Bitcoin Forensics – A Journey into the Dark Web

There has been a lot of buzz around Tor, Bitcoin, and the so-called “dark web” (or “deep web”) since the FBI shut down the underground website “Silk Road” on Oct 1st.

As many of you already know, Tor is a network of encrypted, virtual tunnels that allows people to use the internet anonymously, hiding their identity and network traffic. Using Tor’s hidden service protocol, people can also host websites anonymously that are only accessible by those on the Tor network. Enter Silk Road.

Silk Road was an online black market where you could buy virtually anything, including but not limited to drugs, weapons, credit card data, contract killers, and more. One of the key “features” of Silk Road was that it was only accessible via the Tor network, hidden from the mainstream web.

With $1.2 billion in sales and nearly a million customers, business was good. The other key privacy aspect of Silk Road is that all transactions on the site were via Bitcoin, a distributed, peer-to-peer, and anonymous digital currency that is based on cryptography principles.

Silk Road is gone but there are other online black marketplaces that will take its place, like the Sheep Marketplace or Black Market Reloaded:

These sites are also only accessible via Tor and use Bitcoin to conduct transactions.

Using Bitcoin is fairly easy. You need a Bitcoin client/digital wallet installed on your computer or mobile device. You then need to obtain bitcoins from a Bitcoin exchange such as Mt. Gox and Bitstamp.

To send someone money, you instruct your Bitcoin client to send an amount of bitcoins to a Bitcoin address which will look something like this: 1N52cffvJp8jZRRamegywrLrD7aLjQbapF.

A transaction message is created and electronically signed by the Bitcoin client using your private key. This transaction is broadcast to the Bitcoin P2P network and is “verified” in a few minutes (sometimes up to 10). Once verified, the transaction is complete.

All Bitcoin transactions are stored publicly and permanently on the Bitcoin network – the balance and transactions of any Bitcoin address are visible to anyone. New addresses can be created for each transaction, however, further increasing the anonymity of Bitcoin transactions.

Support for recovering Bitcoin artifacts was added to IEF in version 6.1 (released this past June). Bitcoin addresses can be recovered from a Bitcoin wallet, as well as queries on the Bitcoin network from log files created by the Bitcoin client software.

Here you can see addresses from a Bitcoin wallet, including labels (if applicable) and whether or not the address has been active. When you create a wallet, a number of addresses are automatically created and put in the “thread pool”.

In this screenshot you can see queries on the Bitcoin P2P network. These may or may not relate to the local user’s activity.

In the IEF Report Viewer, when viewing Bitcoin records, you can right-click on a record and then click “Query Bitcoin Block Chain” to look up more information on that transaction/address on the web.

Above is an example of what you might see for a transaction or address. In this example, you can see the amount of Bitcoin (0.005), dates/times, and the recipient of the transfer.

As you can see, Bitcoin is a tough currency to track or investigate. However, knowing which addresses were in a suspect/victim’s Bitcoin wallet and details about transactions can help you piece the puzzle back together.

I hope you found this post useful and wish you luck in investigations involving these technologies.

Are there specific topics you’d like me to blog about? Please feel free to reach out to me directly at jad(at)magnetforensics(dot)com with any ideas you might have. I’m also always open to and appreciative of your feedback, good or bad, regarding our software and how we can make it better for you.

All the best,
Jad and the Magnet team