In last week’s post, we talked about Bitcoin, Tor and some of the hidden websites only accessible via Tor, such as Silk Road, which was shut down by the FBI on October 1st.

Well, just over a month later and Silk Road is back online:

You can reach the new site at this link (again, only via Tor) if you’d like to check it out: http://silkroad6ownowfk.onion

It only took a day and they already had over 20,000+ users on the site:

The new admin of the site? “Dread Pirate Roberts”. How’s that possible, he’s been arrested right? Those familiar with the movie “The Princess Bride” will get the joke here – the Dread Pirate Roberts was not one man, but rather a series of individuals who periodically pass the name and reputation on to a chosen successor.

Time will tell how long the new Silk Road lasts, but it’s clear that these secret websites and Tor aren’t going away anytime soon, and neither is the currency that drives these sites, Bitcoin.

We received a lot of positive feedback on the last Bitcoin post and some suggestions for follow-up posts. One of the themes was around identifying Bitcoin wallets, especially on a USB flash drive or other removable media.

First, let’s take a look at the Bitcoin wallet software out there:

As you can see, there are a few different options. This time I’ll focus on the Bitcoin-Qt client, which is a full Bitcoin client and builds the backbone of the network, the standard client used.

If you’re examining an image with the Bitcoin-Qt client present you’ll see a folder structure and files under the Users\[username]\AppData\Roaming\Bitcoin folder similar to this:

Note the “wallet.dat” file and “debug.log”. The wallet.dat file is (you guessed it!) the file containing the wallet data for the user. The debug.log file contains (you guessed it again) debugging information, including communication on the Bitcoin P2P network, including timestamps in some cases.

The wallet.dat file is easy to identify by filename, but backups of the wallet can be made, and can be called whatever the user chooses. If you are examining removable media or other locations where you suspect you are dealing with a Bitcoin wallet file (from the Bitcoin-Qt client), you can check a couple bytes at offset 0x12 for the string “b1” which may identify the file as being a Bitcoin wallet:

Another easy check is to export the file and rename it to “wallet.dat”. Run IEF on that file by using the “Files/Folders” button on the main screen and then unchecking all the artifacts except for the Bitcoin artifact on the artifact selection screen. Here is a sample of what you’d see recovered from the wallet by IEF:

I hope this answers some of the questions you may have had after my last post on Bitcoin forensics.

We’ll do our best to continue bringing you interesting topics in future posts, and as always, I’m eager to hear your suggestions for what you’d like to see in future blog posts. Please feel free to email suggestions, feature requests, and feedback on IEF to jad(at)magnetforensics(dot)com.

Have a great week!

Jad and the Magnet team