Title: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on September 03, 2017, 12:19:39 AM I ran the bitcoin client for a couple of days in January 2010.
I am using Recuva to try and recover Wallet.dat. Does this filename ring any bells? INFO "Filename: 49C7D454d01 Path: D:\? Size: 30.6 KB (31,348) State: Very poor Creation time: 1/31/2010 19:59 Last modification time: 1/31/2010 19:59 Last access time: 1/31/2010 19:59 Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup" 6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5) 4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132" Cheers Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: jackg on September 03, 2017, 12:28:14 AM I ran the bitcoin client for a couple of days in January 2010. You'll most likely need the full file to be able to get the coins/private keys out. I am using Recuva to try and recover Wallet.dat. Does this filename ring any bells? INFO "Filename: 49C7D454d01 Path: D:\? Size: 30.6 KB (31,348) State: Very poor Creation time: 1/31/2010 19:59 Last modification time: 1/31/2010 19:59 Last access time: 1/31/2010 19:59 Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup" 6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5) 4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132" Cheers Is that the original file name or is it a name added by the recuva recovery software? It has to be wallet.dat in order for you to get anything. Also, the file is quite small and the signatures it leaves as a trace will be small (the wallet.dat file, not this specific one). Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 12, 2021, 12:20:57 AM I ran the bitcoin client for a couple of days in January 2010. You'll most likely need the full file to be able to get the coins/private keys out. I am using Recuva to try and recover Wallet.dat. Does this filename ring any bells? INFO "Filename: 49C7D454d01 Path: D:\? Size: 30.6 KB (31,348) State: Very poor Creation time: 1/31/2010 19:59 Last modification time: 1/31/2010 19:59 Last access time: 1/31/2010 19:59 Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup" 6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5) 4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132" Cheers Is that the original file name or is it a name added by the recuva recovery software? It has to be wallet.dat in order for you to get anything. Also, the file is quite small and the signatures it leaves as a trace will be small (the wallet.dat file, not this specific one). Thank you for your comment ~2,5 years ago! I am going to restart this treasure hunt... I have spent a couple of hours going through the most recent threads about wallet.dat file recovery or extraction of private keys. I will lay out my game plan and would appreciate all comments and suggestions. I will reiterate my problem as I don't think I was clear enough initially: Background
Summary
Plan 1. Clone the old hard drive (it is currently disconnected from Desktop) Planning to use: https://hddguru.com/software/HDD-Raw-Copy-Tool/ (https://hddguru.com/software/HDD-Raw-Copy-Tool/) as I have seen it recommend around by trusted member ETFBitcoin
3. Try findwallet (ref. https://bitcointalk.org/index.php?topic=5071775.0 (https://bitcointalk.org/index.php?topic=5071775.0)) 4. Try Rstudio or other recovery software (ref. https://bitcointalk.org/index.php?topic=2637884.0 (https://bitcointalk.org/index.php?topic=2637884.0)) 5. Delivery it to the pros at Wallet Recovery Services (not sure if they accept forensic cases) Credits https://bitcointalk.org/index.php?topic=5308461.0#post_CorruptedDisk (https://bitcointalk.org/index.php?topic=5308461.0#post_CorruptedDisk) https://bitcointalk.org/index.php?topic=4959742.msg44708601#msg44708601 Cheers! Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: litecoin_messiah on February 12, 2021, 03:37:01 AM Create a USB with kali linux, (it comes prebundled with testdisk and other tools)
start kali linux live usb on the device and create a system image with testdisk of the hard disk the wallet existed in. if you value any chance of recovering crypto (and there is loads of methods yet untested such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947 that shows bitcoin-qt creates a crash log with current state i believe of the event of crashing. and the file won't show up with normal scans. Whatever it is you want to do, if you dont make a clone of this hard disk you will regret it. i have done this countless times. The cloned file image of the disk can be used just as the hard drive without any of the weakness. imagine loading it in nvme ssd and now you have 100x the read/write speed or more ;) "5. Delivery it to the pros at Wallet Recovery Services (not sure if they accept forensic cases)" i hear this guy is a selective scammer, he shows up everywhere you look for wallet recovery but he can't do shit. Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 12, 2021, 10:41:05 AM Create a USB with kali linux, (it comes prebundled with testdisk and other tools) start kali linux live usb on the device and create a system image with testdisk of the hard disk the wallet existed in. if you value any chance of recovering crypto (and there is loads of methods yet untested such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947 that shows bitcoin-qt creates a crash log with current state i believe of the event of crashing. and the file won't show up with normal scans. Whatever it is you want to do, if you dont make a clone of this hard disk you will regret it. i have done this countless times. The cloned file image of the disk can be used just as the hard drive without any of the weakness. imagine loading it in nvme ssd and now you have 100x the read/write speed or more ;) "5. Delivery it to the pros at Wallet Recovery Services (not sure if they accept forensic cases)" i hear this guy is a selective scammer, he shows up everywhere you look for wallet recovery but he can't do shit. Thank you Sir! :) I will make sure to take my time before cloning the disk to make sure I am not further messing it. I understand the point on faster medium such as NVME Would you recommend I look into something else about cloning? Even if I have to read a few extra things its an investment of time I would be willing to do. Regarding the Wallet Recovery Services, I believe this is related to a trusted member DaveF. I am obviously a few steps away from delivering this to anyone but would appreciate any further inputs here. Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: NotATether on February 12, 2021, 11:40:41 AM INFO "Filename: 49C7D454d01 Path: D:\? Size: 30.6 KB (31,348) State: Very poor Creation time: 1/31/2010 19:59 Last modification time: 1/31/2010 19:59 Last access time: 1/31/2010 19:59 Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup" 6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5) 4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132" Your wallet file has the first 6 of its 8 sectors overwritten by some Firefox file, and not Recuva, which amounts to the first 24KB of the 30.6KB gone from your hard disk. It is highly likely the Berkeley DB table that holds the private keys was at the beginning of the file and therefore overwritten. Unless you have clones from before the time you installed Firefox, your odds of recovery are low. I'm not sure if even a recovery service can help you here since the sector data was overwritten. Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: NotATether on February 12, 2021, 12:15:00 PM
If you're linux user, you could use built-in tools called dd dd is a very dangerous tool because a single mistype of a disk letter will overwrite the wrong disk and cause even more data to be lost. So I would not recommend it for newbies. For example, you have an empty hard disk at /dev/sdc, your bad hard disk as at /dev/sdb and your operating system is at /dev/sea, normally you'd type dd if=/dev/sdb of=/dev/sdc bs=4K, but if you are careless and are just pressing up and down arrow keys on the terminal to get this command you ran before, you might forget to change "sda" to "sdc" and it will overwrite your OS drive! Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 12, 2021, 01:37:11 PM INFO "Filename: 49C7D454d01 Path: D:\? Size: 30.6 KB (31,348) State: Very poor Creation time: 1/31/2010 19:59 Last modification time: 1/31/2010 19:59 Last access time: 1/31/2010 19:59 Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup" 6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5) 4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132" Your wallet file has the first 6 of its 8 sectors overwritten by some Firefox file, and not Recuva, which amounts to the first 24KB of the 30.6KB gone from your hard disk. It is highly likely the Berkeley DB table that holds the private keys was at the beginning of the file and therefore overwritten. Unless you have clones from before the time you installed Firefox, your odds of recovery are low. I'm not sure if even a recovery service can help you here since the sector data was overwritten. Thank you Sir! I agree with it being overwritten with Firefox! Recuva is just the recovery software I was dumb enough to use without having cloned the HD beforehand. (don't judge too much installing Firefox... it was all the rage back then). This certainly lowers the Chance of Success and increases a bit the frustration - it really seems that it is close. How I wish the private keys were at those last 6 KB! If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlaying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more? Cheers
The software support both option (to single file or another drive), but i would recommend first option.
