CR · Oct 5, 2021

Evaluating Tooling and Methodology when Analysing Bitcoin Mixing Services After Forensic Seizure

arXiv:2110.01970v1 · 4 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses a gap in forensic analysis for cryptocurrency privacy tools, but it is incremental as it applies existing forensic methods to new services.

The study tackled the lack of research on forensic analysis of Bitcoin mixing services by evaluating tooling and methodology to recover artifacts from Obscuro and Wasabi wallet, finding that network forensics and logging files were useful sources for deanonymization.

Little or no research has been directed at the forensic analysis of Bitcoin mixing or 'tumbling' services themselves. This work is intended to examine effective tooling and methodology for recovering forensic artifacts from two privacy-focused mixing services, namely Obscuro, which uses the secure enclave on Intel chips to provide enhanced confidentiality, and Wasabi wallet, which uses CoinJoin to mix and obfuscate cryptocurrencies. These wallets were set up on VMs, and several forensic tools were then used to examine these VM images for relevant forensic artifacts. These forensic tools were able to recover a broad range of forensic artifacts and found both network forensics and logging files to be a useful source of artifacts to deanonymize these mixing services.
