also, the ideas suggested in this chapter are in no way the final word on the subject. Other concepts, tools, and processes certainly exist, but I believe that the ones I presented are fairly simple to implement and will work effectively.
