The document discusses Bitcoin and its underlying technology, blockchain, emphasizing its decentralized nature and implications for anonymity and forensic investigation. It outlines the functionality of Bitcoin wallets, mining processes, and the importance of consensus in adding blocks to the blockchain. Additionally, it touches on the emergence of smart contracts and the challenges in tracing digital transactions for investigative purposes.

2. Image Source : lucknowbytes.com

3. The views expressed in this
presentation are Mere Apne.
Reference to any specific products,
process ,or service do not
necessarily constitute or imply
endorsement, recommendation, or
views of Min of Def or any Govt
All images used are for illustrative
purposes only & Do not
promote any specific product

5. This PRESENTATION is not going to
make anyone of you a
BITCOIN FORENSIC EXPERT
INVESTIGATOR
BUT may only LEND you few TERMS
OF REFERENCES to build upon and
EXPLORE further

7. Presented by
Anupam Tiwari

13. Paap se Dharti phati-phati-phati, Adharm
se aasmaan,
Atyachaar se kaanpi Insaaniyat,
Raj kar rahe Haivaan ...
Jinki hogi taqat apoorv,
Jinka hoga nishana abhed,
Joh karenge inka sarvanaash ...
………….woh kehlayenge Tridev

16. Name used by the
unknown person who
designed BITCOIN
and created its
original reference
implementation
SATOSHI
NAKAMOTO
कह ाँ गय ,उसे ढूंढो

18. AS OF 07TH OCT 2017
1 BITCOIN IS WORTH
4356 $
SO 1 BITCOIN IS
2,85,079/-
SOURCE : https://blockchain.info/charts/n-transactions

19. 2 6 0 4 3 7
SOURCE : https://blockchain.info/charts/n-transactions

24. ANONYMITY
VS
PSEUDONYMITY
Mark TwainSamuel Clemens
public key addresses similar in function to an
email address, are used to send and receive
Bitcoins and record transactions, as opposed
to personally identifying information.

26. CRYPTOCURRENCY IS AN ATTEMPT
TO BRING BACK A DECENTRALISED
CURRENCY OF PEOPLE, ONE THAT IS NOT
SUBJECT TO INFLATIONARY MOVES BY
A CENTRAL BANK

28. Bitcoin is starting to come
into its own as a Digital
Currency, but the Blockchain
Technology behind it could
prove to be much more
SIGNIFICANT

34. More DETAILS a Forensic
Investigator KNOWS about the TECH
ARCHITECTURE, the CLOSER
he gets to CLOSE the CASE

35. BASICALLY CHUNKS OF INFO
THAT CAN BE USED TO
MATHEMATICAL
GUARANTEE ABOUT MESSAGES

38. Peer-to-
Peer (P2P)
network is
created when
two or
more PCs are
connected &
share
resources
without
going through a
separate
server
computer

39. Distributed Ledger is a Consensus of
Replicated, Shared & Synchronized
digital data geographically spread across
multiple sites & countries

40. Type of Distributed Ledger, comprised
of Unchangeable, Digitally
Recorded Data in packages called
BLOCKS
TAMPER EVIDENT LEDGER

41. MERKLE TREE

43. Linked list data structure, with
each block containing a
hash of the previous block

44. Proof Of Work Is A Piece Of Data
Which Is Difficult To Produce But
Easy For Others To Verify And Which
Satisfies Certain Requirements
Bitcoin Uses
The Hashcash Proof
Of Work System.
PROOF OF WORK

45. Each block is formed by a proof-of-
work algorithms, through which
consensus of this distributed
system could be obtained via the
longest possible chain

47. https://anders.com/blockchain/blockchain.html

48. Thus blockchain provides
the basis for the TRUSTLESS
DISTRIBUTED SYSTEM

50. A block is an aggregated set of data
Data is collected and
processed to fit in a block
through a process called
MINING
Each block could be identified using
a Cryptographic Hash

51. Mining is the process
of writing pages
(blocks) of Bitcoin
transactions into the
‘The Bitcoin
Blockchain’, and
getting rewarded with
newly created bitcoins

52. Block will contain a hash
of the previous block, so
that blocks can form a
chain from the first block
ever (known as the
Genesis Block) to the
formed block

53. FIRST BLOCK : GENESIS

54. Every 10 minutes, all Bitcoin
transactions taking place are bundled
into a block
These blocks linked through a
timestamp signing, form a
chain (blockchain), which goes
back to the first block ever
created (mined)
The time stamping makes it
impossible to alter any part of it
once the network confirms it

