Extracting a Wallet File

Many forensic tools can be adjusted to acquire specific data types or filenames. You can also do this easily by creating a simple batch file. An easy text editor to install and use is Notepad++ (https://notepad-plus-plus.org/), which can be downloaded free of charge.

You can write a simple script to find and copy any wallet.dat file on a particular system. It works best to run the batch file from an external drive (USB drive, portable hard drive, etc.), so that the copied files are written to that drive rather than to the system under examination.

Here’s how to do it:

  1. Open Notepad++ and type the following into a new document: xcopy "%systemdrive%\walle*.dat" /s
  2. Save the document as walletfind.bat onto your external drive.
  3. Browse to the batch file and run it.

The xcopy command is available on virtually all versions of Windows. As written, it searches the entire system drive (usually C:) for any file whose name matches the pattern walle*.dat. The /s parameter extends the search to all subdirectories, and the matching files are written to the current directory on your USB drive, reproducing the folder structure found on the disk.

To determine whether any cryptocurrency programs are installed on the computer, run a tool built into Windows 7, 8, and 10. To run the command, add it to the walletfind.bat script that you have just written, following these steps:

  1. Add this line to your script: WMIC product get name, version > installedapps.txt
  2. Save the batch file to your USB drive and run it.

This creates a text file called installedapps.txt. When you open it, you will see a large list of installed applications.

The only problem is that the WMIC command lists only installed applications; executable files that were simply copied onto the disk without being installed would be missed. For this reason, it is a good idea to add a second xcopy line to the batch file that copies all executable files on the system to your USB drive. This will likely be a lengthy list. Add the following line to your walletfind.bat batch file: xcopy "%systemdrive%\*.exe" /s

You now have a list of all installed applications and copies of all executable files on your USB drive, allowing you to search them for known cryptocurrency wallet applications.
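The three steps above combined into one walletfind.bat, as an added example rather than the module's own script. Assumptions of mine: it is run from the root of the external drive, the output folder name walletfind_output is my choice, and the SHA-256 manifest, the collection log and the executable path inventory are additions beyond the lines given in the module.

```batch
@echo off
REM walletfind.bat: the three collection steps from this module in one script.
REM Added example, not the module's original script. Assumed: it is run from
REM the root of the external drive; the output folder name is my choice.
setlocal

REM Everything is written next to this script, never onto the examined system.
set "OUT=%~dp0walletfind_output"
if not exist "%OUT%\wallets" mkdir "%OUT%\wallets"
set "LOG=%OUT%\collection.log"

echo Collection started %DATE% %TIME% > "%LOG%"
echo Host=%COMPUTERNAME% User=%USERNAME% SystemDrive=%SystemDrive% >> "%LOG%"

REM Step 1: copy wallet files, keeping the on-disk folder structure (/s).
REM /h also takes hidden and system files, /c continues past "Access denied"
REM or "Sharing violation" (a wallet open in a running client is locked),
REM /k keeps the read-only attribute, /y suppresses overwrite prompts,
REM /i treats the destination as a directory. Timestamps are preserved.
xcopy "%SystemDrive%\walle*.dat" "%OUT%\wallets" /s /h /c /k /y /i >> "%LOG%" 2>&1

REM Integrity record for what was collected: one SHA-256 per copied file.
REM findstr drops certutil's header and footer lines, leaving only the digest.
for /r "%OUT%\wallets" %%F in (*) do (
    echo %%F >> "%OUT%\wallet_hashes.txt"
    certutil -hashfile "%%F" SHA256 | findstr /v /i "hash" >> "%OUT%\wallet_hashes.txt"
)

REM Step 2: installed applications (only what the installer database knows).
REM Caveat: querying the product class makes Windows Installer re-validate
REM every installed product, which is slow and writes Event Log entries on
REM the examined system; note this in your collection record.
wmic product get name,version > "%OUT%\installedapps.txt" 2>> "%LOG%"

REM Step 3: executables the installer list misses. A path inventory comes
REM first because it is quick and shows what the full copy below will pull.
dir /s /b /a-d "%SystemDrive%\*.exe" > "%OUT%\executables.txt" 2>> "%LOG%"
if not exist "%OUT%\exe" mkdir "%OUT%\exe"
xcopy "%SystemDrive%\*.exe" "%OUT%\exe" /s /h /c /k /y /i >> "%LOG%" 2>&1

echo Collection finished %DATE% %TIME% >> "%LOG%"
endlocal
```

Run it from a command prompt opened on the external drive; collection.log records every file xcopy could not read, so you know what the copy is missing.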

In this module, you have learned how to find and acquire cryptocurrency data. Even more importantly, you have learned how to conduct searches, look for evidence of cryptocurrency, find known wallet addresses online, and search for addresses in downloaded websites. You have also been exposed to different ways to find addresses on acquired hard drives and in computer memory, and to working on a live, running computer to find and extract addresses in that environment.

The legal obligations that may apply to extracting data or imaging systems vary from country to country and jurisdiction to jurisdiction. We will cover some of the more common laws and regulations in a later module. Please research any legal considerations specific to your jurisdiction before performing an investigation or acquisition of data.

