Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-48058-7
ISBN: 978-1-119-48057-0 (ebk)
ISBN: 978-1-119-48056-3 (ebk)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018939042
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
To Claire, Toby, and Loulé
I love you
Nick
Nick has been playing and working with computers since his parents gave him a Sinclair ZX81 when he was 12. By the age of 14, Nick had designed a computer program to convince his teacher that he had gained access to his bank account.
In the past 20 years, he has provided cyber security, forensics consultancy, and training to companies and law-enforcement institutions in the UK and across Europe, the United States, and Asia, and has lectured on the subject to numerous groups and organisations.
Nick has been specifically involved in the development of data extraction and digital forensic analysis techniques that work on live, running computers, and has had the opportunity to work with some of the top security researchers in the world.
He is currently working with government and corporate teams throughout Europe in various forms of data acquisition, teaching computer memory analysis and carrying out cryptocurrency investigations.
Nick is the Managing Director of CSITech Ltd and Director of the online forensics training company CSILearn Ltd.
Throughout his career, family has always come first. He enjoys spending time and travelling with his wife and son as well as caring for his daughter who suffers with a rare genetic condition (https://www.kleefstrasyndrome.org). In his limited spare time, he enjoys running and sport climbing.
David S. Hoelzer (MSc) is the Director of Operations for Enclave Forensics, Inc., the Dean of Faculty for the SANS Technology Institute, and a Fellow with the SANS Institute. He is well known in the field of cyber security in general and more specifically in intrusion detection and network monitoring circles as an international speaker/teacher on information security topics, having developed a number of both offensive and defensive tools and techniques. For the past few years, he has specialized in covert communications development and scalable back-end communications solutions coupled with threat hunting and counterintelligence. He has more than thirty years of experience in the information technology field, with more than twenty-five of those years engaged in information security, both defensively and offensively. He currently resides in New York.
Firstly, thank you to my Mum for not just teaching me to read as a child, but to learn to love reading and writing. One of the reasons I started writing this book in late 2017 was to take my mind off her finally going to sleep in the July after showing pancreatic cancer who was boss for four years. She would have been really happy that I eventually wrote a book, even if she didn't understand a word of it! (Although she would have tried and told me it was the best book ever!)
Secondly, my “brother from another mother,” Chris Hadnagy, who suggested I write this book and has stood tirelessly at my shoulder through the extraordinary challenges of the past few years.
Next, thank you to the team at Wiley. Jim Minatel, I appreciate you giving me a chance—we need to go watch some racing sometime! And to Kathi Duggan, for your astonishing levels of patience dealing with my writing style and for your personal words of kindness over the past months.
Finally, Dave Hoelzer, thank you for being technical editor. Although we have been friends for years, your direct edits such as “Wrong” and “I don't know what you are talking about” were exactly what I needed and have made this book so much better.
Any novel technology brings with it a wave of early adopters. While some of these are keen to explore the potential societal and economic benefits that may be had by leveraging the technology, others seek to apply the technology as a means to enable nefarious activities. Bitcoin and other cryptocurrencies are no exception. Indeed, it may be very reasonably argued that the first “killer-app” for Bitcoin—responsible for a large influx of users and a significant boosting of economic traction—was the Silk Road dark market, founded in February 2011. Other use cases thriving today include ransomware, unregulated gambling, Ponzi schemes masquerading as high-yield cryptocurrency investment schemes, in-person cryptocurrency muggings, and cryptojacking—that is, the practice of covertly hijacking computers to mine cryptocurrency.
Digital forensic experts need to keep pace with new technologies to ensure relevant objective evidence can be brought forward to throw light on investigations. They face tough challenges, not least an exploding array of new cryptocurrencies, many based on high-privacy foundations. Fortunately they are supported by the fundamental goal of blockchain technology—that is, to create an immutable, decentralised record of transactions. Thus evidence trails are perfectly preserved while both forensic technology and long-running legal processes have an opportunity to play catch up. Indeed, the clustering techniques pioneered by the likes of academic Dr. Sarah Meiklejohn in 2013, and built on by companies such as Chainalysis and Elliptic, have enabled the unmasking of the ownership of large numbers of Bitcoin addresses—including many associated with the Silk Road—something that had previously thought to be impossible.