If you're linux user, you could use built-in tools called dd Thank you Sir! Straight to the point. I will look into linux DD (a decade or so ago I did play around with Linux but never used it day to day - I couldn't Game with it!!!) Cheers
If you're linux user, you could use built-in tools called dd dd is a very dangerous tool because a single mistype of a disk letter will overwrite the wrong disk and cause even more data to be lost. So I would not recommend it for newbies. For example, you have an empty hard disk at /dev/sdc, your bad hard disk as at /dev/sdb and your operating system is at /dev/sea, normally you'd type dd if=/dev/sdb of=/dev/sdc bs=4K, but if you are careless and are just pressing up and down arrow keys on the terminal to get this command you ran before, you might forget to change "sda" to "sdc" and it will overwrite your OS drive! Thank you for the warning Sir! If going this way I will make sure to test on something else before. Cheers [moderator's note: consecutive posts merged] (@mod thank you and sorry!) Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: NotATether on February 12, 2021, 03:50:43 PM If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlaying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more? Reading from the disk does not mess with its contents so you're alright with cloning it before sending it off to a recovery firm. With the current BTC price at $47K, once-measly amounts of bitcoin are now worth fortunes especially given that you got a wallet from 2010. If the amount of bitcoin in the wallet exceeds the costs of a professional data recovery then do it, especially given that 5 or even just 1 BTC is worth tens of thousands of dollars today. Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 12, 2021, 05:30:36 PM If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlaying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more? Reading from the disk does not mess with its contents so you're alright with cloning it before sending it off to a recovery firm. With the current BTC price at $47K, once-measly amounts of bitcoin are now worth fortunes especially given that you got a wallet from 2010. If the amount of bitcoin in the wallet exceeds the costs of a professional data recovery then do it, especially given that 5 or even just 1 BTC is worth tens of thousands of dollars today. Thanks. I guess the question than becomes what should I ask them to look for specifically. At my current level of knowledge I am still far away to know how to answer that. Side note: I remember that when I first started messing with hardware, HDs had a combination of pins that would allow a disk to be made read only - not sure if that was a particular thing or a general characteristic. Cheers Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 15, 2021, 12:38:03 AM Thanks I think I will try to use windows based tools for cloning the disk but I appreciate the suggestion.
As for Proton is something quite interesting specially because it is being developed by Valve - 99% of my games are in a Steam account. Update: While going through what I have done in 2017 I discovered that maybe I am not as stupid as I sound. I did an image of the HD and ran WinHex on said image. I cannot recall exactly but believe the image was done using WinHex - I still have the image on a USB hard drive and plan on running pywallet there. Separately I will proceed to do more clones of the original HD. I spent a few hours with python and was progressing slowly. I was not able to install Twistted because even pip has apparently stopped supporting older versions of python. As I was using my private computer, which runs Windows 7 professional, I was using Python27 and was unable to further progress the preparation to run pywallet. Any suggestions on how to proceed? Seems like booting some linux version on that computer I intend to use to run pywallet is my easiest way out. Cheers Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: HCP on February 15, 2021, 04:58:57 AM I spent a few hours with python and was progressing slowly. I was not able to install Twistted because even pip has apparently stopped supporting older versions of python. Note that twisted was only needed for the fancy "WebUI" for PyWallet that never really took off... and which jackjack has removed in the recent updates... it isn't actually needed for the base pywallet.py commandline tool.You do still need the bsddb package though. Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 15, 2021, 05:47:02 PM I spent a few hours with python and was progressing slowly. I was not able to install Twistted because even pip has apparently stopped supporting older versions of python. Note that twisted was only needed for the fancy "WebUI" for PyWallet that never really took off... and which jackjack has removed in the recent updates... it isn't actually needed for the base pywallet.py commandline tool.You do still need the bsddb package though. Thank you, this is helpfull. I am already setting up a different computer with Win10 pro but will see if I can progress where I left off yesterday without Twistted. cheers Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: furyo87 on February 18, 2021, 06:08:45 PM Hi,
Believe I managed to run pywallet.py successfully, on a laptop with a fresh install of MXLinux (first time user). Code: vaio@vaio:~/Downloads I ran the 4 commands above with no problems - even managed to download BTC`s whitepaper, which, I understand from jackjack`s thread, is a recent feature. However when trying to use the --recover command I get the following error: Code: vaio@vaio:~/Downloads I tried a lot of syntax but am still pretty sure I failed it. Is this all I am failing with? Cheers Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: HCP on February 25, 2021, 08:48:24 PM it's the way you're using the --recov_size parameter... I think the '.' character and all the extra 0's might be confusing it...
Try using Code: --recov_size 8Gio So, full command: Code: python pywallet.py --recover --recov_size=8Gio --recov_device \vaio\desktop --recov_outputdir \vaio\documents Title: Re: Treasure Hunt - Recover wallet.dat from JAN2010 Post by: Igor76200 on February 26, 2021, 05:49:27 AM Hello sir,
I'm in the exact same situation, I used a file recovery software in order to recover my lost wallet, unfortunately the .dat is partly overwritten. Pywallet could not extract anything. I wonder if I'm screwed. I have less computer knowledge than you so I was wondering, did you tried the recovery professional services ? What would you ask them exactly ? Best of luck. PS : David the owner of walletrecovery.info did the pywallet search for me (for free). |