Title: Guide to BitCoin wallet data recovery Post by: captainspringfield on August 21, 2018, 10:17:20 AM I made this guide for the folks over at /r/bitcoin but thought you all could get some use out of it to. If you have any questions, post them and I'll do my best to answer them : )
After seeing a lot of dangerous advice about DIY ways of recovering Bitcoin, I wanted to write a guide to help other HODLers recover their wallets when their hard drives crash. This guide is mostly oriented towards conventional spinning disks but I have some tips for phones, SSDs, etc. I have been doing data recovery professionally for over 10 years at a firm that shall remain nameless, so I have a great amount of expertise in diagnosing and recovering from various media, operating systems, etc. If needed, I'd be happy to provide proof to the mods. BEFORE CONTINUING TO READ THIS GUIDE OR ATTEMPTING ANY DATA RECOVERY TURN OFF AND DISCONNECT THE DEVICE YOU WISH TO RECOVER DATA FROM. ANY FURTHER USE OF THE DEVICE GREATLY LESSENS THE CHANCE YOUR DATA WILL BE RECOVERABLE! As a general disclaimer: If you suspect or know your device is failing and you have Bitcoin or other valuable data on it, the safest route is to send your device to a data recovery lab that has the appropriate training and equipment to recover it. Stop and think about how much your data is worth. If it's worth paying a $300-$1500 to recover (or will be worth this in the future when you have more money), DO NOT ATTEMPT TO RECOVER IT YOURSELF. I understand you are freaked out right now that your BTC may be lost forever, but you will make the best decision with a calm mind that takes its time to think through things. You may only get one chance at a successful recovery. Every time you do any attempts at DIY recovery, you lessen the chances that your data will be recoverable. This is especially true if you have a drive that failed directly after being dropped, is making clicking or grinding noises, or had liquid damage of any kind. Even spinning up a drive once for a few seconds that has a damaged head can permanently destroy your data by literally scraping it off the platters. All that being said, if it's worth taking the risk, hopefully this guide can help you. I am providing this information without any warranty, if you lose all your data following my instructions, that's your own fault for not taking it to a professional. For many of the links referenced in here, I may have not tested the instructions fully. I have my own way of doing things in the shop which isn't written down and uses much more advanced tools, so for any step which uses external instructions, try to read a few other guides as well to make sure you know what you're doing before you try doing it. If you do take your device to be recovered professionally, transfer your BTC to a new wallet. Many data recovery providers will be happy to sign NDAs, but it's better to protect yourself by simply emptying the wallet they had access to. Step 1: Diagnose your device The first step in recovering your data is determining the health of the device.
Step 2: Attempt to image the device If the device turns on and spins up (even if there is some clicking) but doesn't show up as a drive on your computer, there's a decent chance you can still recover the data using a Linux live CD/USB and ddrescue. Here's [a guide for that](https://www.data-medics.com/forum/how-to-clone-a-hard-drive-with-bad-sectors-using-ddrescue-t133.html). Ddrescue makes an image of the entire drive sector-by-sector and is agnostic to filesystems (meaning it will work on drives from any operating system, SD cards, DVDs, etc). The image will take up the same amount of space as the device you're imaging. So if you are imaging a 500GB drive, the ddrescue image will be 500GB. It's important to make an image FIRST before attempting recovery with any software. Once you make the image, you can work on copies of the image and throw as much software at is as you want as opposed to running the software on the drive and risking losing the data permanently. If you have more than a couple dozen bad sectors, ddrescue can shred your disk in the process of trying to image it. This would likely be due to platter damage or a bad head. If the drive doesn't register in a Linux live CD/ddrescue doesn't work on it (and you've ruled out a PCB swap), you won't be able to recover the data without investing in expensive data recovery hardware or sending it to a pro. Sorry. If the device you're imaging is an android phone, a [guide like this](https://dfir.science/2017/04/Imaging-Android-with-root-netcat-and-dd.html) can help you make a dd image of the internal memory. Side note: There are some cases where imaging may not be the way to go. For example, if you know the file's location (and it wasn't deleted or is still in the MFT), some tools will be able to recover it by only touching the sectors they need to. A drive with platter damage or crashed heads (where the data isn't affected by the crashed head) or failing but sometimes working heads is an example of where such a technique might be valuable. By doing this, you lessen the chance that you'll accidentally destroy your wallet in attempts to image less important