I am conducting a forensic examination on a computer that involves trying to find evidence relating to Bitcoin. I have located the Bitcoin wallet under app data/roaming and there is a wallet listed. I can only view in hex. It looks to me like it's encrypted, however I've been told by others that the wallet is not and that I should be able to locate the key which is supposed to be X amount of digits long and beginning with 2 known characters.
Any thoughts or ideas on how to find this or if anyone has had any experience with this.
I am running FTK V5.3.6 on this case as it's an older case.
Belkasoft supports analysis Bitcoin artefacts.
Honestly. The easiest way is to download the wallet software. Launch it. Close it. Replace the wallet file and then re-open. Let it sync blocks if necessary. You can view balance, wallet address, and transaction history from the GUI much easier.
Most of the wallets allow you to set the directory of the blockchain and data from the command line. something like "bitcoin-qt.exe -datadir=./data/"
Great article, thanks