Bitcoin as a popular digital currency has been a target of theft and other illegal activities. Key to the forensic investigation is to identify bitcoin addresses involved in the bitcoin transfers. This paper presents a framework, FABT, for forensic analysis of bitcoin transactions by identifying suspicious bitcoin addresses. It formalizes the clues of a given case as transaction patterns defined over a comprehensive set of features. FABT converts the bitcoin transaction data into a formal model, called Bitcoin Transaction Net (BTN). The traverse of all bitcoin transactions in the order of their occurrences is captured by the firing sequence of all transitions in the BTN. When analyzing transaction flows, FABT exploits the notion of “bitcoin fluid” to track where the bitcoins passed through given addresses (called dyeing addresses) have flown and determine the extent to which each of the other addresses is related to the dyeing addresses. The splitting, merging, and dyeing operators are used to capture the distribution of coins throughout transaction flows. FABT also applies visualization techniques for further analysis of the suspicious addresses. We have applied FABT to identify suspicious addresses in the Mt.Gox case. A subgroup of the suspicious addresses has been found to share many characteristics about the received/transferred amount, number of transactions, and time intervals.

比特币作为一种流行的数字货币一直是盗窃和其他非法活动的目标。法医调查的关键是识别参与比特币转移的比特币地址。本文提出了一种框架，即FABT，用于通过识别可疑的比特币地址来对比特币交易进行法医分析。它将给定案例的线索形式化为通过全面功能集定义的交易模式。FABT将比特币交易数据转换为正式模型，称为比特币交易网（BTN）。所有比特币交易的发生顺序遍历都是由BTN中所有转换的触发顺序捕获的。在分析交易流时，FABT利用“比特币流体”的概念来跟踪经过给定地址（称为染色地址）的比特币在何处飞行，并确定每个其他地址与染色地址相关的程度。拆分，合并和染色运算符用于捕获整个交易流程中硬币的分布。FABT还应用可视化技术来进一步分析可疑地址。我们已应用FABT来识别Mt.Gox案中的可疑地址。已发现一个可疑地址的子组具有许多与接收/转移的金额，交易次数和时间间隔有关的特征。染色操作员用于捕获硬币在整个交易流程中的分布。FABT还应用可视化技术来进一步分析可疑地址。我们已应用FABT来识别Mt.Gox案中的可疑地址。已发现一个可疑地址的子组具有许多与接收/转移的金额，交易次数和时间间隔有关的特征。染色操作员用于捕获硬币在整个交易流程中的分布。FABT还应用可视化技术来进一步分析可疑地址。我们已应用FABT来识别Mt.Gox案中的可疑地址。已发现一个可疑地址的子组具有许多与接收/转移的金额，交易次数和时间间隔有关的特征。