Forensic Artefact Discovery and Attribution from Android Cryptocurrency Wallet Applications

TL;DR

This paper investigates forensic artefact extraction from Android Bitcoin and Dogecoin wallets, revealing key data like transaction details and user information to aid criminal investigations involving cryptocurrencies.

Contribution

It provides a systematic method to recover forensic artefacts from Android cryptocurrency wallets, focusing on Bitcoin and Dogecoin, which is underexplored in existing research.

Findings

Recovered wallet IDs, transaction IDs, and timestamps.

Identified user email addresses, cookies, and OAuth tokens.

Demonstrated forensic extraction process for Android wallets.

Abstract

Cryptocurrency has been (ab)used to purchase illicit goods and services such as drugs, weapons and child pornography (also referred to as child sexual abuse materials), and thus mobile devices (where cryptocurrency wallet applications are installed) are a potential source of evidence in a criminal investigation. Not surprisingly, there has been increased focus on the security of cryptocurrency wallets, although forensic extraction and attribution of forensic artefacts from such wallets is understudied. In this paper, we examine Bitcoin and Dogecoin. The latter is increasingly popular partly due to endorsements from celebrities and being positioned as an introductory path to cryptocurrency for newcomers. Specifically, we demonstrate how one can acquire forensic artefacts from Android Bitcoin and Dogecoin cryptocurrency wallets, such as wallet IDs, transaction IDs, timestamp information, email addresses, cookies, and OAuth tokens.