Bitcoin Forensics Part II: The Secret Web Strikes Back

In last week’s post, we talked about Bitcoin, Tor and some of the hidden websites only accessible via Tor, such as Silk Road, which was shut down by the FBI on October 1st.

Well, just over a month later and Silk Road is back online:

Bitcoin Forensics - Silk Road

You can reach the new site at this link (again, only via Tor) if you’d like to check it out: http://silkroad6ownowfk.onion

It only took a day and they already had more than 20,000 users on the site:



Bitcoin Forensics - Silk Road

The new admin of the site? “Dread Pirate Roberts”. How’s that possible? He’s been arrested, right? Those familiar with the movie “The Princess Bride” will get the joke here – the Dread Pirate Roberts was not one man, but rather a series of individuals who periodically pass the name and reputation on to a chosen successor.

Time will tell how long the new Silk Road lasts, but it’s clear that these secret websites and Tor aren’t going away anytime soon, and neither is the currency that drives these sites, Bitcoin.

We received a lot of positive feedback on the last Bitcoin post and some suggestions for follow-up posts. One of the themes was around identifying Bitcoin wallets, especially on a USB flash drive or other removable media.

First, let’s take a look at the Bitcoin wallet software out there:

Bitcoin Forensics - Wallets

As you can see, there are a few different options. This time I’ll focus on the Bitcoin-Qt client, the standard client: it is a full Bitcoin client and forms the backbone of the network.

If you’re examining an image with the Bitcoin-Qt client present you’ll see a folder structure and files under the Users\[username]\AppData\Roaming\Bitcoin folder similar to this:

Bitcoin Forensics - Files

Note the “wallet.dat” file and “debug.log”. The wallet.dat file is (you guessed it!) the file containing the wallet data for the user. The debug.log file contains (you guessed it again) debugging information, including communication on the Bitcoin P2P network and, in some cases, timestamps.

The wallet.dat file is easy to identify by filename, but backups of the wallet can be made and can be called whatever the user chooses. If you are examining removable media or other locations where you suspect you are dealing with a Bitcoin wallet file (from the Bitcoin-Qt client), you can check a couple of bytes at offset 0x12 for the string “b1”, which may identify the file as being a Bitcoin wallet:

Bitcoin Forensics - Wallet Identification
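
The signature check described above, as an added example (not code from the original post or from IEF): a Python triage script that flags candidate wallet files on a mounted image or removable volume regardless of file name. It assumes the Berkeley DB B-tree layout, in which the magic 0x00053162 sits at decimal byte offset 12 and begins with “b1” on little-endian systems, and uses an assumed set of Bitcoin-Qt record labels as a second heuristic; all function names are illustrative.

```python
import struct
import tempfile
from pathlib import Path

# Assumption (not from the post): Berkeley DB B-tree files carry the 4-byte
# magic 0x00053162 at decimal byte offset 12; little-endian hosts write it as
# 62 31 05 00, so it starts with ASCII "b1". Both byte orders are accepted.
MAGIC_OFFSET = 12
MAGICS = (struct.pack("<I", 0x00053162), struct.pack(">I", 0x00053162))
# Assumption: length-prefixed record labels typical of Bitcoin-Qt wallets.
WALLET_LABELS = (b"\x04name", b"\x03key", b"\x04ckey", b"\x0adefaultkey")


def is_bdb_btree(header: bytes) -> bool:
    """True if the B-tree magic sits at MAGIC_OFFSET (short input is False)."""
    return header[MAGIC_OFFSET:MAGIC_OFFSET + 4] in MAGICS


def classify(path, scan_bytes: int = 1 << 20) -> str:
    """Return 'wallet-likely', 'bdb-only' or 'no-match' for one file."""
    with open(path, "rb") as fh:
        data = fh.read(scan_bytes)
    if not is_bdb_btree(data):
        return "no-match"
    hits = sum(label in data for label in WALLET_LABELS)
    return "wallet-likely" if hits >= 2 else "bdb-only"


def triage(root) -> dict:
    """Classify every file under a mounted image or volume, ignoring names."""
    found = {}
    for p in sorted(Path(root).rglob("*")):
        try:
            if p.is_file() and (verdict := classify(p)) != "no-match":
                found[str(p.relative_to(root))] = verdict
        except OSError:
            continue  # unreadable entry: leave it for manual review
    return found


def demo() -> dict:
    """Run triage() over constructed sample files (not real wallets)."""
    hdr = b"\x00" * MAGIC_OFFSET + MAGICS[0] + b"\x00" * 16
    samples = {"holiday.bak": hdr + b"\x04name\x03key", "cache.db": hdr,
               "notes.txt": b"b1 is not at offset 12 here"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            (Path(root) / name).write_bytes(body)
        return triage(root)
```

A “bdb-only” verdict means the file is a Berkeley DB B-tree but shows no wallet labels in the scanned portion, so it still warrants a manual look before being ruled out.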

Another easy check is to export the file and rename it to “wallet.dat”. Run IEF on that file by using the “Files/Folders” button on the main screen and then unchecking all the artifacts except for the Bitcoin artifact on the artifact selection screen. Here is a sample of what you’d see recovered from the wallet by IEF:

Bitcoin Forensics - Internet Evidence Finder

I hope this answers some of the questions you may have had after my last post on Bitcoin forensics.

We’ll do our best to continue bringing you interesting topics in future posts, and as always, I’m eager to hear your suggestions for what you’d like to see in future blog posts. Please feel free to email suggestions, feature requests, and feedback on IEF to jad(at)magnetforensics(dot)com.

Have a great week!
Jad and the Magnet team
