transcript
- 1. By : ANUPAM TIWARI anupamtiwari@protonmail.com Research
Scholar, GD Goenka University, Gurugram
- 2. The views expressed in this presentation are my own.
Reference to any specific products, process, or service does not
necessarily constitute or imply endorsement, recommendation, or
views of Min of Def or any Govt. All images used are for
illustrative purposes only & do not promote any specific
product.
- 3. This PRESENTATION is not going to make anyone of you a
BITCOIN FORENSIC EXPERT INVESTIGATOR BUT may only LEND you few
TERMS OF REFERENCES to build upon and EXPLORE further
- 4. But Keep Calm & Trust Forensics By : ANUPAM TIWARI
EMAIL: anupamtiwari@protonmail.com
- 5. The earth was torn apart by sin, the sky by unrighteousness,
humanity trembled under atrocity, beasts are ruling ... Those whose
strength will be unmatched, whose aim will be unerring, who will
bring about their destruction ... they will be called Tridev
- 6. SATOSHI NAKAMOTO: Name used by the unknown person who designed
BITCOIN and created its original reference implementation
- 7. AS OF 24TH OCT 2017, 1 BITCOIN IS WORTH 5720.83 US Dollar ($),
SO 1 BITCOIN IS 3,71,782/-. SOURCE :
https://blockchain.info/charts/n-transactions
- 8. 260437 SOURCE :
https://blockchain.info/charts/n-transactions
- 9. ANONYMITY VS PSEUDONYMITY: Mark Twain / Samuel Clemens. Public
key addresses, similar in function to an email address, are used to
send and receive Bitcoins and record transactions, as opposed to
personally identifying information.
- 10. CRYPTOCURRENCY IS AN ATTEMPT TO BRING BACK A DECENTRALISED
CURRENCY OF PEOPLE, ONE THAT IS NOT SUBJECT TO INFLATIONARY MOVES
BY A CENTRAL BANK
- 11. Bitcoin is starting to come into its own as a Digital
Currency, but the Blockchain Technology behind it could prove to be
much more SIGNIFICANT
- 12. SMART CONTRACTS are computer protocols that facilitate,
verify, or enforce the negotiation or performance of a CONTRACT, or
that make a contractual clause unnecessary. Smart contracts often
EMULATE the logic of contractual clauses. I WILL NOT DIVERT. WILL
FOCUS ON BITCOINS THOUGH!!!!!
- 13. More DETAILS a Forensic Investigator KNOWS about the TECH
ARCHITECTURE, the CLOSER he gets to CLOSE the CASE
- 14. BASICALLY CHUNKS OF INFO THAT CAN BE USED TO MAKE A
MATHEMATICAL GUARANTEE ABOUT MESSAGES
- 15. MERKLE TREE
- 16. A Peer-to-Peer (P2P) network is created when two or more PCs
are connected & share resources without going through a
separate server computer
- 17. Distributed Ledger is a Consensus of Replicated, Shared
& Synchronized digital data geographically spread across
multiple sites & countries
- 18. TAMPER EVIDENT LEDGER: Type of Distributed Ledger, comprised
of Unchangeable, Digitally Recorded Data in packages called BLOCKS
- 19. Linked list data structure, with each block containing a
hash of the previous block
- 20. PROOF OF WORK: Proof Of Work Is A Piece Of Data Which Is
Difficult To Produce But Easy For Others To Verify And Which
Satisfies Certain Requirements. Bitcoin Uses The Hashcash Proof Of
Work System.
- 21. Each block is formed by a proof-of-work algorithm,
through which consensus of this distributed system could be
obtained via the longest possible chain
- 22. https://anders.com/blockchain/blockchain.html
- 23. Thus blockchain provides the basis for the TRUSTLESS
DISTRIBUTED SYSTEM
- 24. A block is an aggregated set of data. Data is collected and
processed to fit in a block through a process called MINING. Each
block could be identified using a Cryptographic Hash.
- 25. Mining is the process of writing pages (blocks) of Bitcoin
transactions into the Bitcoin Blockchain, and getting rewarded
with newly created bitcoins
- 26. Block will contain a hash of the previous block, so that
blocks can form a chain from the first block ever (known as the
Genesis Block) to the formed block
- 27. FIRST BLOCK : GENESIS
- 28. Every 10 minutes, all Bitcoin transactions taking place are
bundled into a block. These blocks, linked through a timestamp
signing, form a chain (blockchain), which goes back to the first
block ever created (mined). The time stamping makes it impossible to
alter any part of it once the network confirms it.
- 29. Before a new block is added to the blockchain, the Bitcoin
network has to reach a consensus based on predetermined rules.
These rules are inbuilt in the Bitcoin Core software, which
every node in the Bitcoin network runs.
- 30. Data in a blockchain is internally consistent and immutable.
Each block's hash is derived from the contents of the block. Each
block refers to the previous block's hash, not a sequential
number.
- 31. Bitcoin network is composed of PEERS connected to other PEERS
over unencrypted TCP channels. Each peer attempts to maintain EIGHT
outgoing connections to other peers. These eight peers are called
ENTRY NODES. Source : Alex Biryukov et al., Deanonymisation of
Clients in Bitcoin P2P Network
- 32. Transaction and Block messages are propagated in the network
by being Relayed through these ENTRY NODES to other peers. When X
sends a transaction advertising that he is transferring ownership
of 1 BTC to Y, his computer sends an inv message to its immediate
peers, the entry nodes.
- 33. The inv message lets the entry nodes know that there are
transactions or blocks. Entry nodes relay the data farther
throughout the network by sending inv to their own peers. Entry
nodes request the full transaction by sending getdata in response
to X's computer.
- 34. THE LAST BITCOIN (PROBABLY 21 MILLIONTH COIN) WILL BE MINED
IN THE YEAR 2140
- 35. 206 , 1670 ... . SHA .
- 36. BITCOIN MINING
- 37. A reward system, in the form of a website or app, that
dispenses rewards in the form of a satoshi, for visitors to claim
in exchange for completing a captcha or task as described by the
website. SATOSHI : 1/100th of a Millionth of a BITCOIN
- 38.
- 39. Number of blocks preceding a particular block on a block
chain. Genesis block has a height of zero because zero blocks
preceded it.
- 40. 20-byte hash formatted using base58check to produce either
a P2PKH or P2SH Bitcoin address
00000000001F1tAaz5x1HUXrCNLbtM*****
- 41. How difficult it is to find a block relative to the
difficulty of finding the easiest possible block. The easiest
possible block has a proof-of-work difficulty of 1. Difficulty is
changed every 2016 blocks based on the time it took to discover
2016 previous blocks.
- 42. For CONDUCTING TRANSACTIONS utilizing BITCOIN, a user must
first DOWNLOAD and set up a BITCOIN WALLET. A BITCOIN WALLET
can show the total BALANCE of all BITCOINS it CONTROLS and let A
USER PAY a specified AMOUNT.
- 43. WALLET contains a USER'S PRIVATE KEY, which ALLOWS FOR THE
SPENDING of the BITCOINS, which are located in the BLOCK CHAIN. Once
the wallet is INSTALLED & CONFIGURED, an ADDRESS is GENERATED which
is SIMILAR to an E-MAIL or PHYSICAL ADDRESS.
- 44. WALLET is basically the Bitcoin Equivalent of a Bank
account. Allows you to RECEIVE BITCOINS, STORE them, and then SEND
them to others
- 45. Cold Wallets & Hot Wallets: A wallet that is Connected to the
Internet or is online is said to be HOT. COLD implies it is Offline
or Disconnected from the Internet. Cold is considered most Secure &
suitable for Storing Large Amounts of bitcoins. Hot is suitable for
Frequently Accessed funds.
- 46. DESKTOP WALLETS: Designed to be downloaded & used on
Laptops/PCs. Easy to Access. Available for Different OS: Windows,
Mac OS and Ubuntu. Armory, Multibit, Msigna and Hive to mention a
FEW.
- 47. MOBILE WALLETS
- 48. ONLINE WEB WALLETS
- 49. PHYSICAL WALLETS: Paper Wallets can Securely hold your
BITCOINS in Cold Storage form for a long time. Once they are
generated, you print them out on a piece of paper. Bitaddress.org
or Blockchain.info
- 50. BITCOIN CLIENT WALLETS: Bitcoin-Qt is the First ever built
bitcoin CLIENT WALLET. Original bitcoin wallet used by the Pioneers
of the currency. COMPUTERS installed with these wallets FORM PART OF
THE CORE NETWORK & have access to all transactions on the
blockchain.
- 51. HARDWARE WALLETS
- 52. BITCOIN ARTIFACTS
- 53. They DON'T EXIST ANYWHERE, even on a hard drive
- 54. When we say SOMEONE HAS BITCOINS & you look at a
PARTICULAR BITCOIN ADDRESS, there are NO DIGITAL BITCOINS held
AGAINST that ADDRESS. BALANCE of any BITCOIN address ISN'T HELD at
that ADDRESS; one MUST RECONSTRUCT it by looking at the
BLOCKCHAIN.
- 55. Everyone on the NETWORK knows about a TRANSACTION and THE
HISTORY OF A TRANSACTION can be TRACED BACK to the point where the
BITCOINS were produced
- 56. Conduct a SEARCH based on BLOCK NUMBER, ADDRESS, BLOCK
HASH, TRANSACTION HASH or PUBLIC KEY
- 57. SOURCE : https://blockchain.info/ip-log
- 58. BITCOIN-QT FOLDER STRUCTURE: LOCK FILE: DB LOCK FILE;
DEBUG.LOG: EXTENSIVE LOGGING FILE; PEERS.DAT: PEER INFORMATION;
WALLET.DAT: STORAGE FOR KEYS, TXN, METADATA etc
- 59. BITCOIN-QT FOLDER STRUCTURE
- 60. BITCOIN-BLOCK FOLDER ANALYSIS
- 61. BITCOIN-QT FOLDER STRUCTURE: Blocks. This subdirectory
contains blockchain data and contains a blk.dat file and a
blocks/index subdirectory. blk.dat stores actual Bitcoin blocks
dumped in raw format. The blocks/index subdirectory is a database
that contains metadata about all known blocks.
- 62. BITCOIN-QT FOLDER STRUCTURE: Chainstate subdirectory. It is a
database with a compact representation of all currently unspent
transactions and some metadata about where the transactions
originated.
- 63. BITCOIN-QT FOLDER STRUCTURE: Database subdirectory. Contains
database journaling files.
- 64. 1.46 × 10^48 possible Bitcoin Addresses, which gives every
person on Earth 2.05 × 10^38 Different Addresses
- 65. Bitcoin Mixer is an Anonymous Service, that confuses the
trails of Bitcoin transactions.
- 66. PROJECT TITANIUM : Main thrust of the European Union's
Titanium Project is to Monitor blockchains, deanonymize wallet
addresses, surveil dark net markets, and block terrorists and money
launderers. TITANIUM stands for Tools for the Investigation
of Transactions in Underground Markets.
- 67. If the investigator has the Bitcoin Private key of the
suspect, they can search for that particular key on the Blockchain
to Trace the purchases to other potential Suspects.
- 68. Attacking Bitcoin via the Internet infrastructure using
routing attacks: As Bitcoin connections are routed over the
Internet, in clear text and without integrity checks, any
third-party can eavesdrop, drop, modify, inject, or delay Bitcoin
messages. Detecting such attackers is CHALLENGING any day.
- 69. BITCOIN FORENSIC ARTIFACT EXAMINATION: Windows 7
Professional, Multibit, Bitcoin-Qt, Bitminter, Basic USB ASIC
Bitcoin, Gateway laptop ML6720, 120 GB WD hard drive, (4) USB ASIC
Mining drives, USB powered cooling fan, 32 GB USB thumb drive
- 70. COLLECTION OF BITCOIN ARTIFACTS: System Info; Info about
Logged users; Registry Info; Remnants of Chats; Web browsing
Activities; Recent Communications; Info from Cloud Services;
Decryption Keys for encrypted volumes mounted
- 71. Sarah Meiklejohn, a Bitcoin focused Computer Researcher:
Extensive Research in Bitcoin Blockchain. Found that by looking at
the blockchain an investigator can uncover who owns a Bitcoin
address. Utilizing the data from 344 transactions, Meiklejohn was
able to identify the owners of more than a million Bitcoin
addresses.
- 72. COLLECTION OF BITCOIN ARTIFACTS: As Bitcoin transactions
occur via a Network Connection, an investigator should seize any
Physical Object that can connect to the Internet in addition to the
hard drive
- 73. Ross Ulbricht
- 74. BITCOIN SOON GONNA REPLACE ALL THESE NAMES!!!!!
- 75. anupamtiwari@protonmail.com
https://about.me/anupam.tiwari
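
Slides 19, 26, 30 and 61 describe blocks that each carry the previous block's hash and are dumped raw into block files under the Blocks folder. The following is an added example, not part of the original deck or of Bitcoin Core: a minimal reader for that raw framing that recomputes each block hash and reports blocks whose previous-hash link no longer resolves. The function names are hypothetical, the sample blocks are constructed header-only records, and the mainnet magic bytes `f9beb4d9` are assumed.

```python
import hashlib
import struct

MAGIC = bytes.fromhex("f9beb4d9")  # Bitcoin mainnet network magic

def dsha256(data: bytes) -> bytes:
    """A block's hash is SHA-256 applied twice to its 80-byte header."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def parse_blk(raw: bytes):
    """Yield (block_hash, prev_hash, unix_time) for each framed block.

    Record layout: 4-byte magic | 4-byte LE length | block (header first).
    Hashes are returned byte-reversed, the way block explorers show them.
    """
    pos = 0
    while pos + 8 <= len(raw):
        if raw[pos:pos + 4] != MAGIC:
            pos += 1                      # resync past zero padding
            continue
        (size,) = struct.unpack_from("<I", raw, pos + 4)
        header = raw[pos + 8:pos + 88]
        if size < 80 or len(header) < 80:
            break                         # truncated record
        (timestamp,) = struct.unpack_from("<I", header, 68)
        yield dsha256(header)[::-1].hex(), header[4:36][::-1].hex(), timestamp
        pos += 8 + size

def unlinked(blocks):
    """Indexes of blocks whose prev-hash matches no block hash in the file."""
    known = {b[0] for b in blocks} | {"00" * 32}   # all-zero = genesis parent
    return [i for i, b in enumerate(blocks) if b[1] not in known]

def sample_file(tamper=False):
    """Three CONSTRUCTED header-only blocks framed like a block file (not real data)."""
    prev, out = bytes(32), b""
    for i in range(3):
        hdr = struct.pack("<I32s32sIII", 1, prev, bytes([i]) * 32,
                          1231006505 + 600 * i, 0x1D00FFFF, i)
        prev = dsha256(hdr)               # next block links to this hash
        if tamper and i == 1:             # alter block 1 after block 2 linked to it
            hdr = hdr[:36] + b"\xff" + hdr[37:]
        out += MAGIC + struct.pack("<I", len(hdr)) + hdr
    return out

if __name__ == "__main__":
    for name, raw in (("clean", sample_file()), ("tampered", sample_file(True))):
        print(name, "unlinked blocks:", unlinked(list(parse_blk(raw))))
```

On a real data directory the blocks are spread over many files and are not stored in chain order, so collect the hashes from every file before treating an unresolved link as evidence of alteration.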
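
Slide 40 describes an address as a 20-byte hash formatted with base58check into a P2PKH or P2SH address. As an added example (not from the original deck), the sketch below validates candidate strings carved from artifacts such as logs or browser remnants, so that only strings with a correct checksum and a known version byte are kept. The function names are hypothetical, the sample addresses are constructed from a made-up hash, and mainnet version bytes 0x00 and 0x05 are assumed.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}  # mainnet version bytes

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256 over version byte + 20-byte hash."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(version: int, hash160: bytes) -> str:
    """Base58Check-encode a version byte and 20-byte hash."""
    data = bytes([version]) + hash160
    data += checksum(data)
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))   # each leading 0x00 -> "1"
    return "1" * zeros + out

def decode_address(addr: str):
    """Return (type, hash160_hex), or None if the string fails validation."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None                   # 0, O, I, l are not in the alphabet
        num = num * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    data = bytes(zeros) + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(data) != 25 or checksum(data[:21]) != data[21:]:
        return None                       # wrong length or a mistyped character
    kind = VERSIONS.get(data[0])
    return (kind, data[1:21].hex()) if kind else None

def triage(candidates):
    """Keep only carved strings that are valid addresses, with their type."""
    return {c: decode_address(c)[0] for c in candidates if decode_address(c)}

# CONSTRUCTED sample: addresses built from a made-up hash, plus noise strings
H160 = bytes(range(1, 21))
GOOD = [encode_address(0x00, H160), encode_address(0x05, H160)]
TYPO = GOOD[0][:-1] + ALPHABET[(ALPHABET.index(GOOD[0][-1]) + 1) % 58]
CARVED = GOOD + [TYPO, "1BitcoinNotAnAddress", "O0Il"]

if __name__ == "__main__":
    print(triage(CARVED))
```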