The decentralized and pseudonymous nature of cryptocurrency has facilitated its extensive use in illicit activities, including money laundering, tax evasion, and ransomware. Limiting such activities requires a well-established forensic framework; however, a dedicated methodology for examining cryptocurrency wallets remains underdeveloped. This study presents a systematic forensic analysis of Electrum wallets installed on virtual machines running Windows 10, outlining the wallet taxonomy and listing all recovered artifacts in detail. The study focuses primarily on memory forensics, with most of the analysis devoted to memory-based artifacts extracted from five distinct memory dump scenarios. Artifact extraction was performed with Volatility 3 plugins, in conjunction with Python-based analysis scripts, within a Kali Linux environment. Following the memory-based analysis, a limited disk examination was conducted after wallet inactivity or system shutdown to assess whether any residual Electrum artifacts persisted beyond memory. The research examines the artifacts retrievable from wallet files, both before and after backup, and compares these results with those obtained from other methods reported in the literature. The experimental outcomes demonstrate the successful extraction of private keys, wallet addresses, extended public keys, wallet files, and transaction IDs. The extracted Electrum addresses and private keys provided access to critical wallet details, and unspent Bitcoin was successfully recovered using these keys, confirming the feasibility of forensic cryptocurrency recovery and revealing data of high evidentiary value to the digital forensic community.
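The kind of memory-based artifact recovery the abstract describes, as an added illustration that is neither the paper's scripts nor Electrum's own code: a Python scanner that carves Base58 candidates (addresses, WIF private keys, xpubs) and hex transaction IDs out of a raw memory image and keeps only those whose Base58Check checksum and version byte hold up. The regex-plus-checksum approach and the constructed `SAMPLE_DUMP` are assumptions for the demonstration; the address is the genesis-block coinbase address and the WIF string is the Bitcoin wiki's published test vector.

```python
import hashlib
import re

# Base58 alphabet shared by Bitcoin addresses, WIF private keys and xpubs.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_decode(s):
    """Return the payload of a Base58Check string, or None if its checksum fails."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # each leading '1' is a zero byte
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload

# Loose regexes pull candidates out of raw memory; Base58Check, the version byte
# and the payload length then discard look-alike junk (assumed carving strategy).
PATTERNS = {
    "address": (re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}"), (0x00, 0x05), (21,)),
    "wif":     (re.compile(rb"[5KL][1-9A-HJ-NP-Za-km-z]{50,51}"), (0x80,), (33, 34)),
    "xpub":    (re.compile(rb"xpub[1-9A-HJ-NP-Za-km-z]{107,108}"), (0x04,), (78,)),
}
TXID = re.compile(rb"\b[0-9a-f]{64}\b")  # hex transaction ids carry no checksum

def scan_memory(data):
    """Return validated wallet artifacts found in `data`, keyed by artifact type."""
    found = {k: set() for k in PATTERNS}
    for kind, (pat, versions, lengths) in PATTERNS.items():
        for m in pat.finditer(data):
            cand = m.group().decode()
            payload = b58check_decode(cand)
            if payload and payload[0] in versions and len(payload) in lengths:
                found[kind].add(cand)
    found["txid"] = {m.group().decode() for m in TXID.finditer(data)}
    return found

# Constructed stand-in for a memory dump: the genesis-block address, the same
# address with its last character corrupted (must be rejected), the Bitcoin
# wiki's WIF test vector, and a made-up 64-hex txid, surrounded by filler bytes.
SAMPLE_DUMP = (
    b"\x00\x00Electrum\x00" + b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" + b"\x00\xff"
    + b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb" + b"\x00"
    + b"5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ" + b"\x00"
    + b"txid " + b"ab" * 32 + b"\x00garbage"
)

if __name__ == "__main__":
    for kind, hits in scan_memory(SAMPLE_DUMP).items():
        print(kind, sorted(hits))
```

Against a real image, read the dump (or the output of a Volatility 3 memory-dumping plugin) into `data` and run `scan_memory` over it; the checksum filter is what keeps the hit list from being flooded by random Base58-looking byte runs.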
Jain et al. studied this question.