Chapter 33 — Exercises
A mix of concept checks, hands-on labs, calculations, and judgment calls — because crypto investigation is the one place in this book where the evidence is public and permanent yet the hardest question is always the same: who is this address? (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Every "trace this" lab below is walkable for free on a public explorer (mempool.space, blockchair.com, Etherscan); every "recover this wallet" lab uses a wallet you created with a passphrase you set, on a device you own or a sanctioned practice image (Appendix J — Practice Images and Lab Setup) — never attack a wallet you are not authorized to open. Address formats and file signatures are collected in Appendix A — File Signatures Reference; the legal instruments in Appendix E — Legal Frameworks Reference.
Group A — Pseudonymous, not anonymous
33.1 In four or five sentences, explain the difference between anonymous and pseudonymous, and apply it to Bitcoin. Then answer the question that proves you understand why the distinction favors the investigator: a bank protects your transaction history behind law and access control, yet a blockchain protects nothing — so why is a criminal's blockchain history more exposed than a bank customer's, and what single event collapses the pseudonym into a name? (answer in Appendix)
33.2 The chapter calls a blockchain public, permanent, and pseudonymous and says it "inverts almost everything else in this book." Take the book's first recurring theme — deleted ≠ destroyed, where deletion removes a pointer but the data persists until overwritten — and explain in two or three sentences how a blockchain is the limit case of that idea: what, exactly, can never be overwritten, and why does that make the blockchain the most complete and most permanent financial evidence ever created?
33.3 ⭐ A client tells you, "Bitcoin can't be traced — that's the whole point of it." Write the two-paragraph reply you would actually give. Paragraph one corrects the misconception (pseudonymous, not anonymous) without jargon; paragraph two explains the asymmetry — that every action a pseudonym takes is linked forever to that pseudonym, so one identification radiates across the entire cluster — and names where that one identification usually comes from.
Group B — Reading a Bitcoin transaction (UTXOs, satoshis, TXIDs)
33.4 (Analyze this transaction.) Read the transaction below and answer (a)–(d). (answer in Appendix)
TRANSACTION 9c2f8b1a40d7e6539af0c2b18e7d4a3f6051c9b2d8a7e043f1c6b59082a73e4d
mined: block 814,907 2024-10-03 09:14 UTC
INPUTS (2)
#0 bc1qk8p3v9m2x…7r4d 1.50000000 BTC
#1 bc1qw3r7t5h8n…0q9s 0.30000000 BTC
OUTPUTS (2)
#0 → 1Fz5gM2pQx…Jr8t 1.75000000 BTC (address reused, legacy)
#1 → bc1qn9x4c6e2…5k1m 0.04990000 BTC (address never seen before)
(a) Working in satoshis (1 BTC = 100,000,000 sat), compute the miner fee. (b) Which output is the payment and which is the change returning to the sender — and name the three change-detection signals you used. (c) Which addresses does the common-input-ownership heuristic cluster as one entity, and why? (d) In one sentence, state why you reasoned in satoshis rather than in BTC floating-point.
33.5 The chapter says a TXID is "the double-SHA-256 hash of [a transaction's] serialized bytes, displayed as 64 hexadecimal characters." (a) Why is the TXID an integrity check on the transaction — what changes if a single byte of the transaction changes? (b) Your report cites TXID 4b8e7c2a…3049. A defense expert claims the explorer could have shown you a doctored transaction. Describe the one-sentence corroboration (from the chapter's Chain of Custody callout) that answers them, and name the artifact you would export and hash.
33.6 (Identify on sight.) For each string, name the asset and the address type, and say in a word whether it is well-formed:
A 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
B 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
C bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
D bc1p5cyxnuxmeuwuvkwfem96lqzszd9ztqsamzkx
E 0x4e8b2f9a7c1d6053e4a8b9c2f10d7e6b5a3f8c90
F 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAv1nQpoArAsx
G 1A1zP1eP5QGefi2DMPTfTL50SLmv7Divf
For G, explain exactly why it is malformed — which character is the giveaway, and what Base58 deliberately omits and why.
