CHAPTER 10
Following the Money

In the previous chapter, you learned how to do research on recovered addresses and find both direct and indirect evidence that could help you with your investigation. In this chapter, you'll look at ways by which you can manually follow transactions through the blockchain and how you can do this in a structured manner. You will also look at techniques to attempt to cluster addresses together into a single owner.

Initial Hints and Tips

Throughout the book, I have referenced blockchain viewers such as blockchain.info, oxt.me, blockexplorer.com, and others. These online tools are very straightforward to use—just search for an address or a transaction, view the details on the screen, and, as I'm sure you have discovered, click other addresses in a transaction to see previous or following transactions. If you have tried doing this, you will have discovered that you get lost, confused, despondent, and generally spun around very quickly indeed! Because of the Base58 and hex naming of address and transactions, following transactions from address to address can be bewildering. When you're working with these tools, I recommend the following:

  • Take it slow. Because you can click from transaction to transaction as quickly as the Internet will let you, it is tempting to click away merrily, and this generally results in … no results. Each time you click and load a new screen, you need to take time to consider and understand what you are looking at.
  • Take good notes. Use a notetaking app or software to map out manually what you find, such as addresses, values, dates, and so on.
  • Make use of visualization software. In the next chapter, we will look at both free and commercial software tools that enable you to visually map the relationships between transactions. Although these tools are invaluable, once again there is a risk in mapping many transactions quickly and not stopping to think about what you are seeing.
  • Stop clicking. Remember in Chapter 9 I spoke about literal and inferred, or indirect, evidence. What can you see, and what can you conclude before clicking again?

Use the first five or six characters of an address when taking notes. The lengthy addresses of Bitcoin, Ethereum, or any cryptocurrency that uses private keys as its addressing system make it complex for the human eye to process. Using just the first five or six characters makes the string easier for your mind to process and recognize if you see it again. The risk, of course, is that the same string of characters repeats itself with the remaining characters you haven't noted as being different. However, the chances of this happening are really remote. Bitcoin addresses always start with a 1, a 3, or bc1 but with six characters in total there are over 1.3 billion possibilities (ignoring the other characters in the address). So, when I note an address, instead of writing 16B2rHA5znfbHyTEF4g8ddg8aLzErQhmpr, I would just write 16B2rH.

Transactions on Blockchain.info

To help you understand the elements of the transaction and how they are displayed, let's take a look at a transaction on blockchain.info. Browse to http://bit.ly/2f4Kx3q. This relates to Bitcoin address 17h6CDrXUb4zVUjedkP6ibkpkieDXd116j. If you take a look at the transaction dated 2017-09-10 at 11:43:35 in Figure 10-1, you'll see a red arrow. This signifies that coin is being sent from the address you searched for.

Figure 10-1: Transaction where the target address is an input.

If you take a look at the transaction from the previous hour in Figure 10-2, you see a green arrow. This relates to coin being sent to the address you searched for.

Figure 10-2: Transaction where the target is an output address.

You can also see the transaction ID, the date, and the fee that was charged. The total value is shown in either bitcoin or dollar value and can be switched by clicking the red or green total value button.

In simple terms, here's what you can learn about Bitcoin address 17h6CD:

  • At 10:43 on 2017-09-10, 1MWP6s sent a total of 1.05… bitcoin to two addresses:
    • 1GMJKt received 0.1146 bitcoin.
    • 17h6CD received 0.944… bitcoin.
  • Both addresses have since spent the received coins.
  • One hour later (at 11:43:35), the target address 17h6CD sent its 0.944… bitcoin to two addresses:
    • 1Hjah3 received 0.5186 bitcoin.
    • 136dCK received 0.42… bitcoin.
  • Both addresses have since spent the received coins.

We have just broken down the life of this address. We know where the funds came from and where they went on the blockchain. What is interesting with both these transactions is that one address sent bitcoin to two other addresses. For example, the 17h6CD address sent the funds to two addresses, but can we discern whether either of these addresses actually belongs to the owner of 17h6CD?

You learned previously that you cannot transact part of the value of an address, so if an address contains 1 bitcoin, then we have to spend that entire bitcoin. If we are only paying a vendor 0.7 of a bitcoin, then we can recover 0.3 as change. This means that one of the addresses belongs to the owner of 17h6CD. This technique can help you to build a picture of addresses assigned to a specific owner.

Identifying Change Addresses

We can look at an easier example to learn how to identify addresses belonging to the same person. Browse to http://bit.ly/2y8fzfv, which resolves to transaction 03ba36a19bb7cb3ede88dd4cca78a9bed380524c8995a6a910e98f944ee91053 on blockchain.info. If necessary, click the total value green button to change to bitcoin values rather than the dollar value. If you are unable to follow the link, the input and output values are listed for you.

What do you see? Who owns which addresses?

First, three addresses are sending coin to two addresses. In the vast majority of cases, you can assume that the three input addresses belong to the same person. (I appreciate that the address could belong to a company or otherwise, but I'm using “person” in this example to keep it simple. Other possibilities exist, such as the addresses being passed through a mixer.)

I usually use a pad and pen to note the values, which makes it easier to do the math. The values in this example are as follows:

Input Values

  • Input 1: 1FkRsN is 1 bitcoin.
  • Input 2: 16SFxo is 0.0999… bitcoin.
  • Input 3: 1C3NQ is 0.0789… bitcoin.

Output Values

  • Output 1: 19Gmgg is 0.0788… bitcoin.
  • Output 2: 1PsKxK is 2 bitcoin.

What can we discern from this? Any of the input values would pay for Output 1, so it would be pointless to include all three inputs to pay for Output 1 if that was the target address we were paying. However, it takes all three input values to pay for Output 2, because no two inputs add up to a sufficient value. From this, we can infer that the payment was to Output 2, 1PsKxK, and it is likely that the change address is Output 1, 19Gmgg. So, the three inputs and 19Gmgg likely belong to the same person.

If we now have 19Gmgg as a change address, then by looking at the transactions into this address, we can infer further addresses that possibly belong to the same person. Click the hyperlinked 19Gmgg address, and it will load all the transactions that pertain to this address. At the time of writing, we see eight transactions, five of them being coin moving into the address. By applying the same logic as before, it appears that 19Gmgg is a change address in each instance. This means that we can infer that the same person also owns the following:

  • 1A6GHK
  • 1AaEih
  • 1CMBbd
  • 1Gc3RJ
  • 1EJYsC
  • 19GCG8
  • The three addresses indicated previously

You can see examples of this in Figure 10-3. (Remember, our address of interest starts with 19Gmgg.)

Figure 10-3: Inferring owned addresses from the change address 19Gmgg.

Try this exercise. Browse to http://bit.ly/2xn20dX, which is Bitcoin transaction e5838dbb8b5eb7a1a8ba532e168edb1d7fd0fe072206fb04ef24c6c6806a7682. Can you identify the change address? See Figure 10-4.

Figure 10-4: Working out the change address from the transaction.

Six addresses send around 0.127… bitcoin to two addresses:

  • Output 1: 1LTShY - 0.010… bitcoin
  • Output 2: 16YCvV - 0.117… bitcoin

One of the input addresses, 17Z2c3 (0.08… bitcoin), could pay the 1LTShY amount without the need for the others. This means that 16YCvV is likely the target payment, and 1LTShY is probably the change address. In fact, if you look at the other inputs, it would have been more efficient to use inputs 1 and 2 to pay for 1LTShY if it had been the primary payment (see Figure 10-4).
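The "does this output need all of the inputs?" reasoning used in the last two examples can be mechanised. The Python below is an added example written for this chapter, not code from the book or from any explorer site: for each output it computes the smallest number of inputs whose combined value would have covered it (the k largest inputs give the largest sum any k inputs can reach, so a single descending walk finds the minimum), then names the output that needs strictly more inputs as the likely payment and the other as the likely change. The amounts and the placeholder input labels are constructed to resemble the transactions in Figures 10-3 to 10-5; the real amounts are truncated on the page, so these are not the on-chain values. Fees are ignored, as in the reasoning above, and a single input that covers both outputs (Figure 10-5) correctly yields no verdict.

```python
"""Infer the change output from transaction shape: the 'unnecessary input' rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    """An output; inputs are earlier outputs, so the same type serves both."""
    address: str   # abbreviated address label, as in the chapter's notes
    value: int     # satoshis (1 bitcoin = 100,000,000 satoshis)


def min_inputs_needed(input_values, target):
    """Smallest number of inputs whose combined value reaches target.

    The k largest inputs give the largest sum any k inputs can reach, so
    walking the values in descending order finds the minimum k directly.
    Returns None if all inputs together still fall short.
    """
    running = 0
    for k, value in enumerate(sorted(input_values, reverse=True), start=1):
        running += value
        if running >= target:
            return k
    return None


def infer_change(inputs, outputs):
    """Return (payment, change) for a two-output transaction, or None.

    The output that needs strictly more inputs to fund it is the likely real
    payment; the other output is then the likely change. A tie (for example
    one input covering both outputs) gives no verdict from amounts alone.
    """
    if len(outputs) != 2:
        return None
    values = [i.value for i in inputs]
    needed = {}
    for out in outputs:
        k = min_inputs_needed(values, out.value)
        if k is None:
            raise ValueError(f"inputs cannot fund output {out.address}")
        needed[out] = k
    ranked = sorted(outputs, key=lambda o: needed[o], reverse=True)
    if needed[ranked[0]] == needed[ranked[1]]:
        return None
    return ranked[0], ranked[1]


# Constructed amounts, loosely modelled on Figures 10-3, 10-4 and 10-5; the page
# truncates the real values, so these are stand-ins, not the on-chain numbers.
THREE_INPUT_TX = (
    [TxOut("1FkRsN", 100_000_000), TxOut("16SFxo", 90_000_000), TxOut("1C3NQ", 10_000_000)],
    [TxOut("19Gmgg", 4_990_000), TxOut("1PsKxK", 195_000_000)],
)
SIX_INPUT_TX = (
    [TxOut("17Z2c3", 8_000_000), TxOut("in-2", 2_000_000), TxOut("in-3", 1_200_000),
     TxOut("in-4", 800_000), TxOut("in-5", 500_000), TxOut("in-6", 210_000)],
    [TxOut("1LTShY", 1_000_000), TxOut("16YCvV", 11_700_000)],
)
SINGLE_INPUT_TX = (
    [TxOut("in-1", 50_000_000)],
    [TxOut("1BWRXX", 30_000_000), TxOut("1M96jh", 19_990_000)],
)


def describe(inputs, outputs):
    """One-line verdict in the chapter's note-taking style."""
    verdict = infer_change(inputs, outputs)
    if verdict is None:
        return "no verdict from amounts alone"
    payment, change = verdict
    return f"payment -> {payment.address}, change -> {change.address}"


if __name__ == "__main__":
    for name, tx in (("three inputs", THREE_INPUT_TX), ("six inputs", SIX_INPUT_TX),
                     ("single input", SINGLE_INPUT_TX)):
        print(f"{name}: {describe(*tx)}")
```

The six-input case shows why counting inputs is the right comparison rather than asking whether a proper subset exists at all: the larger output can still be funded without the smallest input, but it needs four inputs where the smaller output needs one, which is the "more efficient to use inputs 1 and 2" observation above expressed as a number.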

Now try another exercise that's a little harder. Browse to http://bit.ly/2y8P5dR, which represents the transaction de187bb4248ffd87ced39ae497b452756a7583fd5c7863fd95110656e144a34b. Or if you can't browse to this, just take a look at Figure 10-5.

Figure 10-5: Inferring the change address with fewer inputs and outputs.

It's trickier to figure out the change address with this one because there is just one input and two outputs, and the one amount covers both outputs. How can you try to infer the change address and the primary payment? Change addresses are often dynamic, in that a modern wallet generates a fresh one when a transaction is built. If this is the case, you would expect the change address to have no transactions before the one that created it.

If you click output 1BWRXX, you can see that there are several hundred transactions, with the address being used to both spend and receive coin over a long period of time. However, if you take a look at 1M96jh (Figure 10-6), you see just two transactions: the one you have just been looking at and a second transaction to zero the value of the address. This is normal behavior for change addresses because they are often swept into primary addresses for future transactions.

Figure 10-6: Inferring change addresses by looking at how often it has been used.

There is another way to locate the change address. This is when a user who is making use of a single signature address (which, as you know, always starts with a 1 in Bitcoin) pays a company or person that is making use of a multi-signature or multisig address (which always starts with a 3). If there is an output also starting with a 1, this will be the change address. You can see an example by browsing to http://bit.ly/2CbXD5h, which represents transaction de187bb4248ffd87ced39ae497b452756a7583fd5c7863fd95110656e144a34b. Take a look at Figure 10-7. The change address will be the 16VPPK address.

Figure 10-7: The 1 address is likely the change address.

It is the same in reverse, where a multisig address starting with 3 is the input and the outputs are a 1 and a 3 address. The change address will likely be the multisig 3 address.
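The two further heuristics from this section, script type (the 1 and 3 rule) and first use, as an added example that is not the book's code. The prefix test is the rule described above, with one caveat a practitioner should keep in mind: a 3 address is a pay-to-script-hash address, which is commonly but not necessarily multisig, so the rule is evidence rather than proof. The transaction counts are constructed stand-ins for the "several hundred" versus "two" you would read off the explorer; the labels other than 1BWRXX, 1M96jh and 16VPPK are placeholders.

```python
"""Change-address heuristics from script type and first use (Figures 10-6 and 10-7)."""


def address_kind(address):
    """Coarse script type from a Bitcoin mainnet address prefix."""
    if address.startswith("bc1"):
        return "bech32"   # native SegWit; outside the chapter's 1/3 rule
    if address.startswith("1"):
        return "p2pkh"    # single-signature, pay-to-public-key-hash
    if address.startswith("3"):
        return "p2sh"     # pay-to-script-hash: commonly multisig, not always
    raise ValueError(f"unrecognised Bitcoin address prefix: {address}")


def change_by_script_type(input_addrs, output_addrs):
    """The one output whose script type matches the inputs' (uniform) type.

    A 1-address wallet paying a 3-address merchant sends change back to a
    1-address, and the reverse holds for a 3-address wallet paying a 1-address.
    """
    kinds = {address_kind(a) for a in input_addrs}
    if len(kinds) != 1 or len(output_addrs) < 2:
        return None
    matching = [a for a in output_addrs if address_kind(a) in kinds]
    return matching[0] if len(matching) == 1 else None


def change_by_freshness(output_addrs, tx_count, max_uses=2):
    """The one output that has barely been used, when another output is busy.

    Modern wallets create a fresh change address per transaction, and it is
    often swept later, so a change address typically shows one or two
    transactions while a merchant's receiving address shows many.
    """
    fresh = [a for a in output_addrs if tx_count.get(a, 0) <= max_uses]
    busy = [a for a in output_addrs if tx_count.get(a, 0) > max_uses]
    return fresh[0] if len(fresh) == 1 and busy else None


def vote_change(input_addrs, output_addrs, tx_count):
    """Run both heuristics; returns {address: [heuristics that chose it]}."""
    votes = {}
    for name, verdict in (
        ("script_type", change_by_script_type(input_addrs, output_addrs)),
        ("freshness", change_by_freshness(output_addrs, tx_count)),
    ):
        if verdict is not None:
            votes.setdefault(verdict, []).append(name)
    return votes


# Constructed data. 1BWRXX, 1M96jh and 16VPPK are the chapter's abbreviations;
# the other labels are placeholders, and the counts stand in for the explorer's
# "several hundred" versus "two" transactions.
TX_COUNT = {"1BWRXX": 412, "1M96jh": 2, "3MERCHANT": 57, "16VPPK": 1}
FIG_10_6 = (["1INPUT-A"], ["1BWRXX", "1M96jh"])
FIG_10_7 = (["1INPUT-B"], ["3MERCHANT", "16VPPK"])
REVERSED = (["3WALLET"], ["1PAYEE", "3WALLET-CHG"])   # the 3-input case above

if __name__ == "__main__":
    for label, (ins, outs) in (("Figure 10-6", FIG_10_6), ("Figure 10-7", FIG_10_7),
                               ("reverse case", REVERSED)):
        print(label, vote_change(ins, outs, TX_COUNT))
```

Where both heuristics agree, as in the Figure 10-7 case, the inference is considerably stronger than either alone; where only one fires, note which one in your working, because the weaker one (freshness) is easily defeated by a merchant that also issues a fresh receiving address per payment.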

Another Simple Method to Identify Clusters

Sometimes you can be looking at a transaction and just cannot decide which is the change address that belongs to your suspect. A simple technique is to look for other transactions that use one of the addresses as part of an input that includes an address you already know belongs to them.

For example, if you look at Figure 10-8, you will see a single address sending coin to two addresses. Either could be the change address, and in fact, if you clicked them both, you would see that neither address has ever been used before. So which address is the change address that belongs to your suspect? In this instance, the 1 address is likely the target and the 3 address is the change address as described in the last section; however, there is another way.

Figure 10-8: Which is the change address?

Now let's say that by looking at the other transactions, you find a later movement of coin from your suspect's address to a single address, likely to consolidate funds into one address, as shown in Figure 10-9. The list of input addresses consists mostly of the input address from Figure 10-8, but it also includes one of the output addresses from Figure 10-8. This identifies that address as belonging to your suspect, and it was therefore likely the change address in the Figure 10-8 transaction.

Figure 10-9: Output address from Figure 10-8 is now an input address with the input address from Figure 10-8.

This technique works well when other methods do not provide any definitive answers. Now you may be wondering why Figure 10-9 shows many inputs from the same address, all with different values. Although the wallet shows a single balance for an address, each payment into the address arrives as a separate unspent output, and each of those must be spent as a separate input. Hence, it is not unusual to see the same address listed many times as an input.
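The multi-input rule from this section can be turned into a clustering routine: merge the input addresses of every transaction into one owner set, then ask which outputs of an earlier transaction ended up in the same set as that transaction's inputs. The example below is added here and is not the book's code or walletexplorer.com's; the three transactions are constructed to mirror Figures 10-8 and 10-9, with placeholder addresses. It inherits the assumption already noted earlier in the chapter: if the inputs were combined by a mixer rather than by one wallet, the merge is wrong.

```python
"""Common-input-ownership clustering with a disjoint-set (union-find) structure."""


class DisjointSet:
    """Minimal union-find: each address starts alone, unions merge owners."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def seen(self, x):
        return x in self.parent


def cluster_by_common_input(txs):
    """Merge all input addresses of each transaction into one owner set.

    Assumes every multi-input transaction was built by a single wallet; a
    mixer or CoinJoin-style transaction breaks this assumption.
    """
    ds = DisjointSet()
    for tx in txs:
        addrs = list(dict.fromkeys(tx["inputs"]))  # de-duplicate, keep order
        for a in addrs:
            ds.find(a)                               # register even lone inputs
        for a in addrs[1:]:
            ds.union(addrs[0], a)
    return ds


def clusters(ds):
    """Group registered addresses by their root; singletons are included."""
    groups = {}
    for addr in list(ds.parent):
        groups.setdefault(ds.find(addr), set()).add(addr)
    return {frozenset(members) for members in groups.values()}


def outputs_spent_with_inputs(tx, ds):
    """Outputs of tx later co-spent with one of tx's own inputs: likely change."""
    roots = {ds.find(a) for a in tx["inputs"]}
    return [o for o in tx["outputs"] if ds.seen(o) and ds.find(o) in roots]


# Constructed transactions mirroring Figures 10-8 and 10-9, with placeholder
# addresses. tx-A pays one of 1OUT-X / 3OUT-Y and sends change to the other;
# tx-B later consolidates the suspect's coin, including 3OUT-Y, into one address;
# tx-C shows 1OUT-X being spent by somebody else.
TXS = [
    {"txid": "tx-A", "inputs": ["1SUSPECT"], "outputs": ["1OUT-X", "3OUT-Y"]},
    {"txid": "tx-B", "inputs": ["1SUSPECT", "1SUSPECT", "1SUSPECT", "3OUT-Y"],
     "outputs": ["1CONSOLIDATED"]},
    {"txid": "tx-C", "inputs": ["1OUT-X", "1OTHER"], "outputs": ["1SHOP"]},
]

if __name__ == "__main__":
    ds = cluster_by_common_input(TXS)
    for members in clusters(ds):
        print("cluster:", sorted(members))
    print("change in tx-A:", outputs_spent_with_inputs(TXS[0], ds))
```

The repeated 1SUSPECT entries in tx-B are the "same address as several inputs" situation described above; de-duplicating them before the union is what keeps the routine from doing pointless work, and the clustering result is the same whether the address appears once or twenty times.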

Moving from Transaction to Transaction

As you most likely have discovered, you can simply click an address in blockchain.info or any of the other blockchain explorers to move from transaction to transaction. As I mentioned in the introduction to this chapter, you can easily get “click happy” and start clicking addresses like a mad person, which is quickly followed by “click blindness,” where you get completely lost, which is then followed by closing your browser and getting a coffee (or something stronger). To create a map of activity, from one address to the next, really requires a visualization tool such as the ones I will discuss in the next chapter.

Sometimes you just want to get a mental picture of where coins came from and where they are going, so a significant map of transactions isn't always needed. In this case, I simply grab a pad and pen and draw a tree using the first five or six characters of each address. I note which address appears to be a change address and which is the primary payment, and I've developed a sort of shorthand to quickly build a paper map of my transactions (see Figure 10-10). It is not exactly a work of art, but using this approach, I get a rapid visual view of my address of interest. In the example illustrated in the figure, my target address was 17h6C. I went back just one level and then mapped another four levels onward, noting some change addresses and when payments were grouped together.

Figure 10-10: Graphing transactions on paper.

You can use your own technique, but I find this paper-map method really useful, especially if I do not have access to a visualization tool.

Putting the Techniques Together

If you'd like to practice some of the techniques you've learned thus far in this chapter, research Bitcoin address 3EGy678G659RnevCA1pmfzVrrC5DEaiqAt (which you can find on blockchain.info at http://bit.ly/2qhH9qA) and try to answer these questions:

  • What can you find?
  • Who does it belong to?
  • How many transactions are there?
  • Over what period of time?
  • What happened to the coins sent to this address?
  • By picking an address that sent coin to the target, can you cluster change addresses?
  • Can you cluster addresses for this user?

Obtaining these answers is about as far as you want to go with this investigation. If you Google the address, you will see that it is the donation address for the charity The Turing Trust. You can see in blockchain.info that there are (at the time of writing) 26 transactions including the address: 24 payments into the address and two outbound transactions, between 4 March 2016 and 31 December 2017. Clustering change addresses is fairly straightforward for many of the people donating to The Turing Trust because the target address belonging to the charity is a multisig address. Hence, as long as the input starts with a 1, the change address will always be the address beginning with 1.

On 2 August 2016, the address appears to pay 0.1 bitcoin to the address 1Q75AC, with the change going to 3F1bAR. You know that 3F1bAR belongs to The Turing Trust because you see it being used, along with payments to the primary address, as inputs collated into the single address 13Km9e on 28 August 2016. (See the previous Figure 10-9.)

An easier way to see this cluster is to use a site that attempts to group addresses into pseudo-wallets using the same rules you have been learning. Browse to www.walletexplorer.com and search for the target address 3EGy678G659RnevCA1pmfzVrrC5DEaiqAt. (Or use http://bit.ly/2AfKne4.) This explorer will list all the transactions involving the address with the coin-received transaction color-coded in green and the outward payments in red. You will undoubtedly recognize some fields such as the transaction ID, the date, and the balance, but there is also a “wallet address” written as a 10-character hexadecimal string. Wallet addresses are not part of the blockchain but are a construct of the explorer website as it attempts to group addresses. For example, Figure 10-11 notes that the wallet address that includes 3EGy678G659RnevCA1pmfzVrrC5DEaiqAt is 31ebe0d4f5.

Figure 10-11: A wallet address from www.walletexplorer.com.

If you click the “show wallet addresses” link at the top of the screen, it will display the addresses that it thinks belong together. The result for this example is shown in Figure 10-12. You can clearly see the two addresses that were previously manually identified as belonging to the same person listed as part of the same wallet. The author of the site is Aleš Janda, who apparently works for Chainalysis as an analyst.

Figure 10-12: Clustered addresses are the same as we inferred manually.

Although this example only had two addresses, the technique works for almost limitless numbers of addresses from the same suspect. For example, the “wallet” for Bitcoin exchange www.coinmotion.com can be found at http://bit.ly/2CyQz70. This wallet contains almost 14,000 addresses that are all related to coinmotion. It would take a significant amount of time to cluster all of these addresses manually, so this is where explorers such as WalletExplorer.com can really help to speed up an investigation.

Although the information is not as complete as walletexplorer.com's, I also find bitcoinwhoswho.com sometimes useful for identifying address owners.

Other Explorer Sites

Many sites like blockchain.info exist for following transactions. Some just handle a single cryptocurrency, while others provide explorers for many different currencies. One of my favorites is www.BTC.com. If you browse to the site and search for the Bitcoin address of The Turing Trust that was used in the last section, 3EGy678G659RnevCA1pmfzVrrC5DEaiqAt (or alternatively browse to http://bit.ly/2AhyGUd), and then click the Stats tab, you will get a graphical snapshot of the address. This provides a quick way of seeing when the address was first used, how often it was used, the difference between incoming and outgoing transactions, the Average Transaction value, and the Largest Transaction value. If I want to research where money is coming from, I often start with the largest transaction and go from there (see Figure 10-13).

Figure 10-13: Graphing the history of an address.

This is also my favorite site for exploring the Bitcoin Cash fork. All the techniques just covered for clustering addresses work the same with Bitcoin Cash.

Blockexplorer.com is a useful explorer because it provides a live list of transactions in near real time. You can also list all the blocks mined on a specific date (see Figure 10-14).

Figure 10-14: Filtering on all blocks mined on a specific day.

Another go-to site is chainz.cryptoid.info. It is an explorer like the others, and although it doesn't have some of the “bells and whistles” of the others, it provides blockchain viewers for many unusual cryptocurrencies. See Figure 10-15.

Figure 10-15: The chainz.cryptoid.info website has explorers for more unusual cryptocurrencies.

Another site for exploring lesser-known currencies is blockexperts.com, which is a company that provides block explorer hosting as a service. Again, the currencies are not mainstream but could provide a useful capability if you stumbled across their addresses. See Figure 10-16.

Figure 10-16: Blockexperts.com.

I also quite like the following sites for Bitcoin:

You may ask, “How would you know what cryptocurrency an odd-looking address belongs to?” Simply googling the address will usually provide an answer. For example, if you found an address AN7x4fANwLWXBDobqdjgNnqwKmVvHEac4p, you would see that the prefix character A is neither Bitcoin nor Ethereum. If you googled the address, you would find links to the AlphabetCoinFund cryptocurrency blockchain (see Figure 10-17).

Figure 10-17: Google an address if you do not recognize it.

If you want a site for exploring any of the primary cryptocurrencies, I recommend bitinfocharts.com, which provides blockchain explorers for the following (among others):

  • Bitcoin
  • Bitcoin Cash
  • Ethereum
  • Ripple
  • Litecoin
  • Dash
  • Monero

Following Ethereum Transactions

Most cryptocurrency blockchain explorers work in similar ways to Bitcoin as the fundamental technology is very comparable. However, cryptocurrencies like Ethereum are different in a number of fundamental ways, and this determines the way that you follow the money. As previously discussed, Ethereum can either trade a currency in the form of Ether or can trade a contract such as a coin offering. This means that you may not be following money but rather following the path of a contract or looking for the investors into an ICO (Initial Coin Offering).

Although a number of sites will allow you to explore the Ethereum blockchain, such as bitinfocharts.com, my go-to site is still etherscan.io with its associated API to access the raw data. The same general rules apply as any cryptocurrency. Public addresses are posted on the blockchain with a value or content that can be transacted with another address. This will then be entered onto the blockchain and distributed to all nodes on the network.

One difference with Ethereum is that you are generally only sending a transaction to one address at a time, but it's worth noting that it is possible to define a contract that will trigger multiple transactions. When you're following a transaction, remember the difference between a “coin” transaction and a contract transaction where no currency changes hands. Although a coin transaction is still technically a contract, it's useful to understand the differences. You can see an example of an ether transaction in Figure 10-18 and a contract transaction in Figure 10-19.

Figure 10-18: An Ethereum ether transaction.

Figure 10-19: An Ethereum contract transaction.

Browse to etherscan.io and search for transaction 0xcc4685ff36ed8552f91b5487c963fef92e20e7c00a87d5a25d9dc9eee8c40b71, which you can find at http://bit.ly/2x6V845. The layout is clear—you can easily identify the From and To addresses as well as the Value field that classifies this as an Ether transaction (see Figure 10-20).

Figure 10-20: Etherscan transaction layout.

If you click the To address, 0x77677, a list of all transactions involving this address will be displayed and tagged with either the transaction value “in” or “out.” The major difference with Ethereum is that there are no change addresses. Instead of needing to transact the value of an address and recover the difference as change, with Ethereum, you can simply transact an exact part of the overall balance of the address. As values are transacted, you'll see the balance of the address fluctuate. This generally means that single Ethereum addresses are used rather than a large number of addresses that need to be clustered.

To be able to investigate Ethereum, you also need to recognize the different types of transactions. As I mentioned earlier in this chapter, these are primarily just value and contract transactions that can be broken down into the following four primary types:

  • Value transaction (technically still a contract)
  • Contract transaction that triggers another contract that moves a coin value
  • Contract transaction that acts as an agreement
  • Contract transaction that transacts a token

You could argue that the third and fourth bullet items are essentially the same, but it is important to understand the differences. If you glance back to Figure 10-18, you can see an example of a straight value transaction: just a From address, a To address, and a Value. Figure 10-19, on the other hand, shows an example of a contract transaction that moves a token or “coin that does not have any inherent value.” You see a From address, but the To address is a contract that triggers a second contract that moves 30 ERC20-compliant tokens, described as IBCCoin, from one address to another. The value is stated as zero. If you are interested in looking at a particular coin or token transaction, you can search on the contract address or search etherscan.io for the token name.
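To tell these four kinds apart when reading raw etherscan.io data (or its API output), three fields do most of the work: whether the To address is a contract, whether the Value is non-zero, and what the input data contains. The Python below is an added example, not code from etherscan.io or from the book. It decodes the standard ERC-20 transfer(address,uint256) call, whose four-byte selector is 0xa9059cbb, to recover the token recipient and amount from a contract transaction whose Value is zero, which is exactly the shape of Figure 10-19. The addresses, the set of known contracts and the 30-token amount (assumed to use 18 decimals) are constructed; whether a To address is a contract is something you confirm on the explorer, and ether moved by one contract calling another (the second bullet above) is only visible in trace data, so here a non-zero Value sent to a contract serves as its observable proxy.

```python
"""Classify Ethereum transactions and decode ERC-20 transfer() calldata."""

TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]
WEI_PER_ETHER = 10**18


def decode_erc20_transfer(input_hex):
    """Return (recipient, raw_amount) for a transfer(address,uint256) call, else None."""
    data = (input_hex[2:] if input_hex.startswith("0x") else input_hex).lower()
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    to_word, amount_word = data[8:72], data[72:136]
    if to_word[:24] != "0" * 24:
        return None  # an ABI-encoded address is left-padded with 12 zero bytes
    return "0x" + to_word[24:], int(amount_word, 16)


def classify(tx, known_contracts):
    """Map a transaction to one of the four kinds discussed above.

    Only the outer transaction is examined; ether moved by a contract on the
    caller's behalf (an internal transaction) is not visible here, so a
    non-zero Value sent to a contract is used as its observable proxy.
    """
    to_contract = tx["to"].lower() in known_contracts
    has_data = len(tx["input"]) > 2            # anything beyond the bare '0x'
    if not to_contract and not has_data:
        return "value"
    if to_contract and decode_erc20_transfer(tx["input"]) is not None:
        return "token-transfer"
    if to_contract and tx["value"] > 0:
        return "contract-with-value"
    return "contract-agreement"


def encode_erc20_transfer(recipient, raw_amount):
    """Build transfer() calldata; used here only to construct the sample below."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + f"{raw_amount:064x}"


# Constructed sample. These hex strings are placeholders, not real addresses;
# the token is assumed to use 18 decimals, so 30 tokens is 30 * 10**18 units.
ALICE, BOB = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, ESCROW = "0x" + "11" * 20, "0x" + "22" * 20
KNOWN_CONTRACTS = {TOKEN, ESCROW}
OTHER_CALL = "0xabcd1234"   # placeholder selector for some non-transfer function
SAMPLE_TXS = [
    {"hash": "tx-1", "from": ALICE, "to": BOB, "value": 2 * WEI_PER_ETHER, "input": "0x"},
    {"hash": "tx-2", "from": ALICE, "to": TOKEN, "value": 0,
     "input": encode_erc20_transfer(BOB, 30 * 10**18)},
    {"hash": "tx-3", "from": ALICE, "to": ESCROW, "value": 0, "input": OTHER_CALL},
    {"hash": "tx-4", "from": ALICE, "to": ESCROW, "value": WEI_PER_ETHER // 2, "input": OTHER_CALL},
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        kind = classify(tx, KNOWN_CONTRACTS)
        extra = ""
        if kind == "token-transfer":
            to, amount = decode_erc20_transfer(tx["input"])
            extra = f" -> {to[:8]}... {amount / 10**18:g} tokens"
        print(tx["hash"], kind, f"value={tx['value'] / WEI_PER_ETHER} ETH" + extra)
```

Note that the token recipient in tx-2 is inside the input data, not in the To field: the To field is the token contract, which is why a token transfer looks like "From address, To contract, Value zero" on the explorer and why clicking the To address leads you to the token rather than to the person who received it.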

For example, if you search etherscan.io for the token name Ethos, you'll get a list of information on the Ethos token, the contract address used, and the token transactions that have taken place. At the time of writing, there were well over 80,000 transactions of Ethos tokens. If you were investigating a fraudulent ICO (Initial Coin Offering), then this would be a good place to start. Although you can click each and every transaction and try to start de-anonymizing each purchaser, or try to figure out the owner of the ICO, a few tools are available that can help you.

If you have browsed to the Ethos page as described previously, you will see four tabs above the list of transfers. The Token Holders tab provides a list of all Ethereum addresses that hold Ethos tokens. This list only has 12,000 holders, which is somewhat less than the 80,000 transactions. Obviously, there are more transactions than holders because it is likely that coins are traded, bought, and sold by the same address, but with a lower number of actual coin owners. This list can actually be much smaller if a fraudulent ICO carries out a large number of internal transfers to make the token offering look popular.

The page also has a TokenHolders Chart button. This can help you to see how tokens are distributed and whether the majority are in the hands of a single owner (see Figure 10-21).

Figure 10-21: Graphing the owners of tokens.
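The holders-versus-transfers comparison above can be computed directly from a token's Transfer events rather than read off the chart. The example below is added here and is not the book's or etherscan.io's code: it replays constructed Transfer events to rebuild balances (a transfer from the zero address is treated as a mint, one to the zero address as a burn), counts distinct holders, measures how much of the supply the top holder controls, and counts transfers that have an exact reverse twin, which is the footprint an ICO's internal back-and-forth movement leaves on the transfer count. Addresses and amounts are placeholders in raw token units.

```python
"""Rebuild token holders from ERC-20 Transfer events and flag concentration."""

ZERO_ADDRESS = "0x" + "00" * 20   # transfers from here are mints, to here are burns


def holder_balances(events):
    """Replay Transfer events in order; returns {address: balance} for balance > 0."""
    balances = {}
    for ev in events:
        if ev["from"] != ZERO_ADDRESS:
            if balances.get(ev["from"], 0) < ev["value"]:
                raise ValueError(f"{ev['from']} transfers more than it holds")
            balances[ev["from"]] -= ev["value"]
        if ev["to"] != ZERO_ADDRESS:
            balances[ev["to"]] = balances.get(ev["to"], 0) + ev["value"]
    return {a: b for a, b in balances.items() if b > 0}


def top_share(balances, n=1):
    """Fraction of the circulating supply held by the n largest holders."""
    supply = sum(balances.values())
    largest = sorted(balances.values(), reverse=True)[:n]
    return sum(largest) / supply if supply else 0.0


def round_trip_transfers(events):
    """Count transfers that have an exact reverse twin (same pair, same value).

    Back-and-forth movement between a few addresses inflates the transfer
    count without creating new holders.
    """
    seen = {(e["from"], e["to"], e["value"]) for e in events}
    return sum(1 for e in events if (e["to"], e["from"], e["value"]) in seen)


def summarise(events):
    """The numbers you would otherwise read off the holders list and chart."""
    balances = holder_balances(events)
    return {
        "transfers": len(events),
        "holders": len(balances),
        "top1_share": top_share(balances),
        "round_trip_transfers": round_trip_transfers(events),
    }


# Constructed events: one mint to the issuer, two genuine sales, then two
# round trips between the same two buyers. Addresses are placeholders.
ISSUER, BUYER_A, BUYER_B = "0x" + "01" * 20, "0x" + "0a" * 20, "0x" + "0b" * 20
EVENTS = [
    {"from": ZERO_ADDRESS, "to": ISSUER, "value": 1_000_000},
    {"from": ISSUER, "to": BUYER_A, "value": 100_000},
    {"from": ISSUER, "to": BUYER_B, "value": 50_000},
    {"from": BUYER_A, "to": BUYER_B, "value": 20_000},
    {"from": BUYER_B, "to": BUYER_A, "value": 20_000},
    {"from": BUYER_A, "to": BUYER_B, "value": 20_000},
    {"from": BUYER_B, "to": BUYER_A, "value": 20_000},
]

if __name__ == "__main__":
    print(summarise(EVENTS))
```

Seven transfers but only three holders, with 85 percent of the supply still sitting with the issuer and more than half the transfers being round trips, is the kind of profile that deserves a closer look before you spend time de-anonymising each "purchaser".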

The next tab is Read Smart Contract. This is the raw contract for the token and provides the name, the total supply of tokens, and the address that belongs to the ICO owner (see Figure 10-22). This can help you to focus on one address to investigate if there is any doubt as to the physical owner of the token offering.

Figure 10-22: Part of a raw contract with the owner's address.

There is also a Comments tab. In this example, you see a posting that directs you to a story on medium.com about Ethos rebranding from an earlier name, Bitsequence. Comments can be a useful resource to understand the history of a token, thoughts of other traders, bad experiences, or even people reporting what they consider to be fraudulent activity.

If you clicked the Contract Address at the top of the screen to the right of the Total Supply field, you would be presented with a tab that enables you to read actual source code of the contract. Clicking Contract Source will provide a listing of the code that can be interpreted by a programmer to figure out exactly what the contract is doing. (I will not pursue that level of detail in this book.)

Monitoring Addresses

Being able to monitor an address can be very useful. Perhaps you are investigating a live kidnapping, a ransomware virus has published an address, or a company has been specifically targeted and the attackers have provided a Bitcoin address. This can also be useful when you have a large number of addresses that you wish to monitor. Rather than sitting and watching a blockchain site for movement, you can have a site watch an address and notify you of any activity.

Blockonomics.co

One of my favorite sites to monitor addresses is www.blockonomics.co. You need to have a Google ID to log in, so if you don't have one, or you don't want to use an existing ID, head to Google and set up a new ID.

You can add multiple addresses individually, but if you have recovered the xPub key from a device, you can monitor all of the public addresses derived from it just by adding the xPub key. When you add an address, you can also add an ID tag to help you identify the owner of the address, which is especially useful if you are running multiple investigations.

Choose any Bitcoin address you may have on hand, or browse to a blockchain explorer and find an address to monitor. Click New Address + (Add). You can now click the History link, and you will see transaction history for the address or addresses over the period of time you select (see Figure 10-23 and Figure 10-24).

Figure 10-23: Adding an address to monitor.

Figure 10-24: Graphing the history of a monitored address.

If you click the Settings link, you can choose to subscribe to a transaction notification e-mail. This is very useful if you are monitoring addresses over a long period.

Lastly, by clicking the Export link, you can export the transactions just from the addresses you are watching and specify the date range. You have options to export as either CSV or Excel, and I find this very useful to produce evidence about a specific series of addresses over a defined time period. It exports the date, time, the hyperlinked transaction ID, and the amount.

Just bear in mind that it waits until a transaction has two confirmations (blocks) before an e-mail is sent, so it's not immediate.

Bitnotify.com

I am a big fan of bitnotify.com because, although it doesn't have the excellent capabilities and functions of blockonomics, the site is light and easy to use. It really couldn't be simpler. The site consists of one screen where you can enter your e-mail address and the Bitcoin address you want to monitor (see Figure 10-25).

Figure 10-25: Bitnotify.com.

Writing Your Own Monitoring Script

Using sites like bitnotify and blockonomics does mean losing a little privacy, because you have to supply an e-mail address that can likely be linked to your IP address that is also linked to the addresses you are monitoring. It could be that this is too much information supplied to a third party during your investigation. For most investigations, I set up my own monitor using the API supplied by blockcypher.com. If you would like to do this as well, follow these steps:

  1. Open Notepad++ and add the following HTML code to a new note:
    <iframe src="https://live.blockcypher.com/widget/btc/17h6CDrXUb4zVUjedkP6ibkpkieDXd116j/balance/" style="overflow:hidden;" frameborder="0"></iframe>
    
    <iframe src="https://live.blockcypher.com/widget/btc/18cBEMRxXHqzWWCxZNtU91F5sbUNKhL5PX/balance/" style="overflow:hidden;" frameborder="0"></iframe>
    Please note that each <iframe src=...</iframe> code sequence should all be typed on a single line. You can see the Bitcoin addresses embedded in the URL starting 17h6CD and 18cBEM—these can be changed to whatever addresses you want to monitor. The code in its current form will display the data side-by-side in blocks, as shown in Figure 10-26.
    Figure 10-26: Monitoring two addresses.

  2. Cut and paste the iframe line as many times as you need to monitor as many addresses as you require.

    Obviously, there is a screen limit to how many addresses you can have displayed side-by-side depending on your resolution, but adding the following to the end of a line will generate a line break and drop any subsequent results into a new line:

    <br/>

This method means that you will not need to provide an e-mail address, but remember that you will still leak your IP address to BlockCypher, and because the addresses you are monitoring are embedded in the widget URLs, that IP address can be linked to them.

One of the nice things about the BlockCypher API is that you can use the same technique to monitor addresses on any of the blockchains it supports. At the time of writing, these include the following:

  • Bitcoin
  • Litecoin
  • Dogecoin
  • Dash

If you want to adjust your web page to monitor a Litecoin address, for example, you would change the btc element in the code to ltc like this:

<iframe src="https://live.blockcypher.com/widget/ltc/<Address to monitor>/balance/" style="overflow:hidden;" frameborder="0"></iframe>

Here are the codes to use after /widget/ for the most common cryptocurrencies (at the time of writing):

  • Bitcoin: btc
  • Litecoin: ltc
  • Dogecoin: doge
  • Dash: dash
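The two steps above build the widget page by hand; as an added example that is not from the book, the following script generates the same page from a list of (chain code, address) pairs, inserting <br/> after each row, and refuses to embed anything that does not pass a Base58Check decode with a version byte matching the chosen chain, so a mistyped or tampered address never reaches the URL. The version-byte table and sample addresses are assumptions of this example.

```python
"""Generate a BlockCypher balance-widget page from a list of addresses,
validating each one with Base58Check before embedding it in a URL."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIDGET = ('<iframe src="https://live.blockcypher.com/widget/{chain}/{addr}/balance/" '
          'style="overflow:hidden;" frameborder="0"></iframe>')
# Legacy (Base58) address version bytes per chain; assumed values for this example.
VERSION_BYTES = {
    "btc": {0x00, 0x05},
    "ltc": {0x30, 0x32, 0x05},
    "doge": {0x1E, 0x16},
    "dash": {0x4C, 0x10},
}


def base58check_decode(addr):
    """Return the version byte of a Base58Check address, or None if it is invalid."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:          # rejects 0, O, I, l and any non-Base58 character
            return None
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + body
    if len(raw) != 25:                        # 1 version + 20 hash + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0]


def build_page(watch, per_row=3):
    """Return (html, skipped): one widget per valid (chain, address), <br/> per row."""
    lines, skipped, accepted = [], [], 0
    for chain, addr in watch:
        version = base58check_decode(addr)
        if chain not in VERSION_BYTES or version not in VERSION_BYTES[chain]:
            skipped.append((chain, addr))     # bad checksum, bad chain, or wrong network
            continue
        lines.append(WIDGET.format(chain=chain, addr=addr))
        accepted += 1
        if accepted % per_row == 0:
            lines.append("<br/>")
    return "\n".join(lines), skipped


if __name__ == "__main__":
    # Constructed sample: two well-known valid Bitcoin addresses, one on the wrong chain, one corrupted.
    sample = [("btc", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
              ("btc", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),
              ("ltc", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
              ("btc", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")]
    page, bad = build_page(sample, per_row=2)
    print(page)
    print("skipped:", bad)
```

Save the printed HTML to a file and open it in a browser exactly as with the hand-written version; the skipped list tells you which entries to re-check before you rely on the page.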

Monitoring Ethereum Addresses

You can monitor Ethereum addresses in the same way as other cryptocurrencies using the standard etherscan.io explorer, which has this capability built in. Browse to etherscan.io and find an address to analyze, or browse to the example at http://bit.ly/2lXEHjD. If you look in the header part of the address information, you will find the field Address Watch and a button marked Add To Watch List. Clicking this button will require that you log in to etherscan.io, but it sets up a list of watched addresses that you can tag with a description and for which you can specify whether you wish to receive e-mail notifications (see Figure 10-27).

Figure 10-27: Setting up an Ethereum address monitor.

Summary

As I discussed in this chapter, following the money across a blockchain can be a daunting task—the mechanics of following transactions are as simple as clicking an address, but it can be very easy to get lost, fast! So, as we learned, it is important for the investigator to focus on what can be achieved with each target address. Identifying change addresses, send addresses, and others can help you cluster addresses together under a single owner. This in turn enables you to set up monitoring on those addresses to know when they are used. Being able to look at the balance of addresses to try to ascertain the primary storage address, if used, can help you target the right address should you get to the point of asset seizure.

I often speak to investigators who feel that following the money is all about clicking from address to address, but this method ignores the huge amount of data that can be recovered and inferred by just looking at a transaction, a balance, or the relationships between addresses to find ownership patterns.

If you really want to follow the money from address to address to eventually discover storage addresses, currency conversion addresses, or payments to vendors, it is considerably easier to use the visualization tool that's discussed in the next chapter.
