Saturday, March 7, 2026

Mobile Forensics Lab I (blockchain investigation technique)

Mobile Forensics Lab IV

Question:

From what Bitcoin wallet did he get paid the last time for his job?

1. The WhatsApp messages give us a hint as to how much Bitcoin was sent for services on two occasions.

2. The first transfer, whose tx hash is known, was in March, and it is not the latest one.


3. The second one is in April; it mentions an amount, followed by the message 'I see a bit less than that'. (Navigate to Data Artifacts → Messages → WhatsApp (msgstore.db) → Sort by Date/Time.)


The next step is a search on https://blockchair.com/bitcoin/outputs (or a similar service) where we enter the evidence we do have. We can filter by date and time (April 15th, 2021, between 17:20 and 17:40) as well as by the range of bitcoin value (around 0.0913). This yields the output of only one transaction that took place within those parameters. Following that transaction link gives us our result:

Technical Overview

This lab demonstrates a blockchain investigation technique using Blockchair (a blockchain search engine and explorer). Instead of searching for a specific wallet address or transaction hash (TxID), the investigator uses database filtering to isolate a specific transaction based on two known parameters: time and approximate value.

Step-by-Step Explanation

Step 1: Accessing Advanced Search Filters  

When conducting a forensic search by timestamp, standard blockchain explorers fall short because they are built to look up data by cryptographic hash (or address), not by time. Blockchair allows table-based queries over its indexed ledger data.


  1. Activate the Time Filter: Check the Time property on the left-hand panel to open the date configuration window.

  2. Set the Condition: Change the condition to "Between". This allows you to define a specific temporal window rather than searching for an exact second (which might fail due to network propagation delays).

  3. Define the Date and Time: Select April 15, 2021 on the calendar. Check the "Include time" box to ensure the query filters down to the specific hour and minute (17:32:16 UTC).

Step 2: Applying the Value Range Filter 

Filtering by time alone on a high-traffic day like April 15, 2021, would still yield thousands of transactions (noise). To isolate the correct artifact, a second layer of filtering is applied based on the transaction amount.


  1. Activate the Value Filter: Check the Value property on the left panel and select BTC as the currency denomination.

  2. Set a Margin of Error (Range Query): Select "Between" instead of "Exact".

  3. Input the Range: Enter a tight lower bound (0.09228260) and upper bound (0.09228263).

    Forensic Note: Using a range query is a best practice in blockchain forensics. It accounts for decimal rounding, fee deductions, or slight discrepancies in how different ledger platforms display values, any of which can make an "Exact" match miss the transaction.

Step 3: Isolating and Analyzing the Target Output

Once you click Apply, Blockchair queries its indexed database and filters out all non-matching ledger data.

  1. Verify Active Filters: The blue tags at the top (Time (UTC) x and Value (BTC) x) confirm that the dataset is successfully restricted to your specific parameters.

  2. Extract the Artifact: You now have the exact block number (679,370) and the partial Transaction Hash (88c1f...d07fe). Clicking on this hash will allow the investigator to trace the Input addresses (senders) and Output addresses (recipients) to map the flow of funds.
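The three steps above, and the Blockchair search described earlier in the post, amount to one query: keep only the ledger outputs whose timestamp falls in a UTC window and whose value falls in a narrow BTC range. The following Python script is an added example (not part of the lab and not Blockchair's code) that runs that filter offline over a handful of constructed sample rows, and shows why the "Between" range and integer satoshi arithmetic matter. The row values reuse the block number and value range from the lab; the tx hashes are placeholders, and the URL built by `blockchair_query` assumes a `q=field(a..b)` filter syntax that should be checked against current Blockchair documentation.

```python
"""Filter Bitcoin transaction outputs by a UTC time window and a BTC value range.

Added example, not part of the lab or of Blockchair; the sample rows below are
constructed and the query-string format is an assumption (see blockchair_query).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal

SATOSHI_PER_BTC = 100_000_000


def btc_to_sat(amount: str) -> int:
    """Convert a BTC amount written as a string into an integer satoshi count.

    Decimal is used instead of float: 0.09228260 has no exact binary-float
    representation, and one satoshi of rounding error would move a value across
    a tight range boundary like the one used in the lab.
    """
    sats = Decimal(amount) * SATOSHI_PER_BTC
    if sats != sats.to_integral_value():
        raise ValueError(f"{amount} BTC is not a whole number of satoshi")
    return int(sats)


def parse_utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Output:
    block_id: int
    tx_hash: str      # placeholder identifiers, not real transaction hashes
    time_utc: datetime
    value_sat: int


# Constructed sample rows shaped like an explorer's "outputs" table. Only the
# first row matches both the time window and the value range from the lab.
SAMPLE_OUTPUTS = [
    Output(679370, "CONSTRUCTED_TX_A", parse_utc("2021-04-15 17:32:16"), 9228261),
    Output(679370, "CONSTRUCTED_TX_B", parse_utc("2021-04-15 17:32:16"), 5000000),
    Output(679365, "CONSTRUCTED_TX_C", parse_utc("2021-04-15 16:58:02"), 9228261),
    Output(679372, "CONSTRUCTED_TX_D", parse_utc("2021-04-15 17:41:30"), 9228262),
    Output(679369, "CONSTRUCTED_TX_E", parse_utc("2021-04-15 17:21:05"), 9228259),
]


def filter_outputs(outputs, start: datetime, end: datetime,
                   low_btc: str, high_btc: str) -> list:
    """Return outputs inside [start, end] whose value lies in [low_btc, high_btc].

    Both bounds are inclusive, matching the explorer's "Between" condition.
    """
    low, high = btc_to_sat(low_btc), btc_to_sat(high_btc)
    if start > end or low > high:
        raise ValueError("lower bound must not exceed upper bound")
    return [o for o in outputs
            if start <= o.time_utc <= end and low <= o.value_sat <= high]


def blockchair_query(start: datetime, end: datetime,
                     low_btc: str, high_btc: str) -> str:
    """Build a Blockchair-style outputs URL carrying the same two filters.

    ASSUMPTION: this follows the 'q=field(a..b)' filter syntax the author of
    this example believes Blockchair's outputs table accepts, with value given
    in satoshi; confirm against current Blockchair documentation before use.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    time_part = f"time({start.strftime(fmt)}..{end.strftime(fmt)})"
    value_part = f"value({btc_to_sat(low_btc)}..{btc_to_sat(high_btc)})"
    return f"https://blockchair.com/bitcoin/outputs?q={time_part},{value_part}"


if __name__ == "__main__":
    window = (parse_utc("2021-04-15 17:20:00"), parse_utc("2021-04-15 17:40:00"))
    hits = filter_outputs(SAMPLE_OUTPUTS, *window, "0.09228260", "0.09228263")
    for hit in hits:
        print(hit.block_id, hit.tx_hash, hit.time_utc.isoformat(), hit.value_sat)
    print(blockchair_query(*window, "0.09228260", "0.09228263"))
```

With the lab's window and range, only the row in block 679370 survives; widening the lower bound by a single satoshi (0.09228259) also pulls in the 17:21:05 row, which is the point of the Forensic Note: the range is what absorbs display rounding, so it should be as tight as the evidence allows and no tighter.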



Read more:

Timestamp Decoder

Lab: practical exercise to map GPS coordinates extracted


Note: The content on this website is provided for informational and educational purposes only, and as a memory aid.

* If any information is incorrect, we apologize; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
