As the saying goes, “Follow the money.” Regardless of one’s philosophical argument on the merits of a decentralized currency controlled by the masses and not a single government entity, criminals are utilizing the technology to their own ends specifically because of the lack of a paper trail. “Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence” was written for cyber and financial investigators and provides the necessary background, techniques, and methodologies needed to investigate crimes involving cryptocurrency transactions. Author Nick Furneaux states:
“… a digital forensic investigator, a forensic accountant, or even an Open Source Intelligence gatherer … need to know about this subject.”
Nick Furneaux has 20 years of experience providing cyber security, forensic consultancy, and training to companies and law enforcement institutions in the UK and across Europe, the United States, and Asia. Nick is the Managing Director of CSITech Ltd and Director of the online forensic training company CSILearn Ltd. His experience both conducting investigations and instructing courses is clearly evident throughout the book: Nick goes quite deep into the content while explaining it in a way that sticks.
Overview of Investigating Cryptocurrencies
While the book primarily focuses on Bitcoin, the author would frequently discuss the technical differences between Ethereum and Bitcoin. Obviously, the book could not cover all cryptocurrencies in existence, but the author points out that from an investigation standpoint all cryptocurrencies work fundamentally in the same way. The techniques and methods you learn when reading “Investigating Cryptocurrency” can easily be applied to any cryptocurrency.
The book contains a total of 275 pages and consists of 15 chapters, separated into two parts. Part I, Understanding the Technology, consists of seven chapters which provide the reader with the prerequisite knowledge needed before carrying out an investigation on the blockchain. Part II, Carrying Out Investigations, contains a total of eight chapters which guide the reader through the different techniques and methods used during the investigation of cryptocurrencies.
Foreword & Introduction
“Investigating Cryptocurrencies” begins with a foreword from Prof. William Knottenbelt, Director of the Centre for Cryptocurrency Research and Engineering of Imperial College London. The foreword illustrates that with any new technology there will be those who use it for good and those who will exploit it for evil. He drives home the point that an investigator’s skill-set must keep pace with emerging technologies.
The book’s introduction provides some brief history on Bitcoin and illustrates how cryptocurrencies have allowed criminals to carry out nefarious transactions while seemingly maintaining anonymity. The author goes on to describe who should read the book and what you will and will not learn. If you’re looking to get rich trading cryptocurrency or start your own cryptocurrency, this book is not for you.
Part I – Understanding the Technology
The book begins with “Chapter 1 – What is a Cryptocurrency?” by answering many common questions asked by anyone new to cryptocurrencies. What exactly is a cryptocurrency? How are coins generated? Why do coins have a perceived value? To help answer these questions the author speaks of a community of people on a tiny island named Yap and how they utilized a decentralized ledger and large stone coins as currency. The explanation of the Yap people’s currency does a great job of providing a high-level view of how a cryptocurrency functions. The chapter concludes with the author showing you how to set up a Bitcoin Core full node on your computer and carry out a test transaction using the Bitcoin Testnet.
The author wastes no time in pushing you into the deep end with Chapter 2 as he guides you through the fundamental math concepts required for a cryptocurrency. I think it’s no accident the chapter is titled “The Hard Bit”. With that said, don’t be discouraged, as the author does a great job of explaining the math step-by-step. While it’s certainly not required to understand the math involved, it certainly doesn’t hurt. The chapter discusses the one-way algorithms used to produce hash values, which are used extensively in cryptocurrencies. Once again, you dive head first into the math used in RSA cryptography for generating public and private keys. To further drive home the concepts learned in this chapter, the author walks you through creating your very own cryptocurrency with just a shared spreadsheet and a few friends. While this might seem like a futile exercise, I found that it really solidified the fundamental requirements of a cryptocurrency and really helped me visualize the workflow. The author even provides a small Python script to demonstrate how to mine your cryptocurrency blocks. The concepts in Chapter 2 are probably the most complex in the book due to the math, but, with plenty of examples and illustrations along the way, the concepts are easy to follow.
Chapter 3, “Understanding the Blockchain,” covers how the blockchain is put together. You’ll learn how blocks are structured and the information contained within a block’s header. After an explanation of byte orders the fun begins by jumping into some raw hex from the Bitcoin blockchain. The author takes you through dissecting the raw block header by extracting each value from the raw hexadecimal. Along the way you’re challenged with little exercises to test your skills on the concepts you’ve learned in the chapter. The chapter closes by explaining blockchain forks, what causes them, why they happen, and how the blockchain manages them.
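To give a feel for the header dissection the chapter walks through, here is an added example (not code from the book or the author) that parses the 80-byte Bitcoin block header, undoes the little-endian byte order, and checks the proof of work against the target encoded in the “bits” field. It uses the publicly known genesis block header as its input; no other data is assumed.

```python
import hashlib
import struct

# Bitcoin's genesis block header (80 bytes) as stored in the raw blockchain.
# Public data, embedded here so the example runs offline.
GENESIS_HEADER_HEX = (
    "01000000"                                                          # version
    "0000000000000000000000000000000000000000000000000000000000000000"  # prev block hash
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"  # merkle root
    "29ab5f49"                                                          # timestamp
    "ffff001d"                                                          # bits (compact target)
    "1dac2b7c"                                                          # nonce
)

def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    """Expand the compact 'bits' field into the full 256-bit difficulty target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def parse_header(header_hex: str) -> dict:
    """Split an 80-byte header into its fields, undoing the on-disk byte order."""
    raw = bytes.fromhex(header_hex)
    if len(raw) != 80:
        raise ValueError(f"block header must be 80 bytes, got {len(raw)}")
    # Integers are little-endian; hashes are stored byte-reversed relative to
    # how block explorers display them, so flip them before rendering as hex.
    version, = struct.unpack("<i", raw[0:4])
    timestamp, bits, nonce = struct.unpack("<III", raw[68:80])
    block_hash = double_sha256(raw)
    return {
        "version": version,
        "prev_block_hash": raw[4:36][::-1].hex(),
        "merkle_root": raw[36:68][::-1].hex(),
        "timestamp": timestamp,
        "bits": bits,
        "nonce": nonce,
        "block_hash": block_hash[::-1].hex(),
        # Proof of work: the hash read as a little-endian integer must not exceed the target.
        "meets_target": int.from_bytes(block_hash, "little") <= bits_to_target(bits),
    }

if __name__ == "__main__":
    print(parse_header(GENESIS_HEADER_HEX))
```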
Chapter 4 takes you to the all-important “Transactions”. This chapter begins with explaining the mechanics behind sending and receiving funds using public keys and how cryptocurrency ownership moves from one address to another. The author walks you through an exercise of interpreting Bitcoin transactions by carving out transaction details from raw blockchain data and how to uncover the entire history of a cryptocurrency address. In addition, the author also includes a section on interpreting Ethereum transactions.
Chapter 5 is a brief chapter about “Mining” cryptocurrencies that discusses the concepts of proof-of-work and proof-of-stake and what role they play in cryptocurrencies. The chapter closes off by explaining the use of mining pools and how they have been used to carry out fraud.
Chapter 6 discusses cryptocurrency “Wallets” and how to extract their data. You’ll learn about the different wallet types (hardware, software, paper), how wallets are stored, and how you can recognize and identify them. The author explains how wallets store their keys and even shows you how to set up a covert wallet.
Chapter 7, “Contracts and Tokens”, is the last chapter of Part I and explains how some cryptocurrencies can encode contracts into a transaction, which has led to tokens and Initial Coin Offerings (ICOs) being used to raise money. The author also highlights the inherent risk and potential for fraud with these ICOs.
Overall, Part I was a fantastic introduction to this fascinating topic gripping the world. Not only does it lay the proper foundation needed to conduct the investigations detailed in Part II, it also makes for a fine stand-alone tome for the uninitiated.
Part II – Carrying Out Investigations
Chapter 8 focuses on “Detecting the Use of Cryptocurrencies” when performing on-premises searches and when analyzing seized computers. The author discusses common locations to look for cryptocurrency keys and mediums in which keys might be stored. You’ll learn the benefits of questioning suspects and how to discern additional information by searching online for seized cryptocurrency addresses. The author touches on topics such as searching entire drives for wallet files, searching for data in memory dumps, and extracting available transaction data. The chapter concludes with discussing considerations of working with live computers and provides a step-by-step process for locating wallet files and extracting public/private keys from seized computers.
Chapter 9 is “Analysis of Recovered Addresses and Wallets”. You learn how to extract data from wallet files and how to use online APIs to access data from a blockchain about a suspect’s addresses. In addition, the author discusses how to handle encrypted wallet files and how to infer information about a suspect from just their cryptocurrency addresses and transactions.
Chapter 10 takes you even deeper into the investigation by showing you how one should be “Following the Money”, i.e., transactions through the blockchain. The author walks you through analyzing the transaction history for a specific Bitcoin address and how to uncover additional addresses used by a suspect. The chapter also includes a section on following Ethereum transactions through the blockchain. The chapter closes by exploring different methods you could implement to monitor Bitcoin addresses live and receive email notifications on any balance changes.
At this point in the book it becomes evident that following transactions through the blockchain was not going to be a simple task. This was not lost on the author as Chapter 11 introduces you to “Visualization Systems” which significantly help with browsing and understanding the blockchain data. The author reviews several tools used for visualizing and browsing the Bitcoin blockchain and outlines the different features of each tool. Utilizing such tools can make an investigation much more efficient.
Chapter 12 discusses the techniques used for “Finding Your Suspect” and was the chapter I was most interested in reading. You learn how to attempt to locate a suspect in the real world from their cryptocurrency address by using an IP address to find the source of a transaction. He discusses ways of tracking transactions to or from service providers and how to use open source information gathering tactics to discover additional information on a suspect. If you’re an investigator these methods can get you close enough to the suspect to enable the use of legal means to compel a business or service provider to divulge information on a suspect. There’s no guaranteed method in de-anonymizing a cryptocurrency address, but the author illustrates the possibility is real.
Chapter 13 is a short chapter that discusses how to sniff and monitor cryptocurrency traffic. The author walks you through an example of monitoring a Bitcoin node and tracking all blocks and transactions being broadcast by that node. The chapter concludes by showing you how to capture and analyze raw transaction data packets using Wireshark and extract information on these transactions.
At this point in the book you’ve managed to capture your suspect’s cryptocurrency private keys, but now what? Chapter 14 answers this question by walking you through the process and important considerations of “Seizing Coins” from a suspect. The author takes you step-by-step through seizing cryptocurrency assets from a suspect’s computer and discusses the considerations once you have control of a suspect’s coins. You’re shown how you can cash out seized coins or how to seize coins without cashing them out. Next, the author shows an example of how to set up a new wallet in Ethereum, import a suspect’s seized private key, and take control of the suspect’s cryptocurrency. The chapter concludes by expressing the importance of properly storing any seized cryptocurrency keys and the safeguards you might want to consider.
Chapter 15, “Putting It All Together”, is the final chapter and provides the reader with a summary of the book’s content and the skills learned. The author leaves you with the fact that new forks are constantly appearing in cryptocurrencies and one day Bitcoin may not be the desired cryptocurrency of criminals.
This book was such a good read I had a hard time putting it down. The chapters flow nicely, and I found the content was very well structured with many step-by-step examples that solidify the skills learned. The author clearly communicates the concepts being explained and the examples always provided me with the clarity I needed whenever I found myself in doubt. Numerous illustrations and screenshots are also provided throughout the book which greatly assist the reader with understanding the concepts being taught. With that said, I did notice there were a few screenshots where the text was hard to read. This could possibly have been a printing issue with just my book, and I’m happy to say they did not detract from my ability to understand the content.
While I’m not a digital investigator I do believe Nick Furneaux has done a fantastic job of taking what some might view as a challenging topic and breaking it down into small, easy to comprehend pieces. I believe that anyone with little to no cryptocurrency experience can become confident in carrying out their own cryptocurrency investigations with the help from this book and a little practice.
Phillip Aaron is best known for his HackHappy YouTube Channel where he produces information security and software development content. He has worked in the software industry for over 15 years and has maintained roles as principal developer and software development manager over industry critical ERP systems. Phillip has been a passionate security enthusiast since the 1990s and is the author of a soon to be released Python 3 programming book for hackers. When he isn’t busy bug hunting or creating content, you might find him at the local hackerspace working with microcontrollers, fabricating, or teaching a programming workshop.
*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by Phillip Aaron. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/FKR76fsfBiI/