When most people think about crypto recovery, they picture someone typing furiously at a terminal while lines of code scroll past — or running a password cracker overnight and hoping for a match. The reality is more methodical, more investigative, and in many ways more interesting than that.

Here's exactly what a professional forensic crypto investigation looks like from start to finish.

Phase 1: Intake and assessment

Before anything technical happens, we need to understand the situation. This begins with a free consultation — typically 15 minutes — where we ask about the specific circumstances: what hardware is available, what wallet software was used, what you know or suspect about passwords, and what evidence exists that crypto was held.

From this conversation, we assess whether investigation is likely to be productive. If the situation doesn't look promising — for example, a very short window of Bitcoin activity followed by years of heavy computer use that likely overwrote any wallet data — we'll say so. There's no benefit to charging for work that won't yield results.

If we proceed, an engagement letter is issued covering scope, fees, and process. For wallet recovery work, we also conduct a detailed intake interview about password habits: names, dates, patterns, fragments the person remembers. This information shapes the entire recovery approach — targeted work built from personal information dramatically outperforms generic approaches.

Phase 2: Evidence handling and device intake

Devices arrive by one of three paths: a wallet file sent securely by email (fastest), a hard drive removed from the machine and shipped, or the entire device shipped. We confirm receipt, photograph and document everything, and log condition at intake.

The single most important step that distinguishes forensic work from casual investigation: every drive is connected through a hardware write blocker before anything else happens. A write blocker is a physical device that sits between the hard drive and the investigator's machine; it passes read requests through and blocks every write command, so nothing writes to the original drive. Ever. This preserves the original evidence and is non-negotiable in any serious forensic workflow.

Phase 3: Forensic imaging

Before examining anything, we create a forensic image — a bit-for-bit copy of the entire drive: every sector, including the unallocated space where deleted files live. The image is hashed (SHA-256 and MD5) to create a mathematical fingerprint. Any future copy of that image can be verified against the hash to confirm it hasn't been modified.

All subsequent work happens on the image, never on the original drive. The original goes back in its evidence bag and stays there.

This step matters because it enables two things: it protects the original evidence, and it means that if we make a mistake during analysis — running a tool that corrupts something, for example — we can simply make a fresh copy from the image and start again. The data is preserved regardless of what happens during analysis.
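The imaging and verification steps above, as an added example that is not code from the original post or from the service it describes. It copies a read-only source into an image in fixed-size blocks, hashes the image with SHA-256 and MD5 in the same pass, and handles the case a real drive presents: an unreadable sector. Like dd's conv=noerror,sync, a failing block is retried one sector at a time, each bad sector is zero-filled so the image keeps the drive's exact geometry, and its offset is recorded in the acquisition record. FlakySource, the 256 KiB "drive" and the single bad sector are constructed for the demonstration.

```python
import hashlib
import io

SECTOR = 512
CHUNK = 64 * SECTOR  # 32 KiB per read; a failing block is retried one sector at a time


class FlakySource:
    """Constructed stand-in for a drive behind a write blocker: read-only, and any
    read that touches the sector at `bad_offset` raises OSError (a bad sector)."""

    def __init__(self, data, bad_offset):
        self._buf = io.BytesIO(data)
        self._bad = bad_offset

    def seek(self, pos):
        self._buf.seek(pos)

    def read(self, n):
        start = self._buf.tell()
        if start <= self._bad < start + n:
            raise OSError("Input/output error")
        return self._buf.read(n)


def _read_block(src, pos, size, bad_sectors):
    """Read `size` bytes at `pos`. If the block fails, re-read it sector by sector,
    zero-filling each unreadable sector and recording its offset (what dd does with
    conv=noerror,sync), so the image keeps the drive's exact geometry."""
    src.seek(pos)
    try:
        return src.read(size)
    except OSError:
        pass
    out = bytearray()
    for off in range(pos, pos + size, SECTOR):
        n = min(SECTOR, pos + size - off)
        src.seek(off)
        try:
            out += src.read(n)
        except OSError:
            bad_sectors.append(off)
            out += b"\x00" * n
    return bytes(out)


def image_device(src, total_size, dst, chunk=CHUNK):
    """Copy `total_size` bytes from `src` into `dst`, hashing the image with SHA-256
    and MD5 in the same pass. Returns the acquisition record to file with the image."""
    sha256, md5, bad_sectors = hashlib.sha256(), hashlib.md5(), []
    written = 0
    while written < total_size:
        block = _read_block(src, written, min(chunk, total_size - written), bad_sectors)
        if not block:            # source ended early: stop rather than loop forever
            break
        dst.write(block)
        sha256.update(block)
        md5.update(block)
        written += len(block)
    return {
        "bytes": written,
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
        "bad_sectors": bad_sectors,
    }


def verify_image(source, expected_sha256, chunk=CHUNK):
    """Re-hash an image (bytes or a file-like object) and compare it with the recorded
    SHA-256; run this on every working copy before analysis starts."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    h = hashlib.sha256()
    while True:
        block = source.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest() == expected_sha256


def demo():
    """Image a constructed 256 KiB 'drive' with one bad sector and return everything
    needed to check the result."""
    drive = bytes(range(256)) * 1024          # constructed drive contents
    src = FlakySource(drive, 100 * SECTOR)    # sector 100 is unreadable
    image = io.BytesIO()
    record = image_device(src, len(drive), image)
    return drive, image.getvalue(), record


if __name__ == "__main__":
    drive, image, record = demo()
    print(record)
    print("verified:", verify_image(image, record["sha256"]))
```

The record's bad-sector list belongs in the findings report alongside the hashes: the hash fingerprints the image as acquired, zero-filled sectors included, which is why a second acquisition of a failing drive can legitimately produce a different hash. On a healthy drive the source can be hashed separately and compared with the image hash as an additional check.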

Phase 4: Automated scanning

With a clean image, we run several automated tools in sequence:

Bulk Extractor

A forensic scanner that extracts structured data — Bitcoin addresses, email addresses, URLs, and other identifiable strings — from the raw drive image without needing to parse the filesystem. It works on the raw bytes, which means it finds data in deleted files, slack space, and areas that the filesystem doesn't know about. Bitcoin addresses found in the output are checked against the blockchain immediately.

Filesystem analysis

We examine the active filesystem for wallet files in their expected locations — wallet.dat in Bitcoin folders, default_wallet in Electrum folders, .wallet files in MultiBit directories. We also scan the full drive for any file matching wallet signatures, regardless of location or name.

File carving from unallocated space

Deleted files leave their data in unallocated space until overwritten. File carving tools scan the raw bytes of unallocated space for file signatures — the specific byte patterns that mark the beginning and end of known file formats. This is how we find wallet files that were deleted years ago but never overwritten.
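A minimal signature carver for the technique described above, as an added example that is not code from the original post or from the service it describes. It scans raw bytes with no filesystem involved, using a header-plus-footer rule for JPEG and PNG and, for Berkeley DB files (the format Bitcoin Core's wallet.dat uses), a header-only rule keyed on the btree magic number 0x053162 that sits at offset 12 of the file's first page. Because that format has no footer, the example derives the length from the page size and last page number in the metadata page; the field offsets and little-endian byte order used there are my reading of the on-disk layout and are labelled as an assumption in the code. The sample "unallocated space", the tiny JPEG and the two-page wallet are constructed for the demonstration.

```python
import struct


def bdb_length(blob, start):
    """Length of a Berkeley DB file read from its metadata page: pagesize (u32 at
    offset 20) times last_pgno + 1 (u32 at offset 32). These offsets and the
    little-endian byte order are my reading of the BDB on-disk layout for files
    written on x86 and are stated as an assumption; returns None if implausible."""
    if start + 36 > len(blob):
        return None
    pagesize = struct.unpack_from("<I", blob, start + 20)[0]
    last_pgno = struct.unpack_from("<I", blob, start + 32)[0]
    if pagesize < 512 or pagesize > 65536 or pagesize & (pagesize - 1):
        return None
    return pagesize * (last_pgno + 1)


# (type, header bytes, offset of the header inside the file, footer bytes or None,
#  maximum carve length, optional function that derives the length from the header)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", 0, b"\xff\xd9", 8 * 1024 * 1024, None),
    ("png", b"\x89PNG\r\n\x1a\n", 0, b"IEND\xae\x42\x60\x82", 16 * 1024 * 1024, None),
    # Berkeley DB btree magic 0x053162 (the format of Bitcoin Core's wallet.dat); it
    # sits at offset 12 of page 0, so the file starts 12 bytes before the match.
    ("bdb-btree", struct.pack("<I", 0x053162), 12, None, 1024 * 1024, bdb_length),
]


def carve(blob, signatures=SIGNATURES):
    """Scan raw bytes (unallocated space) for every signature and return the carved
    objects sorted by offset. No filesystem metadata is consulted."""
    hits = []
    for kind, header, hdr_off, footer, max_len, length_fn in signatures:
        pos = blob.find(header)
        while pos != -1:
            start = pos - hdr_off
            if start >= 0:
                end = None
                if footer is not None:
                    f = blob.find(footer, pos + len(header), start + max_len)
                    if f != -1:
                        end = f + len(footer)
                elif length_fn is not None:
                    n = length_fn(blob, start)
                    if n is not None and n <= max_len:
                        end = start + n
                if end is None:                      # no footer found: carve generously
                    end = min(start + max_len, len(blob))
                hits.append({"type": kind, "start": start, "end": end, "data": blob[start:end]})
            pos = blob.find(header, pos + 1)
    hits.sort(key=lambda h: h["start"])
    return hits


def build_sample_unallocated():
    """Constructed 'unallocated space': zero filler, a minimal JPEG, more filler,
    a two-page Berkeley DB file laid out like a wallet.dat, and trailing junk."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
    page0 = bytearray(4096)
    struct.pack_into("<I", page0, 12, 0x053162)   # btree magic
    struct.pack_into("<I", page0, 16, 9)          # format version
    struct.pack_into("<I", page0, 20, 4096)       # pagesize
    struct.pack_into("<I", page0, 32, 1)          # last_pgno: pages 0 and 1 exist
    wallet = bytes(page0) + b"\x01" * 4096
    blob = b"\x00" * 4096 + jpeg + b"\x00" * 1000 + wallet + b"\xaa" * 512
    return blob, jpeg, wallet


if __name__ == "__main__":
    blob, _, _ = build_sample_unallocated()
    for h in carve(blob):
        print(f"{h['type']:10s} offset={h['start']:6d} length={h['end'] - h['start']}")
```

Two practical points the toy shows: a carved object is a candidate, not a file, so a carved wallet still has to be opened and validated (fragmented files carve as garbage); and when no footer or length can be determined the carver deliberately over-carves up to the maximum, because trimming later is cheap and a truncated wallet is useless.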

Digital footprint analysis

Browser history, bookmarks, cached pages, saved passwords, and email artifacts are examined for evidence of crypto activity: visits to exchanges, mining pool URLs, wallet download pages, saved credentials for crypto-related services. This part of the investigation often reveals exchange accounts and web wallets that device scanning won't surface.

Phase 5: Manual verification

Automated tools produce hits that need human judgment. Bitcoin address patterns match other data — Windows telemetry generates strings that look like addresses, ransomware notes contain attacker addresses, browser extensions create address-like strings. Every hit is evaluated for context before it's treated as a signal.

When a genuine wallet file is found, the first question is: does it hold anything? We extract the wallet's Bitcoin addresses and check them against the public blockchain — no password needed for this step. If the wallet is empty, we document that and move on. If it holds a balance, we know the recovery work is worthwhile and proceed to cracking.
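The first mechanical filter behind the manual verification described above, as an added example that is not code from the original post or from the service it describes. Many of the false positives mentioned (telemetry identifiers, extension-generated strings) merely look like addresses; a real legacy or P2SH address carries a Base58Check checksum (the first four bytes of a double SHA-256 over the version byte and hash160), so a checksum test rules out most of the junk before anyone spends time on context. The sample scanner output is constructed: one genuine address (the well-known coinbase address of Bitcoin's genesis block), one identifier shaped like an address, and one address with a single-character typo. Bech32 addresses (bc1...) use a different checksum and are not handled here.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH, starts with 1) and P2SH (starts with 3) address shapes; bech32
# addresses (bc1...) have a different checksum and are not handled here.
CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def base58check_decode(s):
    """Return the 21-byte payload (version + hash160) if `s` is a well-formed
    Base58Check string with a valid double-SHA-256 checksum, else None."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))   # each leading '1' is a 0x00 byte
    data = b"\x00" * leading_zeros + body
    if len(data) != 25:
        return None
    payload, checksum = data[:21], data[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_valid_legacy_address(s):
    payload = base58check_decode(s)
    return payload is not None and payload[0] in (0x00, 0x05)   # mainnet P2PKH / P2SH


def triage_address_hits(raw):
    """Find address-shaped strings in raw scanner output and split them into
    checksum-valid candidates (worth a blockchain lookup) and rejects."""
    text = raw.decode("latin-1")
    result = {"valid": [], "rejected": []}
    for m in CANDIDATE_RE.finditer(text):
        s = m.group(0)
        bucket = "valid" if is_valid_legacy_address(s) else "rejected"
        result[bucket].append((m.start(), s))
    return result


# Constructed sample of raw bytes such as a scanner would report: one real address
# (the coinbase address of Bitcoin's genesis block), one telemetry-style identifier
# that merely looks like an address, and one address with a single-character typo.
SAMPLE_HITS = (
    b"\x00\x00send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa please\x00"
    + b"DeviceId=1" + b"A" * 33 + b"\x00"
    + b"pasted 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
)

if __name__ == "__main__":
    for bucket, hits in triage_address_hits(SAMPLE_HITS).items():
        for offset, s in hits:
            print(f"{bucket:8s} @{offset:5d} {s}")
```

A checksum-valid hit is still only a candidate: the attacker address in a ransomware note passes this test just as well as the client's own receiving address, which is why the surrounding bytes (the file or artifact the offset falls in) are examined before the address is treated as a signal and checked against the blockchain.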

Phase 6: Password recovery (when applicable)

For encrypted wallets with confirmed balances, password recovery begins. The first step is extracting a hash from the wallet file — a compact representation of the wallet's password check that candidate passwords can be tested against without exposing the private keys. This hash is what the cracking tools work against, on an air-gapped machine never connected to the internet.

Recovery runs in escalating rounds:

  1. The targeted wordlist built from intake information — often cracks the wallet in seconds if the password has any connection to the person's life
  2. The targeted list with mutation rules — capitalization, number substitution, common suffixes
  3. Broader wordlists from breach databases — millions of real passwords people actually used
  4. Structure-based mask attacks — testing every combination matching specific patterns the person described

GPU-accelerated hardware runs approximately 11,000 attempts per second against Bitcoin Core's encryption — slow by GPU standards, but combined with intelligent targeting, often sufficient.

Phase 7: Recovery and handover

If the password is recovered, the wallet's keys become accessible again and control returns to the client — the recovered credentials are delivered securely, and the assets are the client's to move to any address they choose. Private keys are only ever handled on an air-gapped machine, never one connected to the internet. The success fee applies only on a successful recovery and only as a percentage of what's recovered; if access can't be restored, nothing is owed.

Phase 8: Findings report

Every engagement concludes with a written findings report regardless of outcome. The report covers:

For estate matters, this report documents that a professional search was conducted and what it found. For personal recovery, it provides a complete record of what was examined and what was found. Either way, you know exactly what happened to your data and why.

What separates investigation from running software

Any technical user can download Hashcat and run it against a wallet hash. What they can't replicate is the investigative layer — knowing where to look for signals the software won't surface, building targeted recovery approaches from personal information, evaluating hits for context instead of taking all output at face value, and delivering a documented account of what was done and found. That judgment is what the engagement is actually for.

Have a situation like this?

Book a free 15-minute consultation. We'll assess your situation honestly and explain exactly what investigation would involve — no obligation to proceed.
