Bitcoin Transaction Crime Investigation Guide (Interpol).

Andrey Plat
12 min readOct 7, 2022


First, let’s look at the types of Bitcoin keys:

Open — a public key (aka hash) — is available for each user of the network. Subsequently, the public key is converted into the address, by which the cryptocurrency is received.

2. The private key — is a hash available only to the owner of the purse. The private key gives unlimited access to the wallet, through which you can withdraw money from the wallet.

The private key is usually stored in the file wallet.dat, and can be imported to portable and other devices, as a consequence — imported into another wallet to manage the crypto-assets.

Getting a public key from a private one is simple enough, but the reverse reversal — from public to private — is practically impossible, as it requires a certain sequence of hashing algorithms

There are three types of private keys:

1. hexadecimal: 1E79423A4ED27608A15A2616A2B0E5E52CED330AC530EDCC32C8FFC6A520AED1

2. A private key that is longer than the regular address and begins with the digit 5: 5J3hzQ41KoJX64H5YRTqS9YB9LVGacU2qusL37Ys1eVpJTgnr4u

3. The compressed private key may look similar, but starts with either K or L:

KyoPrrwwmvSZymMrJLRhePV6jTFFpGU6uMVLv5nQhkMM4dpDKaMgG Search for bitcoin wallets on PC:

In this case — the best tool for finding wallets is BTCscan

Attention! Works only with Python version 3.0 and higher!

This tool is developed in Python and has open source code.

It has command line interface.

The only required argument is -i/ — input, which is used to specify the drive, directory or file to be executed

> python -input=”C:\” (attention! Two “-” signs before input)

After executing the command, the researcher is prompted to specify the name of the case that will be part of the

output file

The script then creates a .csv file that shows us the public and private keys.

Note that the tool does not search for

encrypted or compressed items, so suspicious-looking compressed files you might need to manually

unzip them manually before running BTCscan.

Bitcoin Network

The orishinal client for bitcoin is — Bitcoin Core

Requires the user to download the full blockchain to work properly.

Currently, it can take several days for the client to download the cumbersome blockchain and update it

Installing such a client initiates the launch of the node.

There is no financial incentive to launch a full node and move the transaction across the

bitcoin network, which, combined with the rapid increase in blockchain size resulting in

a corresponding increase in storage requirements.

When a node launches, it tries to establish a connection with other nodes in the network. First,

node either tries to connect to the IP addresses of the so-called initial nodes, which are hard-coded in the

client. Users can also manually connect to a node of their choice when they start their node with

bitcoind -addnode=<IP address>. Once the connection is established, the node requests the IP

-addresses of other nodes to which it subsequently connects.

The discovery procedure is then repeated with the user communicating with nodes B and H, which will share

use another set of nodes to which they are connected, and this process is repeated for as long as necessary. В

finally, the client can be connected to a default defined number of nodes consisting of eight nodes.

The most obvious results a researcher will discover include the balance and lists of incoming and

outgoing transactions, as well as bitcoin addresses controlled by the wallet. However,

a closer look reveals something else.

The IP addresses of the nodes to which the client connects can be found in the standard

Bitcoin Core client (Help -> Debug Window -> Peer Nodes on both PC and Mac wallet).

Particular attention should be paid to outgoing transactions and their timestamps. If there is an indication of

of a recent outgoing transaction, RAM should be kept as a priority. Most wallets are

are encrypted, and therefore a password is needed to unlock the private key for the

transaction. Therefore, if the suspect has made a recent transaction, it is likely that the password is still

still stored in RAM. Since there is currently no way around password protection,

extracting the password from RAM greatly increases the likelihood of bitcoin hijacking.

Those who use Wireshark can try to extract bitcoin messages from network

transmissions. Data transmissions passing through port 8333, which is used by bitcoins, can be intercepted by any

packet analyzer, and Wireshark even identifies bitcoin traffic on the ‘Protocol’ tab.

It’s conceivable that it’s possible to detect

Payer IP addresses by analyzing Internet traffic. In order to perform de-anonymization, it would be necessary to

to open a connection to all bitcoin nodes active on the network, and for each

transaction to find the IP address of the client that first broadcast the transaction to the network.

Based on the way bitcoin works, the payer should be the first person to send the transaction to the rest of the bitcoin network

Consequently, detecting the first node that broadcasts the transaction should reveal the IP address of the owner of the input bitcoin addresses. This logic should lead to the

payer identification, unless he or she uses an obfuscation technology such as a proxy server,

VPN or Tor, does not support NAT, or does not use a Bitcoin web wallet. Blockchain wallets and seizure.

