Investigating Cryptocurrencies

Nich Furneaux is a cybersecurity and forensics consultant specializing in cybercrime prevention and investigation for law enforcement and corporations throughout the United States, Europe, and Asia. He regularly speaks at industry conferences, including the F3 (First Forensic Forum), NPCC/ACPO Hi-Tech Crime conference, European Network Forensics and Security conference, many others.

Foreword xxi


Introduction xxiii


Part I Understanding the Technology 1


Chapter 1 What Is a Cryptocurrency? 3


A New Concept? 3


Leading Currencies in the Field 8


Is Blockchain Technology Just for Cryptocurrencies? 9


Setting Yourself Up as a Bitcoin User 10


Summary 14


Chapter 2 The Hard Bit 15


Hashing 16


Public/Private Key Encryption 21


RSA Cryptography 23


Elliptic Curve Cryptography 28


Building a Simple Cryptocurrency in the Lab 32


Summary 36


Chapter 3 Understanding the Blockchain 39


The Structure of a Block 40


The Block Header 42


Deconstructing Raw Blocks from Hex 47


Applying This to the Downloaded Hex 51


Number of Transactions 55


Block Height 57


Forks 58


The Ethereum Block 61


Summary 65


Chapter 4 Transactions 67


The Concept behind a Transaction 67


The Mechanics of a Transaction 69


Understanding the Mempool 76


Understanding the ScriptSig and ScriptPubKey 77


Interpreting Raw Transactions 79


Extracting JSON Data 81


Analyzing Address History 82


Creating Vanity Addresses 83


Interpreting Ethereum Transactions 85


Summary 86


Chapter 5 Mining 87


The Proof-of-Work Concept 89


The Proof-of-Stake Concept 90


Mining Pools 90


Mining Fraud 92


Summary 93


Chapter 6 Wallets 95


Wallet Types 96


Software Wallets 96


Hardware Wallets 97


Cold Wallets or Cold Storage 98


Why Is Recognizing Wallets Important? 99


Software Wallets 100


Hardware Wallets 100


Paper Wallets 100


The Wallet Import Format (WIF) 101


How Wallets Store Keys 102


Setting Up a Covert Wallet 105


Summary 107


Chapter 7 Contracts and Tokens 109


Contracts 109


Bitcoin 110


Ethereum 110


Tokens and Initial Coin Offerings 112


Summary 116


Part II Carrying Out Investigations 117


Chapter 8 Detecting the Use of Cryptocurrencies 119


The Premises Search 120


A New Category of Search Targets 121


Questioning 124


Searching Online 125


Extracting Private and Public Keys from Seized Computers 130


Commercial Tools 130


Extracting the Wallet File 131


Automating the Search for Bitcoin Addresses 135


Finding Data in a Memory Dump 136


Working on a Live Computer 137


Acquiring the Wallet File 138


Exporting Data from the Bitcoin Daemon 140


Extracting Wallet Data from Live Linux and OSX Systems 144


Summary 145


Chapter 9 Analysis of Recovered Addresses and Wallets 147


Finding Information on a Recovered Address 147


Extracting Raw Data from Ethereum 154


Searching for Information on a Specifi c Address 155


Analyzing a Recovered Wallet 161


Setting Up Your Investigation Environment 161


Importing a Private Key 166


Dealing with an Encrypted Wallet 167


Inferring Other Data 172


Summary 173


Chapter 10 Following the Money 175


Initial Hints and Tips 175


Transactions on Blockchain.info 176


Identifying Change Addresses 177


Another Simple Method to Identify Clusters 181


Moving from Transaction to Transaction 182


Putting the Techniques Together 184


Other Explorer Sites 186


Following Ethereum Transactions 189


Monitoring Addresses 193


Blockonomics.co 193


Bitnotify.com 194


Writing Your Own Monitoring Script 194


Monitoring Ethereum Addresses 196


Summary 197


Chapter 11 Visualization Systems 199


Online Blockchain Viewers 199


Blockchain.info 200


Etherscan.io 201


Commercial Visualization Systems 214


Summary 215


Chapter 12 Finding Your Suspect 217


Tracing an IP Address 217


Bitnodes 219


Other Areas Where IPs Are Stored 226


Is the Suspect Using Tor? 228


Is the Suspect Using a Proxy or a VPN? 229


Tracking to a Service Provider 231


Considering Open-Source Methods 235


Accessing and Searching the Dark Web 237


Detecting and Reading Micromessages 241


Summary 244


Chapter 13 Sniffi ng Cryptocurrency Traffi c 245


What Is Intercept? 246


Watching a Bitcoin Node 247


Sniffi ng Data on the Wire 248


Summary 254


Chapter 14 Seizing Coins 255


Asset Seizure 256


Cashing Out 256


Setting Up a Storage Wallet 259


Importing a Suspect's Private Key 261


Storage and Security 263


Seizure from an Online Wallet 265


Practice, Practice, Practice 265


Summary 266


Chapter 15 Putting It All Together 267


Examples of Cryptocurrency Crimes 268


Buying Illegal Goods 268


Selling Illegal Goods 268


Stealing Cryptocurrency 269


Money Laundering 269


Kidnap and Extortion 270


What Have You Learned? 270


Where Do You Go from Here? 273


Index 275