Process Memory Investigation of the Bitcoin Clients Electrum and Bitcoin Core
Bitcoin cryptocurrency is reportedly one widely used digital currency in criminal activities (e.g. used for online purchases of illicit drugs and paying of ransom in ransomware cases). However, there has been limited forensic research of bitcoin clients in the literature. In this paper, the process...
Published in: | IEEE access 2017-01, Vol.5, p.22385-22398 |
---|---|
Main authors: | , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
container_end_page | 22398 |
---|---|
container_issue | |
container_start_page | 22385 |
container_title | IEEE access |
container_volume | 5 |
creator | Van Der Horst, Luuc ; Choo, Kim-Kwang Raymond ; Nhien-An Le-Khac |
description | Bitcoin cryptocurrency is reportedly one widely used digital currency in criminal activities (e.g. used for online purchases of illicit drugs and paying of ransom in ransomware cases). However, there has been limited forensic research of bitcoin clients in the literature. In this paper, the process memory of two popular bitcoin clients, bitcoin Core and electrum, is examined with the aims of identifying potential sources and types of potential relevant data (e.g. bitcoin keys, transaction data and passphrases). Artefacts obtained from the process memory are also studied with other artefacts obtained from the client device (application files on disk and memory-mapped files and registry keys). Findings from this study suggest that both bitcoin Core and electrum's process memory is a valuable source of evidence, and many of the artefacts found in process memory are also available from the application and wallet files on the client device (disk). |
doi_str_mv | 10.1109/ACCESS.2017.2759766 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 2169-3536 |
ispartof | IEEE access, 2017-01, Vol.5, p.22385-22398 |
issn | 2169-3536 2169-3536 |
language | eng |
recordid | cdi_proquest_journals_2455936593 |
source | IEEE Open Access Journals; DOAJ Directory of Open Access Journals; EZB-FREE-00999 freely available EZB journals |
subjects | Bitcoin ; bitcoin client ; bitcoin core ; bitcoin forensics ; Clients ; Crime ; cryptocurrency forensics ; Digital currencies ; Digital forensics ; electrum forensics ; Forensics ; memory forensics ; Microprocessors ; Protocols ; Public key ; Ransomware ; Software |
title | Process Memory Investigation of the Bitcoin Clients Electrum and Bitcoin Core |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-04T07%3A05%3A54IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Process%20Memory%20Investigation%20of%20the%20Bitcoin%20Clients%20Electrum%20and%20Bitcoin%20Core&rft.jtitle=IEEE%20access&rft.au=Van%20Der%20Horst,%20Luuc&rft.date=2017-01-01&rft.volume=5&rft.spage=22385&rft.epage=22398&rft.pages=22385-22398&rft.issn=2169-3536&rft.eissn=2169-3536&rft.coden=IAECCG&rft_id=info:doi/10.1109/ACCESS.2017.2759766&rft_dat=%3Cproquest_cross%3E2455936593%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2455936593&rft_id=info:pmid/&rft_ieee_id=8058429&rft_doaj_id=oai_doaj_org_article_82024c2e11714645ad0a2f8c0cb4502c&rfr_iscdi=true |