Technology Overview

Blockchain technology is an essential element of cryptocurrencies — without the functionality that blockchain provides, digital currencies like Bitcoin would not exist. Blockchain is a database that contains a list of records (digital transactions) in a ledger through nodes in a distributive network (the Internet). The nodes represent users and their computers, who write entries into a record of information (ledger) and control how the record of information is amended and updated. As a result, no central authority approves the ledger entries, and no one person controls the information. The proof of the accuracy of data is verified and maintained through the many nodes in the network.

Understanding the blockchain conceptually is important for investigators. Without this conceptual knowledge, and during the scrutiny of questioning by prosecuting and defense attorneys during a trial, an investigator will have their competency doubted if they cannot convincingly articulate the blockchain concept. A thorough understanding of blockchain will assist investigators in comprehending and explaining how criminals leverage the technology to facilitate and hide their criminal undertakings.

The Structure of a Block
In basic terms, a blockchain is a chain of blocks containing many transactions and cryptographic hashes clustered into a block by mining. Each block contains the history of the block that came before it, down to the second it was edited. When a block is successfully mined, it is, in essence, locked and confirmed, meaning that nothing within the block can be changed or added. Those mined blocks are then “stacked” on top of each other, in essence creating a chain — or blockchain.

Bitcoin transactions are formed into blocks by miners by solving mathematical equations (puzzles) at roughly ten-minute intervals. These transactions are either part of a mined block or in the mempool. Ethereum, on the other hand, receives transactions much faster, about every fifteen to twenty seconds, from either the transaction pool (txpool) or within a mined block.

It is easy to track the transactions included in a block on Bitcoin over time by following this link: https://www.blockchain.com/charts/n-transactions-per-block?timespan=all (Figure 1).

Figure 1: Bitcoin Transactions Per Block (Source: blockchain.info)

The Headers of a Block
Using one of the most popular cryptocurrencies, Bitcoin, as an example, each mined block has a header that contains an enormous amount of information. The header tops off the block are usually 80-bytes and are hashed repeatedly to create proof of work. Bitcoin’s block is always less than 1 MB; others such as Bitcoin Cash can have blocks reaching 8 MB in size.

A block consists of the following elements (Antonopoulos, 2014 ):

Then we further dissect the block header into five distinct parts, which consist of 80 bytes (Antonopoulos, 2014 ):

Version

This section will find the version value used to track software and protocol upgrades (Bitcoin.org, N.D.).

• Version 1 was introduced in the genesis block (January 2009).
• Version 2 was introduced in Bitcoin Core 0.7.0 (September 2012) as a soft fork. As described in BIP34, valid version 2 blocks require a block height parameter in the coinbase. Also described in BIP34 are rules for rejecting certain blocks; based on those rules, Bitcoin Core 0.7.0 and later versions began to reject version 2 blocks without the block height in coinbase at block height 224,412 (March 2013) and began to reject new version 1 blocks three weeks later at block height 227,930.
• Version 3 blocks were introduced in Bitcoin Core 0.10.0 (February 2015) as a soft fork. When the fork reached full enforcement (July 2015), it required strict DER encoding of all ECDSA signatures in new blocks as described in BIP66. Transactions that do not use strict DER encoding had previously been non-standard since Bitcoin Core 0.8.0 (February 2012).
• Version 4 blocks specified in BIP65 and introduced in Bitcoin Core 0.11.2 (November 2015) as a soft fork became active in December 2015. These blocks now support the new OP_CHECKLOCKTIMEVERIFY opcode described in that BIP.
  

Previous Block Hash
The previous block hash is the hash of the parent block in the blockchain. It provides a direct link to the block that precedes it on the blockchain. Only the header of a block is hashed, and it will always contain a unique value. The Merkle Root, timestamp, difficulty target, and nonce will be different; however, they will be part of the same version.

Merkle Root
Simply put, the Merkle Root is a hash of all transactions in a block.

1. Take each pair of Transaction IDs from the block and hash them together through SHA256 twice.
2. Keep doing this for each pair of Transaction IDs until you end up with a new list of hashes.
   1. Note: If you have an odd number of transactions, hash the remaining transaction with itself.
3. Repeat steps 1-2 for every new list of hashes you create until you finally end up with one hash.
   

Timestamp
The timestamp for a block is recorded in UNIX time. You can identify it as a 10-number string that starts with 15 (until September 2020, starting with 16). This value represents the number of seconds from 00:00:00 1 January 1970 through the current date and time. The timestamp is created when the successful miner starts hashing the header (see http://bit.ly/2fDmLrG for more details from the Bitcoin developer reference).

It is easy to create or reverse the Unix timestamp into a Unix timestamp or back to an easily recognizable date and time using an online converter like the one at Unix Timestamp, at https://www.unixtimestamp.com/.

Suppose you are more of an excel person and like to do things manually as well. Open an excel worksheet and follow these steps.

Convert Timestamp To Date
If you have a list of timestamps needed to convert to date, you can do as below steps (ExtendOffice.com, N.D.):

1. In a blank cell next to your timestamp list and type this formula =(((A1/60)/60)/24)+DATE, press Enter key, then drag the autofill handle to a range you need.

2. Then right-click the cells used the formula, and select Format Cells from the context menu, then in the popping Format Cells dialog, under Number tab, click Date in the Category list, then select the date type in the right section.

3. Click OK; now you can see the Unix timestamps have been converted to dates.

You can use this technique to convert multiple UNIX timestamps simultaneously.

Difficulty Target
When looking at the difficult value, it essentially tells you how hard it is to find a hash that will be lower than the target-defined system.