parts of the drive. Step 3: Run recovery tools on the image to recover your wallet Once you have an image of your device, you can now try various software tools to recover data from the image. The easiest thing to do is mount a read-only image in [Windows](https://www.osforensics.com/tools/mount-disk-images.html) or [Linux](https://major.io/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/) and see if you can use the drive as normal and see your files. If you deleted your wallet or formatted your drive, this will not work. If you deleted your wallet, you will need to use a file undeletion tool or a file carving tool. When files are deleted, they are not actually deleted, merely the pointers to those files are deleted. It's akin to taking down all the highway signs to New York but leaving the city there. Depending on the filesystem, the pointer may still exist and simply have a "deleted" flag next to it. File carving is used when this isn't the case and your data is somewhere in the "un-used" portion of the drive. DMDE, R-Studio, and GetDataBack are all great tools to undelete files. If you formatted the device your wallet was stored on, you'll need to recover the original formatting or use a file carving tool. Testdisk is a great free tool for search for partitions and filesystems. R-studio, DMDE, and other tools can also do this. For file carving, you need to know which type of wallet you want to recover as different tools support different wallet formats. Many recovery softwares simply call file carving RAW recovery/deep search. If file carving doesn't find your wallet, but you know some keys, addresses, or notes you kept in your wallet, you can manually search the entire drive with a hex editor that supports large files. [Photorec](https://www.cgsecurity.org/wiki/PhotoRec) is a free file carving tool which can recover wallets. There are also [specialized tools](https://Bitcointalk.org/index.php?topic=25091.0) for this purpose. Step 4: You recovered your wallet but don't know the password The guy behind [walletrecoveryservices.com](http://www.walletrecoveryservices.com) can crack your password in some instances. He has done some amazing work and is one of the few people who offers this service. Step 5: Importing your wallet and setting up a backup system Backup your existing wallet(s) and try importing the one you recovered. If it fails to import, you may need to extract the private keys from it and import those manually as the wallet could be corrupted. File carving is likely to produce corrupted wallets. Once you have imported your wallet successfully, setup a backup system so this never happens to you again! I intend to update this guide once I know more about what parts people find confusing or useful. Title: Re: Guide to BitCoin wallet data recovery Post by: Strufmbae on August 27, 2018, 04:38:16 AM I really eant to recover my private keys and i thought that this one is helpful, base on my own understanding this is helpful for ledger or hardware wallets? Am i right? Sorry i am not expert about recovering. Can i use the step number four on my lost private keys in my electrum application?
Title: Re: Guide to BitCoin wallet data recovery Post by: HCP on September 01, 2018, 01:15:49 AM I really eant to recover my private keys and i thought that this one is helpful, base on my own understanding this is helpful for ledger or hardware wallets? Am i right? Sorry i am not expert about recovering. No. It is not useful for hardware wallets... The private keys NEVER leave the hardware wallets, that is the entire point.You will not be able to use any of the recover methods listed here to recover a hardware wallet. The only recovery you can use is the 12/24 word seed mnemonic that you should have written down and stored safely and securely when you first initialised the hardware wallet. Quote Can i use the step number four on my lost private keys in my electrum application? That depends on what sort of wallet you had setup with Electrum. If it was a standard Electrum wallet, again you should have a 12 word seed mnemonic written down, and can use that to recover your wallet.If you have an imported wallet with imported private keys, then it's possible that someone could "crack" the wallet if you've forgotten your password... It's not easy and is very dependent on how much of the password you can remember and how complex it was. If it was an Electrum wallet that you used with your hardware wallet, it doesn't contain any private keys... They never leave the hardware wallet... So cracking the wallet password won't do you any good. Title: Re: Guide to BitCoin wallet data recovery Post by: bob123 on September 03, 2018, 07:13:27 AM Can i use the step number four on my lost private keys in my electrum application? How did you lose your private keys ? Step 4) is to crack the password of a wallet file. So, if you have a electrum wallet file and don't remember the password, yes. But if you lost your seed and don't have a (password protected) file anymore or have used electrum to access a hardware wallet, step 4 is not for you. There might be other options to gain access to your private keys. How did you store them (which wallet) ? And did you have any kind of backup ? |