Within this context, Nick Furneaux's book is both timely and relevant. Its comprehensive scope includes not only an accessible introduction to the technology and its history, but also an overview of relevant methods and the critical factors that should be respected in any forensic investigation. Indeed, I have personally observed on more than one occasion how a failure to apply proper methods can mean critical evidence is missed or lost, while a lack of a sufficiently deep level of understanding can mean incorrect conclusions are drawn from the evidence. In either case, the consequences for the integrity of the investigatory process are often terminal. I hope that you will enjoy reading this book, that you will find it as insightful as I did, and that you will find the opportunity to apply its wisdom to some real-world cases.
—Prof William Knottenbelt, Director of the Centre for Cryptocurrency Research and Engineering, Imperial College London
“The Times 03/Jan/2009 Chancellor on brink of second bailout for banks”
Those 69 characters should be much more famous than they are. In the very first Bitcoin block, the enigmatic Satoshi Nakamoto, the inventor of Bitcoin, encoded that message in hexadecimal (see Figure Intro-1).
Figure Intro-1: Message in the Genesis block.
Either by design or coincidence (which seems unlikely), Satoshi both launched the first blockchain-based cryptocurrency and made the semi-covert statement as to the reasons for the development of his or her system (we do not definitively know the sex of Satoshi or even if Satoshi is an individual or a group). It seems that in Satoshi's view, the banks were failing, and his or her system could free people from the control of central banks and exchanges. On a cryptography mailing list, Satoshi wrote the following:
Although Satoshi wrote little about the Bitcoin system, the few comments on forums show that there was at least a small part of his or her motivation that wanted to enable people to step outside the traditional banking and currency systems.
Since those early days, Bitcoin has grown massively both in value and reach. Although at the time of writing, one could not assert that Bitcoin was a mainstream currency, it is certainly in the mainstream consciousness, regularly making headlines on conventional news channels and spawning thousands of column inches of editorial.
Aside from Bitcoin, hundreds of cryptocurrencies are now based on the blockchain concept. Some are very similar; others are trying to do things in very different ways. For example, although Ethereum is a cryptocurrency in its own right, it is based around a complex, programmable contract system. A transaction can include many contractual obligations and could be used for everything from buying a house to getting married. In fact, several couples have already embedded their marriage on the Bitcoin and Ethereum blockchains, including parts of their vows and links to an image of their marriage certificate. Blockchain technology is here to stay, and an investigation involving it is going to land on your desk soon, if it hasn't already.
I've been working specifically in computer forensics and digital investigations for about 14 years. In that time, the equipment coming to the lab and the programs we have had to investigate have changed drastically. About 13 years ago, a computer investigation would focus almost solely on Internet activity in a web browser, perhaps some newsgroups or ICQ and, of course, good old e-mail. Fast-forward to 2018, and the equipment that lands on the check-in desk at the lab has changed beyond recognition. Most smartphones, such as the humble iPhone, have significantly more power and storage than the computers of the early 2000s, and instead of simply looking at visited websites, we now have encrypted chat, messaging programs that come in hundreds of flavors, and social media environments that are investigation centers in their own right, such as Facebook, Snapchat, and many others.
Throughout this time, criminals have continued to carry out nefarious deeds and have found ways to pay for illegal goods and acquire ill-gotten payments from the defrauded and unsuspecting. The problem for the 2005 criminal was the lack of options for sending or receiving monies in an anonymous, untraceable way. For example, criminals could easily carry out a “ransomware” attack where malware encrypts the victim's computer until money is paid and then they are “hopefully” provided with a decryption key. But to have the money sent to the criminal presented significant difficulties. You could publish a bank account number, but that's very hard to set up without ID, and when the money is transferred, the police can easily trace it and move in for the arrest. Because of these problems, criminals and criminal gangs took to setting up post-office (PO) boxes where money could be sent, but again, it was not difficult for the authorities to keep watch until someone turned up to collect the cash. Some went the route of using what amounted to cash mules, who would retain some percentage of the risk involved, adding a layer of misdirection to the payments and cutting into profits. The Internet, though, offered possibilities in the form of Western Union and PayPal, but those are also connected to real-world bank accounts, making it straightforward for the police to trace. I'm somewhat simplifying the methods used, but you get the idea: there was no easy way to pay or get paid without leaving a trail that is easily followed.
