Evaluating Tooling and Methodology when Analysing Bitcoin Mixing Services After Forensic Seizure
Edward Henry Young, Christos Chrysoulas, Nikolaos Pitropakis, Pavlos Papadopoulos, William J Buchanan

TL;DR
This paper evaluates forensic tools and methodologies for analyzing Bitcoin mixing services, focusing on Obscuro and Wasabi, to recover artifacts and potentially deanonymize transactions after forensic examination.
Contribution
It introduces an effective forensic analysis methodology for privacy-focused Bitcoin mixing services, demonstrating the recovery of artifacts from VM images using various forensic tools.
Findings
Network forensics provided useful artifacts
Logging files helped deanonymize services
Forensic tools recovered broad range of artifacts
Abstract
Little or no research has been directed at forensic analysis of Bitcoin mixing or 'tumbling' services themselves. This work is intended to examine effective tooling and methodology for recovering forensic artifacts from two privacy-focused mixing services, namely Obscuro, which uses the secure enclave on Intel chips to provide enhanced confidentiality, and Wasabi wallet, which uses CoinJoin to mix and obfuscate cryptocurrencies. These wallets were set up on VMs, and several forensic tools were then used to examine these VM images for relevant forensic artifacts. These forensic tools were able to recover a broad range of forensic artifacts, and both network forensics and logging files were found to be useful sources of artifacts for deanonymizing these mixing services.
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Digital Media Forensic Detection
