Bitcoin Forum
  Show Posts
1  Bitcoin / Bitcoin Technical Support / Re: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? on: December 16, 2017, 12:48:36 PM

yeaaa, I won't be giving you anonymous access to the hard drives containing my private keys.  ty though
2  Bitcoin / Bitcoin Technical Support / Re: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? on: December 12, 2017, 12:29:08 PM
appreciate the responses nullius, been doing a lot of work on this the last few days.  responses in bold below, and I remember zero part of the seed.



But I had another disturbing thought:  Have you any way to verify that your coins have not moved?  Do you have any other record of your Bitcoin addresses with balances?  If at all possible, I would suggest you check them on the blockchain before you spend more effort and potentially much more money on data recovery.

I have the address and seeds have indeed not been touched.   I kept them all in the same single address and not change addresses.  I do have access to the last account the BTC were in, and which sent the full balance to the last account (had to switch wallets from the BCH airdrop)

If you did not have full disk encryption, and the seed was in a “sticky note” on your desktop, then you are gambling that either the thieves didn’t look at your files—or they were too abjectly stupid to realize what they had found.  I sincerely hope that they were idiots who just want to grab a computer, install a fresh OS, and flip it for a few fast rupees.  That seems likely, but uncertain.  Nowadays, would even the dumbest thief grab a computer and not even pause to snoop for info on Paypal, credit cards, banks, etc.?

My desktop had a password on it, the thief seemed to just immediately sell the laptop to another person who wasn't malicious, just saw a good deal and bought a computer - saw it was locked so reinstalled the OS to be able to use the computer.

As for you—have the drives made any contact with a clean computer, via USB-SATA adapters or otherwise?  If so, it may no longer be so clean.  Better be safe than sorry.

Yes they have, but this whole thing was a bit of an odd situation, my fault, and the timing/computer logins of everything completely point towards a poor person stealing a computer, then selling it to someone in their low rent hotel.  The person they sold it to seems nice, refugee from Pakistan and I met their whole family, he simply felt sorry and was very very happy to hand over the computer as I paid him 3x the price of what he paid for it

0. Temporarily disable my kernel’s drive-“tasting” functions, so that the kernel will not try to read partition information and filesystems.  (The forensics wonk will probably tell me to use a “live CD” system, too.)  Of course, my system does not have Autoplay; but even if it did, Autoplay would never start because the system would not reach the userland part of peeking at the drive.

1. Take an image of the drive with dd, a dead simple block copier with no imaginable attack surface via data passed blindly from the input file (drive) to the output file.

2. Try to interpret the image with carefully contained userland tools:  ntfsprogs for NTFS, mtools for msdosfs/FAT filesystem... or in your case, just something which searches a huge file for binary patterns which look like an Electrum wallet file, regular expressions for a seed phrase, etc.  The Forensics Wiki probably lists a good tool for that.  Any which way, the point here is that tools which try to interpret data stay trapped in ring3.  I would not mount the drive image.  No, not even through FUSE.

This is where I'm at now.  I made a clone of one of the drives that did not have the OS on it.  160gb of data was found by easeus software (recuva deep scan found nothing).  None of the files have filenames, so it's impossible to search for .snt files, .dat files, electrum, or otherwise.  It feels like an overwhelming amount of data to sort through, half of it compressed.  I've spent hours going through it so far and absolutely nothing.
 



Any which way, good luck recovering your private keys.

So I have no hints about the seed, and am scared to clone my other M2 drive which has the OS and other data, some of which has surely been overwritten.  I don't want to mess anything up more.  I've contacted many, many firms around Asia and nobody seems very helpful, not even telling me their methods used for attempted recovery.  I wanted to know if they use non-invasive methods, what types of hardware (PC3000), if they do binary code extraction, etc etc.  Their canned responses were always along the lines of 'we are professionals and have a clean room and good technology.'  Just don't feel comfortable with them besides one company in Singapore I might try.  Another option is USA, where I spoke with someone at length from DriveSavers who seem extremely professional and seems to think there is a decent chance of recovery.  They don't even charge unless the specific data I'm looking for is recovered.

So, that's my next step, trying to find a M2 USB to SATA cable here to clone my M2 drive, which I'm not as hopeful about since it's been overwritten, and then either ship the drive off or start flying around the world in search of companies that have non-invasive methods of attempting to recover.  If not, save the drive in a secure location and maybe in 20 years new tech will be out that can recover everything.

Nice to hear that Kroll OnTrack worked decently for you, appreciate that comment.  They were the one firm in Singapore where, after I explained in a chain of 5+ emails that 'we so professional and has clean room sir' is simply not good enough for me, she connected me with a higher-up in the company who explained more of their procedures, and they have some top technology that may be able to help me.  It's not a huge amount of coins, but obviously enough to dedicate my life to attempting recovery for quite some time.

The problem with easeus is that 80k files were found and none have file names.

https://gyazo.com/8b7b63f5bf5acafafdb0b39cf9d9bfb8

really do appreciate the responses.  Been working on this night and day
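
An added example, not part of the posts above or of any tool they name: one way to do step 2 of the quoted procedure, searching a raw dd image for text shaped like a seed phrase without mounting it, reading in chunks so a phrase that straddles a read boundary is still found. It assumes the phrase is 12 to 24 lowercase words of 3 to 8 letters stored as ASCII or UTF-16LE; carve_phrases, build_sample_image and the sample phrase are constructed for illustration.

```python
import io
import re

# Assumed phrase shape: 12-24 lowercase words of 3-8 letters, single spaces.
W = rb"[a-z]{3,8}"
W16 = rb"(?:[a-z]\x00){3,8}"          # the same word stored as UTF-16LE
PATTERNS = {
    "ascii": re.compile(rb"(?<![a-z])" + W + rb"(?: " + W + rb"){11,23}(?![a-z])"),
    "utf-16-le": re.compile(rb"(?<![a-z]\x00)" + W16 + rb"(?: \x00" + W16
                            + rb"){11,23}(?![a-z]\x00)"),
}
OVERLAP = 512   # longer than the longest match (24 words in UTF-16LE = 430 bytes)


def carve_phrases(stream, chunk_size=1 << 20):
    """Return sorted (byte_offset, encoding, text) candidates found in stream."""
    hits = []
    for enc, rx in PATTERNS.items():
        stream.seek(0)
        tail, base, last_end = b"", 0, 0      # base = image offset of buf[0]
        while True:
            chunk = stream.read(chunk_size)
            eof = len(chunk) < chunk_size
            buf = tail + chunk
            # A match starting in the final OVERLAP bytes may be cut short by
            # the read boundary, so it is left for the next, longer buffer.
            limit = len(buf) if eof else len(buf) - OVERLAP
            for m in rx.finditer(buf):
                start = base + m.start()
                if m.start() >= limit or start < last_end:
                    continue                  # deferred, or already reported
                last_end = base + m.end()
                hits.append((start, enc, m.group().decode(enc)))
            if eof:
                break
            tail = buf[-OVERLAP:]
            base += len(buf) - len(tail)
    return sorted(hits)


def build_sample_image():
    """Constructed image: 0xFF filler plus one made-up phrase per encoding."""
    phrase = ("alpha bravo charlie delta echo foxtrot "
              "golf hotel india juliet kilo lima")
    img = bytearray(b"\xff" * 4096)
    for offset, raw in ((1000, phrase.encode("ascii")),
                        (3000, phrase.encode("utf-16-le"))):
        img[offset:offset + len(raw)] = raw   # both straddle a 1024-byte read
    return io.BytesIO(bytes(img)), phrase
```

Candidates still need checking against the wallet's wordlist, since ordinary lowercase prose also matches this shape.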
3  Bitcoin / Bitcoin Technical Support / Re: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? on: December 06, 2017, 08:25:55 PM
hmm, thank you.  How do I go about finding the best of the best SSD data recovery company, location not an issue - but obviously discretion/confidentiality/likelihood of them not stealing my coins is a huge concern.  Singapore/Tokyo possibly the easiest for Asia?
4  Bitcoin / Bitcoin Technical Support / Re: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? on: December 06, 2017, 07:23:15 PM

The first question which comes to mind is, did the drives have TRIM run over them?  (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.)  Or were they only formatted?  Some OS may do this on install.  I know nothing about Microsoft’s recent offerings.

Before anything else, if I were you, I would image the drives; then, work off the image.  I don’t have many immediate recommendations, other than that.  But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.

If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you.  (Perhaps a real hardware hacker would know better.)  .........  That is another reason to not work directly off the drives.

I've read this before, and do not know, although also saw this:  Windows 7 and above are set to automatically enable TRIM on solid-state drives.  I purchased a USB cable adapter for both drives, will make an image of both in order to work from.


Do you mean some kind of software “sticky note”?  Oh, I see.  At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”

yep, digital stickynote, which may also be located in the appdata/microsoft folder it seems, although on my newest computer I cannot locate it.



Afterwards you should only work on the 2nd copy and let the original disk stay unused (every single action could "destroy" the information on the memory cell containing your private keys).
If you have stored large amounts of BTC I would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).
If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist at forensics.

Will do, tyvm for the write blocker tip.  Seems like paying a specialist is going to be my only option, but I'll still make a quick image of each drive to run scans on with multiple softwares anyways.

The computer was used for weeks, but only for this guy's daughter to watch movies.  No programs installed at all, just very light browsing, mostly youtube.  I'd hope that a quick plugin to copy an image of each of the drives and looking for myself won't cause considerably more damage or overwriting?  I'm obviously skeptical of sending the drives in to a company in a 3rd world country to look at for weeks, telling them to look for untraceable cryptocurrency and hoping they just hand it over if found.

I've found the following software and planning to try:
recuva
ReclaiMe
Yodot Hard Drive Recovery
undeleteplus.com
easeus.com
testdisk

It seems like my next step is both to research write-blockers and how to make an image copy of each drive. 

Mod please feel free to move to appropriate forum.  Thank you all for the suggestions thus far.

5  Bitcoin / Bitcoin Technical Support / Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? on: December 06, 2017, 06:28:41 AM
First of all, I'm an idiot.  

Had everything properly backed up before I had to switch wallets to claim BCH.  Made new electrum wallet and had wallet info saved in the following locations:  

Seed written on stickynote on desktop
encrypted notepad file with various crypto data
electrum wallet.dat file (encrypted within electrum, but I still have password to unlock this).

Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate.  Showed up at that address, promised no problems, offered large reward.  Now I have my computer again with the original drives still in it.  Zero new programs were installed, just a fresh OS.  Computer was being used by a 6 year old girl to watch bollywood movies, lol.  

OS was being run off a 128gb M2 SSD drive.  This is where the new OS is currently installed as well.  I took out this M2 drive and put it in my newly purchased computer.  Runs fine, fresh OS.

Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under my computer.  Disk management does recognize the 2.5" drive, yet it says file system "raw", status "healthy", % Free "100%".  I'm assuming they formatted this drive as well.  Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS.  Downloads folder and possibly electrum are on the 2.5" drive.

I've read through 10+ threads, all with various suggestions.  I don't want to risk overwriting the drive any more than necessary.  M2 drive has fresh OS, 2.5" drive seems to have been wiped and only shows up under disk management.

Suggestions on where to begin?  I am still in touch with the family that purchased the stolen computer.  They seem willing to help as I generously compensated them for their honesty/responsiveness and work in IT themselves.  Plans today were to purchase a USB to SATA cable in order to mount the 2.5" drive, and hopefully locate an M.2 SATA External SSD Enclosure - USB 3.0. Then I can begin with some home data recovery systems.  Recommendations appreciated.  
6  Alternate cryptocurrencies / Tokens (Altcoins) / Re: [ANN][EXY] Experty.io - Get Paid Calls For Your Expertise 📱 on: November 01, 2017, 07:05:40 AM
experty was not on my radar at first, but many friends kept touting it, reinforcing how strong the team is and product implementation underway - the more I look into things the more it does seem to be a viable service if marketed correctly, which if anyone will do, it's the team they have put together.  looking forward to following your progress
7  Alternate cryptocurrencies / Tokens (Altcoins) / Re: [ANN]🔵🔵 OYSTER 🔵🔵 Anonymous Storage Generates Revenue for Websites on: October 24, 2017, 11:21:49 AM
I for one am excited to see what happens in this space of decentralized computer resource sharing from a p2p perspective.  Projects seem to have been in the works for years now but not much has materialized.  Hoping that in 2018 some of the development that has been taking place for years starts to come to fruition.  ETH blockchain based data storage with smart contracts will be a part of the future, just depends on who gets there first and gets adopted by the masses.  Following on twitter and telegram, thanks for the airdrop