55. These rules are inbuilt in the
Bitcoin core software, which
every node in the Bitcoin
network runs
Before a new block is added to the
blockchain, the Bitcoin network
has to reach a consensus on
based on predetermined rules

56. Data in a blockchain is
internally consistent
and immutable
Each block’s hash is
derived from the
contents of the block
Each block refers to
the previous block’s hash,
not a sequential number

57. THE LAST BITCOIN
(PROBABLY 21 MILLIONTH COIN)
WILL BE MINED IN THE YEAR
2140

59. “शरीर में 206 हड्डिय ां
है, और सांविध न में
1670 क नून ... हड्िी
से लेकर क नून सब
तोड़त हूूँ….”
SHA तोड़
के दिखा….

62. BITCOIN MINING

64. A reward system, in
the form of
a website or app, that
dispenses rewards in
the form of a satoshi,
for visitors to claim in
exchange for
completing
a captcha or task as
described by the
website.
SATOSHI : 1/100th of a Millionth BITCOIN

65. A user for CONDUCTING
TRANSACTIONS utilizing BITCOIN,
he or she must first DOWNLOAD and
setup a BITCOIN WALLET
BITCOIN WALLET can show the
total BALANCE of all BITCOINS it
CONTROLS and let A USER PAY a
specified AMOUNT

66. WALLET contains a USER’S
PRIVATE KEY, which ALLOWS
FOR THE SPENDING of the
BITCOINS, which are located in
the BLOCK CHAIN
Once wallet is INSTALLED &
CONFIGURED, an ADDRESS
is GENERATED which is
SIMILAR to an E-MAIL or
PHYSICAL ADDRESS

67. WALLET is basically
the Bitcoin Equivalent
of a Bank account.
Allows to RECEIVE BITCOINS,
them, and then
SEND them to others

68. Connected to the Internet
or is online is said to be HOT
Cold Wallets & Hot Wallets
Cold is considered
most Secure &
suitable for Storing
Large Amounts of
bitcoins
Hot is suitable for
Frequently
Accessed funds
COLD implies it is Offline or
Disconnected from the
Internet

69. Designedto be downloaded
& used on Laptops/PCs
DESKTOPWALLETS
Armory, Multibit, Msigna
and Hiveto mention a FEW
Easyto Access.
Available for Different OS
– Windows, Mac OS and Ubuntu.

70. MOBILEWALLETS

71. ONLINEWEBWALLETS

72. PHYSICALWALLETS
Once they are generated, you
print them out on a piece of
paper
Paper Wallets can
Securely hold your BITCOINS
in Cold Storage form for a
long time
Bitaddress.org
or Blockchain.info

73. BitcoinQt is the First ever built
bitcoin CLIENT WALLET
BITCOINCLIENTS
WALLETS
Original bitcoin
wallet used by the
Pioneers of the
currency
COMPUTERS installed with these wallets
FORM PART OF THE CORE
NETWORK & have access to all
transactions on the blockchain

74. HARDWAREWALLETS

77. BITCOIN ARTIFACTS

78. They DON’T EXIST
ANYWHERE, even
on a hard drive

79. When we say SOMEONE HAS
BITCOINS & you look at a
PARTICULAR BITCOIN ADDRESS,
there are NO DIGITAL BITCOINS held
AGAINST that ADDRESS
BALANCE of any BITCOIN
address ISN’T HELD at that
ADDRESS; one MUST
RECONSTRUCT it by looking at
the BLOCKCHAIN

80. Everyone on the NETWORK knows about a
TRANSACTION and THE HISTORY
OF A TRANSACTION can be TRACED
BACK to the point where the BITCOINS
were produced

81. Conduct a
SEARCH based
on BLOCK
NUMBER,
ADDRESS,
BLOCK HASH,
TRANSACTION
HASH or
PUBLIC KEY

83. SOURCE : https://blockchain.info/ip-log

87. LOCK FILE
DEBUG.LOG
PEERS.DAT
WALLET.DAT
BITCOIN-QT FOLDER STRUCTURE
DB LOCK FILE
EXTENSIVE LOGGING
FILE
PEER INFORMATION
STORAGE FOR
KEYS,TXN,METADATA
etc

89. BITCOIN-QT FOLDER STRUCTURE

90. BITCOIN-BLOCK FOLDER ANALYSIS

91. BITCOIN-QT FOLDER STRUCTURE
Blocks – This subdirectory contains
blockchain data and contains a
“blk.dat” file and a “blocks/index”
subdirectory
“blk.dat” stores actual Bitcoin
blocks dumped in raw format
The “blocks/index subdirectory” is a
database that contains metadata
about all known blocks

