Desktop Crypto Wallets: A Digital Forensic Investigation and Analysis of Remnants and Traces on end-User Machines

David Debono, Aleandro Sultana

2024

Abstract

Cryptocurrencies have built-in anonymity and privacy features. These currencies can be used for illicit activities, and due to the nature of cryptocurrencies, it is difficult for forensic investigators to extract concrete proof and evidence from a seized system that such wallets have been used for criminal activities. Evidence heavily depends on the status of the application: whether it is present on the system or has been recently uninstalled. In this study, we examine three mainstream desktop cryptocurrency wallets (Exodus, Electrum and Bitcoin Core) and investigate which valuable forensic artefacts the wallet software leaves behind on a Windows 10 computer system during the different phases of the application lifetime. Volatile and non-volatile memory as well as network traffic are examined. Artefacts included hidden files created by the wallet applications, roaming profiles, application directories, and cached browser history. Artefacts present in volatile memory included personal bank details, seed phrases, wallet names and plaintext passwords. The network traffic generated was used to extract DNS records and IP addresses. Roaming profiles were still present after the uninstallation of the wallet applications Exodus and Bitcoin Core, and passwords related to Bitcoin Core were found in volatile memory after the uninstallation process, before restarting the system.



Paper Citation


in Harvard Style

Debono D. and Sultana A. (2024). Desktop Crypto Wallets: A Digital Forensic Investigation and Analysis of Remnants and Traces on end-User Machines. In Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP; ISBN 978-989-758-683-5, SciTePress, pages 350-357. DOI: 10.5220/0012313000003648


in Bibtex Style

@conference{icissp24,
author={David Debono and Aleandro Sultana},
title={Desktop Crypto Wallets: A Digital Forensic Investigation and Analysis of Remnants and Traces on end-User Machines},
booktitle={Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2024},
pages={350-357},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012313000003648},
isbn={978-989-758-683-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Desktop Crypto Wallets: A Digital Forensic Investigation and Analysis of Remnants and Traces on end-User Machines
SN - 978-989-758-683-5
AU - Debono D.
AU - Sultana A.
PY - 2024
SP - 350
EP - 357
DO - 10.5220/0012313000003648
PB - SciTePress