The Bitcoin-Network Protocol from a Forensic Perspective


Abstract

Network forensics is challenging within most police investigations. Adding a cryptocurrency to network forensics makes it an even more complex challenge. One of the cryptocurrencies that can show up during network forensics is Bitcoin. Bitcoin has gained popularity over the last years among criminals as an alternative to fiat currencies. Because of this increasing popularity, the use of bitcoins by criminals can be found in more and more police investigations. Bitcoin is a cryptocurrency that completely depends on its participating computers. These computers communicate using the bitcoin network protocol to make everyone aware of the latest changes. The bitcoin network protocol uses a message paradigm to send and receive information between participants. To be able to investigate a protocol like the bitcoin network protocol, an investigator needs specific knowledge to gain investigative insights from the network information that was collected. While there are many (academic) papers written about the bitcoin ledger, very little information is available to investigators to acquire the knowledge to investigate the network protocol. This chapter focuses on the knowledge gap that a police investigator might have when encountering the bitcoin network protocol. An experiment was conducted in which the network traffic of a bitcoin client receiving a small amount of bitcoins was investigated for relevant information. After the experiment was completed, the collected data was processed following the phases of the generic process model for network forensics. This chapter identified four bitcoin messages that were marked as possibly containing relevant information. After analysis, three out of the four messages turned out to be relevant.
These messages allow the investigator to obtain the following information: (i) the software that was used for communicating with the bitcoin network can be identified; (ii) the use of a Bloom filter enables an investigator to test bitcoin addresses to determine if a bitcoin client is interested in them; (iii) with the help of the Bloom filter and open source information the transaction message could be determined; (iv) from the messages of the sending party the unique transaction identifier was calculated, enabling the investigator to retrieve details of this transaction from the block chain. With the help of the Bloom filter and transaction messages it’s possible to determine, to a degree close to certainty, the transaction sent and received by bitcoin clients. The experiment investigated a limited number of messages. There might be more information available in the messages that did not get attention in this experiment. Also, the bitcoin client used had no history of previous payments, which has likely resulted in less network information and less pollution of historic information within the messages. Challenges for future experiments or research can be found in investigating heavily used bitcoin clients or the bitcoin messages that did not get attention within the experiment.

Cite

van Veldhuizen, C. L. (Eelco), Liyanage, M., Choo, K. K. R., & Le-Khac, N. A. (2020). The Bitcoin-Network Protocol from a Forensic Perspective. In Studies in Big Data (Vol. 74, pp. 247–275). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-47131-6_11
