Presentation I gave at 4th International Information Security Meet in the Hakon 2017 conference on 08th Oct 2017.Covers technical overview of the concept and take off essentials for Bitcoin crime investigators.Details at http://www.hakonindia.org/hakon-2017-speakers/
3. The views expressed in this
presentation are Mere Apne.
Reference to any specific products,
process ,or service do not
necessarily constitute or imply
endorsement, recommendation, or
views of Min of Def or any Govt
All images used are for illustrative
purposes only & Do not
promote any specific product
4.
5. This PRESENTATION is not going to
make anyone of you a
BITCOIN FORENSIC EXPERT
INVESTIGATOR
BUT may only LEND you few TERMS
OF REFERENCES to build upon and
EXPLORE further
43. Linked list data structure, with
each block containing a
hash of the previous block
44. Proof Of Work Is A Piece Of Data
Which Is Difficult To Produce But
Easy For Others To Verify And Which
Satisfies Certain Requirements
Bitcoin Uses
The Hashcash Proof
Of Work System.
PROOF OF WORK
45. Each block is formed by a proof-of-
work algorithms, through which
consensus of this distributed
system could be obtained via the
longest possible chain
50. A block is an aggregated set of data
Data is collected and
processed to fit in a block
through a process called
MINING
Each block could be identified using
a Cryptographic Hash
51. Mining is the process
of writing pages
(blocks) of Bitcoin
transactions into the
‘The Bitcoin
Blockchain’, and
getting rewarded with
newly created bitcoins
52. Block will contain a hash
of the previous block, so
that blocks can form a
chain from the first block
ever (known as the
Genesis Block) to the
formed block
54. Every 10 minutes, all Bitcoin
transactions taking place are bundled
into a block
These blocks linked through a
timestamp signing, form a
chain (blockchain), which goes
back to the first block ever
created (mined)
The time stamping makes it
impossible to alter any part of it
once the network confirms it
55. These rules are inbuilt in the
Bitcoin core software, which
every node in the Bitcoin
network runs
Before a new block is added to the
blockchain, the Bitcoin network
has to reach a consensus on
based on predetermined rules
56. Data in a blockchain is
internally consistent
and immutable
Each block’s hash is
derived from the
contents of the block
Each block refers to
the previous block’s hash,
not a sequential number
64. A reward system, in
the form of
a website or app, that
dispenses rewards in
the form of a satoshi,
for visitors to claim in
exchange for
completing
a captcha or task as
described by the
website.
SATOSHI : 1/100th of a Millionth BITCOIN
65. A user for CONDUCTING
TRANSACTIONS utilizing BITCOIN,
he or she must first DOWNLOAD and
setup a BITCOIN WALLET
BITCOIN WALLET can show the
total BALANCE of all BITCOINS it
CONTROLS and let A USER PAY a
specified AMOUNT
66. WALLET contains a USER’S
PRIVATE KEY, which ALLOWS
FOR THE SPENDING of the
BITCOINS, which are located in
the BLOCK CHAIN
Once wallet is INSTALLED &
CONFIGURED, an ADDRESS
is GENERATED which is
SIMILAR to an E-MAIL or
PHYSICAL ADDRESS
67. WALLET is basically
the Bitcoin Equivalent
of a Bank account.
Allows to RECEIVE BITCOINS,
them, and then
SEND them to others
68. Connected to the Internet
or is online is said to be HOT
Cold Wallets & Hot Wallets
Cold is considered
most Secure &
suitable for Storing
Large Amounts of
bitcoins
Hot is suitable for
Frequently
Accessed funds
COLD implies it is Offline or
Disconnected from the
Internet
69. Designedto be downloaded
& used on Laptops/PCs
DESKTOPWALLETS
Armory, Multibit, Msigna
and Hiveto mention a FEW
Easyto Access.
Available for Different OS
– Windows, Mac OS and Ubuntu.
