查看文章

Bitcoin cryptocurrency is reportedly one widely used digital currency in criminal activities (e.g. used for online purchases of illicit drugs and paying of ransom in ransomware cases). However, there has been limited forensic research of bitcoin clients in the literature. In this paper, the process memory of two popular bitcoin clients, bitcoin Core and electrum, is examined with the aims of identifying potential sources and types of potential relevant data (e.g. bitcoin keys, transaction data and passphrases). Artefacts obtained from the process memory are also studied with other artefacts obtained from the client device (application files on disk and memory-mapped files and registry keys). Findings from this study suggest that both bitcoin Core and electrum's process memory is a valuable source of evidence, and many of the artefacts found in process memory are also available from the application and wallet files on the …