33.7 ⭐ (Calculate the keyspace lesson.) A Bitcoin private key is a 256-bit secret, so there are 2²⁵⁶ ≈ 1.16 × 10⁷⁷ of them. (a) If every one of the world's roughly 8 billion people ran a billion machines each testing a billion keys per second, how many keys per second is that, and roughly how many years to exhaust the space? Compare to the age of the universe (~1.4 × 10¹⁰ years). (b) State the lesson in one sentence: given (a), no attack in this chapter targets the private key directly — so what do realistic attacks target instead (name the two: the passphrase that wraps a software wallet, and the link between address and identity)?
Group C — Clustering: turning addresses into entities
33.8 (Defend the grouping.) A transaction co-spends four input addresses; you assert all four belong to one entity. (a) State the heuristic and the precise reason it holds (what must be true to spend each input). (b) Show how the cluster grows transitively: if this transaction links A–B–C–D, and a later transaction co-spends D with E, what can you now assert about A and E? (c) Name the single transaction structure that would make this whole inference wrong, and the visual signature you would look for before clustering. (answer in Appendix)
33.9 (Weigh the signals.) For the transaction in 33.4, the change output bc1qn9x4c6e2…5k1m was identified by three signals. (a) List the four change-detection signals the chapter gives, and for each say whether it was present in 33.4. (b) Change detection is described as "more error-prone than the common-input heuristic." Explain the concrete bad outcome of a wrong change attribution — where does your trace go? (c) Which of the four signals is the one that confirms itself retroactively, and how?
33.10 (Recognize CoinJoin.) You see a Bitcoin transaction with 50 inputs and 50 outputs, where many outputs are identical in value (say, exactly 0.1 BTC). (a) Why does naively applying the common-input-ownership heuristic to this transaction produce a false cluster, and what serious word describes that error in a report? (b) Name two CoinJoin implementations the chapter mentions. (c) In one sentence, state the defensible report language that asserts a cluster and pre-empts the CoinJoin objection.
33.11 ⭐ (Judgment — the witness chair.) Under cross-examination, opposing counsel says: "You testified these 214 addresses are 'the same person.' But you've admitted clustering is just a heuristic. So you don't really know, do you?" Write the answer you would give that is both honest about probability and not a retreat — distinguishing a high-confidence grouping by a named heuristic with a known failure mode from a certainty, and stating what you checked (no CoinJoin structure) to support it. Tie your answer to Chapter 27 — Expert Testimony.
Group D — Transaction tracing: following the money
33.12 (Build the timeline.) Reconstruct the trace timeline for the ransomware anchor (anchor case #3) from the facts in the chapter, producing a dated, sourced log an investigator could hand to counsel. Start from the ransom payment of 0.82 BTC to bc1qf7v9…q2wd (TXID 4b8e…3049, block 812,043, 2024-09-18) and end at the subpoena predicate. Your log must include, in order: the payment, the consolidation/clustering step, the peeling chain, the branch into the mixer (with the value and what it means), the branch reaching the exchange chokepoint, and the legal next step. Mark which line is the off-ramp where pseudonymity breaks. (answer in Appendix)
33.13 (Follow the chain.) A "peeling chain" unspools from a consolidation address. (a) Describe the repeating two-step pattern of a peel, and which output you keep following. (b) Why are the peels small and the chain long — what is each design choice meant to defeat? (c) The chapter says peeling chains are "ironically, easy to follow precisely because" of one heuristic — which one, and why does it stitch the chain together?
33.14 Distinguish a mixer/tumbler, a CoinJoin, and chain-hopping in one or two sentences each: what each does to the trail, and how you pick the trail back up after each. Then answer the judgment question: the chapter insists that using a mixer "raises, not lowers, the suspicion attached to the funds." Explain why a deliberate trip through a known mixer cluster is itself evidence, tying to the book's third theme.
