A framework for live host-based Bitcoin wallet forensics and triage

Organised crime and cybercriminals use Bitcoin, a popular cryptocurrency, to launder money move it across borders with impunity. The UK other countries have legislation recover the proceeds of from criminals. Recent case law has recognised cryptocurrency assets as property that can be seized realised under Proceeds Crime Act (POCA). To seize asset generally requires access private key. Anecdotal evidence suggests if is not quickly after enforcement action taken place, will transferred wallets making difficult at future time. We investigate how Bitcoin could an Electrum or Ledger hardware wallet, during search, using live forensic techniques dictionary attack. conduct literature review examining state-of-the-art in application forensics wallet attacks. Concluding, there gap research on security significant proportion available comes small group academics working industry (Volety et al. 2019; Van Der Horst al., 2017; Zollner 2019). then forensically examine software Nano S establish what artefacts recovered assist recovery wallets. Our main contribution proposed framework for triage, collection tool identifiers, two proof concept dictionary-attack tools written Python OpenCL. evaluate these attack practicable low-cost cluster public cloud-based Graphics Processing Unit (GPU) instances. During our investigation, we find weakness Electrum's storage encrypted keys RAM. leverage this make around 2.4 trillion password guesses. also demonstrate 16.6 billion guesses against protected seed phrase.