Authors: Jeongin Lee, Geunyeong Choi, Jihyo Han, Jungheum Park

DFRWS APAC 2025

Abstract

Monero, a privacy-preserving cryptocurrency, employs advanced cryptographic techniques to obfuscate transaction participants and amounts, thereby achieving strong untraceability. However, a digital forensic approach can still reveal sensitive information by examining off-chain artifacts such as memory and wallet files. In this work, we conduct an in-depth forensic analysis of Monero's wallet application, focusing on the handling of public and private keys and the wallet's data storage formats. We reveal how these keys are managed in memory and develop a memory scanning algorithm capable of identifying key-related data structures. Furthermore, we analyze the wallet keys and cache files, presenting a method for decrypting and interpreting serialized keys and transaction data encrypted with a user-specified passphrase. Our approach is implemented as an open-source Volatility3 plugin and a set of decryption scripts. Finally, we discuss the applicability of our methodology to multi-cryptocurrency wallets that incorporate Monero components, thereby validating the generalizability of our techniques.

Downloads