Many different wallets offer different functionality and ways to maintain and access your private and public keys. A wallet watches either a local copy or communicates with a copy belonging to another full-node user to build a balance of transactions that it can control. Wallets can be divided into three distinct categories:

  1. Software
    • Full Node Wallet – The entire blockchain is downloaded locally to the wallet. The transactions can be processed, verified, and transmitted to peers.
    • Thin Node Wallet – This wallet connects to a full-node user for the transaction process.
    • Online Wallet – Only exits online on a wallet site. Transaction data is usually not synced to a local full-node user.
  2. Hardware
  3. Paper
    • Cold Wallets or Cold Storage

Software wallets can also be accessed through a desktop, mobile device, or online.


Digital forensic first responders should know the names of key cryptocurrency wallet software tools not to miss important assets. Investigators must track the movements of a suspect’s funds and gain control of them through asset forfeiture and seizure. Forensic analysts work through disk images to follow similar investigation patterns, depending on the case. The forensic software they use will generally try and reconstruct the system files. One such file is the Master File Table in Windows. Viewing this file provides the investigator with a snapshot of both active and deleted files and a list of any installed applications. An investigator should recognize when a cryptocurrency management tool is installed. It could be beneficial during an investigation, possibly uncovering money movement and laundering areas that were unknown before. Similarly, when performing mobile phone forensic investigations, wallet mobile apps are recognized and examined.

Desktop – this type of wallet can be downloaded and installed on a PC or laptop. In most cases, desktop wallets are only accessible from the single computer in which they are downloaded. Desktop wallets offer one of the highest levels of security; however, should your computer be hacked or acquire a virus, the possibility exists that you may lose all your funds. Some downloadable wallets are:

  • Bitcoin Core
  • Electrum
  • Bitcoin Knots
  • Arcbit

Online – Online wallets operate on the cloud and are accessible from any location with Internet access. They are much more convenient to access. However, they are third-party controlled and store your private keys online. This makes them more vulnerable to hacking attacks and theft. Electrum is an online storage wallet that does not enable full-node, only connecting to a remote node for transactions.

Mobile – Mobile wallets run through an app on your phone. Much like online wallets, they can be used anywhere. They are usually much smaller and easier to use than desktop wallets because of space limitations on a mobile device. Some mobile wallets are:

  • Jaxx
  • Coinbase
  • Coinpayments
  • MyEtherWallet


Hardware – Hardware wallets differ from software wallets in a very significant way. Hardware wallets are physical devices, like a USB, that store a user’s private keys on the device. Although you can make transactions online, they are stored offline, which helps to increase security. Hardware wallets are usually compatible with web interfaces and will support different currencies. Some of the different types of hardware wallets are listed below and in Figure 11:

  • Ledger Nano S
  • Trezor Wallet
  • Keepkey

Hardware wallets are usually very secure. If seized during an investigation, it will usually require the suspect’s cooperation to unlock them. However, recovery capabilities are built into hardware wallets if you lose or forget your PIN. Understanding those recovery steps would be key to an investigator trying to access a hardware wallet. Some investigators may not recognize a hardware wallet or a printed recovery card that usually accompanies the wallet. Specifically with Trezor, when the wallet is initialized, the owner is prompted to record a group of supplied words onto a recovery card. This is to assist in accessing the unit in the event the PIN is lost. Additionally, if investigators find the suspect’s recovery card but cannot locate the Trezor, a new Trezor can be acquired, and the recovery card words can be entered into it, which will then reveal the original keys that were configured on the suspect’s device.

Figure 11: Hardware Wallet Types


Paper – Paper wallets just what the term means. This type of wallet is obviously very easy to use and provides a very high level of security. However, paper wallets can refer to software used to securely generate a pair of keys, which are then printed. Using a paper wallet is relatively straightforward. Transferring Bitcoin or any other currency to your paper wallet is accomplished by transferring funds from your software wallet to the public address shown on your paper wallet. Alternatively, if you want to withdraw or spend currency, all you need to do is transfer funds from your paper wallet to your software wallet. This process, often referred to as ‘sweeping,’ can either be done manually by entering your private keys or scanning the paper wallet’s QR code.

Public and private keys can be generated easily without ever being online. Conducting business this way is extremely secure because your key pair will never appear in a wallet or on a computer at all until you need to make a transaction. A tool called WalletGenerator is a free key generator that can be used (see Figure 11.1). It can be accessed at With this program, you can download the files from the GitHub page, then disconnect from the Internet to create your public and private keys securely offline.

Because wallets can be strings of numbers scribbled on paper, it means that they are most likely either tucked away somewhere and easy to miss on laying about in the open as innocuous-looking numbers. However, if an investigator suspects someone to be utilizing cryptocurrency stored on a blockchain, then a paper wallet will most likely be stored very safely. Things such as safes, locked filing cabinets, locked desk drawers, evidence of a safe deposit box, etc., should be checked and added to any search warrant affidavit. Investigators need to be observant to recognize and seize paper with long number strings written on it.

Figure 11.1: WalletGenerator

When you access the web page, you begin moving your mouse around to create randomness. When the bar to the right is completely green, a public and private key will be generated and corresponding QR codes. You can also go to the paper wallet tab and print out a paper wallet based on whatever currency you use. For demonstration purposes, Bitcoin is used as the example in Figure 11-2.

Figure 11-2: Bitcoin Paper Wallet


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment