To the well of knowledge….
I am working on something involving bitcoins, a crypto-currency. I am wondering if anyone has had any experience doing forensics involving bitcoins yet? I am specifically looking for help with the following questions
1.) Have you ever encountered a bitcoin wallet (wallet.dat) file before?
2.) If so, how do you parse out the information within the file?
3.) Is there a way to fully decrypt the keys listed in the file? A previous attempt with Python scripts (found at https://
4.) Does the bitcoin software have to be connected to the internet in order to view transactions from the wallet.dat file?
5.) Because a single user can have multiple bitcoin addresses, is there a way to tie a single address to a specific user?
I have gone out to the main bitcoin wiki page (https://
I remember reading an article on the Bitcoin forum in regards to "forensics", I'll have a look for you.
Official Bitcoin forum
http://bitcointalk.org/
Any luck finding that article? I appreciate it!
I saw something last week that was talking about how BitCoin transactions were not as anonymous as once thought. I'll try to find it again.
I know the Security Now podcast had an episode on bitcoin, so that might help give you a feel for how it works and whatnot.
Further, I am aware there was a hack involving stealing bitcoin wallets. Again, it was another podcast from Security Now with Steve Gibson.
From what I understand, your bitcoin wallet is all you have. Meaning if I was to steal your wallet, that is it. There is not much you can do per se to try to attempt to get it back via some dispute or reporting that someone stole your wallet.
The good thing about the podcast is it is in transcript / text form so once you hear the info you need you can search for the verbiage.
It might not hurt just actually reaching out to Steve Gibson and asking him as well.
Sorry,
I looked however I have no idea where I read the article, it was a link from a link from a link type scenario.
oops
I can't find the exact link that I used, but here are two sites. The first link has lots of sub links and a vast amount of information.
http//
http//
If you google "bit coins not anonymous" there are lots of links and information about how to trace bit coin transactions. I know this only answers two of your questions, but maybe it will help you stumble on what you're looking for.
Has anyone had any luck decrypting the wallet.dats?
I am working on something involving bitcoins, a crypto-currency. I am wondering if anyone has had any experience doing forensics involving bitcoins yet?
Maybe I'm missing something that is really terribly obvious, but what exactly is "forensics involving bitcoins", and how does it differ from other types of forensics?
I am specifically looking for help with the following questions
1.) Have you ever encountered a bitcoin wallet (wallet.dat) file before?
2.) If so, how do you parse out the information within the file?
3.) Is there a way to fully decrypt the keys listed in the file? A previous attempt with Python scripts (found at https://github.com/gavinandresen/bitcointools) only gives the first 4 and last 4 characters of each key.
4.) Does the bitcoin software have to be connected to the internet in order to view transactions from the wallet.dat file?
5.) Because a single user can have multiple bitcoin addresses, is there a way to tie a single address to a specific user?
Maybe it's just me, but it sounds like someone's trying to access a bitcoin wallet.
Yup pretty obvious. BitCoin can be used to purchase illegal materials…
Essentially if you have someone's BitCoin wallet then you can prove transactions - That's where the forensics bit comes in 😉
Unfortunately the wallet.dats are encrypted.. See below
Wallet encryption uses AES-256-CBC to encrypt only the private keys that are held in a wallet. The keys are encrypted with a master key which is entirely random. This master key is then encrypted with AES-256-CBC with a key derived from the passphrase using SHA512 and OpenSSL's EVP_BytesToKey and a dynamic number of rounds determined by the speed of the machine which does the initial encryption (and is updated based on the speed of a computer which does a subsequent passphrase change). Although the underlying code supports multiple encrypted copies of the same master key (and thus multiple passphrases) the client does not yet have a method to add additional passphrases.
At runtime, the client loads the wallet as it normally would, however the keystore stores the keys in encrypted form. When the passphrase is required (to top up keypool or send coins) it will either be queried by a GUI prompt, or must first be entered with the walletpassphrase RPC command. This will change the wallet to "unlocked" state where the unencrypted master key is stored in memory (in the case of GUI, only for long enough to complete the requested operation, in RPC, for as long as is specified by the second parameter to walletpassphrase). The wallet is then locked (or can be manually locked using the walletlock RPC command) and the unencrypted master key is removed from memory.
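The passphrase-to-key step described in the post above, as an added example (not part of the original thread and not the Bitcoin client's own code): a standard-library re-implementation of OpenSSL's EVP_BytesToKey with SHA-512, producing the AES-256-CBC key and IV that protect the master key. The passphrase, salt and round count are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import time

AES256_KEY_LEN = 32   # AES-256 key size in bytes
AES_CBC_IV_LEN = 16   # AES block size, used as the CBC IV


def evp_bytes_to_key_sha512(passphrase: bytes, salt: bytes, rounds: int,
                            key_len: int = AES256_KEY_LEN,
                            iv_len: int = AES_CBC_IV_LEN):
    """Derive (key, iv) the way EVP_BytesToKey does with SHA-512.

    Each output block is SHA-512(previous_block || passphrase || salt),
    then re-hashed until `rounds` hashes have been applied in total.
    OpenSSL uses an 8-byte salt; pass the salt stored with the wallet.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.sha512(block + passphrase + salt).digest()
        for _ in range(rounds - 1):
            block = hashlib.sha512(block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derivation_seconds(rounds: int) -> float:
    """Time one derivation; the cost grows linearly with `rounds`."""
    start = time.perf_counter()
    evp_bytes_to_key_sha512(b"constructed passphrase", b"\x00" * 8, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real wallet.
    salt = bytes.fromhex("0102030405060708")
    key, iv = evp_bytes_to_key_sha512(b"known passphrase", salt, 25000)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    # The "dynamic number of rounds" trades unlock time for guessing cost.
    for n in (1000, 10000, 100000):
        print(n, "rounds:", round(derivation_seconds(n) * 1000, 2), "ms")
```

An examiner who has the passphrase still needs the salt and round count recorded in the wallet next to the encrypted master key; without them the derived key will not match.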