Bitcoin investigations usually have two key objectives: to identify the suspect and to seize the bitcoins

that have been stolen or used to facilitate criminal activity. This chapter will look at the different types of

storage methods that law enforcement may encounter.

Note that bitcoins are not actually stored “on” a device; instead, the device stores a wallet

containing a private key that allows bitcoins to be spent. This is illustrated in the figure below.

Thus, gaining access to someone else’s private key means gaining access to someone else’s bitcoins. Software wallets.

There are many desktop bitcoin wallets available for common operating systems

These wallets provide a graphical user interface (GUI) that allows users to

conveniently check balances on their bitcoin addresses and a list of recent transactions, as well as

send/receive bitcoins.

The key difference between the original Bitcoin Core client (formerly also known as Bitcoin-QT) and

many other software wallets is that the former requires a full blockchain download. The balance

is not properly updated until the full blockchain is loaded, which can take several days

Most other wallets are so-called lightweight wallets, which only load the

part of the blockchain that is relevant to the user, rather than the entire blockchain.

Soft wallets store the wallet.dat file on the local drive. The wallet file containing the private keys can

The wallet file containing the private keys can be stored either unencrypted or encrypted. In the first case, access to the suspect’s computer is

all that is required to access the bitcoins and transfer them to the wallet controlled by the file. However, in practice

in practice, the vast majority of users-whether they use bitcoins for legitimate or illegitimate

purposes — encrypt their wallets. Lightweight clients.

These ‘light’ clients do not load the blockchain and therefore have no ability to verify

transactions for the network. This saves users dozens of gigabytes on their hard drives and a fair amount of

amount of computing resources. For this reason, lightweight wallets are especially popular on mobile

devices and smartphones that lack disk space, computing resources, and battery life. Mobile devices.

keys for mobile wallets requires:

1. Unlocking the phone;

2. opening the wallet app, which can be locked with a PIN / fingerprint check.

As with desktop wallets, access requires either the cooperation of the suspect or bypassing the phone’s security, followed by verification using Cellebrite, XRY, Paraben or a similar product. Web wallets

Web wallets require a username or wallet ID, a password, and possibly two-factor authentication codes to access.

Most web wallets allow users to upload their wallet or

export their private key so that users can store them locally.

Paper wallets

Paper wallets store secret keys completely offline. All that is required to access bitcoins is a private key, which can be printed out and stored exclusively on paper.

The private key is often accompanied by a public key and corresponding QR codes.

Since paper wallet generators can generate bitcoin public and private keys offline, an air gap computer is often used to create the keys. The keys are then stored on a piece of paper, and any files created on the computer can be deleted. As you might expect, the paper wallet is resistant to hacking and malware attempts, but the owner must protect it from theft or natural disasters.

A paper wallet is relatively inconvenient for regular use, and those who choose to create one usually store a significant portion of their bitcoin wealth on this type of wallet. If

during an investigation, a paper wallet will be found at the scene, it will allow immediate access to the funds

associated with that private key by importing the private key into any existing wallet software. Most

wallets allow you to import private keys, and this option can usually be seen under File -> Import.

Deterministic wallets

So-called deterministic wallets, which can be software wallets, online wallets, paper wallets or hardware wallets, store secret keys from an initial file, quite often in the form of 10–15 words that may or may not make up a sentence.

A prime example: MetaMask

Hardware wallets.

A hardware wallet is a special type of bitcoin wallet that stores the user’s private keys on a secure hardware device. This wallet securely stores private keys so that they cannot be transferred from the device as plaintext.

Probably the most interesting hardware wallet for those interested in privacy/anonymity is a special Bitlox credit card sized wallet . Since the device sells for between $200 and

$400 — depending on the features offered — it is likely to be used to store large amounts of bitcoins. BitLox allows its owner to create up to 50 invisible wallets, which are not displayed until the owner enters the wallet number and its PIN into the device. This way, the investigator will never be sure if all of the suspect’s wallets have been seized. In addition, the device works well with the Tor operating system and Tails (after connecting to a PC with a USB cable)

Bitcoin seizure

If an investigator identifies a suspect’s bitcoin addresses on a blockchain, it is important to

keep in mind that it is impossible to seize bitcoins remotely (unless the suspect is storing his funds on an online exchange). To seize bitcoins at the suspect’s premises, investigators must find:

1. a Bitcoin wallet on the suspect’s hard drive

2. The suspect’s private key, in which case it must be imported into the wallet;

3. the suspect’s initial recovery value (usually 12–24 random words).

