CHAPTER 6
Wallets

Sometimes in the quest for enlightenment the only thing that gets lighter is your wallet.

—Steve Maraboli

The Internet says: “A cryptocurrency wallet is a secure digital wallet used to store, send, and receive digital currency like Bitcoin.” I won't tell you where that quote comes from, because I wouldn't want to embarrass them, but it's wrong. In fact, it's technically wrong in virtually every way—a wallet doesn't store your bitcoin, and because it doesn't store them, it can't send or receive them! I'm being a little picky here—I know exactly what they mean by the statement—but the reality is important: the wallet simply maintains a list of private and public keys that it can resolve. By either watching a local copy of the blockchain or communicating with a copy belonging to another full-node user, the wallet simply builds a balance from the transactions it can control.

A forensic lab contacted me some months back and asked if I could “recover a suspect's bitcoin from a hard drive.” I told the analyst that his suspect's computer never had any bitcoin stored on it in the first place. He sounded confused and told me that the suspect had admitted to storing ill-gotten gains in bitcoin on his computer. I sensed that fun could be had, so I told my new friend that I already had his suspect's bitcoin on my computer. Silence. I broke the silence by asking him if he would like me to e-mail those bitcoin to him. Silence continued. I think he was trying to decide if I was joking, serious, or somehow already involved in the case. It was getting a bit embarrassing now, so I asked if he had the Bitcoin addresses used by the suspect. He read me the address that had been published by the suspect on the dark web. About 10 seconds later, I gave him the bitcoin balance on the address. The poor man falteringly asked how I could possibly know that. Of course, I then took the time out to teach him how Bitcoin works.

At the time, I was already thinking of building a course on cryptocurrency for investigators, and it convinced me that any class (or indeed this book) should include some appropriate but significant technical detail on how exactly a cryptocurrency works.

A little later, I visited the lab and gave some of the investigators an overview of how a blockchain works, and we built a simple tool to carve public and private keys from a drive. I was planning to share the tool with you in a later chapter, but then a friend of mine built a better one, so I will put that in the book instead when I get to that topic.

I think I might just say it again for repetition: a wallet does not store any coins, but as I mentioned, it can reference any transactions on the blockchain that it can resolve with stored private keys. As you learned in the previous chapter, using a private key, the wallet can generate a transaction by referencing a transaction a person has a private key to unlock and the address he wants to relock the transaction with. So, although we often talk about a wallet sending and receiving bitcoin, this is just for ease of syntax—in reality, the wallet is just telling the blockchain to unlock and lock a transaction. Alternatively, the wallet can examine what transactions exist on the blockchain that are already locked with a Bitcoin address that the wallet controls and create a balance.

In addition, a wallet may store a local list of transactions it's been involved in as well as user preferences and the constantly updated balance.

In this chapter, I will focus on Bitcoin wallets. The wallets for other currencies work in very similar ways, and if you'd like, you can do a little research on your own to discover the differences.

Wallet Types

For each cryptocurrency, numerous types of wallets exist that can work on desktops, mobiles, and tablets. Some of these wallets connect to the blockchain remotely, while others maintain a complete blockchain locally (known as a full node).

Software Wallets

Three wallet types exist:

  • Full Node Wallet—This is where the entire blockchain is downloaded locally. Transactions can be processed and verified locally and then transmitted to its peers.
  • Thin Node Wallet—This client connects to another full node for transaction processing.
  • Online Wallet—This is a wallet that only exists on an online wallet site; the transaction data is usually not synced to a local client.

If you browse to http://bit.ly/1gfYNgg, you will see a number of downloadable choices of wallets including Bitcoin Core, Electrum, Bitcoin Knots, Arcbit, and many others. They all have their own variety of features and abilities, so they need to be chosen carefully.

If you downloaded and ran Bitcoin Core in Chapter 1, “What Is a Cryptocurrency?,” then you will have a full node running and ready. However, tools like Green Address allow multi-signature transactions, Bither has hot and cold modes (which will be covered in a moment), and Electrum does not enable a full node but only works online by connecting to a remote node. They all have their own pros and cons.

Many of the clients have versions that will run on a mobile device, primarily Android or iOS. Ethereum has fewer choices, but a number of wallets are still available including Jaxx, Coinbase, MyEtherWallet, and Coinpayments.

Hardware Wallets

Hardware wallets are physical devices that store your private key and other data such as your account balance. Some primary examples are the Ledger Nano S, the Trezor Wallet, and Keepkey. These three examples are shown in Figure 6-1.

Figure 6-1: Examples of hardware wallets.

These tools are generally very secure, so if one of them is seized, it will usually require the suspect's cooperation to unlock it. However, each of these tools has recovery capabilities in case you lose your PIN or mislay the device. By understanding the recovery steps, an investigator may be able to gain access to the coins without needing to recover the device or PIN.

Cold Wallets or Cold Storage

As you just learned, a wallet has nothing to do with the storage of actual coins, and storing or even backing up a wallet is just a matter of keeping a record of the private key. This means that you could, if you wished, simply write your private key on a sticky note and put it in your drawer. This is a good example of a cold wallet—a private key on a piece of paper. However, cold storage really defines any key kept offline, and this could be on a USB key, a paper note, or a hardware wallet as defined in the previous section.

Although a key may be stored offline and would need to be imported into a wallet to be able to transfer funds out, the offline wallet can still receive coins from senders. As you learned, this is because it never actually receives the coins but just references the address on the blockchain. So, an address and its private key or a backup such as a mnemonic seed stored on a piece of paper in the safe can still get richer while being completely offline.

It is very easy to set up a paper wallet. In its simplest form, you can just write your private key on a piece of paper and put it somewhere safe. In fact, you might want to put it in a fireproof safe.

You can also generate a public/private key address pair without it ever being online. This is extremely secure because you can generate the key pair and never have the private key appear in a wallet or on a computer in any way until you need to move any funds received to the public key address. An excellent tool to generate a public/private key pair is a free tool called WalletGenerator (see Figure 6-2). Browse to http://bit.ly/2yIHeWu and download the files from the GitHub page. Once the files are downloaded, it is sensible to disconnect from the Internet, then locate and double-click index.html.

Figure 6-2: Moving your mouse around the WalletGenerator window creates entropy.

Moving your mouse around will generate entropy (essentially, randomness) and when the colored bar is complete, it will display your public and private keys along with their corresponding QR codes. Click the Paper Wallet tab and then Print to PDF. This will generate an output of your keys that you can fold and store wherever appropriate. You are welcome to look at the private key in Figure 6-3, but alas you will find it empty.

Figure 6-3: A generated public/private key pair ready to print.

Why Is Recognizing Wallets Important?

For the investigator, recognizing wallets is essential to be able to investigate the movement of a suspect's funds within cryptocurrencies and potentially seize assets. The potential insecurities of each method of storage can also play into the hands of the investigator, enabling private keys to be found and seized and control of the funds to be gained.

Software Wallets

When analysts are working through disk images, they tend to follow a similar pattern of investigation depending on the case. Forensic software will generally attempt to reconstruct the file system metadata such as the Master File Table in Windows and provide the investigator with a view of live and deleted files, as well as a list of installed applications. Recognizing when a cryptocurrency management tool is installed could be very helpful during an investigation and may open up areas of money movement and laundering that had not been known about before. Digital forensic first responders should be trained to know the names of key cryptocurrency wallet software tools so that they can be recognized and reported. This is the same when dealing with mobile phone dumps—it is vital that thin client apps are recognized so that cryptocurrency assets are not missed.

Many software wallets depend on the security of the operating system to keep the keys safe, meaning that if you have managed to image the device or have secured the operating system password, you may have an easier time gaining access to the wallet and hence the assets.

In Chapter 10, “Following the Money,” we will look at examples of how you can export a wallet or private keys and use them on your own workstation to investigate or seize assets.

Hardware Wallets

Would your house search teams recognize a Trezor hardware wallet? Would you? Perhaps just as importantly, would your house search teams recognize the printed recovery card that provides all the information you need to gain access to the account?

In Trezor, when you set up your device and choose a PIN, you are also prompted to record a number of supplied words onto the recovery card. If the Trezor is lost or the suspect refuses to reveal his PIN, you can acquire a new Trezor and then set up and configure it with the original keys by entering the words on the recovery card. Instructions like this are provided by the manufacturer for each hardware device, which can be exploited by an analyst to recover the suspect's keys. The instructions can usually be found on the website of the manufacturer.

Paper Wallets

The fact that these wallets are on paper means that they are probably tucked away somewhere and easy to miss. However, if a suspect is thought to have a reasonable sum stored on a blockchain, then a paper wallet will most likely be stored very safely. You would need to check a safe, if one exists, and any locked filing cabinets. Perhaps you would even need to look for evidence of a safety deposit box at the bank. A house search team should be trained to recognize and seize paper with long strings written on it. This will be discussed in more detail in Chapter 8, “Detecting the Use of Cryptocurrency.”

The Wallet Import Format (WIF)

A WIF key is just your private key in a format that's easier to copy and retype. However, once it's gone through its transition from private key to WIF key, it is only shorter by 13 characters: 51 instead of 64. The WIF is in Base58, which means that it's harder to mistake characters such as l or o. It also has built-in error checking, which means that a miscopied WIF key should simply not work, rather than a copying mistake producing a different private key that is then used without the user's knowledge.

All the wallets I have tested that allow the importing of private keys only support the importing of WIF-formatted keys (with the exception of backup files and mnemonic seeds).

Generating a WIF key from a private key manually is quite simple and can be achieved by following these steps:

  1. Start with your 64-character private key:
    DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63F
  2. Add 0x80 to the front of the key:
    80DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63F
  3. SHA256 the new key from step 2:
    77BF93B1EECE4240EBD9CDE6FAF762AEF2D79F9E811286AA72EF41BDDA80CCAC
  4. Run SHA256 over the key from step 3:
    F4FCFFFA78E05A34D9FEC3F95B09967D361A724AF961A34E05BF442EE06170EB
  5. Take the first 4 bytes (F4FCFFFA) of the result from step 4. This is your checksum:
    F4FCFFFA78E05A34D9FEC3F95B09967D361A724AF961A34E05BF442EE06170EB
  6. Add the checksum to the end of the key from step 2:
    80DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63FF4FCFFFA
  7. Base58-encode the result from step 6:
    5KUwcbfmiHeDn3U1NnGLLrCSbHB9SrfW8ZEBsw9GcWjGSuvVV5s

You now have your private key in WIF format. That all sounds very long-winded to simply create a new shorter value. Why not just Base58-encode the original private key? The answer is the checksum. If you mistype the key, the checksum will not match, and the key will not be valid. Let's take a look at how the checksum works. Follow these steps:

  1. Start with your WIF-formatted key:
    5KUwcbfmiHeDn3U1NnGLLrCSbHB9SrfW8ZEBsw9GcWjGSuvVV5s
  2. Decode from Base58 back to the hex formatted bytes:
    80DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63FF4FCFFFA
  3. Remember that the last 4 bytes are the checksum: F4FCFFFA. Drop them from the end of the string:
    80DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63F
  4. SHA256 the result from step 3:
    77BF93B1EECE4240EBD9CDE6FAF762AEF2D79F9E811286AA72EF41BDDA80CCAC
  5. SHA256 the result from step 4:
    F4FCFFFA78E05A34D9FEC3F95B09967D361A724AF961A34E05BF442EE06170EB

Note that the first 4 bytes of the result of step 5 are F4FCFFFA. This should match the last 4 bytes from step 2. If you look back at step 2, you will see the last 4 bytes are indeed F4FCFFFA. You can also check that the result of step 2 (converting from the Base58 WIF to hex) starts with 0x80. If these all match, then the key is valid and can be used.

You can do this process online at http://gobittest.appspot.com/PrivateKey. Please remember that entering your private key online is very risky, because the website owner could record the key and gain control of all your funds.

It could be useful to check to see if a recovered private key is legitimate before importing it and trying to locate assets on the cryptocurrency. Carrying out this reverse check would at least tell you if the key is a real private key.
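
Both procedures above can be run offline, which avoids typing a recovered key into a website. The following Python sketch is an added example, not code from this book or from any wallet project; the function names are hypothetical, and its acceptance of the 52-character compressed-key form (an extra 0x01 byte in front of the checksum) goes beyond what this chapter covers.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l

# The chapter's example key (step 1) and the WIF string given for it (step 7).
PAGE_KEY_HEX = "DB77FBE5B48C46B5A071387CF080F6D6065BA1DE8301135F8ED7D0B67973B63F"
PAGE_WIF = "5KUwcbfmiHeDn3U1NnGLLrCSbHB9SrfW8ZEBsw9GcWjGSuvVV5s"


def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Base58 writes each leading zero byte as the character "1".
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"{ch!r} is not a Base58 character")
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA256(SHA256(payload)), as in encoding steps 3 to 5."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def hex_to_wif(key_hex: str) -> str:
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("a private key is 32 bytes (64 hex characters)")
    payload = b"\x80" + key                        # step 2: 0x80 in front
    return b58encode(payload + checksum(payload))  # steps 6 and 7


def check_wif(wif: str) -> dict:
    """Reverse check: decode, split off the checksum, recompute, compare."""
    verdict = {"valid": False, "reason": "", "key_hex": None, "compressed": False}
    try:
        raw = b58decode(wif.strip())
    except ValueError as exc:
        verdict["reason"] = str(exc)
        return verdict
    payload, given = raw[:-4], raw[-4:]
    if len(payload) == 34 and payload[-1] == 0x01:
        verdict["compressed"] = True               # form not covered in the chapter
    elif len(payload) != 33:
        verdict["reason"] = f"payload is {len(payload)} bytes, expected 33 or 34"
        return verdict
    if payload[0] != 0x80:
        verdict["reason"] = f"version byte is 0x{payload[0]:02X}, expected 0x80"
    elif checksum(payload) != given:
        verdict["reason"] = "checksum mismatch (mistyped or damaged key)"
    else:
        verdict.update(valid=True, key_hex=payload[1:33].hex().upper())
    return verdict


if __name__ == "__main__":
    print("encoded  :", hex_to_wif(PAGE_KEY_HEX))
    print("page WIF :", check_wif(PAGE_WIF))
    # Constructed damage: the last character of the WIF string is changed.
    print("damaged  :", check_wif(PAGE_WIF[:-1] + "t"))
```

Because check_wif returns a reason instead of raising, it can be run over every candidate string carved from an image and the failures kept for the case notes.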

How Wallets Store Keys

Wallets store keys in a number of ways (although some are now old technology and rarely used). These methods define the way that public keys are created from either a single or many private keys. As an investigator, it is important to understand how keys are derived because it can help to track complex wallets, especially those that are used by organizations or individuals with complex transaction needs. These methods break down into the following three primary categories:

Nondeterministic: Otherwise known as Type-0, nondeterministic keys are stored in a simple list of public/private key pairs. This is also known as JBOK (Just a Bunch of Keys). This method means that you have a lot of keys to manage, especially if you follow the recommended process of using a new key for each transaction. This also means that there is a lot of data to back up and keep safe.

Deterministic: Deterministic wallets are also known as Type-1 or “seeded” wallets. All of the private keys are derived from a single seed that's based on a random number. This method is significantly better because you only need to store and back up the seed to be able to recover all the generated private keys. This makes the wallet much easier to manage.

Hierarchical Deterministic: Otherwise known as “HD wallets,” this is the most up-to-date wallet protocol in use and was implemented in Bitcoin Core in 2016. As with standard deterministic wallets, all the private keys are derived from a single seed, but keys in an HD wallet can generate their own private and public keys in a hierarchical tree structure. Once again, the seed can be backed up, and the entire structure of the tree can be recovered from the backed-up seed.

The seed is often represented by a series of 12 to 24 words. The process is fairly straightforward and is known as BIP39 (a mnemonic scheme named after Bitcoin Improvement Proposal 39). Here's how it works:

  1. Take the seed (random 256-bit sequence).
  2. SHA256 the seed.
  3. Add a checksum.
  4. Divide the result into 11-bit sections.
  5. Use each 11-bit section to reference the index of a dictionary of 2048 words.
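
As an added example (not code from this book), the Python sketch below carries out these steps under the BIP39 rule that the checksum is the first bits of the SHA256 hash, one bit for every 32 bits of random data, appended before the split into 11-bit sections. The 2048-word dictionary is not embedded, so the functions work with word indices rather than words; the function names are hypothetical.

```python
import hashlib

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_indices(entropy: bytes) -> list:
    """Random bytes (the chapter's 'seed') -> list of 11-bit dictionary indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                  # 1 checksum bit per 32 random bits
    cs = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | cs
    count = (ent_bits + cs_bits) // 11        # 256 + 8 bits -> 24 sections
    return [(value >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]


def indices_to_entropy(indices) -> bytes:
    """Reverse direction; raises ValueError if the checksum bits do not match."""
    if len(indices) not in VALID_WORD_COUNTS:
        raise ValueError(f"{len(indices)} words is not a valid mnemonic length")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("index outside the 2048-word dictionary")
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    value = 0
    for i in indices:
        value = (value << 11) | i
    entropy = (value >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if value & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: wrong word, wrong order, or a typo")
    return entropy


def looks_like_valid_mnemonic(indices) -> bool:
    """True when a recovered word list (as indices) passes the checksum."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(32))                 # constructed input, not random
    idx = entropy_to_indices(sample)
    print(len(idx), "indices:", idx)
    # Constructed error: the last word misread as its neighbour in the list.
    misread = idx[:-1] + [idx[-1] ^ 1]
    print("original valid:", looks_like_valid_mnemonic(idx))
    print("misread valid :", looks_like_valid_mnemonic(misread))
```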

To see an example of this, browse to http://bit.ly/2lpOWAr. Here you can generate a new seed with its associated mnemonic words (see Figure 6-4). Select the number of words and click the Generate button.

Figure 6-4: The seed words that can be used to back up my private key.

These words can be used to re-create the seed and hence all the derived keys. You will also notice that under the Coin drop-down menu, a large number of cryptocurrencies are supported—in fact, any that support hierarchical deterministic wallets. Word lists such as this are used to back up many wallet types, so it is vital that search teams recognize them. (Chapter 8 discusses this in more detail.)

If you scroll down, you will see a list of all the derived keys including the private key, public key, and Bitcoin address (as shown in Figure 6-5).

Figure 6-5: List of public and private key pairs recovered from the seed words.

However, as I mentioned previously, this is not just a bunch of keys, but rather, a structured tree of private and public keys. Figure 6-6 shows how this works. The seed generates a master key known as km. This key can generate further keys as children of the master. These carry a number identifier such as Km/0, Km/1, Km/2, and so on. Each of these keys can generate “grandchild” keys, which would be, for example, Km/0/0 or Km/1/1, and so on. It is this naming method that is used to know where a key exists on the hierarchical tree.

Figure 6-6: Hierarchical key tree.

Wallets such as Bitcoin Core currently use a simplified version of a hierarchical tree known as BIP32. However, BIP44 extended this method to provide more information and flexibility in the tree and is currently supported by hardware devices such as the Trezor. It seems likely that BIP44 will become the standard in due course. It is structured like this:

m/purpose/coin_type/account/change/address_index

where:

  • m is the master key.
  • purpose is the BIP implementation (for example, 44 would be BIP44).
  • coin_type is currently 0 for Bitcoin, 1 for Bitcoin Testnet, and 2 for Litecoin.
  • account is an interesting capability that really shows the benefits of the hierarchical system. This enables an organization to set up subaccounts for a variety of reasons. Perhaps account branch 1 could be for purchases, 2 could be for simply receiving monies, and so on.
  • change flags the address as an address purely to receive change from a transaction.
  • address_index is a number representing the numbered receiving address for payments. Remember that numbering starts from 0, so the value 3 would be the receiving address 4 on that branch of the tree.

You would hence read the tree like this:

  • m/44'/0'/0'/0/2: This can be read as the third receiving public key for the primary bitcoin account.
  • m/44'/0'/2'/1/13: This can be read as the change address for the third Bitcoin account.
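
When derivation paths turn up in wallet exports or notes, reading them by hand is error-prone. The following Python sketch is an added example, not code from this book or from any wallet; the function names are hypothetical. It assumes the BIP44 rule that the first three levels carry the hardened marker (the apostrophe seen in the paths above, stored by BIP32 as the top bit of the child number), which this chapter does not explain.

```python
HARDENED = 0x80000000          # BIP32 stores the apostrophe as the top bit
COIN_TYPES = {0: "Bitcoin", 1: "Bitcoin Testnet", 2: "Litecoin"}  # as listed above
LEVELS = ("purpose", "coin_type", "account", "change", "address_index")
MUST_BE_HARDENED = {"purpose", "coin_type", "account"}


def parse_bip44_path(path: str) -> dict:
    """Split a path into named levels and reject anything that is not BIP44."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) != 6:
        raise ValueError("expected m/purpose'/coin_type'/account'/change/address_index")
    out = {"child_numbers": []}
    for name, token in zip(LEVELS, parts[1:]):
        # Accept the typographic apostrophe too, since paths are often pasted
        # from documents; "h" is another common spelling of the marker.
        hardened = token.endswith(("'", "\u2019", "h", "H"))
        digits = token[:-1] if hardened else token
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError(f"{name}: {token!r} is not a number")
        value = int(digits)
        if value >= HARDENED:
            raise ValueError(f"{name}: index {value} does not fit in 31 bits")
        if hardened != (name in MUST_BE_HARDENED):
            state = "unexpected" if hardened else "missing"
            raise ValueError(f"{name}: hardened marker is {state}")
        out[name] = value
        out["child_numbers"].append(value | HARDENED if hardened else value)
    if out["purpose"] != 44:
        raise ValueError("purpose is not 44, so this is not a BIP44 path")
    if out["change"] not in (0, 1):
        raise ValueError("change must be 0 (receiving) or 1 (change)")
    return out


def describe(path: str) -> str:
    """Plain-language reading; indices start at 0, so 1 is added for display."""
    p = parse_bip44_path(path)
    coin = COIN_TYPES.get(p["coin_type"], f"coin type {p['coin_type']}")
    kind = "change" if p["change"] else "receiving"
    return (f"{kind} address #{p['address_index'] + 1} "
            f"of {coin} account #{p['account'] + 1}")


if __name__ == "__main__":
    for sample in ("m/44'/0'/0'/0/2", "m/44'/0'/2'/1/13"):   # paths from the text
        print(sample, "->", describe(sample))
```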

Setting Up a Covert Wallet

A person may have the need to set up a wallet and assign funds to it covertly. This could be for criminal reasons or if he or she is looking to avoid surveillance by a nation state. I do not want to outline the detailed steps to set up a wallet and operate it covertly, but I think it is worth investigators knowing what they would be looking for. You will need the following three primary things to remain anonymous:

Anonymous Hardware and OS That Cannot Easily Be Infected with Malware or Spyware: An investigator would be interested if during a premises search USB devices were found with operating systems such as TAILS installed on them.

Anonymous Data Transmission: Is the suspect using a virtual private network (VPN) or the TOR network to communicate? As most cryptocurrency data is unencrypted due to its open nature, a suspect may decide to use an encrypted tunnel of some type to obfuscate—for example, communication with a Bitcoin peer. But both TOR and VPN clients leave traces for a digital forensics investigator. Also, acquisition of RAM (computer memory) allows the extraction of data packets, and even if packets are encrypted, the From and To IP addresses are always unencrypted.

Secure Payments to Their Wallet: It is no good setting up covert hardware and network traffic if you simply buy coins from a primary exchange where you have to provide your name, address, and other personal information. We have considered how you can set up a paper wallet without it ever being online, which would work well, but how do you get coins in the first place? You could set up a miner and mine the coins yourself, sell something in exchange for some coins, have some gifted to you, or buy bitcoin for cash using a Bitcoin ATM. Several sites are also available that will connect you with bitcoin sellers who will gladly take your cash—but much care is needed! The website www.localbitcoins.com is an example (see Figure 6-7).

Figure 6-7: Bitcoin for sale for cash.

These three methods are not foolproof, but they would certainly help a person stay anonymous. Therefore, they are areas an investigator could look for to see evidence of someone trying to hide his or her tracks.

As an investigator, there may be times when you want to set up a type of covert wallet as alluded to previously. If you are working as an online undercover investigator, there may be times when you need to do covert purchases or money transfers; hence, the steps in this section could apply to you. You would also need to consider your “opponent.” Is the suspect a person in a bedroom somewhere in the world who would have no way of demanding that a company provide account details of your activities, or is it a nation state that can make a request for information? If it's a nation state, you may want to get your bitcoin via less-direct means than through a standard exchange where their request for information would provide them with the name and address of the police station you work from! Not good tradecraft.

You may also want to set up a wallet to investigate data recovered from a suspect's machine. For example, in Chapter 10, “Following the Money,” we will look at how you can use Bitcoin Core to analyze a wallet file recovered from a computer. In this instance, you may not want to use your primary wallet to do any transactions so as not to corrupt anything you might do on the suspect's wallet and, of course, to avoid any corruption of your own wallet.

You may also want to set up a wallet purely to seize assets from a suspect. In this instance, you will need to document everything you do, and you may wish to have a multi-signature address procedure in place so that there can be no suggestion of malpractice on the part of the investigator. We will look at this setup in Chapter 9, “Analysis of Recovered Addresses and Wallets,” and in Chapter 14, “Seizing Coins.”

Summary

Many types of wallets exist, and investigators would do well to be familiar with the primary types and their various features for cryptocurrencies that they may encounter. It is also important for premises search teams to understand what to look for in case hardware or paper wallets are being used and stored offline.

With Bitcoin addresses, it is also useful to check a private key that may have been recovered to see if it is valid, using the checksum method that was outlined earlier in the chapter.

Investigators should also consider their processes and “tradecraft” for setting up wallets to be used covertly or as storage for seized funds.