92. Chainstate subdirectory- it is a
database with a compact
representation of all currently unspent
transactions and some metadata about
where the transactions originated
BITCOIN-QT FOLDER STRUCTURE

93. Database subdirectory -
Contains database journaling
files
BITCOIN-QT FOLDER STRUCTURE

95. 1.46 × 10^48 possible
Bitcoin Addresses
that gives every
person on Earth
2.05×10^38 Different
Addresses

97. Bitcoin Mixer is an Anonymous
Service, that confuses the trails
of Bitcoin transactions.

108. PROJECT TITANIUM : Main thrust of the European
Union’s Titanium Project is to Monitor blockchains,
deanonymize wallet addresses, surveil dark net
markets, and block terrorists and money launderers.
TITANIUM, which stands for Tools for the Investigation of
Transactions in Underground Markets

109. Private key of the suspect, they can
search for that particular key on the
Blockchain to Trace the purchases
to other potential Suspects.
investigator has the Bitcoin

110. Detecting such attackers is CHALLENGING
any day
Attacking Bitcoin via the Internet
infrastructure using routing attacks
As Bitcoin connections are routed over the
Internet—in clear text and without
integrity checks—any third-party can
eavesdrop, drop, modify, inject, or
delay Bitcoin messages

112. BITCOIN FORENSIC ARTIFACT EXAMINATION
Windows 7 Professional
Multibit
Bitcoin-Qt
Bitminter
Basic USB ASIC Bitcoin
Gateway laptop ML6720
120 GB WD hard drive
(4) USB ASIC Mining
drives
USB powered cooling fan
32 GB USB thumb drive

113. • System Info
• Info about Logged users
• Registry Info
• Remnants of Chats
• Web browsing Activities
• Recent Communications
• Info from Cloud Services
• Decryption Keys for encrypted
volumes mounted
COLLECTION OF BITCOIN ARTIFACTS

114. Utilizing the data from
344
transactions,
Meiklejohn able to
identify the owners of
more than a million
Bitcoin addresses
Sarah Meiklejohn, a Bitcoin focused
Computer Researcher
Extensive Research
in
Bitcoin Blockchain
Found that by looking
blockchain an
investigator can
uncover who owns a
Bitcoin addresses

115. 2015
“In this paper we show that combining TOR and
BITCOIN creates an ATTACK VECTOR for the
stealthy man-in-the-middle attacks. A LOW-
RESOURCE ATTACKER gain FULL
CONTROL of information flows between all users
who chose to use Bitcoin over TOR. In particular the
attacker CAN LINK TOGETHER USER’S
TRANSACTIONS regardless of pseudonyms used”

116. Bitcoin transactions occur via a
Network Connection, an investigator
should seize any Physical Object that
can connect to the Internet in addition
to the hard drive
COLLECTION OF BITCOIN ARTIFACTS

118. Ulbricht
Ross

121. anupamtiwari@protonmail.com
https://about.me/anupam.tiwari

123. Source : Alex Biryuk et al., Deanonymisation of Clients in Bitcoin P2P
Network
Bitcoin network is composed of
PEERS connected to others PEERS
over unencrypted TCP channels
Each peer attempts to
maintain EIGHT outgoing
connections to other peers
These eight peers are called
ENTRY NODES

124. Transaction and Block messages
are propagated in network by being
Relayed through these ENTRY NODES
to other peers
When X sends a transaction advertising
that he is transferring ownership of 1 BTC
to Y, his computer sends an inv message
to its immediate peers, the entry nodes

125. The inv message lets the entry
nodes know that there are
transactions or blocks
Entry nodes relay the data
farther throughout the network by
sending inv to their own peers
Entry nodes request full
transaction by sending
getdata response to X’s
computer

127. SMART CONTRACTS are computer protocols
that facilitate, verify, or enforce the negotiation
or performance of a CONTRACT, or that make a
contractual clause unnecessary. Smart
contracts often EMULATE the logic of
contractual clauses.

128. "A system condition in which system
resources are free from unauthorized access
and from unauthorized or accidental change,
destruction, or loss."

133. तकनीकी शब्िावली
बिटकॉइन

134. Number of
blocks preceding
particular block
on a block chain.
Genesis block has a height of zero
because zero block preceded it.

135. How difficult it is to find
a block relative to
the difficulty of finding the easiest
possible block. The easiest
possible block has a proof-of-
work difficulty of 1.
Difficulty is changed every
2016 blocks based on the time
it took to discover 2016
previous blocks.