72. PHYSICALWALLETS
Once they are generated, you
print them out on a piece of
paper
Paper Wallets can
Securely hold your BITCOINS
in Cold Storage form for a
long time
Bitaddress.org
or Blockchain.info
73. BitcoinQt is the First ever built
bitcoin CLIENT WALLET
BITCOINCLIENTS
WALLETS
Original bitcoin
wallet used by the
Pioneers of the
currency
COMPUTERS installed with these wallets
FORM PART OF THE CORE
NETWORK & have access to all
transactions on the blockchain
79. When we say SOMEONE HAS
BITCOINS & you look at a
PARTICULAR BITCOIN ADDRESS,
there are NO DIGITAL BITCOINS held
AGAINST that ADDRESS
BALANCE of any BITCOIN
address ISN’T HELD at that
ADDRESS; one MUST
RECONSTRUCT it by looking at
the BLOCKCHAIN
80. Everyone on the NETWORK knows about a
TRANSACTION and THE HISTORY
OF A TRANSACTION can be TRACED
BACK to the point where the BITCOINS
were produced
91. BITCOIN-QT FOLDER STRUCTURE
Blocks – This subdirectory contains
blockchain data and contains a
“blk.dat” file and a “blocks/index”
subdirectory
“blk.dat” stores actual Bitcoin
blocks dumped in raw format
The “blocks/index subdirectory” is a
database that contains metadata
about all known blocks
92. Chainstate subdirectory- it is a
database with a compact
representation of all currently unspent
transactions and some metadata about
where the transactions originated
BITCOIN-QT FOLDER STRUCTURE
95. 1.46 × 10^48 possible
Bitcoin Addresses
that gives every
person on Earth
2.05×10^38 Different
Addresses
96.
97. Bitcoin Mixer is an Anonymous
Service, that confuses the trails
of Bitcoin transactions.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108. PROJECT TITANIUM : Main thrust of the European
Union’s Titanium Project is to Monitor blockchains,
deanonymize wallet addresses, surveil dark net
markets, and block terrorists and money launderers.
TITANIUM, which stands for Tools for the Investigation of
Transactions in Underground Markets
109. Private key of the suspect, they can
search for that particular key on the
Blockchain to Trace the purchases
to other potential Suspects.
investigator has the Bitcoin
110. Detecting such attackers is CHALLENGING
any day
Attacking Bitcoin via the Internet
infrastructure using routing attacks
As Bitcoin connections are routed over the
Internet—in clear text and without
integrity checks—any third-party can
eavesdrop, drop, modify, inject, or
delay Bitcoin messages
111.
112. BITCOIN FORENSIC ARTIFACT EXAMINATION
Windows 7 Professional
Multibit
Bitcoin-Qt
Bitminter
Basic USB ASIC Bitcoin
Gateway laptop ML6720
120 GB WD hard drive
(4) USB ASIC Mining
drives
USB powered cooling fan
32 GB USB thumb drive
113. • System Info
• Info about Logged users
• Registry Info
• Remnants of Chats
• Web browsing Activities
• Recent Communications
• Info from Cloud Services
• Decryption Keys for encrypted
volumes mounted
COLLECTION OF BITCOIN ARTIFACTS
114. Utilizing the data from
344
transactions,
Meiklejohn able to
identify the owners of
more than a million
Bitcoin addresses
Sarah Meiklejohn, a Bitcoin focused
Computer Researcher
Extensive Research
in
Bitcoin Blockchain
Found that by looking
blockchain an
investigator can
uncover who owns a
Bitcoin addresses
115. 2015
“In this paper we show that combining TOR and
BITCOIN creates an ATTACK VECTOR for the
stealthy man-in-the-middle attacks. A LOW-
RESOURCE ATTACKER gain FULL
CONTROL of information flows between all users
who chose to use Bitcoin over TOR. In particular the
attacker CAN LINK TOGETHER USER’S
TRANSACTIONS regardless of pseudonyms used”
116. Bitcoin transactions occur via a
Network Connection, an investigator
should seize any Physical Object that
can connect to the Internet in addition
to the hard drive
COLLECTION OF BITCOIN ARTIFACTS
123. Source : Alex Biryuk et al., Deanonymisation of Clients in Bitcoin P2P
Network
Bitcoin network is composed of
PEERS connected to others PEERS
over unencrypted TCP channels
Each peer attempts to
maintain EIGHT outgoing
connections to other peers
These eight peers are called
ENTRY NODES
124. Transaction and Block messages
are propagated in network by being
Relayed through these ENTRY NODES
to other peers
When X sends a transaction advertising
that he is transferring ownership of 1 BTC
to Y, his computer sends an inv message
to its immediate peers, the entry nodes
125. The inv message lets the entry
nodes know that there are
transactions or blocks
Entry nodes relay the data
farther throughout the network by
sending inv to their own peers
Entry nodes request full
transaction by sending
getdata response to X’s
computer
126.
127. SMART CONTRACTS are computer protocols
that facilitate, verify, or enforce the negotiation
or performance of a CONTRACT, or that make a
contractual clause unnecessary. Smart
contracts often EMULATE the logic of
contractual clauses.
128. "A system condition in which system
resources are free from unauthorized access
and from unauthorized or accidental change,
destruction, or loss."
135. How difficult it is to find
a block relative to
the difficulty of finding the easiest
possible block. The easiest
possible block has a proof-of-
work difficulty of 1.
Difficulty is changed every
2016 blocks based on the time
it took to discover 2016
previous blocks.