South West Regional Cyber Crime Unit on managing cryptocurrency

Police Oracle spoke with the SWRCCU about methods for managing the sheer amount of digital data that comes with cryptocurrency crimes.

In 2021, cryptocurrency was involved in more than 77 per cent of the South West Regional Cyber Crime Unit’s (SWRCCU) investigations. 

As cryptocurrency becomes more accessible, investigators are increasingly faced with vast amounts of digital data to process and analyse. 

DS Matt Brain spoke with Police Oracle about some of the difficulties they come up against and how they are managing to keep on top of them. 

“Any cyber offence where there’s a financial motive inevitably will involve cryptocurrency,” he said. 

“The most prolific of our investigations are ransomware, and cryptocurrency is how ransomware offenders will be paid, for example.

“Although in many ways people think of cryptocurrency as being very anonymous, actually most transactions are viewable on public ledger, meaning you can go onto a website from any computer and see them.”

“On some level, it's easier to investigate cryptocurrency than investigating traditional crimes, the difficulty comes in the fact that there is no public attribution of those addresses. So you have to look at methods of de-anonymizing the parties involved.” 

DS Brain explained that where cryptocurrency investigations used to solely be contained within the cyber team, they are increasingly getting requests from other teams within the ROCU for support where they are encountering cryptocurrency. 

“The technical bar for using cryptocurrency is not particularly high, if you open up an exchange account it’s all designed to be very user-friendly and intuitive,” he explained. 

“Understanding what’s going on at a coding level is very advanced, but you don’t need a high level of technical knowledge to use it.” 

The team then needs to look at dealing with the amount of digital data that comes in. 

“From the point of view of seizure onwards, at every stage we have to consider what we’re going to seize, what we’re going to submit for imaging and then once we’ve got those images, what amongst that are we going to actually look at, so we’ll come up with a digital forensics strategy,” DS Brain said. 

“For example, you might find a drawer full of historic phones that haven’t been powered on in 10 years, and you’d make the decision that actually it’s highly unlikely there’s any evidence on that.”

Since 2018, the team has also been using Nuix software, which can process large amounts of data into searchable and contextualized information. 

An on-going SWRCCU investigation into the cryptocurrency theft of more than £20 million used Nuix as a tool to extract thousands of Bitcoin addresses. 

An investigating officer within the team was able to write a script which enabled the software to extract cryptocurrency addresses, quickly identify and act on leads that came to light from the extractions, as well as connect Bitcoin addresses to suspects.  It can also extract details such as wallet balance, the number of transactions and the value of throughput. 
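As an added illustration of the kind of extraction described above (not the SWRCCU's script and not Nuix code), the Python below scans text taken from several exhibits for legacy Bitcoin addresses, discards look-alike strings by checking the Base58Check checksum, and records which exhibits each address appears in. The function names, exhibit names and sample addresses are constructed for this example, and it assumes the exhibits have already been rendered to plain text.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy mainnet forms only (P2PKH "1...", P2SH "3..."); bech32 is out of scope.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def _dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58check_encode(version, h160):
    """Build an address from a version byte and 20-byte hash (for sample data)."""
    raw = bytes([version]) + h160
    raw += _dsha(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_valid(addr):
    """True only if the string decodes to 25 bytes with a correct checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and _dsha(raw[:21])[:4] == raw[21:]

def extract_addresses(exhibits):
    """Map each checksum-valid address to the set of exhibits it appears in."""
    hits = {}
    for name, text in exhibits.items():
        for cand in CANDIDATE.findall(text):
            if b58check_valid(cand):
                hits.setdefault(cand, set()).add(name)
    return hits

# Constructed sample data: addresses derived from dummy hashes, not real wallets.
ADDR_A = b58check_encode(0x00, hashlib.sha256(b"sample-a").digest()[:20])
ADDR_B = b58check_encode(0x05, hashlib.sha256(b"sample-b").digest()[:20])
BAD = ADDR_A[:-1] + ("2" if ADDR_A[-1] != "2" else "3")  # corrupted checksum
EXHIBITS = {
    "laptop.txt": f"wallet backup {ADDR_A}\nsend to {BAD} tomorrow",
    "phone.txt": f"chat: pay {ADDR_A} then {ADDR_B}",
}

if __name__ == "__main__":
    print(extract_addresses(EXHIBITS))
```

An address that turns up on more than one exhibit, as the first sample address does here, is the sort of cross-device link that searching a whole case at once is meant to surface.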

The tool can sort through one million items of data in 5-10 minutes. 

The investigation is still at a pre-charge stage so DS Brain was limited in terms of the information he could pass to Police Oracle, but he explained that there were almost 70 devices submitted for forensic examination. 

One of the suspect’s devices had over 17,000 sets of credentials which had been obtained. 

In this case, the cryptocurrency was seized and will be stored as cryptocurrency, meaning the final value will be determined at the point the criminal proceedings are concluded. 

“Nuix is a piece of software that we use once the devices have been forensically imaged. A copy of each of those devices is taken, those copies will then be processed through Nuix,” he said.  

“You can then search across all these devices at once to look for certain things or certain key words.” 

All of the digital exhibits that the team image are fed through Nuix, which compiles them, interprets the data and can categorize it into different types. 

The Bitcoin script is run as well, in line with the forensics strategy that’s made, turning a “ridiculous” number of items that is potentially in the millions into a much more manageable number.

“Traditionally, you load one phone into a review package, you go through to the next one, Nuix allows you to cast your net across everything [...] you can see the links and deal with the entire investigative approach, even bring historical Nuix cases in,” he said. 

Nuix is currently being used by seven of the 10 ROCUs, PSNI, Police Scotland and a number of the regional forces. 

Head of Investigations at Nuix, Mark McCluskie, was an officer for 30 years in the PSNI. Since 2000, he has been involved with digital forensics and cybercrime investigations. 

For Mr McCluskie, the key is to lean on the software to process the data, freeing up officers to actually investigate the seized data. 

“What Nuix is trying to shift thinking to is the fact that that computer is probably linked to a phone and an iPad and a SatNav. So let’s put it all in one case, let’s process it very fast and rather than let the technical person make assumptions of what he or she thinks is relevant, lets take it all back to the investigator and let them review,” he said. 

“In a typical [cryptocurrency] case, with a seized number of devices, what they were doing was examining this computer for all the cryptocurrency wallets and addresses to see if they could find any. When that was done, they did the phone, then the other phone, then the iPad. 

“It was a very laborious process of having to search each device individually to find these cryptocurrencies and wallet addresses.

“What the SWRCCU did was they wrote a script. They put all of the devices into one Nuix case and they ran the script over the whole case. 

“Because the script uses Nuix, the breadth of data concerned is only limited by what we can support.” 

Nuix is not the only digital platform offering support to forces, and while it can take the weight off with regards to officer time and resources, it is often a question of funding. 

For Mr McCluskie: “I think if funding was made available, technology was rolled out on a wider scale, I definitely do think investigation into digital crime could become much more efficient. I think that's not rocket science. I'm sure most people will understand that. 

“Most if not all, police colleges are giving some sort of digital awareness or digital training but I would say that needs to be enhanced. All police officers should be digitally aware and digitally trained to be able to investigate the vast majority of day to day digital crime.”