Then in January 2009, Satoshi launched the Bitcoin currency, based on a concept called the blockchain. This currency did not need any connections to the real-world banking system or require anyone to sign up to any central system—you could acquire a few bitcoin and pay for goods with seeming total anonymity. Add to this new ability the burgeoning underground marketplace the media loves to call the “dark web”—mostly because it has the word “dark” in it, which makes it sound mysterious, with a hint of evil. Of course, the dark web is anything but dark, with many legitimate services available to assist those in more restricted territories of the world to communicate and be informed online. It would be fair to say, though, that it certainly represents the rough side of town! Because of this association, Bitcoin became the bad guy of finance, and when a computer came into the lab with Bitcoin software on it, the owner was automatically viewed with significant suspicion.
In recent years, Bitcoin has moved out of the figurative shadows of the dark web and into the light of mainstream commerce. It seems most owners of bitcoins are just holding them for investment as the bitcoin-to-dollar price fluctuates wildly, but generally in an upward direction. If you go to http://bit.ly/2td8ref, you can see the bitcoin-to-dollar exchange rate from its inception in 2009 to now.
Although Bitcoin, Ethereum, and others could stand alone as a trading currency if enough traders accepted them, the reality is that even today, in 2018, what you can buy with a cryptocurrency is limited. Users wanted to be able to buy cryptocurrency with dollars and euros for use online and then sell coin that they had received for currency that they could use in Walmart, for example. To fill this void, currency exchanges began to pop up that would take your real-world money in exchange for commensurate Bitcoin. The process is the same as converting between any currencies. Head to an online site that offers conversion, pay your money by credit card or wire transfer, for example, and you will be credited with the Bitcoin or whatever currency you have asked for. As I discuss in this book, most sites have their own “wallet” system that stores your Bitcoin for you so you can then pay for goods using your coin directly from the website. This means that the company can both take your money and have access to your bitcoins.
The problems have been significant. Anyone who knows anything about setting up a website that includes a bit of code to accept credit cards could set up a cryptocurrency exchange in very little time. A developer could construct a professional-looking interface, host it on servers in Belize, register it on the primary search engines, and wait for customers. Those customers give money to the website host who in turn transfers bitcoins into his or her wallet on the servers, waits until the wallet contains lots of money and bitcoins, and then quietly closes the door and tiptoes away. This happened early in the life of Bitcoin with the fraudulent Bitcoin Savings and Trust in 2012, and Global Bond Ltd in 2013.
Alternatively, the person who sets up this type of online payment might be completely legitimate but get hacked and lose all their coins. Examples include Mt Gox in 2011, MyBitcoin in 2011, Bitfinex in 2016, Bitstamp in 2015, and NiceHash in 2017. This problem is not exclusively a Bitcoin problem as $500 million worth of a cryptocurrency called NEM coins were lost in a hack of Coincheck in 2018.
Or the person can lose access to his or her master wallet file and lose all the customers’ coins. An example of this is Bitomat in 2011.
Suffice to say that there are large, legitimate exchanges out there. The key is to buy your bitcoin and then transfer it to your own wallet away from the exchange. Then remember to back up your wallet—twice. And add a password—a strong one! Alternatively, save the private key to paper-based cold storage, a method we will discuss later in the book.
No matter what happens to Bitcoin, cryptocurrencies are here to stay, and they will continue to be a strong contender for criminals to receive payments, pay for goods, and launder money. A cryptocurrency investigator does not need to be an expert in Bitcoin specifically, but needs to understand the concepts behind blockchain currencies in order to apply that knowledge to whatever becomes the next payment system of choice.
If you are like me and spend your life digging through other people's data, whether that is as a digital forensics investigator, a forensic accountant, or even an Open Source Intelligence gatherer, then you need to know about this subject. If not today, then you will tomorrow. Because this book covers a broad range of techniques, you may find that parts of it are very pertinent to your work and other parts are not so relevant. For example, I will teach you how to extract cryptocurrency-related data from hard drives and devices, as well as how to conduct a premises search for this type of information. Although you may never carry out a premises search in your work, being able to communicate your needs to a front-line officer or investigator may prevent vital information being missed.
It is worth downloading and reading the report “National risk assessment of money laundering and terrorist financing 2017,” which you can find at http://bit.ly/2z9513x. Under the section “Money laundering,” the report makes some excellent observations about the use of virtual, or crypto, currencies in international crime. Here's what the article says regarding terrorist financing in conclusion of this section:
It is my experience that the reason that law enforcement and governments believe that terrorists are not using cryptocurrencies widely comes down to lack of technical expertise. But, as with all technologies, the skill levels needed to securely operate in a cryptocurrency space are decreasing quickly, and this will not be a barrier for long. Law enforcement bosses draw the same conclusions with money laundering—that the technical know-how needed is holding back many crime groups.
