Offline Analysis of Historical Bitcoin Transactions

Questions and Answers

Which of the following wallets is known for being a multi-chain wallet?

Electrum

Bitcoin Core

Exodus (correct)

BTCRecover

Which of the following wallets is known for being a thin client?

Bitcoin Core

Exodus

Electrum (correct)

BTCRecover

Which of the following wallets stores its data in encrypted Secure Container (.SECO) files?

Electrum

Exodus (correct)

BTCRecover

Bitcoin Core

Which of the following wallets allows users to password protect and encrypt their wallet data?

Electrum

Which of the following wallets is a full node client and requires a full copy of the BTC blockchain to run correctly?

Bitcoin Core

Which command can be used to filter out irrelevant lines from the output of a command?

findstr

What information does the 'pslist' command provide?

Process name and identifier

What does the 'netscan' command identify?

Processes connected to and talking to the network

What do the IP addresses identified by 'netscan' indicate?

The content viewed on the internet

What do Virtual Address Descriptors (VAD) describe?

The slivers of a process in memory

Which command should be used to combine multiple .dmp files into a single file?

copy /b *.dmp bitcoin-qt.dmp

What is the purpose of BTCScan.py?

To extract crypto artefacts from the process space

Why is it important to remove duplicates from the csv file?

To ensure only unique addresses are considered

What is the purpose of the User Assist registry key in Windows?

To track user activities and program usage

Why is being able to attribute an address to a specific user and software valuable in a cryptocurrency investigation?

To understand the addresses provenance

Which of the following is NOT a magic value used to locate valuable artifacts in MetaMask?

balance

What is the purpose of the seedword recovery tool in MetaMask?

To recreate the seed phrase

Where can the necessary wallet data for Chrome extensions be found?

Google/Chrome/Default/Local Extension Settings/[Chrome Extension Hash]

Which Chrome extension has the hash 'nkbihfbeogaeaoehlefnkodbefgpgknn'?

Crypto MetaMask

Where can the wallet data for TronLink be found in Google Chrome?

Google/Chrome/Default/Local Extension Settings/ibnejdfjmmkpcnlpebklmnkoeoihofec

Which command can be used to determine the profile of a RAM image in Volatility?

imageinfo

Where are Bitcoin wallet files saved in the default data directory on Windows Vista and 7?

C:\Users\YourUserName\Appdata\Roaming\Bitcoin\Wallets

What is the magic value at offset zero for all raw Bitcoin data?

f9beb4d9

Which tool can be used to search for Bitcoin wallet files by file names, contents, and regular expressions?

Agent Ransack

Which script can be used to extract Bitcoin addresses, private keys, and Xpriv/Xpub keys by scanning drives, directories, and/or files using RegEx?

BTCScan

Where can you find the MetaMask log file on Windows Chrome?

C:\Users\USER_NAME\AppData\Local\Google\Chrome"User Data"\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

What is MetaMask primarily used for?

Interacting with web3 compatible sites

Which EVM blockchains are supported by MetaMask?

Ethereum (ETH) and Binance Smart Chain (BSC)

What can be found within the MetaMask log file?

Encrypted copy of the wallets seed phrase

Where can you find the MetaMask log file on Mac Firefox?

Library>Application Support>Firefox>Profiles> mqusl6b4.default-release-1653305409297>storage>default