Why Bitcoin Matters in Modern Forensic Investigations

Friday, August 11, 2017

There’s an old adage in investigations: “follow the money.” Popularized in the 1976 docudrama “All The President’s Men,” it’s often (incorrectly) attributed to Deep Throat, the secret informant who helped Woodward and Bernstein break the Watergate scandal. There’s a reason that the expression has become so entrenched: financial transactions often lead to important evidence in traditional investigations. However, when it comes to cryptocurrencies, the landscape is often significantly more challenging.

What is Cryptocurrency?

A cryptocurrency (like Bitcoin, Ethereum, Ripple and Litecoin) is a digital medium of exchange that uses cryptography to secure transactions and control the issuance of new units. Essentially, it’s digital money – and what’s important is that you can transfer cryptocurrency from one address to another without revealing your identity. This factor makes the medium particularly appealing to the criminal element, and in fact, law enforcement agencies around the world announced on July 20, 2017, that they had taken down two dark-web marketplaces: AlphaBay and Hansa, both of which handled illegal transactions via Bitcoin. AlphaBay is reported to have engaged in transactions totaling more than $1 billion since 2014. Authorities have successfully shut down many dark markets – Silk Road, Silk Road 2, Evolution and Agora – only to have another market step in to fill the void.

Bitcoin, probably the most well-known, has many upsides as a currency: it provides a transaction vehicle for the nearly 2.5 billion people worldwide who don’t use bank accounts, has no charge-backs, and offers low transaction fees. However, for most people, the word “Bitcoin” brings spectacular news stories to mind, concerning corruption, ransomware payments, and criminal dark-web activities like purchasing weapons, drugs, credit card numbers, and worse.

Our Professional Responsibility

Cyber criminals almost always demand a ransom for data held captive with ransomware or data that has been exfiltrated, and they often demand it in Bitcoin. For that reason, Incident Response professionals need to understand cryptocurrencies – how they work, how they’re used, and how to manage such ransom demands. Additionally, fraud examiners should understand blockchain transactional analysis and Bitcoin mixing services so that they’re better equipped to trace laundered currencies and track down hidden assets, and forensic investigators should understand Bitcoin as it relates to selling or purchasing contraband items and services.

There’s good news and bad news for forensic investigators doing blockchain transactional analysis. The good news is that Bitcoin’s blockchain is a publicly accessible ledger containing all the transactions ever conducted in Bitcoin since its inception in January of 2009. The bad news is the pseudonymous nature of those transactions, which don’t refer to names or email addresses. Instead, they use Bitcoin addresses, which look like this: 1yXfRNBg9E2URDEcrdZx5R1ZPxTcUJGTH. The challenge for forensic investigators, as usual, is to put the person behind the keyboard, which may be accomplished with a mixture of traditional investigative and digital forensic techniques.

Bitcoins are stored in “wallets” – basically, the cryptocurrency equivalent of a bank account. Wallets can be hosted on a computer, in the cloud, on a hardware device or even on paper. In almost any investigation of a computer or mobile device, forensic professionals should look for Bitcoin wallets. Examination of a computer wallet can reveal transactions associated with that specific wallet, even if the wallet itself is encrypted to prevent seizure of its Bitcoins.
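As an added illustration (not part of the original post), here is one way an examiner might triage text extracted from a device for Bitcoin addresses: find strings with the address shape shown above, then keep only those that pass the Base58Check checksum that legacy addresses carry. It goes slightly beyond the post by also recognizing addresses that start with "3"; the sample text and the address in it are constructed for the example.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose pattern for legacy addresses; the checksum below weeds out look-alikes.
CANDIDATE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}  # mainnet version bytes

def checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    """Used only to build the constructed sample address."""
    raw = bytes([version]) + payload
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def classify(addr: str):
    """Return 'P2PKH' or 'P2SH' if addr passes Base58Check, else None."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or checksum(raw[:21]) != raw[21:]:
        return None
    return VERSIONS.get(raw[0])

def carve(text: str):
    """Return (offset, address, type) for every checksum-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(text):
        kind = classify(m.group())
        if kind:
            hits.append((m.start(), m.group(), kind))
    return hits

# Constructed sample: one valid address and a one-character typo of it.
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(1, 21)))
TYPO = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE_TEXT = f"memo: pay {SAMPLE_ADDR} by Friday\nnote: old copy {TYPO}\n"

if __name__ == "__main__":
    for hit in carve(SAMPLE_TEXT):
        print(hit)
```

The checksum step matters in practice because unallocated space and application data are full of random alphanumeric runs that match the shape of an address but are not one.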

Given Bitcoin’s growing use in a wide variety of nefarious activities, it is incumbent on examiners to develop expertise in wallet and transactional analysis to support their clients’ needs. As investigative professionals, our code of ethics demands it. What’s more, as technology leaders, it’s our responsibility to ensure that innovations and advances are put to good use – not evil.

For more detailed information about cryptocurrencies and their role in high-tech crime, refer to the following:
A forensic look at Bitcoin Cryptocurrency by Michael Doran
Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity. Issued by the FBI Directorate of Intelligence – Cyber Intelligence Section and Criminal Intelligence Section.
A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto




Andy Reid is a seasoned Forensic Investigator, with broad and deep experience in the private sector as a Controller and Operations Manager, as well as significant expertise and a long track record of success in digital forensics, information security, and compliance. Andy has assisted in complex investigations in various offices of the Canadian public service, working with law enforcement and government agents to provide complete, correct analysis of incidents and issues.
