1. 1. By : ANUPAM TIWARI anupamtiwari@protonmail.com Research Scholar, GD Goenka University, Gurugram
2. 2. The views expressed in this presentation are Mere Apne. Reference to any specific products, process ,or service do not necessarily constitute or imply endorsement, recommendation, or views of Min of Def or any Govt All images used are for illustrative purposes only & Do not promote any specific product
3. 3. This PRESENTATION is not going to make anyone of you a BITCOIN FORENSIC EXPERT INVESTIGATOR BUT may only LEND you few TERMS OF REFERENCES to build upon and EXPLORE further
4. 4. But Keep Calm & Trust Forensics By : ANUPAM TIWARI EMAIL: anupamtiwari@protonmail.com
5. 5. Paap se Dharti phati-phati-phati, Adharm se aasmaan, Atyachaar se kaanpi Insaaniyat, Raj kar rahe Haivaan ... Jinki hogi taqat apoorv, Jinka hoga nishana abhed, Joh karenge inka sarvanaash ... .woh kehlayenge Tridev
6. 6. Name used by the unknown person who designed BITCOIN and created its original reference implementation SATOSHI NAKAMOTO ,
7. 7. AS OF 24TH OCT 2017 1 BITCOIN IS WORTH 5720.83 US Dollar $ SO 1 BITCOIN IS 3,71,782/- SOURCE : https://blockchain.info/charts/n-transactions
8. 8. 2 6 0 4 3 7 SOURCE : https://blockchain.info/charts/n-transactions
9. 9. ANONYMITY VS PSEUDONYMITY Mark TwainSamuel Clemens public key addresses similar in function to an email address, are used to send and receive Bitcoins and record transactions, as opposed to personally identifying information.
10. 10. CRYPTOCURRENCY IS AN ATTEMPT TO BRING BACK A DECENTRALISED CURRENCY OF PEOPLE, ONE THAT IS NOT SUBJECT TO INFLATIONARY MOVES BY A CENTRAL BANK
11. 11. Bitcoin is starting to come into its own as a Digital Currency, but the Blockchain Technology behind it could prove to be much more SIGNIFICANT
12. 12. SMART CONTRACTS are computer protocols that facilitate, verify, or enforce the negotiation or performance of a CONTRACT, or that make a contractual clause unnecessary. Smart contracts often EMULATE the logic of contractual clauses. I WILL NOT DIVERT.WILL FOCUS ON BITCOINS THOUGH!!!!!
13. 13. More DETAILS a Forensic Investigator KNOWS about the TECH ARCHITECTURE, the CLOSER he gets to CLOSE the CASE
14. 14. BASICALLY CHUNKS OF INFO THAT CAN BE USED TO MATHEMATICAL GUARANTEE ABOUT MESSAGES
15. 15. MERKLE TREE
16. 16. Peer-to- Peer (P2P) network is created when two or more PCs are connected & share resources without going through a separate server computer
17. 17. Distributed Ledger is a Consensus of Replicated, Shared & Synchronized digital data geographically spread across multiple sites & countries
18. 18. Type of Distributed Ledger, comprised of Unchangeable, Digitally Recorded Data in packages called BLOCKS TAMPER EVIDENT LEDGER
19. 19. Linked list data structure, with each block containing a hash of the previous block
20. 20. Proof Of Work Is A Piece Of Data Which Is Difficult To Produce But Easy For Others To Verify And Which Satisfies Certain Requirements Bitcoin Uses The Hashcash Proof Of Work System. PROOF OF WORK
21. 21. Each block is formed by a proof-of- work algorithms, through which consensus of this distributed system could be obtained via the longest possible chain
22. 22. https://anders.com/blockchain/blockchain.html
23. 23. Thus blockchain provides the basis for the TRUSTLESS DISTRIBUTED SYSTEM
24. 24. A block is an aggregated set of data Data is collected and processed to fit in a block through a process called MINING Each block could be identified using a Cryptographic Hash
25. 25. Mining is the process of writing pages (blocks) of Bitcoin transactions into the The Bitcoin Blockchain, and getting rewarded with newly created bitcoins
