Saturday, January 20, 2018

Blockchain and Digital Forensics

The page view metrics for the blog are starting to come back and I’m starting to see more engagement on what I’m writing because of that. You can follow and communicate with me in public on Twitter, Facebook, and LinkedIn, but I’m finding that most people are comfortable just talking in private.  Twitter direct messages have been quite popular, for example, and I’m fine with however people like to talk. Semper Gumby. 
It turns out I have a bit of a Paul Revere thing going on when it comes to the convergence of blockchain and digital forensics given that I’ve been yelling “The blockchains are coming! The blockchains are coming!” for several posts now that I’ve returned to blogging. Okay, fine, they’ve already been here for years, but I don’t think enough people understand that in the digital forensics world. 

The responses that I’ve gotten from my blockchain posts have ranged from dismissive to agreement that blockchain is here to stay and the law enforcement and digital forensic communities need to get ramped up on this much quicker.  The responses that spurred me to write this post were the ones that essentially said, “Fine, Eric, I believe you.  What exactly do I need to know?” as well as ones that roughly said, “I’m not saying you’re smoking your socks, but I remain skeptical.”

I think the best place to start is to explain how I tend to view computer crime investigations from a larger conceptual standpoint. There are a variety of models for how both public and private organizations can structure their investigative teams.  Back in the early days of the blog when I was working in northern New Jersey, I got to know some of the members of the NYPD Computer Crime Squad. They were nice enough to invite me to visit them from time to time at 1 Police Plaza which was - at least at the time - their home.  I don’t think I know anyone on the squad these days because, given their in-demand skill set and the way their retirement program worked, the people on that squad tended to have a Logan’s Run thing going on where they’d “renew” into the private sector pretty quickly after their twenty year seniority mark.

Obscure [ed. note: but clever, darn it] 1970s 23rd century dystopian science fiction movie references aside, the NYPD Computer Crime Squad at the time had two main components. There were the detectives who did the computer crime work dealing with investigations like online account compromises, web site defacements, computer tampering, as well as providing computer crime support to traditional NYPD investigations.  The other component was the detectives who did the hands-on digital forensic examination work.  The computer crimes people were the first people I saw when I entered their work space so I think of them as the front of the office people and the digital forensics detectives were in the back of the office in a secured lab.

From a front office perspective, computer crimes investigators have to learn blockchain at least at a conceptual level so that they can explain it to the public, judges, juries, prosecutors, and other law enforcement officers.  They’re going to be seen as subject matter experts on this whether they like it or not.  At some point, for example, they’ll be getting a phone call in the middle of the night from a major crimes team saying they have a kidnapping and the bad guys want the ransom paid in Monero… and what the heck is that? They’re also going to have to understand blockchain at enough of a technical level to understand how value is traded using various blockchains so that they can be effective investigators who can also communicate and educate others. For example, they’ll need to explain concepts such as how people can use online digital currency exchanges, how blockchain wallets work, and concepts such as mining and proof of work. 

Basically, the people who investigate computer crime need to learn it well enough to teach others and I’ve found that’s one of the best ways to learn something.  I forgot who told me this first, but if you want to learn something put yourself in a position where you have to teach it.  I find blockchain gloriously frustrating in that respect. Rob Lee injected more than a few things into my vocabulary over the years. I’ll never forget him telling the students in a digital forensics class that he was teaching that being frustrated was good because it meant that they were eager to learn.  He said if they weren’t frustrated, they either already knew the material or they didn’t care.

The back of the house people have the same problem set as the front of the house people (and in some departments, it’s the same people doing everything), but they also have to understand how to do blockchain investigations through the digital forensics process.

So, what does blockchain look like on the digital forensics end of things?

One of the key elements of blockchain technology is the use of wallets.  Wallets can take forms such as hardware wallets, desktop wallets, mobile phone wallets, and web wallets.  So, you have all of the standard digital forensics artifacts that you could get when you have someone interacting with software on a device or, in the case of the web wallet, interacting with the wallet using a web browser. 

Michael Doran did a fantastic white paper entitled “A Forensic Look at Bitcoin Cryptocurrency” on Bitcoin forensics back in 2015. His paper has a nice introductory portion about Bitcoin and cryptocurrency and then dives into his research on the forensic examination of a desktop wallet. He’s a great example of a sharp digital forensics person who saw a trend early, dug into it, and shared his knowledge with the rest of us.  I expect we’ll see someone do something similar down the road on a server set up for blockchain mining.

On the web wallet side of things, most of my research into blockchain has utilized web-based wallets so that I can do research pretty much anywhere I have the time and Internet access. I’ve found the URLs to be really chatty when it comes to things like transaction data.  You can see this transaction as an example of one that I did a while back.  Thus, you’ll see useful information in your web browser forensic tool and then you would get more information about the transaction when you went to the link yourself.
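As an added example (not code from the post), here is a small Python script that does the browser-history triage the paragraph above describes: it pulls 64-hex transaction ids and Base58Check-valid legacy Bitcoin addresses out of URL paths and query strings, discarding candidates whose checksum fails. The hostnames, the address (built from a made-up hash), and the txid are all constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_encode(payload: bytes) -> str:
    # Base58Check: payload + first 4 bytes of double-SHA256(payload), Base58-encoded
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def is_valid_legacy_address(addr: str) -> bool:
    # Decode, then re-encode the 21-byte payload: equality proves the checksum matches
    n = 0
    for ch in addr:
        if ch not in ALPHABET:  # 0, O, I and l are not Base58 characters
            return False
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    return len(raw) == 25 and b58check_encode(raw[:-4]) == addr

TXID_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")            # 32-byte hash in hex
ADDR_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{26,35}\b")  # candidate P2PKH/P2SH address

def extract_artifacts(urls):
    # Returns one record per URL whose path or query carries a txid or a valid address
    hits = []
    for url in urls:
        p = urlparse(url)
        text = f"{p.path} {p.query}".replace("&", " ").replace("=", " ")
        txids = set(TXID_RE.findall(text))
        addrs = {a for a in ADDR_RE.findall(text) if is_valid_legacy_address(a)}
        if txids or addrs:
            hits.append({"host": p.netloc, "txids": sorted(txids), "addresses": sorted(addrs)})
    return hits

# Constructed sample history (not from the post): a synthetic address built from a made-up
# 20-byte hash, a made-up txid, and a copy of the address with its last character altered
SAMPLE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
BAD_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE_TXID = "ab" * 32
SAMPLE_HISTORY = [
    f"https://explorer.example/tx/{SAMPLE_TXID}",
    f"https://wallet.example/address/{SAMPLE_ADDR}?filter=received",
    f"https://wallet.example/address/{BAD_ADDR}",
]
```

Feed `extract_artifacts` the URL column exported from your browser history tool; the checksum step is what keeps random Base58-looking path segments out of the report.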

There is, of course, always going to be the eternal malware issue. Blockchain mining malware analysis is already a thing, of course, which shouldn’t be a surprise to anyone. What I’m really curious about is just how chatty the mining malware is in regards to giving clues as to “who is getting happy” due to the malware.  I had a really great former investigative leader that I worked for who was a former Chicago police officer. He mentored me in investigations and used to tell me one of the things you wanted to know was who was getting happy from a criminal scheme, whether it was financial or otherwise.  In other words, who is getting a positive benefit from this malware?

There is also the blockchain tracking aspect of doing these investigations.  I’m a bit ambivalent about that right now in regards to how that is going to play out in the investigative world.  I think it will ultimately be increasingly difficult to do as we see the rise of blockchains that are specifically designed to prevent that from happening. Bitcoin lends itself well to tracking transactions since it’s a pretty open system, even if there are ways to obfuscate what is going on. There are firms that offer up software to help the tracking process and there have been people like Kevin Perlow who have done good work educating people on the topic of tracking. Kevin did a presentation a while back on “Tracking Bitcoin Transactions on the Blockchain” and you can find the slides here and the presentation here.

I’ll leave you with a quote from blockchain luminary Preethi Kasireddy that we all should be taking to heart when it comes to our responsibilities to learn and educate in the digital forensics world.


  

3 comments:

  1. Eric,

    We still need to know what this stuff looks like...for example, take a look here:

    https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/

    Here's a Cylance blog post I'd linked to back in Aug:

    https://www.cylance.com/en_us/blog/threat-spotlight-cryptocurrency-malware.html

  2. Here's another one from the IR team at SWRX:

    https://www.secureworks.com/blog/unpatched-oracle-weblogic-servers-infected-with-cryptocurrency-software