Abstract
Network forensics is challenging in most police investigations, and the presence of a cryptocurrency makes it more complex still. One cryptocurrency that can show up during network forensics is Bitcoin, which has gained popularity among criminals over recent years as an alternative to fiat currencies; as a result, the use of bitcoins by criminals appears in more and more police investigations. Bitcoin is a cryptocurrency that depends entirely on its participating computers, which communicate over the bitcoin network protocol to make every participant aware of the latest changes. The protocol uses a message paradigm to send and receive information between participants. To investigate a protocol like this, an investigator needs specific knowledge in order to gain investigative insight from the network information that was collected. While many (academic) papers have been written about the bitcoin ledger, very little information is available to help an investigator acquire the knowledge needed to investigate the network protocol. This chapter focuses on the knowledge gap a police investigator may have when encountering the bitcoin network protocol. In an experiment, the network traffic of a bitcoin client receiving a small amount of bitcoins was captured and the relevant information investigated. After the experiment, the collected data was processed following the phases of the generic process model for network forensics. Four bitcoin message types were marked as possibly containing relevant information; after analysis, three of the four turned out to be relevant.
These messages allow the investigator to: (i) identify the software used to communicate with the bitcoin network; (ii) use the Bloom filter to test bitcoin addresses and determine whether a bitcoin client is interested in them; (iii) determine the transaction message with the help of the Bloom filter and open source information; (iv) calculate the unique transaction identifier from the messages of the sending party, enabling the investigator to retrieve the details of that transaction from the block chain. With the help of the Bloom filter and transaction messages it is possible to determine, to a degree close to certainty, the transactions sent and received by bitcoin clients. The experiment investigated a limited number of messages. More information may be available in the messages that did not receive attention in this experiment; also, the bitcoin client used had no history of previous payments, which likely resulted in less network information and less pollution by historic information within the messages. Future experiments or research could investigate heavily used bitcoin clients or the bitcoin messages that did not receive attention within this experiment.
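The message envelope, the Bloom filter test of point (ii) and the transaction identifier calculation of point (iv) above, as an added worked example that is not code from the chapter, from Bitcoin Core or from any other bitcoin client. It follows the public protocol rules (the 24-byte header with a double-SHA-256 checksum, BIP 37's filter sizing, MurmurHash3 seeded with i * 0xFBA4C795 + nTweak, and txid = double SHA-256 of the serialised transaction, displayed byte-reversed). Everything else is an assumption for illustration: the two watched key hashes, the unrelated key, the nTweak and nFlags values are constructed sample data; the varint helper only covers lengths below 65536 (enough for BIP 37's 36000-byte filter cap); and the coinbase transaction of the genesis block is a real, public transaction included only as a known txid test vector.

```python
# Added example, not code from the chapter or from any bitcoin client: the P2P
# message envelope, a BIP 37 Bloom filter as an SPV wallet builds it and as an
# observer of its filterload message tests it, and txid derivation from a raw tx.
import hashlib, math, struct

MAGIC_MAIN = bytes.fromhex("f9beb4d9")          # mainnet message start bytes
MAX_FILTER_BYTES, MAX_HASH_FUNCS = 36_000, 50   # BIP 37 limits
M32 = 0xFFFFFFFF                                # 32-bit wraparound mask

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def varint(n: int) -> bytes:                    # CompactSize; lengths here stay below 65536
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)
def read_varint(b: bytes, pos: int):
    return (b[pos], pos + 1) if b[pos] < 0xFD else (struct.unpack_from("<H", b, pos + 1)[0], pos + 3)

def murmur3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32, the hash BIP 37 filters are built on."""
    def mix(k):                                 # per-block scramble (k * c1, rotl 15, * c2)
        k = (k * 0xCC9E2D51) & M32
        return (((k << 15) | (k >> 17)) * 0x1B873593) & M32
    h, full = seed & M32, len(data) // 4
    for i in range(full):
        h ^= mix(int.from_bytes(data[4 * i:4 * i + 4], "little"))
        h = (((h << 13) | (h >> 19)) * 5 + 0xE6546B64) & M32
    if len(data) % 4:                           # 1 to 3 trailing bytes, no rotation step
        h ^= mix(int.from_bytes(data[4 * full:], "little"))
    h ^= len(data)                              # finalisation mix
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & M32
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & M32
    return h ^ (h >> 16)

class BloomFilter:
    """BIP 37 filter: the SPV client inserts, an observer of filterload only tests."""
    def __init__(self, n_elements: int, fp_rate: float, tweak: int, flags: int = 0):
        nbits = min(int(-n_elements * math.log(fp_rate) / math.log(2) ** 2), MAX_FILTER_BYTES * 8)
        self.data = bytearray(nbits // 8)
        self.n_hash = min(int(len(self.data) * 8 / n_elements * math.log(2)), MAX_HASH_FUNCS)
        self.tweak, self.flags = tweak & M32, flags

    def _bits(self, item: bytes):               # BIP 37: seed_i = i * 0xFBA4C795 + nTweak, mod filter bits
        return [murmur3_32(item, (i * 0xFBA4C795 + self.tweak) & M32) % (len(self.data) * 8)
                for i in range(self.n_hash)]

    def insert(self, item: bytes) -> None:
        for b in self._bits(item):
            self.data[b >> 3] |= 1 << (b & 7)

    def contains(self, item: bytes) -> bool:    # False is certain; True may be a false positive
        return all(self.data[b >> 3] & (1 << (b & 7)) for b in self._bits(item))

    def filterload_payload(self) -> bytes:      # varint len | filter | nHashFuncs | nTweak | nFlags
        return varint(len(self.data)) + bytes(self.data) + struct.pack("<IIB", self.n_hash, self.tweak, self.flags)

    @classmethod
    def from_payload(cls, payload: bytes) -> "BloomFilter":
        n, pos = read_varint(payload, 0)
        f = cls.__new__(cls)
        f.data = bytearray(payload[pos:pos + n])
        f.n_hash, f.tweak, f.flags = struct.unpack_from("<IIB", payload, pos + n)
        return f

def wrap_message(command: str, payload: bytes) -> bytes:
    """magic | command (12 bytes, NUL padded) | payload length | first 4 bytes of sha256d | payload"""
    header = MAGIC_MAIN + command.encode().ljust(12, b"\0") + struct.pack("<I", len(payload))
    return header + sha256d(payload)[:4] + payload

def parse_message(raw: bytes):
    """Split one captured message into (command, payload); reject bad magic, truncation or checksum."""
    if raw[:4] != MAGIC_MAIN:
        raise ValueError("not a mainnet message")
    length, checksum = struct.unpack_from("<I4s", raw, 16)
    payload = raw[24:24 + length]
    if len(payload) != length or sha256d(payload)[:4] != checksum:
        raise ValueError("truncated payload or checksum mismatch")
    return raw[4:16].rstrip(b"\0").decode(), payload

def txid(raw_tx: bytes) -> str:                 # sha256d of the raw tx, byte-reversed as explorers show it
    return sha256d(raw_tx)[::-1].hex()

GENESIS_COINBASE = (                            # real transaction, assembled field by field
    struct.pack("<i", 1) + b"\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff"     # version, 1 input, coinbase outpoint
    + b"\x4d" + bytes.fromhex("04ffff001d0104") + b"\x45"                 # scriptSig: push bits, push 4, push 69
    + b"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" + b"\xff\xff\xff\xff"
    + b"\x01" + struct.pack("<Q", 50 * 100_000_000) + b"\x43\x41"          # 1 output, 50 BTC, P2PK script
    + bytes.fromhex("04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
                    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")
    + b"\xac" + struct.pack("<I", 0))           # OP_CHECKSIG, locktime
WATCHED = [hashlib.sha256(b"constructed wallet key %d" % i).digest()[:20] for i in (1, 2)]
STRANGER = hashlib.sha256(b"constructed unrelated key").digest()[:20]   # an address not in the wallet

def demo() -> dict:
    client = BloomFilter(n_elements=10, fp_rate=0.0001, tweak=0xDEADBEEF, flags=1)
    for h in WATCHED:                           # SPV wallet side: register its key hashes
        client.insert(h)
    command, payload = parse_message(wrap_message("filterload", client.filterload_payload()))
    observed = BloomFilter.from_payload(payload)  # investigator side: rebuild from the capture
    return {"command": command, "watched": [observed.contains(h) for h in WATCHED],
            "stranger": observed.contains(STRANGER), "genesis_txid": txid(GENESIS_COINBASE)}
```

Calling demo() plays both sides of the exchange: the wallet builds the filter and sends it inside a filterload message, the observer verifies the envelope checksum, rebuilds the filter from the payload alone and tests candidate key hashes against it. A negative answer from contains() is conclusive, a positive one is only probable at the client's chosen false-positive rate (BIP 37 lets the wallet pick that rate, so a filter observed in a capture may be deliberately noisy), which is why the abstract speaks of certainty only after the Bloom result is combined with the transaction message itself. Feeding the raw bytes of a captured tx message payload to txid() yields the identifier under which the transaction can be looked up in the block chain.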
© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
van Veldhuizen, C.L., Liyanage, M., Choo, KK.R., Le-Khac, NA. (2020). The Bitcoin-Network Protocol from a Forensic Perspective. In: Le-Khac, NA., Choo, KK. (eds) Cyber and Digital Forensic Investigations. Studies in Big Data, vol 74. Springer, Cham. https://doi.org/10.1007/978-3-030-47131-6_11
DOI: https://doi.org/10.1007/978-3-030-47131-6_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-47130-9
Online ISBN: 978-3-030-47131-6
eBook Packages: Intelligent Technologies and Robotics (R0)