To capture bitcoins, it is not enough to simply copy the wallet.dat file, import the private key, or enter the initial recovery value into the software managed by the file. This would simply allow a researcher to discover the corresponding public keys along with the number of unspent bitcoins. At this point, bitcoins cannot be considered “seized” because the suspect himself or another person in control of the private key could move the funds to another address. In order to take possession of the bitcoins, an additional step is required to complete the transfer of funds. The investigator must move them to a bitcoin address controlled by law enforcement. Ideally, a secure wallet should have its own blockchain and be well vetted by the community, so the Bitcoin Core wallet is a very good candidate. It goes without saying that the official bitcoin address

must be in place prior to the seizure, and the personnel conducting the search/seizure must have it on paper or a USB key so they can transfer bitcoins without any delay. Therefore, if this is not the case, or if there is a requirement to seize bitcoins at the scene and the postal bitcoin address is unknown, the investigator should use the next best solution available — creating the bitcoin address on

on the fly. Probably the fastest and relatively safest way to do this is to use A pure JavaScript site that generates a private key and corresponding bitcoin address based on the user’s mouse movement, thereby creating a very good source of randomness. Ideally, the website should be accessed from a trusted computer over a secure connection, and the website should be saved offline and only then used to generate the private key and corresponding addresses. The capture will be completed by moving bitcoins to the newly generated bitcoin address.

Export and import private keys (using Bitcoin Core as an example. All commands are entered in the program console (debug windows)) The private key can be printed out on paper or stored in a wallet.dat file on the suspect’s computer, phone, or USB key. If the latter occurs, the key can be retrieved using the dumpprivkey command followed by a specific bitcoin address. This command reveals the corresponding private key in wallet import format (WIP). Note that encrypted wallets must have the suspect password on them in order to reveal the secret key. Also note that the command dumpprivkey

When the suspect’s secret key is retrieved, it must be imported into the wallet so that the bitcoins can be transferred to an address that is in the exclusive possession of law enforcement. The import procedure is different for each wallet. For the standard Bitcoin Core wallet, you must select Help -> Debug Window and enter the importprivkey, followed by the private key. Extracting all bitcoin addresses stored in the wallet

Regardless of whether the seizure was successful or not, the investigator must retrieve a list of all bitcoin-addresses that were stored in the suspect’s wallet. The listaddressgroups command can be used to list all bitcoin addresses along with their spent or unspent balances. It is important to get this list so that all bitcoin addresses can be tracked later using free or commercial transaction tracking tools. Note that this command does not require knowledge of the user’s password and therefore can be executed even on an encrypted wallet. The transaction list can also be retrieved without knowing the password. This can be done using the Bitcoin Core wallet GUI on the transaction tab, which exports all transactions along with dates, amounts, labels and transaction IDs into a neat CSV file.

Working with encrypted wallets. Using real-time data forensics

1. When you open the bitcoin console (in Bitcoin Core wallet it is hidden in the Help -> Debug Window section), the console command line will show the recently executed commands. Pressing the ‘up cursor’ key is all it takes to view the history. Each

key can open a command that was previously entered by the user.

2. On Linux systems, the ‘history’ command, entered without any parameters, displays a list of the last running commands entered by the user. Even if there is no wallet password, there is a possibility that some other password was recently entered. Since people tend to reuse variants of their passwords, they can be saved for later use in a dictionary attack.

3. Where possible, it is advisable to do a memory dump before shutting down the computer.

There are several tools available for capturing RAM; one of the most popular and easiest to use is FTK Imager, which can

take snapshots of both RAM and hard disk. FTK Imager is available both as a graphical user interface and as a command line tool.

The memory dump can then be analyzed later using the Volatility tool, which can successfully extract the corresponding bitcoin wallet password. An alternative is to use the strings command to search for all the text strings in memory. All relevant strings can be saved to a file, which will serve as a dictionary for a brute-force attack. Note that passwords are stored in RAM in unencrypted

How to investigate bitcoin transactions in a nutshell.

All bitcoin transactions since early 2009 have been recorded in the bitcoin blockchain, a large publicly accessible database that stores all data in unencrypted form. The blockchain is not stored centrally — it is stored by thousands of individuals and companies around the world using bitcoin clients. Anyone can download the blockchain files and try to analyze the data, import it into a database and query it. However, because this would be a cumbersome task, most researchers rely on publicly available and free to use blockchain researchers.

Exchange Definition.

You can use the tool to define an exchange.

Unfortunately, the tool has stopped being updated, but it still “listens” to the network.

Once an exchange or other entity is identified, it can be queried for a suspicious transaction or bitcoin address. Since the vast majority of exchangers are compliant, it is usually only a matter of time.



Andrey Plat

Blockchain projects, promotion and development. Open source intelligence (OSINT). Non-standard tasks, with non-standard execution.