Filtering Email Addresses, Credit Card Numbers and Searching for Bitcoin Artifacts with the Autopsy Digital Forensics Software

  • Patricio DominguesEmail author
  • Miguel Frade
  • João Mota Parreira
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 942)


Email addresses and credit card numbers found on digital forensic images are frequently an important asset in a forensic casework. However, the automatic harvesting of these data often yields many false positives. This paper presents the Forensic Enhanced Analysis (FEA) module for the Autopsy digital forensic software. FEA aims to eliminate false positives of email addresses and credit card numbers harvested by Autopsy, thus reducing the workload of the forensic examiner. FEA also harvests potential Bitcoin public addresses and private keys and validates them by looking into Bitcoin’s blockchain for the transactions linked to public addresses. FEA explores the report functionality of Autopsy and allows exports in CSV, HTML and XLS formats. Experimental results over four digital forensic images show that FEA eliminates as many as \(40\%\) of email addresses and \(55\%\) of credit card numbers.


Digital forensics Email addresses Credit card numbers Bitcoin 



This work was partially supported by FCT, Instituto de Telecomunicações under project UID/EEA/50008/2013 and CIIC under project UID/CEC/04524/2016.


  1. 1.
    Paul, P.K., Bhuimali, A., Shivraj, K.S.: Internet corporation for assigned names and numbers: an overview. Asian J. Eng. Appl. Technol. 5(2), 40–43 (2016)Google Scholar
  2. 2.
    Bahnsen, A.C., Aouada, D., Stojanovic, A., Ottersten, B.: Feature engineering strategies for credit card fraud detection. Expert Syst. Appl. 51, 134–142 (2016)CrossRefGoogle Scholar
  3. 3.
    Duchamp, D., et al.: Prefetching hyperlinks. In: USENIX Symposium on Internet Technologies and Systems, pp. 12–23 (1999)Google Scholar
  4. 4.
    Elz, R., Bush, R.: Clarifications to the DNS specification. Technical report (1997)Google Scholar
  5. 5.
    Eskandari, S., Leoutsarakos, A., Mursch, T., Clark, J.: A first look at browser-based Cryptojacking. arXiv preprint arXiv:1803.02887 (2018)
  6. 6.
    Garfinkel, S.: AFF and AFF4: where we are, where we are going, and why it matters to you. In: Sleuth Kit and Open Source Digital Forensics Conference (2010)Google Scholar
  7. 7.
    Garfinkel, S.L.: Digital media triage with bulk data analysis and bulk\(\_\)extractor. Comput. Secur. 32, 56–72 (2013)CrossRefGoogle Scholar
  8. 8.
    Jung, J., Sit, E., Balakrishnan, H., Morris, R.: DNS performance and the effectiveness of caching. IEEE/ACM Trans. Netw. 10(5), 589–603 (2002)CrossRefGoogle Scholar
  9. 9.
    Klensin, J.: RFC 5321: simple mail transfer protocol (2008).
  10. 10.
    Liao, K., Zhao, Z., Doupé, A., Ahn, G.J.: Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin. In: 2016 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–13. IEEE (2016)Google Scholar
  11. 11.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)Google Scholar
  12. 12.
    Panchal, E.P.: Extraction of persistence and volatile forensics evidences from computer system. Int. J. Comput. Trends Technol. (IJCTT) 4(5), 964–968 (2013)Google Scholar
  13. 13.
    Postel, J.: Domain name system structure and delegation (1994)Google Scholar
  14. 14.
    Resnick, P.: RFC 5322: Internet message format (2008).
  15. 15.
    Rowe, N.C., Schwamm, R., McCarrin, M.R., Gera, R.: Making sense of email addresses on drives. J. Digit. Forensics Secur. Law: JDFSL 11(2), 153 (2016)Google Scholar
  16. 16.
    Wachira, W., Waweru, K., Nyaga, L.: Transposition error detection in Luhn’s algorithm. Int. J. Pure Appl. Sci. Technol. 30(1), 24 (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Patricio Domingues
    • 1
    • 2
    • 3
    Email author
  • Miguel Frade
    • 1
    • 3
  • João Mota Parreira
    • 4
  1. 1.ESTGPolytechnic Institute of LeiriaLeiriaPortugal
  2. 2.Instituto de TelecomunicaçõesCoimbraPortugal
  3. 3.CIIC – Computer Science and Communication Research CentreLeiriaPortugal
  4. 4.Void Software, SALeiriaPortugal

Personalised recommendations