33.15 ⭐ (The strategic insight.) Redraw, in your own words and a small ASCII sketch, the on-ramp/off-ramp diagram, and then defend this claim in a short paragraph: "You do not have to de-anonymize every hop in the middle." What must be true about value for the choke-point strategy to work, and why does that mean the most important section of a tracing chapter is "not about cryptography at all" — it is about subpoenas?
Group E — Exchange cooperation and the legal predicate
33.16 (Write the predicate.) Your trace ends at deposits to an address cluster attributed to "Exchange-X," a U.S.-registered MSB. Draft the one-paragraph subpoena predicate the technical examiner contributes — the specific facts that let the exchange identify the exact account and that tie the deposits to the offense. Then state the two failure modes the chapter's Legal Note warns about, and rewrite an over-broad demand ("all accounts associated with this address") into an enforceable one. (answer in Appendix)
33.17 A regulated exchange is a money services business under the Bank Secrecy Act. In a short paragraph, explain what that obligates it to hold and do — name KYC, AML monitoring, SARs/CTRs, and the Travel Rule (give FinCEN's $3,000 threshold and FATF's $1,000 figure for virtual-asset transfers) — and state, in one sentence, the practical payoff for your investigation: what does the exchange know about the account that received your traced funds?
33.18 (Judgment — sanctions and jurisdiction.) Two complications can change a case overnight. (a) Your trace touches an address published on OFAC's SDN list. What changes about the legal landscape and the urgency, and what should you have screened against before concluding? (b) The off-ramp exchange turns out to be incorporated abroad and does not answer U.S. process. Name the instrument now required, and explain why identifying the exchange's jurisdiction early can change your timeline "from hours to quarters." Cite Chapter 25 — The Legal Framework.
Group F — Wallet forensics: keys, seeds, and artifacts
33.19 (Identify these artifacts.) Two 16-byte specimens were carved from the start of two files seized from a suspect's laptop. Identify each, citing the exact bytes that decide it, and say what each tells you about the wallet. (answer in Appendix)
A 00000000: 0000 0000 0000 0000 0000 0000 6231 0500
B 00000000: 5351 4c69 7465 2066 6f72 6d61 7420 3300
Then answer: a strings scan of specimen A returns the tokens mkey and ckey. What does their presence prove about the wallet, and which hashcat mode targets it?
33.20 (Recover from this image — the artifact sweep.) You are handed a mounted, read-only Windows image (drive F:) under proper authority. Write the triage plan to locate cryptocurrency artifacts: (a) the wallet files to search for by name (wallet.dat, default_wallet, seed.seco) and the application-data folders for Bitcoin Core, Electrum, Exodus, and Ledger Live; (b) the MetaMask vault — give the exact extension ID and the file types you collect from its LevelDB store, and say which artifact you are extracting; (c) the plaintext search you run across documents, notes, browser data, and photographs (via OCR) and unallocated space — and what two things you are hunting for there. In one sentence, justify why this sweep is run on a copy and read-only, citing the book's second theme.
33.21 ⭐ (Calculate — the seed is the wallet.) BIP39 draws words from a fixed list of 2,048 = 2¹¹ words. (a) A 12-word phrase encodes 12 × 11 = 132 bits, of which 128 are entropy and 4 are a checksum; a 24-word phrase encodes 264 bits (256 entropy + 8 checksum). How many valid 12-word mnemonics exist, and how many 24-word ones? (b) Roughly what fraction of random 12-word sequences from the list pass the checksum, and what does that imply about the value of validating the checksum before you rely on a hit? (c) Your seed-phrase detector flags 12 consecutive words in a Notes-app export, all from the BIP39 list, checksum valid. In one sentence, explain why this single hit "can be the entire case."
33.22 (The dual-purpose crack.) The same artifact and the same command serve recovery and forensics. (a) Write the lawful workflow for a wallet.dat you are authorized to open: hash the working copy, confirm it is Berkeley DB and encrypted, extract the crackable hash with bitcoin2john.py, and run hashcat — give the mode number for wallet.dat, and the modes for Electrum and the MetaMask vault. (b) Why does a targeted wordlist built from the custodian's own artifacts beat brute force? (c) State, in one sentence, the only thing that distinguishes the recovery engagement from the seizure — and why that one thing is "the entire ethical and legal weight of this work."
