Basic Introduction to Bitcoin Forensics
Article written by: Faisel Shuib

Hello, to all you bitcoin and blockchain fans.

To coincide with the recent popularity and hype around bitcoin and the blockchain, and the suspicions some people have about them, I managed to put together this article explaining what information can be learned from the blockchain by anyone who understands the mechanics of how it works. Hopefully, after reading this article, you will also further strengthen your knowledge of this rather 'mysterious' technology that is causing disruption in many industries. I will let each of you ponder whether that disruption is positive or negative.

Intro

Bitcoin is a cryptocurrency. It is an attempt to bring back a decentralised currency of the people. It is not controlled by any central body. It runs on a peer-to-peer network and is built on blockchain technology.

A blockchain is a type of distributed ledger. The data is stored in blocks, and these blocks contain digitally recorded data that is unchangeable. The blocks form a linked list in which each block contains the hash of the previous block, and so on.

Blockchain has several applications, such as smart contracts, equity, crowdfunding, health care, intellectual property and much more.

Algorithm

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA is used to generate a public key from the private key. The public key can be used to verify transactions signed using the private key. The 64-byte public keys are hashed into 20-byte addresses. These 20-byte addresses are formatted using Base58Check to produce either a P2PKH or a P2SH bitcoin address.
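As an added example (not code from the original article), the Base58Check step described above can be reversed to validate address-like strings found in evidence and classify them as P2PKH or P2SH. It assumes the mainnet version bytes 0x00 and 0x05; the function names are illustrative, and the sample text is constructed around the well-known genesis-block address.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}  # assumed: Bitcoin mainnet version bytes

def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of a double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(hash160: bytes, version: int) -> str:
    """Format a 20-byte hash as version + hash + checksum in Base58."""
    if len(hash160) != 20:
        raise ValueError("expected a 20-byte hash")
    raw = bytes([version]) + hash160
    raw += checksum(raw)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as the character '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def decode_address(addr: str):
    """Return (kind, hash160 hex) for a valid address, otherwise None."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        num = num * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or checksum(raw[:21]) != raw[21:]:
        return None  # wrong length or corrupted checksum
    kind = VERSIONS.get(raw[0])
    return (kind, raw[1:21].hex()) if kind else None

def find_addresses(text: str):
    """Keep only the candidate strings whose checksum verifies."""
    hits = []
    for cand in re.findall(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b", text):
        decoded = decode_address(cand)
        if decoded:
            hits.append((cand, decoded[0]))
    return hits

GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
P2SH_SAMPLE = encode_address(bytes(range(20)), 0x05)  # constructed hash
# Constructed sample text: one real address, one typo, one P2SH address.
SAMPLE = f"pay {GENESIS} or {GENESIS[:-1]}b; escrow {P2SH_SAMPLE}"

if __name__ == "__main__":
    for addr, kind in find_addresses(SAMPLE):
        print(kind, addr)
```

The checksum check is what separates real addresses from look-alike strings when carving text out of memory dumps, browser history or chat logs.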

Peer-to-Peer

The Bitcoin network is composed of peers connected to other peers over unencrypted TCP channels. Each peer attempts to maintain eight outgoing connections to other peers. These eight peers are called entry nodes. Transaction and block messages are propagated through the network by being relayed through these entry nodes to other peers.

Forensic Steps

A forensic investigation has four major steps. These are:

1. Identification

-Identify specific objects that store important data for the case analysis

2. Collection

-Establish a chain of custody and document all steps to prove that the collected data remains intact and unaltered

3. Analysis & Evaluation

-Determine the type of information stored on digital evidence and conduct a thorough analysis of the media

4. Reporting

-Prepare and deliver an official report

Architecture

Each forensic investigator should know the architecture of the blockchain. As there is currently no software tool available for Bitcoin forensics, one should look at all the available information regarding bitcoin and the blockchain in order to learn more about this topic.

Bitcoins don't exist anywhere, not even on your hard drive. For a particular bitcoin address, there are no digital bitcoins held against that address. One must reconstruct the balance of bitcoin by looking at the blockchain. Everyone on the network knows about each transaction, and the history can be traced back to the point where the bitcoins were produced.

Enumeration

There are several online resources from which information regarding bitcoins can be enumerated. These are:

1. https://anders.com/blockchain/blockchain.info

Used to see the block hashes of bitcoins

2. https://blockexplorer.com

Used to get the latest block information (Height, Age, Hash, Transaction, Size)

3. https://blockexplorer.com/blocks

Used to get information of blocks by date and timestamps

4. https://blockchain.info/blocks

Used to get block information (Height, Time, Relayed by, Hash, Size)

5. https://blockchain.info/stats

Used to get Block summary, Market summary, Transaction Summary

Data Discovery

The information that can be collected from Bitcoin artifacts is:

1. System Info

2. Info about Logged Users

3. Registry Info

4. Web Browsing Activities

5. Recent Communications

Every forensic investigator should look thoroughly through the transactions happening on the blockchain. It contains a huge number of public addresses which can be looked up in further detail. Bitcoin addresses can help in tracing purchases.
