A cryptocurrency is a decentralized form of virtual currency. Decentralized means that the currency has no single governing body that regulates it. The currency is designed to operate on a peer-to-peer network, relying on cryptography for security and on pseudo-anonymity for transactions. The blockchain itself, however, is publicly available: the ledger is distributed across the network and verified by every device to which it is distributed.
Because the blockchain is peer-to-peer, financial transactions in virtual currency are inherently different from financial transactions in a centralized system. Within a centralized system, legal process can be served on the central authority that controls the transaction or account. There is no such authority to serve within a cryptocurrency system. The ledger is public, so all transactions are available for viewing, searching, and verification.
Knowing what cryptocurrency is and how it was designed, how it operates, and how it is stored allows an investigator to trace the money and seize the cryptocurrency.
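The toy ledger below is an added illustration, not code from the original text, of the three properties just described: the ledger is public and tamper-evident (every peer can re-verify the hash chain with no central authority), addresses are pseudonymous (a hash of a key, not a name), and an investigator can trace funds by following the public record forward from an address. It deliberately omits signatures, mining and consensus, and the keys, addresses and transactions are constructed sample data.

```python
"""Minimal public-ledger model (added example; not the text's own code).

Omits signatures, mining and consensus. Demonstrates hash-chain
verification by every peer, pseudonymous addresses and fund tracing.
"""
import hashlib
import json
from collections import deque

GENESIS_PREV = "0" * 64


def address_for(pubkey: bytes) -> str:
    # Pseudonymous address: derived from a public key, not from an identity.
    return hashlib.sha256(pubkey).hexdigest()[:16]


def block_hash(block: dict) -> str:
    # Hash the block body with its own "hash" field excluded.
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_chain(transactions_per_block):
    # Each block commits to the previous block's hash, forming the chain.
    chain, prev = [], GENESIS_PREV
    for txs in transactions_per_block:
        block = {"prev": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain) -> bool:
    # Every peer runs this independently; any edit to an earlier block
    # breaks the stored hash or the next block's "prev" link.
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or block_hash(block) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def trace_funds(chain, start_address):
    # Breadth-first walk over the public ledger following outputs from
    # start_address. Returns {address: total value received downstream}.
    reached, seen, queue = {}, {start_address}, deque([start_address])
    while queue:
        src = queue.popleft()
        for block in chain:
            for tx in block["txs"]:
                if tx["from"] != src:
                    continue
                dst = tx["to"]
                reached[dst] = reached.get(dst, 0) + tx["amount"]
                if dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
    return reached


# Constructed sample keys (assumed names; not real key material).
SAMPLE_KEYS = {name: f"{name}-pubkey".encode()
               for name in ("subject", "intermediary_a", "intermediary_b", "exchange")}
ADDR = {name: address_for(key) for name, key in SAMPLE_KEYS.items()}


def sample_chain():
    # Constructed sample: funds move from the subject through two
    # intermediaries to an exchange address across two blocks.
    return build_chain([
        [{"from": ADDR["subject"], "to": ADDR["intermediary_a"], "amount": 5}],
        [{"from": ADDR["intermediary_a"], "to": ADDR["intermediary_b"], "amount": 3},
         {"from": ADDR["intermediary_a"], "to": ADDR["exchange"], "amount": 2},
         {"from": ADDR["intermediary_b"], "to": ADDR["exchange"], "amount": 3}],
    ])


if __name__ == "__main__":
    chain = sample_chain()
    print("chain valid:", verify_chain(chain))
    print("downstream of subject:", trace_funds(chain, ADDR["subject"]))
    chain[0]["txs"][0]["amount"] = 1  # a peer tampering with history
    print("chain valid after edit:", verify_chain(chain))
```

Running the script shows the full downstream flow from the subject's address (5 to the first intermediary, 3 to the second, 5 total reaching the exchange) and that changing a single historical amount makes every honest peer reject the chain.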
Investigators may collect evidence under one of the following legal authorities:
Plain View – you can seize what you see. This only allows you to seize items that may contain evidence, not to search the items for evidence.
Consent – gain consent, in writing, from the target to examine computers and mobile devices. The consent form must include language that addresses the seizure and the examination of the item seized. The consent form includes any examinations that may need to be conducted at a later date or location to be completed by a trained Digital Forensic Examiner.
Search Warrant – Search warrants are the preferred method of authority to search for evidence, regardless of what is to be searched, as search warrants are met with the least resistance both on the scene and in court. The search warrant allows an investigator to go through a subject (house, car, container, media) and seize evidence (US Dept of Homeland Security, 2018).
As an investigator collecting evidence from the scene, you want to ensure that you are gathering all of the evidence related to any type of crime, cyber or otherwise. If this includes mobile devices, collect all of them, not just those you believe have active service; mobile devices can often reach Wi-Fi networks without a cellular connection. Also collect any SIM cards, SD cards, external hard drives, or any other device that looks like a flash drive. Many cold storage wallets have the same form factor as a flash drive. Make sure you gather all the items.
If you have a mobile device, put that device in airplane mode. If you cannot access the menu to do so, at least remove the SIM card. You want to isolate the device from all cellular and Wi-Fi networks. Isolating the device reduces the chance of a remote wipe being initiated by a third party, and a remote wipe can and will destroy all evidence on that phone. If you cannot reach the airplane mode setting and there is no SIM card to remove, place the device in a Faraday bag or some other RF-shielded enclosure. If you do not have a Faraday bag, place the device in something such as a paint can that will isolate it from any network, whether cellular, Bluetooth, or Wi-Fi.
You also want to keep the device's battery charged without powering the device on. You may need to connect the mobile device to an external, portable power supply until it can be connected to power at the forensic lab; it could be days before a forensic examiner gets to the device. A device that is powered on must not lose power through battery drain, and isolating a device from the network in a medium such as a Faraday bag drains the battery faster: the radios increase their signal power trying to reach a network, because the software is designed to give the user the best possible reception. In the case of an iPhone, do not power the device off and then back on. There are technologies available that could allow the extraction of up to 95% of the device's data even when it is locked; however, the chances of that succeeding can drop to zero if the device has been power cycled. Having 95% of the data is better than having 0%. So be aware: do not power cycle Apple iOS devices.
Let's talk for a minute about Android: any device running Android 5.0 and above has the option to enable encryption, and on devices running Android 9.0 and above the data is encrypted by default. Do not power cycle newer Android devices. Newer Android devices have Secure Boot or Secure Start-up enabled by default. Can this encryption be defeated? The answer is that it depends. The best practice is not to power cycle devices.
Also, be sure to collect any power cords. Most devices will need to remain powered on, or at least powered up, as the forensic investigation could take hours or days after collection. The forensic department may also need the original equipment cables, as some cables are proprietary and some are designed to transfer power only and not data. So grab all the cables.
Also, some things to be aware of: label the cables before you start disconnecting them, to help the forensic investigator know what was plugged into the computer and identify missing items. Do not crack open the computer case! There have been documented cases where computer towers were booby-trapped with strong electromagnets designed to wipe the hard drive if someone tampered with the case. Do a secondary sweep for evidence that is wireless in configuration or uses wireless technologies such as Bluetooth. An external drive can be attached to a Wi-Fi network by plugging it into a USB port on the back of a wireless router, and data can then be transferred to it without the drive ever being connected to the computer. So be sure to do a secondary sweep for other devices that can serve as a storage medium without being physically connected to the computer.
Pay attention to the surroundings. After the protective sweep for threats during a warrant execution, search again for threats to the evidence. There are documented cases where electromagnets were discovered in the door frame leading out of a room where computer equipment was located. The idea behind this tactic was to create a magnetic field powerful enough to corrupt the data on the hard disk drives in the tower when the computer was carried through the doorway. Be cautious; you can never be too careful with evidence or its collection. It is all about preservation.
Be sure to photograph the state of everything as it was when found. If the computer is off, leave it off. If the computer is on but in a sleep state, shake the mouse or press the space bar to wake it, then photograph whatever is on the display. Call the forensics unit; it may be beneficial for them to come out and capture volatile memory on that machine. Always better safe than sorry. Let the forensic team make the final decision on that.
If you notice that a computer is actively deleting information or is being accessed remotely, immediately unplug that machine from power. Document why you did this; you must preserve whatever evidence you can by quickly removing power from the device. Disconnecting power can be achieved either by unplugging the cord from the wall or by unplugging the cord from the back of the computer. In the case of a laptop where you cannot remove the battery, press and hold the power button to shut down the computer; otherwise, remove the power cord and then remove the battery to power the device off quickly. Once again: document, document, document.
A word of caution on documenting the scene: Never use your personal cell phone to photograph a crime scene. If you use your cell phone to take pictures, your cell phone becomes the custodian of that evidence, and that cell phone should be tagged as evidence. And no one wants their personal device tagged and examined as part of a case.
If a camera is not available to photograph the scene, make sketches and diagrams of the scene. Take measurements to show where the items were located and record that they were collected properly. It may seem extreme, but investigate every scene as if it were a homicide. Proper documentation will save you a lot of embarrassment later at trial.
Do not start using any device to search for evidence on the scene. Let trained forensic investigators do the examination and the analysis. Using or accessing the device makes changes to it, and those changes are reflected in timestamps within the device's operating system: you are altering evidence and changing the data on that device. It is true that any action, including powering the device off, also changes or adds data, but those changes can be explained and proven to be part of the shutdown process. The goal is to minimize anything that would suggest tampering with the device and to avoid any action that would cast doubt on the investigation.
The main focus of this topic is mobile devices, computers, laptops, and tablets, because cryptocurrency is digital. It can be accessed from laptops, desktops, smartphones, tablets, and smart TVs with browsers, so you have to grab everything that can access the Internet. Also search for and collect any evidence containing passphrases, public keys, private keys, or any other documentation indicating that a digital currency or wallet is involved. Collect any manufacturer documentation you see as well; people often write usernames, passwords, passcodes, or PINs on it. So grab everything related to the investigation. If you are ever unsure what you are looking at, whether it is a PIN, a passphrase, or a password, seize it anyway. Let the digital forensic investigators decide its value.
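To show what "documentation indicating a digital currency or wallet" can look like in practice, the triage helper below is an added example, not code from the original text. It assumes Bitcoin-style Base58Check encoding (version byte 0x00 for P2PKH addresses, 0x05 for P2SH addresses, 0x80 for WIF private keys, each followed by a four-byte double-SHA-256 checksum) and flags runs of 12 to 24 short lowercase words as candidate recovery phrases without checking them against the BIP39 word list. The seized-notebook contents it scans are constructed, and the key material in them is derived from fixed strings, not real keys.

```python
"""Triage of transcribed notes for cryptocurrency key material (added
example; assumes Bitcoin Base58Check conventions; sample notes constructed).
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_TOKEN = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{25,60}\b")
SHORT_WORD = re.compile(r"^[a-z]{3,8}$")        # BIP39 words are 3-8 letters
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    data += _checksum(data)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58check_decode(token: str):
    # Returns (version, payload) or None if a character or the checksum is bad.
    n = 0
    for ch in token:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\x00" * (len(token) - len(token.lstrip("1"))) + body
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None
    return data[:1], data[1:-4]


def classify_b58(token: str):
    decoded = b58check_decode(token)
    if decoded is None:
        return None                      # random text or a copying error
    version, payload = decoded
    if version == b"\x00" and len(payload) == 20:
        return "bitcoin P2PKH address"
    if version == b"\x05" and len(payload) == 20:
        return "bitcoin P2SH address"
    if version == b"\x80" and len(payload) in (32, 33):
        return "bitcoin WIF private key"
    return f"base58check data, version 0x{version.hex()}"


def triage_notes(text: str):
    # Returns [(line number, finding, token or line)] for an examiner to review.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in B58_TOKEN.finditer(line):
            kind = classify_b58(m.group())
            if kind:
                findings.append((lineno, kind, m.group()))
        run = 0                          # consecutive short lowercase words
        for word in line.split() + [""]:  # "" sentinel closes the last run
            if SHORT_WORD.match(word):
                run += 1
                continue
            if run in MNEMONIC_LENGTHS:
                findings.append((lineno, f"possible {run}-word recovery phrase", line.strip()))
            run = 0
    return findings


def sample_notes() -> str:
    # Constructed notebook page; keys are hashes of fixed strings, not real keys.
    hash160 = hashlib.sha256(b"constructed-pubkey").digest()[:20]
    privkey = hashlib.sha256(b"constructed-privkey").digest()
    addr = b58check_encode(b"\x00", hash160)
    wif = b58check_encode(b"\x80", privkey + b"\x01")   # 0x01: compressed key
    phrase = " ".join(["abandon"] * 11 + ["about"])       # BIP39 test vector
    return "\n".join([
        "wifi: Summer2021!",
        f"wallet addr {addr}",
        f"backup key {wif}",
        f"seed: {phrase}",
        "grocery list: milk eggs bread",
    ])


if __name__ == "__main__":
    for lineno, kind, value in triage_notes(sample_notes()):
        print(f"line {lineno}: {kind}: {value}")
```

On the constructed page the scan reports the address, the WIF key and the 12-word line, and ignores the Wi-Fi password and grocery list. The checksum check is what keeps the output useful: a Base58 token copied with one wrong character is rejected rather than reported as a wallet address, which is the same reason the text says to seize the paper and let the examiners decide its value rather than guessing at the scene.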