33.23 (Calculate and verify the hash — the decryption record.) You copy a seized wallet.dat from the verified image to your working folder, crack it under warrant, and read its addresses. Draft the chain-of-custody / provenance note for your file, capturing: the source image and its hash, the SHA-256 of the working copy before any operation, the authority for the access, the action taken, and the integrity argument. Then answer: the defense asks whether your cracking altered the evidence. Which hash, of which artifact, answers them — and why is the original image's hash the one that matters?
Group G — Ethereum, privacy coins, and putting it together
33.24 Ethereum uses an account model, not UTXOs. (a) Explain why this means the common-input-ownership heuristic "does not apply," and name two other signals you cluster Ethereum on instead. (b) Most laundering today moves stablecoins (USDT, USDC) as ERC-20 tokens. Explain the tracing leverage this gives you that Bitcoin has no equivalent to — what can the issuer do, at law-enforcement request, that ends a trace without an exchange subpoena? (c) Name the Ethereum explorer that exposes internal transactions and token transfers.
33.25 (Honest limits — Monero.) Modern Monero is the chapter's frontier of know your limitations. (a) Name the three technologies and the one transaction property each conceals (sender / recipient / amount). (b) With a mandated ring size of 16, what is the probability of randomly guessing the real spend among the ring members, and why did early Monero leak when decoys could be zero or poorly chosen (name the temporal heuristic)? (c) Write the defensible one-sentence report finding for funds converted to present-day Monero, and list the off-chain pivots you turn to instead. (answer in Appendix)
33.26 ⭐ (Progressive project — trace the cryptocurrency in your case.) This is the optional crypto thread of your Forensic Case File (the project running since Chapter 5, assembled in Chapter 38). If your case involves cryptocurrency, produce all five deliverables the chapter specifies; if it does not, write the one-line "no cryptocurrency artifacts identified" finding and explain why even that is a result worth recording. The five: (1) the wallet-artifact sweep output (files, app data, MetaMask vault) plus the address/seed-phrase plaintext search, with every extracted artifact hashed into your chain-of-custody worksheet (Appendix F); (2) the list of on-chain identifiers (addresses, TXIDs) recovered from artifacts and from any ransom note/invoice/chat; (3) the trace on a public explorer (verified against a full node for any load-bearing fact) — clusters, the peeling chain, where it reaches a mixer/chain-hop/exchange — with every TXID, block height, time, and amount; (4) for each chokepoint, the exchange, its jurisdiction, and the drafted subpoena predicate, flagging anything needing an MLAT; (5) the findings-with-limits section: what was traced, what reached an identifiable provider, what went dark (mixer/privacy coin), and which heuristic each clustering rests on. Save the trace export and its SHA-256 to the case-file folder.
Self-check. You have mastered this chapter when you can, without notes: explain pseudonymous, not anonymous to a client and to a court; read a transaction's inputs, outputs, satoshi amounts, fee, and change off an explorer; apply the common-input-ownership and change-detection heuristics and name where each fails (CoinJoin defeats the first; a wrong change call sends you down a stranger's addresses); follow a peeling chain through a mixer to an exchange chokepoint and draft the precise, jurisdiction-aware subpoena predicate that turns the deposit into a name; locate
wallet.dat, a MetaMask vault, and a BIP39 seed phrase on an image and frame the lawful crack for either an owner or a seizure; and state every clustering and tracing finding with its underlying heuristic and known limit — including the honest "converted to Monero; on-chain tracing not reliably feasible" when that is the truth. If the difference between "the funds went dark at the mixer" and "I couldn't trace it" still feels the same to you, re-read "Limitations: knowing when to stop" before you ever write a crypto finding. Next, Chapter 34 — IoT, Vehicle, and Embedded Device Forensics leaves the ledger for the physical world of tiny computers everywhere — where, once again, technology changes, principles don't.