Showing posts with label blockchain. Show all posts

Saturday, January 20, 2018

Blockchain and Digital Forensics

The page view metrics for the blog are starting to come back and I’m starting to see more engagement on what I’m writing because of that. You can follow and communicate with me in public on Twitter, Facebook, and LinkedIn, but I’m finding that most people are comfortable just talking in private.  Twitter direct messages have been quite popular, for example, and I’m fine with however people like to talk. Semper Gumby. 
It turns out I have a bit of a Paul Revere thing going on when it comes to the convergence of blockchain and digital forensics given that I’ve been yelling “The blockchains are coming! The blockchains are coming!” for several posts now that I’ve returned to blogging. Okay, fine, they’ve already been here for years, but I don’t think enough people understand that in the digital forensics world. 

The responses that I’ve gotten from my blockchain posts have ranged from dismissive to agreement that blockchain is here to stay and the law enforcement and digital forensic communities need to get ramped up on this much quicker. The responses that spurred me to write this post were the ones that essentially said, “Fine, Eric, I believe you. What exactly do I need to know?” as well as the ones that roughly said, “I’m not saying you’re smoking your socks, but I remain skeptical.”

I think the best place to start is to explain how I tend to view computer crime investigations from a larger conceptual standpoint. There are a variety of models for how both public and private organizations can structure their investigative teams. Back in the early days of the blog when I was working in northern New Jersey, I got to know some of the members of the NYPD Computer Crime Squad. They were nice enough to invite me to visit them from time to time at 1 Police Plaza which was - at least at the time - their home. I don’t think I know anyone on the squad these days because given their in-demand skill set and the way their retirement program worked, the people on that squad tended to have a Logan’s Run thing going on where they’d “renew” into the private sector pretty quickly after their twenty-year seniority mark.

Obscure [ed. note: but clever, darn it] 1970’s 23rd century dystopian science fiction movie references aside, the NYPD Computer Crime Squad at the time had two main components. There were the detectives who did the computer crime work dealing with investigations like online account compromises, web site defacements, computer tampering, as well as providing computer crime support to traditional NYPD investigations. The other component was the detectives who did the hands-on digital forensic examination work. The computer crimes people were the first people I saw when I entered their work space so I think of them as the front of the office people and the digital forensics detectives were in the back of the office in a secured lab.

From a front office perspective, computer crimes investigators have to learn blockchain at least at a conceptual level so that they can explain it to the public, judges, juries, prosecutors, and other law enforcement officers.  They’re going to be seen as subject matter experts on this whether they like it or not.  At some point, for example, they’ll be getting a phone call in the middle of the night from a major crimes team saying they have a kidnapping and the bad guys want the ransom paid in Monero….and what the heck is that? They’re also going to have to understand blockchain at enough of a technical level to understand how value is traded using various blockchains so that they can be effective investigators who can also communicate and educate others. For example, they’ll need to explain concepts such as how people can use online digital currency exchanges, how blockchain wallets work, and concepts such as mining and proof of work. 

Basically, the people who investigate computer crime need to learn it well enough to teach others and I’ve found that’s one of the best ways to learn something.  I forgot who told me this first, but if you want to learn something put yourself in a position where you have to teach it.  I find blockchain gloriously frustrating in that respect. Rob Lee injected more than a few things into my vocabulary over the years. I’ll never forget him telling the students in a digital forensics class that he was teaching that being frustrated was good because it meant that they were eager to learn.  He said if they weren’t frustrated, they either already knew the material or they didn’t care.

The back of the house people have the same problem set as the front of the house people (and in some departments, it’s the same people doing everything), but they also have to understand how to do blockchain investigations through the digital forensics process.

So, what does blockchain look like on the digital forensics end of things?

One of the key elements of blockchain technology is the use of wallets. Wallets can take forms such as hardware wallets, desktop wallets, mobile phone wallets, and web wallets. So, you have all of the standard digital forensics artifacts that you could get when you have someone interacting with software on a device or, in the case of the web wallet, interacting with the wallet using a web browser.

Michael Doran did a fantastic white paper entitled “A Forensic Look at Bitcoin Cryptocurrency” on Bitcoin forensics back in 2015. His paper has a nice introductory portion about Bitcoin and cryptocurrency and then dives into his research on the forensic examination of a desktop wallet. He’s a great example of a sharp digital forensics person who saw a trend early, dug into it, and shared his knowledge with the rest of us. I expect we’ll see someone do something similar down the road on a server set up for blockchain mining.

On the web wallet side of things, most of my research into blockchain has utilized web-based wallets so that I can do research pretty much anywhere I have the time and Internet access. I’ve found the URLs to be really chatty when it comes to things like transaction data. You can see this transaction as an example of one that I did awhile back. Thus, you’ll see useful information in your web browser forensic tool and then you would get more information about the transaction when you went to the link yourself.
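To show how much a web wallet URL can give away, here is an added example (not code from this blog or from any forensic tool) that triages browser-history URLs for Bitcoin transaction IDs and checksum-valid legacy addresses. The host `wallet.example`, the URL layouts and the function names are assumptions made for illustration, and the history rows are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A Bitcoin transaction ID is 32 bytes, shown as 64 hex characters.
TXID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
# Legacy Base58Check addresses start with 1 or 3 and are 26-35 characters long.
ADDR_RE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")

def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 are a valid checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]

def triage(urls):
    """Return (host, kind, value) hits found in the path or query of each URL."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        text = parts.path + "?" + parts.query
        found = [("txid", t.lower()) for t in TXID_RE.findall(text)]
        found += [("address", a) for a in ADDR_RE.findall(text) if base58check_ok(a)]
        for kind, value in found:
            hit = (parts.hostname, kind, value)
            if hit not in hits:          # history often repeats the same page
                hits.append(hit)
    return hits

# Constructed browser-history rows; wallet.example is a placeholder host.
# The address is the widely published Bitcoin genesis-block address.
HISTORY = [
    "https://wallet.example/tx/" + "ab12" * 16,
    "https://wallet.example/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa?tab=txs",
    "https://wallet.example/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",  # mistyped
    "https://wallet.example/tx/" + "ab12" * 16 + "?confirmations=3",
    "https://news.example/article?id=12345",
]

if __name__ == "__main__":
    for hit in triage(HISTORY):
        print(hit)
```

The checksum test is what keeps random 26 to 35 character tokens in URLs from being reported as addresses; newer `bc1` (bech32) addresses use a different encoding and are outside what this sketch covers.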

There is, of course, always going to be the eternal malware issue. Blockchain mining malware analysis is already a thing, of course, which shouldn’t be a surprise to anyone. What I’m really curious about is just how chatty the mining malware is with regard to giving clues as to “who is getting happy” due to the malware. I had a really great former investigative leader that I worked for who was a former Chicago police officer. He mentored me in investigations and used to tell me one of the things you wanted to know was who was getting happy from a criminal scheme whether it was financial or otherwise. In other words, who is getting a positive benefit from this malware?

There is also the blockchain tracking aspect of doing these investigations. I’m a bit ambivalent about that right now in regards to how that is going to play out in the investigative world. I think it will ultimately be increasingly difficult to do as we see the rise of blockchains that are specifically designed to prevent that from happening. Bitcoin lends itself well to tracking transactions since it’s a pretty open system even if there are ways to obfuscate what is going on. There are firms that offer up software to help the tracking process and there have been people like Kevin Perlow who have done good work educating people on the topic of tracking. Kevin did a presentation awhile back on “Tracking Bitcoin Transactions on the Blockchain” and you can find the slides here and the presentation here.

I’ll leave you with a quote from blockchain luminary Preethi Kasireddy that we all should be taking to heart when it comes to our responsibilities to learn and educate in the digital forensics world.


  

Monday, January 1, 2018

Unfit For Purpose: A Tale of Two Currencies

I initially wrote off cryptocurrencies because of deep Bitcoin skepticism that largely remains with me to this day. I was also turned off by the fact that some of the most enthusiastic early Bitcoin enthusiasts were criminals (because of a healthy aversion to prison) and people who had a political axe to grind particularly when it came to central banking.  Throw in Mt Gox and endless stories of how the underground economy was leading the way on Bitcoin usage and it was easy enough to just write it off.  In my defense, I was working on an MBA so I wasn’t paying close attention to much of anything in this space.  It was probably best that I wasn’t doing much blogging then or I would have beclowned myself early and often on this topic.

I eventually came to a conclusion that while Bitcoin was stupid, blockchain was not. I’ve since decided even that was the wrong approach to take as I’ve come to view Bitcoin as the Wright Flyer of blockchain technology.  It shows everyone what is possible and kicks off a revolution in technology that has immense potential even if the original technology starts to look very old, very quickly.

Bitcoin’s problems are legion with one of the biggest being that it’s simply a wretched currency in its present state. It’s a horrible store of value given how volatile it is. The fact that it’s rocketed up in value over the past year is an illustration of how unreliable it is as a store of value rather than an argument for it. As I write this, it’s gone up 1,413% since last year. Anything that can go up that fast can go down just as fast and we’ve seen price drops of 15% on some days.

A currency that unstable isn’t fit for purpose particularly when it comes to being something you can trust to store your money. If that’s not enough for you, it’s bat poop crazy to use it for contracts that are defined in Bitcoin. For example, what possible sense would there be to enter a contract to purchase real estate in Bitcoin? What buyer in their right mind would enter into a contract to purchase a house for 10 Bitcoins worth $145,000 at the time of the contract when in thirty days at the time of close those bitcoins are now worth $207,350 because the price went up 43.55% between contract and close?

Throw in the high transaction fees and the slow settlement time and it’s gotten to the point where even the underground economy is starting to use alternatives such as Litecoin. Anyone who has done research on Bitcoin by doing transactions knows how expensive it gets. It’s certainly some of the most expensive research I’ve ever done.

I also have concerns about “decentralized” cryptocurrencies that relentlessly devour so much energy that the infrastructure is concentrated in a handful of nation-states that can offer up cheap energy to feed the beast.

You can Google to your heart’s content on what makes for a good currency, but at a minimum a good currency will act as a stable store of value that doesn’t go wildly up or down. You have to know that if you put money into that currency that it will remain largely the same value weeks or years down the road.   It also has to be easily transferable (so you can engage in transactions reasonably quickly and easily) and acceptable (people will actually recognize it as a valid currency and will transact with you using it) or it’s just not a viable currency in any meaningful sense.

Ultimately, currency is deeply psychological because it’s about trust. Once upon a time, currency was all about obtaining precious metals like silver and gold and then turning those commodities into actual coined money. Eventually, we ended up with paper money that was backed by commodities which is how we ended up with the gold standard. The gold standard was awesome until it wasn’t. We are now in the fiat-currency era where supply and demand is the primary determiner of value rather than what the currency issuer has stored in its vaults somewhere. The trust that the market has in the issuer of the currency has a large impact on the value of the currency.

I had a whole section written up for this post that went into more detail on the history of the commodity-backed currencies and fiat-currencies, but even my eyes glazed over when I was trying to edit it for publication so I deleted it.  Suffice it to say that both commodity-backed currencies and fiat-currencies have had successes and failures.  The Great Depression was the beginning of the end of the gold standard because every major currency at the time left the gold standard during that time.

Just as the gold standard showed its limitations at various times in the past century, we’ve seen some spectacular fiat-currency disasters that have helped fuel interest in cryptocurrencies. The most recent example is the Venezuelan bolívar and the immense amount of human misery that the mismanagement of that currency has created. I started following the bolívar’s plight even before I started an executive MBA program at the University of Florida, but I really started to understand what I was seeing better after getting a great education in emerging market finance and macroeconomics. The executive summary is falling oil prices coupled with gross mismanagement of the country resulted in the bolívar essentially being destroyed over just a few years of time. Like everyone else who is interested in this topic, I’ve followed the story through the dolartoday website. We’re at the point where the only question I have about the bolívar is whether it ends up like the Zimbabwe dollar and simply goes away or whether it remains as a testament to what can happen when a government destroys its currency and economy.

Even the Venezuelan government knows the gig is up with the bolívar. Their response? Wait for it….wait for it….they’re launching a cryptocurrency called the petro which will be backed with their oil reserves. This will obviously be a wildly successful cryptocurrency and a terrific store of value given how competent the Venezuelan government has been at managing their economy and their previous currency. Wait. I hear it now.

The bolívar is an excellent use case for a stable cryptocurrency that can’t be mucked with by a nation-state.  Many people saw their life savings destroyed by the destruction of the bolívar just as many other people have seen their money disappear in previous fiat-currency disasters.  Even with well managed currencies like the United States dollar and the European Union euro, we’ve seen periods of high inflation and trouble such as the Greek currency controls and Cyprus bank account levies.  

Nation-state economic and monetary mismanagement provides a great use case for well-crafted cryptocurrencies that are truly decentralized and are stable stores of value.  We don’t even need a cryptocurrency that can be used at the grocery store for this to be a successful currency. Something that is a stable store of value and can move money from demand deposit account to demand deposit account relatively quickly and inexpensively can provide an excellent global hedge against nation-state related currency disasters.

So why are you reading this on a cyber crime and digital forensics blog? Because it’s going to be part of your investigative life whether you like it or not.  Being ignorant of blockchain isn’t an option if you intend to be an effective cyber crime investigator or digital forensics examiner.  Anyone who is working on cyber crime cases will have to deal with bad guys moving money around through blockchains. Anyone doing digital forensics exams will be asked by the people doing the cyber crime investigations to provide them evidence that the devices were used to move money via blockchains and to help them determine the classic investigation questions of who, what, why, where, and when.