Forensic Investigations and Computer Forensics in the Age of Blockchain

Author: Anuj Choudhary, CISA, CA, CFE
Date Published: 29 September 2023

Blockchain technology’s almost tamper-proof digital ledger has the potential to revolutionize the way data are stored and transferred. It offers several benefits―such as decentralization, transparency and immutability―that make it an attractive option for enterprises worldwide.

The widespread adoption of blockchain technology in several industries, including finance, healthcare and supply chain management, has led to significant changes in the fields of forensic investigations and computer forensics, which are essential components of information system audits, governance, risk management and cybersecurity. Forensic investigation is the process of gathering, analyzing and presenting digital evidence so that it can stand up in a court of law. Computer forensics involves the collection and analysis of digital data to uncover evidence of cybercrime, fraud or other illegal activities. Digital evidence can include emails, documents, images, videos, log files and other electronic data. Computer forensic investigators must be discreet in their work, disclosing the details of an investigation only to those authorized to know them, both to protect the privacy of the individuals involved and to prevent the destruction of evidence by anyone who learns that an investigation is under way. The chain of custody (the documented record of who acquired, held and handled each item of evidence, and when) is critical to ensure the integrity of digital evidence and its admissibility in legal proceedings.

In the age of blockchain, forensic investigators and computer forensic experts face new opportunities and challenges.

Blockchain can be used to store and track digital data securely. By utilizing hash values, the authenticity of digital data can be verified. For example, in the case of a crime scene photo, an investigator can compare the hash value of the image with the hash recorded at the time it was collected to determine whether it has been altered. A blockchain extends this idea: each block carries the hash of the block before it, so if an attacker alters a transaction record in an earlier block, that block's hash changes, the link stored in every subsequent block no longer matches, and honest nodes reject the altered chain. Hash values do not keep data confidential and do not prevent unauthorized access; what hashing and a blockchain provide is tamper evidence, so that any change to the data or to the ledger can be detected and the integrity and authenticity of the data demonstrated.

As more enterprises adopt blockchain technology, professionals must stay up to date with the latest developments and create new tools and techniques to investigate crimes committed involving blockchain.

The Challenges of Investigating Crimes on Blockchain

Investigating crimes involving blockchain poses various challenges.

Anonymity
One of the primary challenges of investigating crimes committed involving blockchain is pseudonymity, often loosely called anonymity. On a public blockchain every transaction is visible and can be traced from address to address, but an address is only an identifier derived from a public key, so identifying the individuals or enterprises behind those addresses usually requires off-chain information, such as the account records of an exchange that applied know-your-customer checks when the funds were deposited.

Technical Complexity
Specialized technical knowledge is required to investigate crimes committed involving blockchain. Forensic investigators and computer forensic professionals must be able to collect, analyze and interpret transaction data, which requires a deep understanding of the technical aspects of blockchain and the ability to analyze large amounts of data. Compounding the technical complexity are staffing and cost constraints:

  • Global shortage—There are not many people with the skills and experience to investigate crimes committed on blockchain.
  • Cost vs. benefits—The cost of hiring a qualified professional is high, but the benefits, in recovered assets and successful prosecutions, can be significant.

Despite these challenges, there are a number of enterprises and law enforcement agencies that are working to address the shortage of forensic investigators and computer forensic professionals with the specialized technical knowledge required to investigate crimes committed involving blockchain.

Smart Contracts and Decentralized Applications
Smart contracts and decentralized applications are becoming more prevalent in the blockchain ecosystem. They present challenges for forensic investigators and computer forensic professionals in terms of collecting and analyzing digital evidence, including:

  • No central authority—There is no operator to contact for information about the contract, its users or its transactions.
  • Complex code—Understanding how a contract actually behaves requires reading its bytecode or verified source, and a contract deployed behind an upgradeable proxy can have its logic changed by whoever controls the proxy.
  • Lack of off-chain audit trails—The ledger records every transfer, but not who initiated it or why; funds can be routed through mixers, cross-chain bridges and privacy coins, which obscures the flow of funds and potential points of fraud.
  • Use of pseudonyms—Users are identified only by addresses, which makes identifying them difficult.
  • Lack of jurisdiction—With participants and infrastructure spread across many countries, it is difficult to determine which law enforcement agency has jurisdiction.

Once deployed, the terms of a smart contract cannot be altered (unless it was built with an upgrade mechanism), and execution is deterministic, so a disputed outcome cannot simply be reversed. This makes contract-related disputes or breaches difficult to investigate and remedy, and the use of decentralized applications makes it difficult to identify and track individuals involved in criminal activity.


Real-World Uses of Blockchain

Some of the real-world applications of blockchain technology in forensic investigations and computer forensics are digital evidence, the Internet of Things (IoT) and cryptojacking.

Digital Evidence
Blockchain forensics can be used to authenticate and verify digital evidence in cybercrime investigations and subsequent legal proceedings. With the increasing reliance on digital technologies, it has become essential to ensure the integrity and authenticity of digital evidence. Blockchain technology allows a record of digital evidence to be stored in a tamper-evident manner, making it easier to verify its authenticity. This helps investigators prove the occurrence of a crime. For example, if an enterprise that records its transactions on a blockchain is accused of fraud, the ledger provides an unalterable record of those transactions that can be used as evidence of the fraudulent activities. Similarly, when a computer is seized as evidence, the cryptographic hash of its forensic disk image can be anchored on the blockchain (the image itself is far too large to store on-chain and should not be published), allowing anyone to confirm later that the image has not changed since the seizure.

Blockchain-based records can also provide a clear chain of custody, allowing evidence to be tracked from its source. This can improve the reliability of digital evidence and increase confidence in the legal system.1 The same transparency lets investigators track the movement of digital assets such as cryptocurrency, aiding in identifying criminals who use it for illegal activities. If stolen funds are traced to a deposit address at a regulated exchange, for instance, investigators can request the account holder's identity from the exchange and ask it to freeze the assets; the blockchain itself reveals addresses and flows, not names.

In one study, researchers proposed a blockchain-based digital forensics framework for securing digital evidence. The framework uses a tamper-evident blockchain to store the evidence, ensuring its integrity and authenticity, as well as a smart contract–based evidence management system to simplify the process.2
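The tamper-evidence mechanism described earlier (altering an entry changes its hash and breaks the link held by every later entry) and the chain-of-custody use case from the last few paragraphs can be shown in one small ledger. The following Python is an added illustration, not code from the article or from the framework in the cited study: the evidence bytes, custodian names and timestamps are constructed, and an in-memory list stands in for a blockchain or append-only custody system.

```python
"""Hash-chained chain-of-custody ledger for one digital evidence item.

Added illustration, not code from the article. EVIDENCE_BYTES, the
custodians and the timestamps are constructed; the ledger is an in-memory
list standing in for a blockchain or append-only custody system.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_PREV = "0" * 64

# Constructed stand-in for a seized file, e.g., a crime-scene photo.
EVIDENCE_BYTES = b"JPEG placeholder: scene photo, camera 2, 2023-09-01T09:12Z"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    index: int
    timestamp: str        # constructed ISO-8601 time of the custody event
    custodian: str        # who holds the item after this event
    action: str           # "acquired", "transferred", "examined", ...
    evidence_sha256: str  # hash of the evidence item itself
    prev_hash: str        # hash of the previous entry; GENESIS_PREV for the first

    def hash(self) -> str:
        # Canonical JSON so the digest does not depend on field ordering.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return sha256_hex(payload.encode())


def append_entry(ledger: List[CustodyEntry], timestamp: str, custodian: str,
                 action: str, evidence: bytes) -> CustodyEntry:
    """Append a custody event, linking it to the hash of the previous entry."""
    prev_hash = ledger[-1].hash() if ledger else GENESIS_PREV
    entry = CustodyEntry(len(ledger), timestamp, custodian, action,
                         sha256_hex(evidence), prev_hash)
    ledger.append(entry)
    return entry


def first_broken_link(ledger: List[CustodyEntry]) -> Optional[int]:
    """Index of the first entry whose prev_hash does not match the hash of the
    entry before it, or None if every link holds. Editing entry k changes its
    hash, so the break surfaces at entry k+1, exactly as an altered block breaks
    the link stored in the next block of a blockchain."""
    expected = GENESIS_PREV
    for entry in ledger:
        if entry.prev_hash != expected:
            return entry.index
        expected = entry.hash()
    return None


def evidence_matches(ledger: List[CustodyEntry], evidence: bytes) -> bool:
    """True if the item now in hand hashes to what every custody entry recorded."""
    digest = sha256_hex(evidence)
    return bool(ledger) and all(e.evidence_sha256 == digest for e in ledger)


def anchor(ledger: List[CustodyEntry]) -> str:
    """Hash of the latest entry. Publishing this value somewhere the custodian
    cannot edit (a public-chain transaction, a timestamping service) is what makes
    the *last* entry tamper-evident; the link check alone cannot catch an edit to
    the tail of the chain."""
    return ledger[-1].hash()


def anchor_matches(ledger: List[CustodyEntry], anchored: str) -> bool:
    return first_broken_link(ledger) is None and anchor(ledger) == anchored


def tampered_copy(ledger: List[CustodyEntry], index: int, **changes) -> List[CustodyEntry]:
    """Copy of the ledger with one entry's fields rewritten, simulating someone
    editing the custody record after the fact."""
    copy = list(ledger)
    copy[index] = dataclasses.replace(copy[index], **changes)
    return copy


def demo() -> dict:
    ledger: List[CustodyEntry] = []
    append_entry(ledger, "2023-09-01T10:00:00Z", "Officer A", "acquired", EVIDENCE_BYTES)
    append_entry(ledger, "2023-09-02T09:30:00Z", "Analyst B", "transferred", EVIDENCE_BYTES)
    append_entry(ledger, "2023-09-03T14:00:00Z", "Analyst B", "examined", EVIDENCE_BYTES)
    anchored = anchor(ledger)
    middle_edit = tampered_copy(ledger, 1, custodian="Officer C")
    tail_edit = tampered_copy(ledger, 2, action="released")
    return {
        "intact": first_broken_link(ledger) is None,
        "evidence_ok": evidence_matches(ledger, EVIDENCE_BYTES),
        "altered_photo_detected": not evidence_matches(ledger, EVIDENCE_BYTES + b"\x00"),
        "middle_edit_breaks_at": first_broken_link(middle_edit),    # 2
        "tail_edit_link_check": first_broken_link(tail_edit),       # None: not caught
        "tail_edit_vs_anchor": anchor_matches(tail_edit, anchored),  # False: caught
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the paragraph alone does not show: an edit in the middle of the chain is caught by the next entry's stored link, but an edit to the most recent entry is only caught if its hash was anchored somewhere the custodian cannot rewrite, which is the role a public blockchain plays in the frameworks discussed above; and the evidence hash recorded in every entry is what lets a court later check that the item produced is the one that was seized. A production system would also sign each entry with the custodian's key, which the example omits.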

IoT
Blockchain forensics can be used in the context of IoT to investigate cyberattacks and other security incidents. In an IoT environment, devices are interconnected and communicate with one another, creating a complex network that can be difficult to secure. By using blockchain technology, the data and events produced by IoT devices can be recorded on a secure and decentralized ledger that an attacker who compromises a single device cannot quietly rewrite. Blockchain forensics can then be used to identify the source of an attack, trace its path and determine its impact on the IoT system, allowing enterprises to improve their security posture and protect against future attacks. Such devices are common in supply chain management, where a tamper-evident record of sensor and device data is especially valuable.

One group of researchers proposed a blockchain-based framework for the forensic investigation of IoT devices. The proposed framework uses a blockchain to store and manage IoT device data, making it easier to collect and analyze data during forensic investigations. The framework also includes a smart contract–based auditing system to ensure data integrity and authenticity.3

Cryptojacking
Cryptojacking is a cybercrime in which attackers use malware to hijack the processing power of a victim's computer, server, cloud instance or mobile device to mine cryptocurrency. The victim pays in degraded performance, higher electricity or cloud bills and hardware wear, and the malware's foothold can be used for further compromise. Blockchain forensics can assist the investigation by following the mining rewards rather than the victim's device: the malware is configured with a mining pool and a payout wallet address, and payouts from the pool to that address, and onward from it, can be traced on the ledger. A caveat is that most cryptojacking mines privacy-focused coins such as Monero, whose transactions hide amounts and parties, so the payout address recovered from the malware configuration or the pool is often the strongest lead.

An article published by the American Bar Association discussed the benefits of using blockchain forensics to investigate transactions involving digital currencies such as Bitcoin, including the ability to trace these transactions and identify the parties involved. Forensic accounting techniques can also be used to analyze blockchain data and detect attempts to conceal the source or destination of digital currency transactions.4


Blockchain technology can also help detect and deter insider trading in the cryptocurrency market. Insider trading occurs when individuals use nonpublic information to make trades and profit from the market. When trades are recorded on a blockchain in a transparent and immutable manner, trading that anticipates an announcement is easier to identify after the fact, which helps level the playing field and increase confidence in the cryptocurrency market.5

According to a report by Chainalysis, a blockchain data analytics company, crypto-related crimes hit an all-time high in 2022, resulting in the loss of US$20.6 billion. The report highlights the increasing sophistication of criminal activity in the crypto space, with a rise in scams, fraud and theft.6

The perpetrators of crypto-related crimes use a range of techniques to steal cryptocurrency, including phishing, ransomware and hacking exchanges and wallets. For example, when Poly Network was hacked in August 2021, the attacker exploited a flaw in the cross-chain protocol's smart contracts to take roughly US$600 million in assets across several blockchains and transfer them to attacker-controlled wallets. Forensic investigators and the wider community tracked the flow of the stolen funds across the different chains and identified the addresses where they were held; a stablecoin issuer froze part of the proceeds and exchanges were alerted, which made the funds hard to cash out. The attacker ultimately returned almost all of the assets.7

In another case, Jump Crypto, a trading firm that backed the Wormhole cross-chain bridge, recovered 120,000 Ethereum (ETH) in February 2023, a year after the bridge was exploited in February 2022 and about 120,000 wrapped ETH, worth more than US$300 million at the time, was stolen.8 The recovery did not reuse the original bridge vulnerability. The attacker had parked the stolen assets as collateral in a decentralized finance protocol whose contracts could be upgraded by their operators. Acting under a court order, Jump Crypto and the protocol's operators used that upgrade mechanism to move the collateral out of the attacker's positions and into addresses they controlled, effectively a counter-exploit of the protocol's own contracts. The case shows that upgradeable contracts cut both ways: they allow intervention by legitimate operators, but only because those operators hold power over users' funds.


Forensic Investigations Involving Blockchain

When investigating blockchain-related cybercrimes, forensic investigators face a number of challenges due to the technology’s unique characteristics. However, there are five steps investigators can take to conduct an effective forensic investigation:

  1. Identification—The first step in any forensic investigation is to identify the source of the incident. In the case of blockchain, this can involve analyzing the blockchain network to determine where the incident occurred, who was involved and how it was carried out.
  2. Preservation—Once the source of the incident is identified, the next step is to preserve the evidence. Public ledger data is replicated across many nodes and cannot be altered, so what needs preserving is the investigator's snapshot of it: the relevant transactions and contract bytecode exported together with their block heights and transaction hashes, so that anyone can re-verify them against the chain later. The fragile evidence is off-chain: wallet files, seed phrases, browser and exchange account records, node and server logs and forensic images of seized devices must be captured, hashed and entered into the chain of custody before analysis begins, so that the evidence is not altered or destroyed during the investigation.
  3. Analysis—The next step is to analyze the evidence to determine what happened and how it occurred. This can include using specialized blockchain analysis tools that allow investigators to trace transactions, identify wallets, and uncover hidden connections between different actors in the network. Specialized tools include blockchain analysis platforms, such as Chainalysis, Elliptic and CipherTrace, which provide detailed insights into blockchain transactions and can be used to identify suspicious activity. Other tools, such as forensic software and hardware solutions, can be used to analyze digital devices and uncover evidence of cybercrime.
  4. Attribution—Once the evidence has been analyzed, the next step is to attribute the incident to specific individuals or groups. This can be challenging in blockchain investigations, as many actors use pseudonyms or are otherwise difficult to identify. However, by clustering addresses that are controlled together, analyzing transaction patterns and timing, and following funds to the point where they touch a regulated exchange or other service that holds customer records, investigators can often identify the individuals or groups responsible.
  5. Reporting—Finally, the results of the investigation must be reported. This can involve creating a detailed report that outlines the incident, the evidence collected and the conclusions reached. This report can be used to support legal action against the perpetrators and to inform future investigations and improve cybersecurity practices.
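The analysis and attribution steps above, and the cryptojacking payout tracing discussed earlier, come down to following funds forward from a starting address until they reach somewhere an identity can be obtained. The Python below is an added example, not code from the article or from any of the analysis platforms it names; the transfers, addresses, block numbers and labels are constructed, and in real work they would be loaded from a node, an indexer or a platform export.

```python
"""Forward tracing of stolen funds over a transfer log.

Added example, not code from the article or from any analytics platform.
TRANSFERS and LABELS are constructed: hypothetical addresses, amounts and
block numbers, with labels standing in for an address-attribution database.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Tuple


class Transfer(NamedTuple):
    tx_id: str
    block: int     # ordering: an address can only move funds it has already received
    src: str
    dst: str
    amount: float


# Constructed transfer log (hypothetical addresses and amounts).
TRANSFERS = [
    Transfer("tx1", 100, "victim_wallet", "hacker_A", 500.0),   # the theft
    Transfer("tx6", 99, "unrelated_1", "hacker_B", 50.0),       # hacker_B funded before the theft
    Transfer("tx8", 100, "hacker_B", "old_friend", 50.0),       # hacker_B spends BEFORE being tainted
    Transfer("tx2", 101, "hacker_A", "hacker_B", 300.0),
    Transfer("tx3", 101, "hacker_A", "hacker_C", 200.0),
    Transfer("tx7", 102, "unrelated_2", "hacker_A", 10.0),      # incoming to a tainted address; ignored
    Transfer("tx4", 103, "hacker_B", "exchange_deposit_1", 300.0),
    Transfer("tx5", 104, "hacker_C", "mixer_in", 200.0),
]

# Constructed attribution labels; in practice these come from the investigator's
# own casework or an analytics platform's address database.
LABELS = {
    "exchange_deposit_1": "Exchange X deposit address (holds KYC records)",
    "mixer_in": "Mixing service entry address",
}

Endpoint = Tuple[str, str, List[str]]   # (address, label, path of tx_ids)


def trace_funds(transfers: List[Transfer], origin: str,
                labels: Dict[str, str]) -> Tuple[Dict[str, int], List[Endpoint]]:
    """Breadth-first 'poison' taint from ``origin``: once an address receives
    tainted funds at block b, every outgoing transfer at block >= b is treated as
    tainted. Returns the block at which each address was first tainted and the
    labelled addresses where the on-chain trace stops."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    for lst in outgoing.values():
        lst.sort(key=lambda t: (t.block, t.tx_id))

    tainted_at: Dict[str, int] = {origin: 0}
    path: Dict[str, List[str]] = {origin: []}
    endpoints: List[Endpoint] = []
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if addr != origin and addr in labels:
            # Funds reached a service. On-chain tracing ends here; the next step
            # is a legal request to that service for its account records.
            endpoints.append((addr, labels[addr], path[addr]))
            continue
        for t in outgoing.get(addr, []):
            if t.block < tainted_at[addr]:
                continue                      # spent before the taint arrived
            if t.dst not in tainted_at:       # first touch: keep the earliest path
                tainted_at[t.dst] = t.block
                path[t.dst] = path[addr] + [t.tx_id]
                queue.append(t.dst)
    return tainted_at, endpoints


if __name__ == "__main__":
    tainted_at, endpoints = trace_funds(TRANSFERS, "victim_wallet", LABELS)
    print("tainted addresses:", sorted(tainted_at))
    for addr, label, hops in endpoints:
        print(f"{' -> '.join(hops)} reaches {addr}: {label}")
```

The block filter is what keeps the trace honest: hacker_B's earlier payment to old_friend happened before any stolen funds arrived, so old_friend is not flagged, and incoming transfers to a tainted address are never followed. The trace stops at labelled service addresses because that is where attribution leaves the chain: an exchange deposit address points to a customer record that can be requested through legal process, whereas a mixer entry address usually ends the simple trace and calls for the clustering and timing analysis that the dedicated platforms provide. Real cases also need a rule for partially tainted balances (first-in-first-out or proportional taint) that this first-touch example omits.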

Conclusion

There are many challenges when investigating cybercrimes involving blockchain technology. Due to the decentralized and pseudonymous nature of blockchain, and the cryptographic mechanisms (hashing and digital signatures) on which it rests, forensic investigators need specialized knowledge and tools to successfully investigate and prosecute crimes committed using this technology. The key lessons for information systems professionals are:

  • The potential applications of blockchain technology to improve business processes must be understood.
  • Technical skills in blockchain, including how to collect, analyze and interpret transaction data must be developed.
  • Teams must stay apprised of the latest developments in the field, and develop tools and techniques for investigating blockchain-related crimes.
  • The challenges of investigating blockchain-related crime, including anonymity, decentralization, technical complexity, smart contracts and decentralized applications must be understood.
  • The potential uses of blockchain technology in forensic investigations and computer forensics must be realized, including to ensure the integrity and authenticity of digital evidence in legal proceedings and to store digital evidence in a secure and tamper-proof manner.

It is crucial that law enforcement agencies and forensic investigators work together to develop effective strategies and solutions to combat cybercrimes involving blockchain technology.

Endnotes

1 Jha, A.; “Cybercrime and Digital Evidence,” Financial Express, 16 August 2022, http://www.financialexpress.com/defence/cybercrime-and-digital-evidence/2632164/
2 Alhawarat, T. M.; M. Alauthman; “A Blockchain-Based Digital Forensics Framework for Securing Digital Evidence,” Institute of Electrical and Electronics Engineers (IEEE) 3rd International Cyber Resilience Conference (CRC), Malaysia, January 2021, http://ieeexplore.ieee.org/document/9392563
3 Tariq, A. et al.; “A Blockchain-Based Framework for Forensic Investigation of IoT Devices,” Journal of Network and Computer Applications, May 2021, http://www.sciencedirect.com/science/article/abs/pii/S0167739X21000686
4 Rubin, R.; A. Rega; “Forensic Analysis of Digital Currencies in Investigations,” American Bar Association, 5 April 2021, http://www.americanbar.org/groups/litigation/committees/pretrial-practice-discovery/practice/2021/forensic-analysis-of-digital-currencies-in-investigations/
5 Gülen, K.; “Crypto-Enabled Cybercrimes Are on the Rise,” Dataconomy, 26 August 2022, http://dataconomy.com/2022/08/crypto-enabled-cybercrimes-are-on-the-rise/
6 Velasquez, F.; “Crypto Crime Hit All-Time High of $20.6B in 2022: Chainalysis,” CoinDesk, 27 February 2023, http://www.coindesk.com/business/2023/02/27/crypto-crime-hit-all-time-high-of-206b-in-2022-chainalysis/
7 Devanesan, J.; “US$600 Million Stolen in Biggest Crypto Hack in History,” Tech HQ, 11 August 2021, http://techhq.com/2021/08/us600-million-stolen-in-the-biggest-crypto-hack-in-history/
8 Rosen, K.; “After Suffering Second-Largest Ever Crypto Hack, Jump Crypto Recovers 120,000 ETH by Exploiting Its Own Smart Contracts,” Forbes, 3 March 2023, http://www.forbes.com/sites/digital-assets/2023/03/03/after-suffering-second-largest-ever-crypto-hack-jump-crypto-recovers-120000-eth-by-exploiting-its-own-smart-contracts

ANUJ CHOUDHARY | CISA, CA, CFE

Is a corporate compliance manager at Dr. Reddy Laboratories. He has led several high-profile investigations and complex projects for clients in multiple industries and participated in a number of large data analytics and software development projects. Previously, Choudhary was a manager of forensics and integrity services for Ernst and Young LLP (India) and an assistant manager in business advisory services for BDO India LLP. He writes blogs on professional topics, which he publishes on his personal website, heyanuj.com. He is a member of ISACA® and an associate member of the Institute of Chartered Accountants of India and the US Association of Certified Fraud Examiners. He is also a member of the Young Singapore International Arbitration Centre and the Young Mumbai Centre for International Arbitration.