Document Type
Article
Publication Date
9-30-2020
Subject: LCSH
Digital forensic science, Data recovery (Computer science), Cryptocurrencies, Bitcoin
Disciplines
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security
Abstract
We present Memory FORESHADOW: Memory FOREnSics of HArDware cryptOcurrency Wallets. To the best of our knowledge, this is the primary account of cryptocurrency hardware wallet client memory forensics. Our exploratory analysis revealed forensically relevant data in memory including transaction history, extended public keys, passphrases, and unique device identifiers. Data extracted with FORESHADOW can be used to associate a hardware wallet with a computer and allow an observer to deanonymize all past and future transactions due to hierarchical deterministic wallet address derivation. Additionally, our novel visualization framework enabled us to measure both the persistence and integrity of artifacts produced by the Ledger and Trezor hardware wallet clients. The framework can be generalized for use in future memory forensics work.
DOI
10.1016/j.fsidi.2020.301002
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Repository Citation
Thomas, Tyler; Piscitelli, Mathew; Shavrov, Ilya; and Baggili, Ibrahim, "Memory FORESHADOW: Memory FOREnSics of HArDware CryptOcurrency Wallets – A Tool and Visualization Framework" (2020). Electrical & Computer Engineering and Computer Science Faculty Publications. 102.
https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/102
Publisher Citation
Tyler Thomas, Mathew Piscitelli, Ilya Shavrov, Ibrahim Baggili, Memory FORESHADOW: Memory FOREnSics of HArDware CryptOcurrency wallets – A Tool and Visualization Framework, Forensic Science International: Digital Investigation, Volume 33, Supplement, 2020, 301002, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2020.301002. (https://www.sciencedirect.com/science/article/pii/S2666281720302511)
Included in
Computer Engineering Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
Comments
Article published in "Forensic Science International: Digital Investigation," Volume 33, Supplement, July 2020.