Carney Forensics Blog

Forensics on the Blockchain: Decrypting Cryptocurrency Evidence for Legal Proceedings


The landscape of the financial world is changing, and it is crucial for professionals in the accounting and legal fields to expand their knowledge and understanding along with the evolving technologies and financial systems. The intricacies of blockchain technology and crypto assets are becoming entangled with legal matters including divorces, bankruptcies, asset conversions, fraud and corruption, insurance claims, and many other matters. So how do forensic accountants and digital forensics experts decipher the complex evidence that blockchains and crypto assets leave behind? Welcome to the world of Blockchain and Cryptocurrency Forensics. Let’s delve deeper into how it works.

The Blockchain: A Double-Edged Sword

The inherent nature of blockchain technology, which underpins most crypto assets (also referred to as cryptocurrencies), is both a blessing and a burden. On one hand, every transaction is transparent, recorded for posterity on a public ledger. This transparency ensures that bad actors cannot tamper with records by fraudulently changing them. On the other hand, transactions are pseudonymous. Rather than personal details, what’s visible is a string of alphanumeric characters representing digital wallets. This string of characters is frequently called a public key or a public address. Examples of Ethereum and Bitcoin public addresses are shown below:

Ethereum: 0xb794f5ea0ba39494ce839613fffba74279579268
Bitcoin: 1Lbcfr7sAHTD9CgdQo3HTMTkV8LK4ZnX71

The Pseudonymous Nature of Cryptocurrencies

It’s essential to understand that while crypto assets can offer privacy, they don’t always guarantee complete anonymity. Transactions can often be viewed by anyone using a blockchain explorer, but associating them with an individual or entity requires additional information. This characteristic is where digital forensic techniques become invaluable.

Tracing the Digital Footprints

Several methodologies have evolved to trace the flow of digital assets:

  • Address Clustering: This technique involves associating multiple crypto asset addresses with a single owner. This is possible by analyzing patterns in transactions, looking for shared inputs, and utilizing other data association techniques.
  • Taint Analysis: By tracking “tainted” coins, investigators can identify the flow of funds from an illicit source to its final destination.
  • Temporal Analysis: The timing of transactions can often reveal patterns, helping in identifying suspicious activities or clustering related transactions.
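The first two techniques in the list above can be sketched in a few lines. This is an added example, not code from the original article or from any commercial tool: the transactions are constructed sample data, the function names are hypothetical, and the model assumes each input is spent in full with no fees.

```python
from collections import defaultdict

# Constructed sample ledger (illustrative, not real chain data), in time order.
# inputs/outputs map address -> amount; each input is spent in full, no fees.
TXS = [
    {"inputs": {"A1": 3.0, "A2": 1.0}, "outputs": {"B1": 4.0}},
    {"inputs": {"A2": 2.0, "A3": 2.0}, "outputs": {"C1": 4.0}},
    {"inputs": {"B1": 4.0, "E1": 4.0}, "outputs": {"D1": 6.0, "B2": 2.0}},
]

def cluster_addresses(txs):
    """Shared-input heuristic: addresses spent together in one transaction
    are attributed to one owner. Mixing (CoinJoin-style) breaks this."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        ins = list(tx["inputs"])
        for addr in ins[1:]:
            parent[find(addr)] = find(ins[0])
        for addr in ins + list(tx["outputs"]):
            find(addr)  # register every address, even singletons
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())

def haircut_taint(txs, sources):
    """Proportional taint: each output inherits the tainted share of the
    transaction's inputs. sources maps address -> tainted amount held."""
    taint = defaultdict(float, sources)
    for tx in txs:
        total_in = sum(tx["inputs"].values())
        tainted_in = 0.0
        for addr, amount in tx["inputs"].items():
            spent = min(taint[addr], amount)
            taint[addr] -= spent
            tainted_in += spent
        for addr, amount in tx["outputs"].items():
            taint[addr] += amount * tainted_in / total_in
    return {a: t for a, t in taint.items() if t > 0}

if __name__ == "__main__":
    print(cluster_addresses(TXS), haircut_taint(TXS, {"A1": 3.0}), sep="\n")
```

With `A1` marked as the illicit source, the taint ends up split between `D1` and `B2` in proportion to what each received, while the clustering step groups `A1`, `A2` and `A3` under one presumed owner.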

Tools of the Trade

Blockchain analysis doesn’t have to be a manual endeavor. Tools and platforms like Chainalysis, Elliptic, and CipherTrace have been developed to automate and simplify the process. They analyze patterns, recognize anomalies, and visually represent fund flows. Although these tools may assist with the investigation process, it is important to trust but verify the data they provide.

Addressing the Challenges of Decrypting Cryptocurrency Evidence

Blockchain and cryptocurrency forensics isn’t without its hurdles:

  • Mixers/Tumblers: These services aim to increase transaction privacy by pooling multiple transactions together. This can obscure the origins of funds, making them difficult to trace.
  • Cross-Chain Complications: With the growth in the number of cryptocurrencies and blockchains, swapping assets and moving assets across multiple blockchains further complicate tracking efforts.
  • Privacy Coins/Tokens: Some crypto assets, such as Monero and Zcash, are designed specifically to provide enhanced privacy features, making forensic analysis significantly more challenging.

The Real-World Implications for Lawyers and Business Professionals

Legal professionals and businesses must stay abreast of these developments for several reasons:

  • Litigation & Dispute Resolution: In cases of disputes involving digital assets, understanding the forensic landscape is critical to building or defending a case.
  • Asset Recovery: For businesses that have been defrauded or individuals that have lost assets, understanding the path of digital assets can be the key to recovery.
  • Regulatory Compliance: With increasing scrutiny from regulatory bodies, businesses involved with crypto assets must ensure they adhere to anti-money laundering (AML) and counter-financing of terrorism (CFT) standards.

Digital Footprints & Crypto Recovery from Devices

The blockchain is a digital ledger that can provide invaluable information when utilized. However, the blockchain is not the only source of data that can assist with these matters. Treasure troves of data for crypto assets can be found in a vast number of other sources and locations besides the publicly available blockchain. These other sources are often used in tandem during blockchain forensics investigations to help bridge the gaps of the investigation and help provide smoking gun evidence.

Hardware Wallets/Cold Storage

Crypto assets, unlike physical currency, do not reside in the tangible world; they exist in digital form, secured in what we term “wallets”. Hardware wallets, often dubbed “cold storage”, are physical devices that safeguard these assets offline, away from potential online threats.

Digital forensics experts have a unique skill set to extract vital evidence from these hardware wallets. This includes accessing the public and private keys, which are like a bank account number and its password respectively. Given the legal boundaries, these experts also know how to lawfully obtain the crypto wallet details from a custodian.


Every digital contact leaves a trace, and crypto asset transactions are no different. Be it on a MacBook, a Windows PC, or even Linux servers, evidence might lurk within electronic documents, emails, or browser cache.

Mobile Devices

Modern mobile devices, whether they’re iPhones, Androids, or digital watches, act as repositories of immense data, including crypto asset traces. Text messages, chats, screenshots, and browser histories can hold keys to uncovering crypto transactions or wallet addresses.
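One way to search text recovered from a device for wallet addresses and cut down false positives is to check the Base58Check checksum of each Bitcoin-shaped string. This is an added example, not code from the original article: the function names are hypothetical, the Bitcoin sample addresses are constructed from a made-up hash, and only legacy Base58 Bitcoin addresses and the Ethereum hex format are covered.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy Base58 only
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def checksum(payload):
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + raw

def is_valid_btc(addr):
    """True when the 25-byte payload carries a matching checksum."""
    raw = b58decode(addr)
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def carve_addresses(text):
    """Return (chain, candidate, checksum_ok) for each address-shaped string."""
    hits = [("bitcoin", m.group(), is_valid_btc(m.group()))
            for m in BTC_RE.finditer(text)]
    # Ethereum: format match only; the EIP-55 checksum needs Keccak-256,
    # which hashlib does not provide.
    hits += [("ethereum", m.group(), None) for m in ETH_RE.finditer(text)]
    return hits

# Constructed sample: a P2PKH-style address built from a made-up 20-byte hash,
# a copy with its last character altered, and the Ethereum address shown earlier.
PAYLOAD = b"\x00" + bytes(range(1, 21))
GOOD = b58encode(PAYLOAD + checksum(PAYLOAD))
BAD = GOOD[:-1] + ("2" if GOOD[-1] != "2" else "3")
SAMPLE_TEXT = (f"send to {GOOD} asap\nold note: {BAD}\n"
               "eth 0xb794f5ea0ba39494ce839613fffba74279579268")

if __name__ == "__main__":
    print(*carve_addresses(SAMPLE_TEXT), sep="\n")
```

A candidate that fails the checksum is worth keeping in the notes as a possible mistyped or partially recovered address rather than discarding it outright.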

Metadata in the context of cryptocurrency is essentially the “data about the data.” It is often glossed over, yet it is strategically important. For example, a transaction’s metadata can divulge details such as the wallet addresses involved, the amount transacted, the timestamp of the transaction, and the transaction fees. Metadata proves invaluable in painting a clear picture of any crypto asset activity.

Delving Deeper: Deleted Evidence and Artifacts

As broken pottery reveals tales of ancient civilizations, fragments of digital evidence, even if deleted, can provide pivotal insights. Forensic experts use advanced techniques to recover these traces from secure copies of devices, gleaning insights into past crypto asset transactions or wallet addresses.

With the advent of Artificial Intelligence and Machine Learning, the efficiency of this process has been exponentially enhanced. Advanced algorithms now auto-detect and categorize potential crypto-related evidence, such as screenshots, making the process more streamlined and cost-effective.

Crypto Wallet Forensics

Recovery doesn’t stop at devices; the type of crypto wallet used also determines the approach. Forensic tools are tailored to interface with multiple wallets, be it popular ones like Coinbase Wallet, Bitcoin Core Client, or more niche wallets such as Visa Qiwi Wallet.

Investigators remain vigilant for both “known” and “unknown” wallets. Modern digital forensics tools enable them to scan and decipher traces of any crypto activity, regardless of whether the wallet used is commonly recognized.

The Subtleties of Pocket Litter

Something as trivial as a list of random words in a diary or on a piece of paper could be the master key to a crypto wallet. Known as “recovery seeds” or “seed phrases”, these lists, often 12 to 33 words long, can unlock a wallet if arranged in the correct sequence. They might be concealed within books, planners, or even metallic backups. Bitcoin ATM receipts are another potential goldmine of evidence. While some receipts explicitly mention “Bitcoin”, others may use cryptic terms such as “ledger balance”.

Crypto Recovery from Cloud Accounts

As the clouds in the sky obscure vision, cloud accounts can hide a plethora of crypto asset evidence. By sifting through browser histories, search queries, and third-party mobile apps, digital forensics experts can unveil undisclosed bank accounts, credit unions, and financial services linked to crypto asset activities.

Crypto Exchange Forensics

Crypto exchanges act as the middlemen for buying, selling, or trading digital assets. Evidence from these platforms, like Coinbase or Exodus, provides insights into transactional histories, amounts transacted, and more. Transaction Recovery focuses on tracing the receipts of transfers and transactions. Emails, text messages, and other digital correspondence can provide a full trail of crypto activities.

Two-Factor Authentication (2FA)

2FA acts as an added layer of security for online accounts. By examining authenticator apps, like Google, Microsoft, and Authy, digital forensic experts can associate a smartphone or computer user with specific crypto exchanges. This corroborates other digital evidence by showing which crypto exchanges the device user is likely using.


The intersection of crypto assets and digital forensic examination presents an exciting opportunity for lawyers and accounting professionals. With digital assets becoming more mainstream, mastering the art of blockchain forensics is not a niche skill, but a necessity in our increasingly digital age. By understanding the power of the blockchain and advanced digital forensic techniques, lawyers and accountants can navigate the complex landscape of digital cryptocurrency assets with precision and confidence.