26. 26. Block will contain a hash of the previous block, so that blocks can form a chain from the first block ever (known as the Genesis Block) to the formed block
27. 27. FIRST BLOCK : GENESIS
28. 28. Every 10 minutes, all Bitcoin transactions taking place are bundled into a block These blocks linked through a timestamp signing, form a chain (blockchain), which goes back to the first block ever created (mined) The time stamping makes it impossible to alter any part of it once the network confirms it
29. 29. These rules are inbuilt in the Bitcoin core software, which every node in the Bitcoin network runs Before a new block is added to the blockchain, the Bitcoin network has to reach a consensus on based on predetermined rules
30. 30. Data in a blockchain is internally consistent and immutable Each blocks hash is derived from the contents of the block Each block refers to the previous blocks hash, not a sequential number
31. 31. Source : Alex Biryuk et al., Deanonymisation of Clients in Bitcoin P2P Network Bitcoin network is composed of PEERS connected to others PEERS over unencrypted TCP channels Each peer attempts to maintain EIGHT outgoing connections to other peers These eight peers are called ENTRY NODES
32. 32. Transaction and Block messages are propagated in network by being Relayed through these ENTRY NODES to other peers When X sends a transaction advertising that he is transferring ownership of 1 BTC to Y, his computer sends an inv message to its immediate peers, the entry nodes
33. 33. The inv message lets the entry nodes know that there are transactions or blocks Entry nodes relay the data farther throughout the network by sending inv to their own peers Entry nodes request full transaction by sending getdata response to Xs computer
34. 34. THE LAST BITCOIN (PROBABLY 21 MILLIONTH COIN) WILL BE MINED IN THE YEAR 2140
35. 35. 206 , 1670 ... . SHA .
36. 36. BITCOIN MINING
37. 37. A reward system, in the form of a website or app, that dispenses rewards in the form of a satoshi, for visitors to claim in exchange for completing a captcha or task as described by the website. SATOSHI : 1/100th of a Millionth BITCOIN
38. 38.
39. 39. Number of blocks preceding particular block on a block chain. Genesis block has a height of zero because zero block preceded it.
40. 40. 20-byte hash formatted using base58check to produce either a P2PKH or P2SH Bitcoin address 00000000001F1tAaz5x1HUXrCNLbtM*****
41. 41. How difficult it is to find a block relative to the difficulty of finding the easiest possible block. The easiest possible block has a proof-of- work difficulty of 1. Difficulty is changed every 2016 blocks based on the time it took to discover 2016 previous blocks.
42. 42. A user for CONDUCTING TRANSACTIONS utilizing BITCOIN, he or she must first DOWNLOAD and setup a BITCOIN WALLET BITCOIN WALLET can show the total BALANCE of all BITCOINS it CONTROLS and let A USER PAY a specified AMOUNT
43. 43. WALLET contains a USERS PRIVATE KEY, which ALLOWS FOR THE SPENDING of the BITCOINS, which are located in the BLOCK CHAIN Once wallet is INSTALLED & CONFIGURED, an ADDRESS is GENERATED which is SIMILAR to an E-MAIL or PHYSICAL ADDRESS
44. 44. WALLET is basically the Bitcoin Equivalent of a Bank account. Allows to RECEIVE BITCOINS, them, and then SEND them to others
45. 45. Connected to the Internet or is online is said to be HOT Cold Wallets & Hot Wallets Cold is considered most Secure & suitable for Storing Large Amounts of bitcoins Hot is suitable for Frequently Accessed funds COLD implies it is Offline or Disconnected from the Internet
46. 46. Designedto be downloaded & used on Laptops/PCs DESKTOPWALLETS Armory, Multibit, Msigna and Hive to mention a FEW Easyto Access. Available for Different OS Windows, Mac OS and Ubuntu.
