Digital Forensic Investigations involving Cryptocurrency Wallets Installed on Mobile Devices

Over the past year, we had the opportunity to continue a research effort in partnership with the Criminal Investigations and Network Analysis (CINA) Center at George Mason University to examine how cryptocurrency wallets store and expose data on mobile devices. As cryptocurrency continues to evolve, so does its use in illicit activity, and we wanted to ensure law enforcement has the tools and knowledge needed to respond effectively.

This project focused on analyzing 24 popular mobile crypto wallets: 12 Android and 12 iOS apps, with the goal of identifying forensic artifacts that could aid in investigations.

What We Found

Here are a few key takeaways from our analysis:

  • 🧠 Wallet metadata is often left behind: Many apps store wallet creation timestamps, public addresses, and app-specific identifiers in plaintext within accessible directories—useful for timeline reconstruction.

  • 🧩 Wallet data isn't always encrypted: App data directories contain wallet names, user settings, and sometimes cached blockchain data—even after logouts or reinstallations.

  • 📌 Timestamps and identifiers persist: Wallet creation dates, sync timestamps, and analytics logs were often retained and could be mapped to user behavior.

  • 📱 Data persistence varied wildly: Some apps wiped data upon logout; others retained transaction history, wallet names, and user settings long after account deletion.
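The sketch below is an added example, not code from our report or from any tool we tested: it shows one way to sweep an extracted app data directory for the plaintext addresses and timestamps described above and sort the timestamps into a rough timeline. The directory layout, file names, field names, and sample values are all constructed for illustration.

```python
import json, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Ethereum-style (0x + 40 hex chars) and Bitcoin bech32 (bc1...) address shapes.
ADDR_RE = re.compile(rb"\b(0x[0-9a-fA-F]{40}|bc1[02-9ac-hj-np-z]{11,71})\b")
# Unix epoch values from mid-2017 onward: 10 digits (s) or 13 digits (ms).
EPOCH_RE = re.compile(rb"(?<!\d)(1[5-9]\d{8})(\d{3})?(?!\d)")

def triage(root):
    """Scan every file under root as raw bytes; return (addresses, timeline).

    Only plaintext values are found. Every hit is a lead to verify against
    the app's own data model, not a confirmed artifact.
    """
    addresses, timeline = set(), []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        for m in ADDR_RE.finditer(data):
            addresses.add((m.group(1).decode(), rel))
        for m in EPOCH_RE.finditer(data):
            # group(1) is always the seconds part, even for millisecond values
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            timeline.append((ts.isoformat(), rel))
    return sorted(addresses), sorted(timeline)

def demo():
    """Build a constructed app-data tree (not from a real wallet) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = Path(tmp, "shared_prefs")
        prefs.mkdir()
        (prefs / "wallet.json").write_text(json.dumps({
            "walletName": "Savings", "address": "0x" + "ab" * 20,
            "createdAt": 1700000000, "lastSync": 1700003600123}))
        files = Path(tmp, "files")
        files.mkdir()
        (files / "analytics.log").write_text(
            "1700000100 event=wallet_open addr=bc1q" + "a2" * 19 + "\n")
        return triage(tmp)

if __name__ == "__main__":
    addrs, timeline = demo()
    for addr, src in addrs:
        print(f"address   {addr}  ({src})")
    for ts, src in timeline:
        print(f"timestamp {ts}  ({src})")
```

Run it against a working copy of an extraction, never the original evidence, and record which source file each hit came from.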

Building on a Strong Foundation

This project would not have been possible without the work of Dr. Diana Summers and Rachel Salter, who served as the original Principal Investigators. Their initial research provided the framework that made this continued work possible. We are deeply grateful for the groundwork they laid and honored to have built upon their exceptional contributions to mobile cryptocurrency forensics.

Why This Matters

Mobile crypto wallets are increasingly part of cases involving fraud, drug trafficking, and money laundering. Traditional forensics tools don’t always parse them correctly, and manual analysis is time-consuming if you don’t know where to look.

Our research offers a structured way to triage, extract, and interpret wallet-related artifacts on both Android and iOS platforms.

What You Can Do

  • 📥 Download our full report: We’ve published detailed documentation for each app we tested, including artifact paths, parsing examples, and screenshots.

    Cryptocurrency Wallet Report

  • 📚 Use our seizure and search reference guide: We created a wallet-specific field guide for forensic practitioners and first responders. 

    Cryptocurrency Seizure Guide

  • 🗂️ Explore our artifact location index: A compiled reference of where key forensic artifacts are stored across analyzed crypto wallet apps—saving you time during triage and analysis.

    Cryptocurrency Wallet Compiled Findings

Final Thoughts

Cryptocurrency isn't untraceable; it just requires the right approach. Our goal is to help the forensic community close the gap between how these apps function and how to interpret what’s left behind. Whether you're in law enforcement, private sector forensics, or academic research, we hope this work supports your efforts to stay ahead.

Feel free to reach out if you'd like to collaborate or dive deeper into any of the findings.