It is worth noting in the report regarding both terrorism and money laundering vulnerabilities they state the following:
You may be reading this and believe that your job role will never pit your skills against a Russian crime group or extremist Islamists, but the use of cryptocurrencies is trickling down into much lower-level and lower-value crime. One example is that of crypto-mining code that is being installed by hackers into websites. When a user browses to an infected site, processor cycles on the visitor's computer are used to mine cryptocurrency coins. Another example is the fraud that has become known as “ransomware,” which I mentioned earlier in this introduction. Ransomware became media-worthy in May 2017 with the WannaCry outbreak. It simply encrypts a computer's files and then displays a message asking for payment.
Figure Intro-2 shows a WannaCry screenshot with a countdown timer (an excellent social-engineering ploy to generate urgency), instructions, and a Bitcoin address. (I particularly like the “bitcoin ACCEPTED HERE” logo!) Because the perpetrators were possibly linked to North Korea, no one thought that the bitcoins would move, but in early August 2017, over $100,000 worth of bitcoin were emptied from the wallets. Again, you may be thinking that this type of international and possibly politically motivated crime is outside your paygrade. But it was noteworthy with both WannaCry ransomware and the Petya/NotPetya virus that came later (see Figure Intro-3) that individuals and small companies were often the victims of these crimes that on a singular level only cost $300 or more dollars. Sadly, in the case of Petya/NotPetya, those who paid never saw a decryption key, and if the victim had no backups, then the potential loss was considerably greater.
Figure Intro-2: Screenshot of a computer locked with the WannaCry ransomware.
Figure Intro-3: Computer locked with the Petya/NotPetya virus.
The question that's raised with each of these examples is, are they international or local crimes? There is every reason to believe that Police Hi-Tech Crime units and private security firms would be receiving many calls from victims asking for help. In the simplest terms, it would be good to be able to monitor the payment addresses and trace any movement. You may reason that all the larger agencies will be doing exactly that, but you may have heard that it was a 22-year-old security researcher, Marcus Hutchins, who found a kill switch to stop the spread of WannaCry, not the US NSA, not the UK NCA, not even the European Anti-Fraud Agency—it was Marcus, from his bedroom in the south of England. We all have a part to play.
The options for criminals to make use of cryptocurrencies are almost endless, ranging from fraud, money laundering, purchasing illegal material, or purchasing legal material with illegally obtained currency through to crime and terrorism financing.
You may already discern the need to learn about cryptocurrencies, but your company or police department may have put their hands in their pockets and purchased software from the likes of Elliptic (https://www.elliptic.co) or Chainalysis (https://www.chainalysis.com). If you can afford one of these tools, buy one—they are both excellent. However, I make that statement in exactly the same way as I would if we were talking about computer forensic investigations and referencing Encase from Guidance Software, FTK from AccessData, or the superb X-Ways. These tools are extremely useful, they take the heavy lifting out of an investigation, and you should use them where you can. But digital investigators should be able to explain to a manager, senior officer, tribunal, or court how they reached a conclusion and be able to interpret the raw data behind some intelligence or evidence.
To illustrate, I can click a button in the FTK forensics software, and the tool will carve deleted files from a hard drive. However, when challenged, I should be able to return to the drive and have the skills to locate the disk offset and carve that file by hand, without relying on the competency of the FTK programmer to have done his or her job right.
This book takes a similar approach. Although tools are available to help with some cryptocurrency investigations, this book will walk you through the manual processes including how to find wallets (payment addresses) on devices and online, how to gather intelligence about payment addresses, and then how to follow the money through to potentially de-anonymizing a user or seizing coins.
It sounds terribly negative to tell you what you are not going to learn in this book, but it's important that you understand where this book will take you and what other reading may be useful for you:
What you are going to learn is much more important. Here's a brief walk through the chapters:
Code files to support this book are available at www.wiley.com/go/cryptocurrencies and at www.investigatingcryptocurrencies.com. The second site also contains a voucher code for the online course at csilearn.learnupon.com.
As digital investigators, we have a tendency to want to get straight to the proverbial coal face and start looking at the data. However, with cryptocurrencies, it is important to understand the underlying technologies and how blockchains function to be able to effectively and accurately investigate the evidence.