47. 47. MOBILEWALLETS
48. 48. ONLINEWEBWALLETS
49. 49. PHYSICALWALLETS Once they are generated, you print them out on a piece of paper Paper Wallets can Securely hold your BITCOINS in Cold Storage form for a long time Bitaddress.org or Blockchain.info
50. 50. BitcoinQt is the First ever built bitcoin CLIENT WALLET BITCOINCLIENTS WALLETS Original bitcoin wallet used by the Pioneers of the currency COMPUTERS installed with these wallets FORM PART OF THE CORE NETWORK & have access to all transactions on the blockchain
51. 51. HARDWAREWALLETS
52. 52. BITCOIN ARTIFACTS
53. 53. They DONT EXIST ANYWHERE, even on a hard drive
54. 54. When we say SOMEONE HAS BITCOINS & you look at a PARTICULAR BITCOIN ADDRESS, there are NO DIGITAL BITCOINS held AGAINST that ADDRESS BALANCE of any BITCOIN address ISNT HELD at that ADDRESS; one MUST RECONSTRUCT it by looking at the BLOCKCHAIN
55. 55. Everyone on the NETWORK knows about a TRANSACTION and THE HISTORY OF A TRANSACTION can be TRACED BACK to the point where the BITCOINS were produced
56. 56. Conduct a SEARCH based on BLOCK NUMBER, ADDRESS, BLOCK HASH, TRANSACTION HASH or PUBLIC KEY
57. 57. SOURCE : https://blockchain.info/ip-log
58. 58. LOCK FILE DEBUG.LOG PEERS.DAT WALLET.DAT BITCOIN-QT FOLDER STRUCTURE DB LOCK FILE EXTENSIVE LOGGING FILE PEER INFORMATION STORAGE FOR KEYS,TXN,METADATA etc
59. 59. BITCOIN-QT FOLDER STRUCTURE
60. 60. BITCOIN-BLOCK FOLDER ANALYSIS
61. 61. BITCOIN-QT FOLDER STRUCTURE Blocks This subdirectory contains blockchain data and contains a blk.dat file and a blocks/index subdirectory blk.dat stores actual Bitcoin blocks dumped in raw format The blocks/index subdirectory is a database that contains metadata about all known blocks
62. 62. Chainstate subdirectory- it is a database with a compact representation of all currently unspent transactions and some metadata about where the transactions originated BITCOIN-QT FOLDER STRUCTURE
63. 63. Database subdirectory - Contains database journaling files BITCOIN-QT FOLDER STRUCTURE
64. 64. 1.46 10^48 possible Bitcoin Addresses that gives every person on Earth 2.0510^38 Different Addresses
65. 65. Bitcoin Mixer is an Anonymous Service, that confuses the trails of Bitcoin transactions.
66. 66. PROJECT TITANIUM : Main thrust of the European Unions Titanium Project is to Monitor blockchains, deanonymize wallet addresses, surveil dark net markets, and block terrorists and money launderers. TITANIUM, which stands for Tools for the Investigation of Transactions in Underground Markets
67. 67. Private key of the suspect, they can search for that particular key on the Blockchain to Trace the purchases to other potential Suspects. investigator has the Bitcoin
68. 68. Detecting such attackers is CHALLENGING any day Attacking Bitcoin via the Internet infrastructure using routing attacks As Bitcoin connections are routed over the Internetin clear text and without integrity checksany third-party can eavesdrop, drop, modify, inject, or delay Bitcoin messages
69. 69. BITCOIN FORENSIC ARTIFACT EXAMINATION Windows 7 Professional Multibit Bitcoin-Qt Bitminter Basic USB ASIC Bitcoin Gateway laptop ML6720 120 GB WD hard drive (4) USB ASIC Mining drives USB powered cooling fan 32 GB USB thumb drive
70. 70. System Info Info about Logged users Registry Info Remnants of Chats Web browsing Activities Recent Communications Info from Cloud Services Decryption Keys for encrypted volumes mounted COLLECTION OF BITCOIN ARTIFACTS
71. 71. Utilizing the data from 344 transactions, Meiklejohn able to identify the owners of more than a million Bitcoin addresses Sarah Meiklejohn, a Bitcoin focused Computer Researcher Extensive Research in Bitcoin Blockchain Found that by looking blockchain an investigator can uncover who owns a Bitcoin addresses
72. 72. Bitcoin transactions occur via a Network Connection, an investigator should seize any Physical Object that can connect to the Internet in addition to the hard drive COLLECTION OF BITCOIN ARTIFACTS
73. 73. Ulbricht Ross
74. 74. BITCOIN SOON GONNA REPLACE ALL THESE NAMES!!!!!
75. 75. anupamtiwari@protonmail.com https://about.me/anupam.tiwari