CHAPTER 15
Putting It All Together

This book has the subtitle “Understanding, Extracting, and Analyzing Blockchain Evidence,” and it has attempted to provide an appropriate level of theoretical understanding while teaching practical techniques for carrying out an investigation involving cryptocurrencies. Although Bitcoin is still the biggest cryptocurrency, it is arguably not the best, and new pretenders to the throne are being released every day. Although this book has had a Bitcoin focus, I hope it has prepared you and given you the necessary tools to be able to research and develop techniques for any new cryptocurrency that may need your attention.

The different types of crimes that may involve cryptocurrency use are virtually unending and eventually could find their way into almost any category of crime. A few years ago, I gave a talk at a local school about my job as a digital investigator, and before I started, the teacher asked what crimes involved computers. She had assumed it was all hacking and viruses, so she was surprised when I listed burglary, murders, drug dealing, and all the other “real world” crimes. The fact is that in the past 10 years, virtually every crime has some type of digital aspect to it—whether it's cell phone call data, searches made about a crime on Google, or digital CCTV systems—the list is endless. In the United States, a man killed his wife and dumped her body in a lake, and he was convicted partially on the basis of googling “the deepest place in the lake” the previous day. In my hometown, a man murdered his neighbor and was convicted partially on his Google Street View history, which showed him pre-planning the route from his home to the place the body was left.

My point is that cryptocurrencies are here to stay. I predict that within five years, an app will go viral that allows untraceable, cheap micropayments to be made via the blockchain, and that is how people, especially the young, will transact small amounts of money on a daily basis both online and in the real world. It is just a matter of time. This will also mean that investigation of cryptocurrencies will permeate into every type of crime, and investigators need to be ready with the skills and capability to follow the money.

So where do you start applying all you have learned in this book? Practice and get involved in investigations as soon as you can, remembering that they will all be different and no single process will cover each situation. In this final chapter, we'll look at a few examples.

Examples of Cryptocurrency Crimes

Almost every day, I hear of new ways that cryptocurrencies have crept into different types of crimes, but the five examples described in this section will provide you with a reasonable sample of the possibilities that you may encounter.

Buying Illegal Goods

A person may be using a cryptocurrency to buy goods online that are illegal. (They could use cryptocurrency payment methods to buy on the street, but at the moment, Bitcoin in particular is no good for that due to the time for transactions to be included in a block and confirmed.) Where might you start with this investigation? This all depends on how the suspect came to your attention.

Was the online store shut down by a police force, and log files and customer data have been found and provided to you? If so, you will already have Bitcoin addresses connected to real-world data. Taking the Bitcoin address or addresses and using clustering techniques may enable you to find other sites where the person has bought goods. Seizing computer equipment from the suspect may enable you to extract a wallet with payment history.

Alternatively, if a computer has been obtained from a suspect, you can use carving and searching techniques to find and extract wallets and addresses before attempting to track payments on the blockchain.

Selling Illegal Goods

In the same manner as someone buying illegal goods, a trader in illegal merchandise may come to the attention of the authorities for different reasons other than using cryptocurrency payments. For example, there might be databases that link names and addresses to goods supplied and perhaps cryptocurrency addresses. In this case, you would not need to track the addresses since you have the owner's information. However, it may be useful to cluster addresses to find other purchases made and to track any cashing-out the trader may have done, and then use a financial investigator (FI) to trace the fiat currencies and seize any assets. Any cryptocurrency funds that are still on the blockchain can also be seized or cashed out and securely stored.

Stealing Cryptocurrency

Many ways to steal a cryptocurrency exist that are not related to technological crime. In January 2018, Ottawa police sought two men after an attempted armed robbery at a cryptocurrency exchange. In that same month, four men in the UK attempted to steal a cryptotrader's bitcoins by gaining access to his home and forcing him to transact his wallet to another address. In December of 2017, the managing director of a cryptocurrency exchange in Kiev was kidnapped, and money was extorted for his release. Criminals will follow the money, and if they find investors or traders with cryptocurrency, they become a new target. Investigating crimes such as these requires both a traditional investigation into robbery or extortion as well as the need to follow transactions on the blockchain until the criminal cashes out to an exchange or trader.

Of course, technological means to steal cryptocurrencies also exist. Many exchanges have fallen foul of hackers and well-organized teams who either gain access to private keys or use social engineering attacks to fraudulently engineer the transfer of funds to criminals' addresses. In early 2018, Japanese authorities investigated the theft of $530 million of NEM coins from an exchange. This was one of the largest digital-currency thefts, similar in size to the Bitcoin theft from the Tokyo-based Mt. Gox exchange in 2014.

Investigating these thefts may seem extremely complex, but in fact, they're just like any theft with clues left behind for an investigator to follow. Hacks of exchanges will likely leave entries in log files, and social engineering attacks often come from spear-phishing incidents via e-mail, which again provides an ability to trace back to possible perpetrators. This is before an investigator starts to follow the money on the blockchain, watching for the use of mixers, exchanges, and traders that can then be approached using legal methods for real-world information.

Money Laundering

This is a complex area and goes back to the need to combine the skills of FIs and digital forensics specialists. Money laundering is the process of taking the proceeds of crime and combining those funds with legitimate funds and transactions to obfuscate their origins. On a blockchain, money can be laundered by moving coins through mixers and exchanges, by buying and selling goods without leaving the cryptocurrency, and through gambling sites, which are a surprisingly popular choice for many criminals looking to move their funds. A white paper written by the Center on Sanctions and Illicit Finance (http://bit.ly/2HfT4tC) concluded that “In general, mixers and online gambling sites have the biggest bitcoin laundering problem—they process far and away the highest proportion of dirty bitcoins.”

Following the money can be a complex issue where criminals are deliberately trying to hide their tracks. Having a team of both technical and financial investigators can give you the best chance of finding services that can be approached to request a real-world suspect's details.

Kidnap and Extortion

The days of leaving a suitcase full of cash on some remote rough ground in order to secure the release of a kidnap victim are probably long gone. Cash was often tagged so it could be traced and the drop site surveilled, which meant that picking up the bag was fraught with dangers of being caught. Asking for money to be transferred through the banking system also exposed the kidnapper to many opportunities for the authorities to track the payment. Bitcoin and other cryptocurrencies have provided a method to request payment that at least has the pretense of being anonymous and untraceable. Depending on the cryptocurrency, the payments are usually traceable and the parties involved can often be identified. We are also seeing cryptocurrencies being the payment method of choice for ransomware and other extortion scams. These crimes are not cryptocurrency crimes specifically, but they need to be treated as a standard extortion investigation with assistance from specialist investigators to monitor or follow any payments made on the blockchain.

What Have You Learned?

This book has attempted to teach you how cryptocurrencies work and, to some degree, how they don't work. The phone call I received from an investigator asking me to carve bitcoins from a hard drive would not have been made if they had understood the underlying technology more clearly.

Here is a quick summary of some of the main points covered in this book:

  • Understanding How Public and Private Keys Relate to Each Other A Bitcoin address, for example, is fundamentally a public key, and anyone who holds the corresponding private key can transact from it. This knowledge means that as an investigator, you need to look really hard for the private key, because it will give you control of all of the assets that may be stored in addresses on the blockchain.
  • Knowing How the Blockchain Works A reasonable understanding of blockchain technology enables you to apply that knowledge to virtually any cryptocurrency that may be used by a suspect. The relationship between transactions being bundled and hashed into blocks helps you to understand the security and dependability of a blockchain as well as how the transactions can potentially be relied upon in court.
  • Considering Dates, Times, and IP Addresses There is much confusion regarding dates and times of transactions, and digital investigators often rely on the solidity of timestamps in re-creating the actions of a suspect online or at their computer. Understanding the limitations of the timestamps on a blockchain such as Bitcoin enables an investigator to build a case with appropriate levels of confidence in the dates and times that are involved. In the same way, IP addresses saved by sites such as blockchain.info have been mistakenly relied upon to de-anonymize particular transactions. You have learned that these are just relay addresses, and that it is much more complex to attribute an IP address to a specific transaction.
  • Searching Premises You learned how to search premises for evidence of cryptocurrency use with a particular focus on finding a private key. You considered the different types of paper wallets, hardware devices, mnemonic keys or seed words, and addresses jotted on scraps of paper. The list of possibilities is endless, but front-line officers need to know what they are looking for.
  • Working on a Live Computer This book described methods of working on a live computer at a suspect's premises: how you could search for addresses, dump wallets with their private keys, and even cash out a wallet from the live scene. To do this, you have to be able to recognize that cryptocurrency wallet software is running, and it is important that a live investigator understands the different wallet types available.
  • Exporting Wallets You learned how to import a found and exported wallet onto a lab computer, and then how to analyze the contents of the wallet such as the used addresses and the current balance.
  • Building Information about an Address The book detailed how to build up information about an identified address, such as the number of transactions the address has been involved with, the dates of those transactions, exporting the raw data, extracting micromessages, and even basic temporal analysis of the times that transactions were done.
  • Clustering Addresses Following the money is a complex process. Although some commercial products are available to help, it is vital that an investigator know how to take a single address and apply clustering techniques to infer other addresses owned by a single user, and then follow those addresses to hopefully expose further evidence. If you are unsure about certain aspects of clustering, I urge you to reread the sections in Chapter 12 that deal with those aspects. Understanding how to cluster addresses will help you understand what the commercial tools are doing as well as their pros and cons.
  • Following the Money You learned how to use blockchain viewers to surf from transaction to transaction and experienced how quickly you can get lost in the complexities of the blockchain. You learned to take the process slowly and carefully, take detailed notes, and annotate just the first 6 digits of addresses to make notes easier to read and follow.
  • Using Visualization Tools To help with the complexities of following transactions, we looked at a number of open-source visualization software tools that help the investigator see connections more clearly. These tools are not a panacea, because they too can quickly become complex if not used with caution. The commercial tools carry out clustering in the same way as you learned to do manually. This means that these tools can infer connections wrongly and their limitations must be understood.
  • Finding Real-World Services You studied how to identify real-world resources such as exchanges, mixers, and traders. This provides you with a target to which you can apply legal means to try and acquire data on your suspect. I described how to use open source investigation techniques to search for addresses online, perhaps in forums or other sites, and then how to use clustering to connect backward or forward in the blockchain to a service provider. I also wrote about making micro-payments and withdrawals to service providers to attempt to expose more addresses that could form a cluster of a known entity. Commercial software providers do this regularly.
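The clustering and temporal-analysis points in the summary above can be shown in a few lines of code. The following Python script is an added example, not code from the book or from any of the tools it mentions. It applies the common-input-ownership heuristic (every address spent as an input of the same transaction is assumed to belong to one owner) with a union-find structure, then builds an hour-of-day profile of when a cluster is active. The transaction list is constructed sample data, not real blockchain records, and the field names (txid, inputs, time) are assumptions. As the summary warns, the heuristic can infer connections wrongly: a CoinJoin-style transaction that mixes inputs from several owners will merge their addresses into one cluster, so the output is a lead to verify, not a conclusion.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data, not real blockchain transactions. Each entry lists
# the addresses spent together as inputs of one transaction and the Unix time
# of the block that included it.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "time": 1514800800},  # 2018-01-01 10:00 UTC
    {"txid": "tx2", "inputs": ["A2", "A3"], "time": 1514804400},  # 2018-01-01 11:00 UTC
    {"txid": "tx3", "inputs": ["B1"],       "time": 1514890800},  # 2018-01-02 11:00 UTC
    {"txid": "tx4", "inputs": ["A3", "A4"], "time": 1514887200},  # 2018-01-02 10:00 UTC
    {"txid": "tx5", "inputs": ["B1", "B2"], "time": 1514977200},  # 2018-01-03 11:00 UTC
]


class UnionFind:
    """Disjoint-set structure used to merge addresses that are spent together."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be controlled by the same entity. Returns {address: frozenset}.
    Caveat: a CoinJoin-style transaction would wrongly merge several owners."""
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        if not inputs:
            continue
        uf.find(inputs[0])  # register single-input addresses as their own cluster
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def cluster_of(txs, address):
    """Sorted list of addresses inferred to share an owner with `address`."""
    return sorted(cluster_addresses(txs).get(address, {address}))


def hour_histogram(txs, address):
    """Hour-of-day (UTC) counts of transactions spending from the cluster that
    contains `address`: a basic temporal profile of when the owner is active."""
    members = set(cluster_of(txs, address))
    hours = Counter()
    for tx in txs:
        if members.intersection(tx["inputs"]):
            hours[datetime.fromtimestamp(tx["time"], tz=timezone.utc).hour] += 1
    return dict(hours)


if __name__ == "__main__":
    for seed in ("A1", "B1"):
        print(seed, "cluster:", cluster_of(SAMPLE_TXS, seed))
        print(seed, "active hours (UTC):", hour_histogram(SAMPLE_TXS, seed))
```

Starting from the single address A1, the script infers A2, A3, and A4 as the same owner because each pair was spent together in some transaction, while B1 and B2 form a separate cluster. The hour histogram is the same kind of basic temporal analysis described in the summary: with real data spanning months it hints at the time zone and daily routine of the address owner, which is one more piece of evidence to corroborate against real-world information.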

I also discussed methods by which coins could be seized from a suspect and deliberated on the benefits and negatives of holding seized coins securely or cashing them out to a fiat currency. There is a need to consider this carefully and agree to a methodology with management to ensure that it is practical, achievable, and in line with applicable laws. Storage wallets, preferably multi-signature, or accounts with an exchange need to be agreed upon and set up, and the process needs to be practiced over and over. This planning needs to be done before you start any job that may require work on seizing coins—don't wait until you're sitting at the suspect's keyboard. Remember that once coins are moved to your storage wallet, they should be backed up to cold storage such as paper, multiple copies made, and electronic copies securely deleted.

I will not be so short-sighted as to pretend that this book has covered everything, or that the processes suggested are always going to be the most efficient way to proceed. This is a collection of recommendations based on several years of investigating cryptocurrencies and having to regularly find my own solutions to problems when the solutions had not been written down anywhere else. White papers and conference talks have begun to focus on cryptocurrency investigations, but it has only really been since 2015 and 2016 that large police and government investigators have begun to turn their attention to the issues with investigating the technology. Even now in 2018, the level of skills is very low within both the FI world and the digital forensics sphere. I hope that this will change and that this book helps with the dissemination of information.

Although blockchain technology, and Bitcoin specifically, is not actually new, it has only been in the last three years or so that the anonymization features have become more widely used by criminals. In addition, it has only been since the extraordinary growth of Bitcoin values in 2017 that criminals with large amounts of cash saw an opportunity to launder money while also increasing their overall value. This means that standard drug-dealing cases or organized-crime investigations are unveiling the use of cryptocurrencies, and many are unsure how to proceed with this element of the analysis. I hope that I have demonstrated to you that these examinations, although complex and often time-consuming, are achievable and worthwhile.

Where Do You Go from Here?

The information in this book is designed to start your journey into investigating cryptocurrencies, but it is not an end in itself. You should now understand the fundamentals of the technology, but new forks are appearing all the time in different currencies. Bitcoin Cash differs from Bitcoin in subtle ways, Ethereum is changing the way you mine coins, and ZCash has security features very different from the others.

A researcher recently said to me that she believes Bitcoin will be “the MySpace of cryptocurrencies.” Although MySpace was a hugely successful social media platform, it couldn't sustain its own success and eventually paved the way for Facebook and others that have learned from its mistakes and found a way to be relevant in the long term.

Bitcoin has problems with its comparatively high fees, the length of time it takes for confirmations, and wildly fluctuating values. This may, or may not, open the way for other cryptocurrencies to learn from Bitcoin's mistakes and fill the gap in the market for a readily tradable currency. Any new cryptocurrencies that begin to find traction with users, especially criminals, need to be understood by the investigator—preferably before facing the currency in an investigation. I recommend that you make this area a subject of continuous research, watch the cryptocurrency forums, follow the right people on Twitter, and download and try new tools designed to simplify the investigative process.

I have avoided any cryptocurrency investments, apart from small deposits in many of the front-runners, because I am waiting to see what the future holds. This means I missed the Bitcoin value explosion of 2017, but I have been able to think about cryptocurrencies as an investigator rather than an investor. However, I do recommend that you spend a few dollars (or whatever your local currency is) to buy coins on the primary blockchains, transact them, move them around, buy something, and get a feel for how they work, what is good, and what is bad. Then investigate your own transactions and try to answer questions such as these:

  • What can you find on your own computer?
  • Can you locate magic values and carve transactions?
  • Are you able to sniff traffic and locate data in the packet stream?
  • What does a blockchain viewer tell you that would be interesting in a live examination?
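The second question, locating magic values and carving transactions, is the kind of exercise you can run against your own machine. The following Python script is an added example, not code from the book: it scans a byte image for the Bitcoin mainnet and testnet3 network magic values as they appear on disk (f9beb4d9 and 0b110907), reads the size field that follows the magic, and decodes the 80-byte block header behind it, computing the block hash with double SHA-256 so a carved header can be checked against a blockchain viewer. The image it scans is constructed inline: the mainnet record carries the public genesis block header (the transaction bytes behind it are replaced by zero padding), and the testnet record is entirely made up and deliberately truncated, so the carver also shows how to flag a record whose declared size runs past the end of the data.

```python
import hashlib
import struct

# Network magic values as they appear on disk (little-endian byte order).
MAGIC = {
    bytes.fromhex("f9beb4d9"): "bitcoin-mainnet",
    bytes.fromhex("0b110907"): "bitcoin-testnet3",
}
HEADER_LEN = 80  # version(4) prev_hash(32) merkle_root(32) time(4) bits(4) nonce(4)

# Well-known Bitcoin genesis block header, serialized as stored on disk.
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def parse_header(header):
    """Decode an 80-byte block header; hashes are returned big-endian,
    the way block explorers display them."""
    version, = struct.unpack_from("<i", header, 0)
    timestamp, bits, nonce = struct.unpack_from("<III", header, 68)
    return {
        "version": version,
        "prev_hash": header[4:36][::-1].hex(),
        "merkle_root": header[36:68][::-1].hex(),
        "time": timestamp,
        "bits": bits,
        "nonce": nonce,
        "hash": double_sha256(header)[::-1].hex(),
    }


def carve_blocks(data):
    """Find every magic value in `data` and return one record per hit, sorted by
    offset. A record is marked partial when the header does not fit or the
    declared block size runs past the end of the data (e.g. a truncated image)."""
    found = []
    for magic, network in MAGIC.items():
        pos = data.find(magic)
        while pos != -1:
            rec = {"offset": pos, "network": network, "partial": True}
            body = pos + 8  # skip magic (4) and size (4)
            if body + HEADER_LEN <= len(data):
                size, = struct.unpack_from("<I", data, pos + 4)
                rec["size"] = size
                rec["header"] = parse_header(data[body:body + HEADER_LEN])
                rec["partial"] = body + size > len(data)
            found.append(rec)
            pos = data.find(magic, pos + 1)
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed disk image: junk, a mainnet record whose 285-byte body is the
    genesis header plus zero padding (in place of the coinbase transaction),
    more junk, and a made-up testnet3 record cut short after 40 body bytes."""
    mainnet_body = GENESIS_HEADER + b"\x00" * (285 - HEADER_LEN)
    mainnet = bytes.fromhex("f9beb4d9") + struct.pack("<I", 285) + mainnet_body
    testnet_header = (struct.pack("<i", 2) + b"\x11" * 32 + b"\x22" * 32
                      + struct.pack("<III", 1514764800, 0x1D00FFFF, 7))
    testnet = bytes.fromhex("0b110907") + struct.pack("<I", 1000) + testnet_header + b"\x00" * 40
    return b"\xde\xad" * 37 + mainnet + b"junk bytes in between" + testnet


if __name__ == "__main__":
    for rec in carve_blocks(build_sample_image()):
        print(rec["offset"], rec["network"], "partial" if rec["partial"] else "complete")
        if "header" in rec:
            print("   hash:", rec["header"]["hash"], "time:", rec["header"]["time"])
```

Run against a real blk*.dat file or an unallocated-space dump (read the file in binary and pass the bytes to carve_blocks), the hash of the first carved header should match the block hash shown by any blockchain viewer, which is the confidence check you want before relying on a carved artifact. Carving full transactions out of the body that follows the header is the next step, and the same pattern applies: parse the declared lengths, and treat anything that runs past the end of the data as partial.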

In the foreseeable future, in order to be good at investigating cryptocurrencies, you will need to be fairly self-sufficient, be able to do some of your own research, work with your colleagues to design processes and methods that work for you, and work within the laws of your country.

Since Sarah Meiklejohn and colleagues wrote arguably the first Bitcoin forensics paper, “A Fistful of Bitcoins,” in 2013 (https://bit.ly/2J4Rg7A), the development of investigation techniques surrounding cryptocurrencies has been slow. I recommend researching and developing your own methods and where possible, share them with the community. It is only this way that internationally accepted investigation standards will be achieved.

Feel free to keep your eye on the www.investigatingcryptocurrencies.com website, which is based on this book. This site will, from time to time, publish updates or corrections to information in the book. It also contains a discount code to take my online or live course.

Happy investigating!
