Tuesday, April 12, 2016

Visualising the Bitcoin Blockchain in Maltego

This post will provide a quick overview of our new Maltego transforms for visualizing the Bitcoin blockchain. There are 11 new transforms in the seed which use Blockchain.info’s API to query data from the blockchain.

(Screenshot's in this post are taken with the Maltego 4 beta release.)

Before we begin, it is important to have an understanding of how Bitcoin and their transactions work so I will start with an overview of some of the main concepts:

Bitcoin Overview


Bitcoin address:
Bitcoin addresses are transaction endpoints that are used to send Bitcoin to another person. A person can generate as many addresses as they want and people should (which they often don’t) use a new address for every transaction that is made. An address is represented with a 26-35 sequence of alphanumeric characters and looks like this: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2. For a more in-depth explanation of Bitcoin addresses you can have a look at the Bitcoin Wiki here.

Bitcoin wallet:
A Bitcoin wallet is a file that contains a collection of private keys that are used to generate bitcoin addresses associated with the wallet. Ownership of these private keys allows the user to spend bitcoin that have been sent to associated addresses. Naturally these private keys should be kept private.

Bitcoin transactions: 
The Bitcoin Wiki has a good explanation of a Bitcoin transactions here

A transaction is a transfer of Bitcoin value that is broadcast to the network and collected into blocks. A transaction typically references previous transaction outputs as new transaction inputs and dedicates all input Bitcoin values to new outputs. Transactions are not encrypted, so it is possible to browse and view every transaction ever collected into a block. Standard transaction outputs nominate addresses, and the redemption of any future inputs requires a relevant signature.

Misconceptions about Bitcoin:
Addresses are not wallets and technically do not have a balance. However most blockchain explorers that you find online will specify an address's balance as the amount of Bitcoin that the address has received minus the amount of Bitcoin the address has sent.

Address attribution:
A single Bitcoin address is only intended to be used for a single transaction, however a lot of the time people will reuse addresses. Address reuse has numerous associated problems including making it easier for people to identify the owner of a particular address. Some Bitcoin services allow users to add tags and meta information about addresses that they know. This information can be publicly queried which provides a useful way for attributing an addresses back to its owner. Keep in mind that this information can be edited by anyone and therefore should not be fully relied upon without further analysis. Our Bitcoin transforms will check for tags associated with addresses and if found will return them in an entity note.

Transform List


The Bitcoin transforms include two new entity types, namely a Bitcoin Address and a Bitcoin Transaction.



Transforms that run on a Bitcoin address:
  • (Bitcoin) Get Address Details – This transform will return additional information about a specific Bitcoin address and adds this information to the address entity's detail view.
  • (Bitcoin) To Addresses [*Received from] - This transform returns Bitcoin addresses that were inputs to transactions where this address was an output. Essentially this transform returns Bitcoin addresses that sent Bitcoin to your input address.
  • (Bitcoin) To Addresses [*Sent To] - This transform returns Bitcoin addresses that were outputs to transactions where this address was an input. Essentially this transform returns Bitcoin addresses that received Bitcoin from your input address.
  • (Bitcoin) To Addresses [Received from][Using Taint Analysis] - The taint relationship between two Bitcoin addresses is represented as a percentage and indicates how closely related two addresses are. This transform allows the user to specify a taint relationship threshold (in %) and returns Bitcoin addresses that have sent Bitcoin to your input address with a higher taint relationship than what was specified in the transform setting.
  • (Bitcoin) To Addresses [Sent To][Using Reversed Taint Analysis] - This transform allows the user to specify a taint relationship threshold (in %) and returns Bitcoin addresses that have received Bitcoin from your input address with a higher taint relationship than what was specified in the transform setting.
  • (Bitcoin) To Transactions [where address was an OUTPUT] - Returns transaction hashes where Bitcoin address was an output of the transactions (receiver).
  • (Bitcoin) To Transactions [where address was an INPUT] - Returns transaction hashes where Bitcoin address was an input to the transaction (sender).

Transforms that run on a Bitcoin transaction:
  • (Bitcoin) To INPUT Addresses - This transform will return the input addresses for the Bitcoin transaction.
  • (Bitcoin) To OUTPUT Addresses - This transform will return the output addresses for the Bitcoin transaction.
  • (Bitcoin) To IP Address of First Relay - This transform returns the IP address of the node which first broadcast this transaction to BlockChain.info. This does not necessarily mean that the IP address returned is the true source of the transaction.
Transforms that run on a URL entity:
  • (Bitcoin) To Bitcoin Addresses on Page - This transform will pass any Bitcoin addresses found on a specific webpage.

Using the transforms


Let’s have a look at an example of how we can use these transforms in a practical scenario. Starting with the address 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX which is allegedly the SilkRoad Seized Coins address. Running the transform (Bitcoin) Get Address Details returns the following information about the address as well as a link to open the address in a blockchain explorer.




Next running the transform (Bitcoin) To Addresses [Output to transactions] to get all the addresses that were outputs in transactions where this address was an input. Running this returns a single address that includes meta data stating US Marshal Auction Coins. The meta data for this address also includes a link that provides more information about the alleged owner of the address.



In the detail view of the returned address further information about the transaction that links these addresses is included.



Going directly from an address to another address, like we have done here, is a bit of a shortcut as we miss out on including the transaction entity on the graph which is the link between these two addresses. An alternative method would be first running the transform (Bitcoin) To Transactions [Where address is an INPUT] which will return a Bitcoin transaction entity. From the transaction entity we could then run the transform (Bitcoin) To Transactions [Where address is an OUTPUT] which will return us the same US Marshal Auction address entity that we had previously.



Most of the time you won’t actually be interested in taking the intermediate step of getting the transaction entity first and you can just run the transform that takes you straight from one address to another.

Next let’s go back to our original address and run the transform (Bitcoin) To Addresses [Inputs to transactions] which will return Bitcoin addresses that were inputs to transaction where this address was an output.

*small portion of the graph


As you would expect we get a large number of addresses back (remember this address was allegedly used on Silk Road). The transform returns the maximum amount of entities of 10 000. The entities that are returned are weighted according to how many transactions they were involved in with the input address making it easier to pick out the addresses that are most related to the input. The entities that are most related will appear in the top left of the block layout while the least related entities will be found at the bottom right.

Finally let's have a look at the transforms that make use of Blockchain.info’s Taint Analysis data. These transforms allow you to return addresses that have either sent or received bitcoins to or from a particular address. Additionally these transforms have another parameter called Taint Relationship which is measured as a percentage and represents how strong the link is between the addresses. Running the transform To Addresses [Using Taint Analysis] on our address while specifying a Taint Relationship of greater than 1% results in the three entities below being returned.



API keys for Blockchain.info:
By default the Bitcoin transforms use Paterva's API key which is subject to being rate limited by Blockchain.info. If our API key does get rate limited you will receive a message returned from the transform indicating this. To reduce the chances of being rate limited you can sign up for a free  API from Blockchain,info and enter it in the blockchain.info APIKEY transform setting. Please also note that the endpoint used for Taint Analysis is heavily rate limited.

You can install the Bitcoin transforms to your Maltego client from the transform hub simply by clicking Install:



As usual enjoy responsibly.

PR

No comments:

Post a Comment