Bitcoin Forum
1  Bitcoin / Bitcoin Technical Support / Guide to BitCoin wallet data recovery on: August 21, 2018, 10:17:20 AM
I made this guide for the folks over at /r/bitcoin but thought you all could get some use out of it too. If you have any questions, post them and I'll do my best to answer them : )

After seeing a lot of dangerous advice about DIY ways of recovering Bitcoin, I wanted to write a guide to help other HODLers recover their wallets when their hard drives crash. This guide is mostly oriented towards conventional spinning disks but I have some tips for phones, SSDs, etc. I have been doing data recovery professionally for over 10 years at a firm that shall remain nameless, so I have a great amount of expertise in diagnosing and recovering from various media, operating systems, etc. If needed, I'd be happy to provide proof to the mods.

BEFORE CONTINUING TO READ THIS GUIDE OR ATTEMPTING ANY DATA RECOVERY TURN OFF AND DISCONNECT THE DEVICE YOU WISH TO RECOVER DATA FROM. ANY FURTHER USE OF THE DEVICE GREATLY LESSENS THE CHANCE YOUR DATA WILL BE RECOVERABLE!

As a general disclaimer: If you suspect or know your device is failing and you have Bitcoin or other valuable data on it, the safest route is to send your device to a data recovery lab that has the appropriate training and equipment to recover it. Stop and think about how much your data is worth. If it's worth paying $300-$1500 to recover (or will be worth this in the future when you have more money), DO NOT ATTEMPT TO RECOVER IT YOURSELF. I understand you are freaked out right now that your BTC may be lost forever, but you will make the best decision with a calm mind that takes its time to think through things. You may only get one chance at a successful recovery. Every time you do any attempts at DIY recovery, you lessen the chances that your data will be recoverable. This is especially true if you have a drive that failed directly after being dropped, is making clicking or grinding noises, or had liquid damage of any kind. Even spinning up a drive once for a few seconds that has a damaged head can permanently destroy your data by literally scraping it off the platters. All that being said, if it's worth taking the risk, hopefully this guide can help you. I am providing this information without any warranty. If you lose all your data following my instructions, that's your own fault for not taking it to a professional. For many of the links referenced in here, I may have not tested the instructions fully. I have my own way of doing things in the shop which isn't written down and uses much more advanced tools, so for any step which uses external instructions, try to read a few other guides as well to make sure you know what you're doing before you try doing it.

If you do take your device to be recovered professionally, transfer your BTC to a new wallet. Many data recovery providers will be happy to sign NDAs, but it's better to protect yourself by simply emptying the wallet they had access to.

Step 1: Diagnose your device

The first step in recovering your data is determining the health of the device.
  • If you accidentally deleted your wallet or formatted your device but your device is in otherwise good health, you have a good chance of being able to recover your data. A professional recovery like this can run as low as $300.
  • If your device stopped working (or got significantly less functional) directly after a fall and it is a conventional spinning disk drive, there is a good chance there is damage to the heads, platters, or both. A professional could recover data from this scenario for $600 to over $1,000 depending on the situation. Head swaps are complex enough that they're beyond the scope of this guide. I would suggest [this guide](http://hddsurgery.com/pdfs/samtshbfinal.pdf) and [this video](https://www.youtube.com/watch?v=uIPZtJyrVPw) which show how head swaps work in general and [this guide](https://www.donordrives.com/blog/matching-guide) for finding appropriate donor drives. Some drives you can find donors for by simply matching some information from the drive label on eBay, others require advanced equipment like a PC-3000. This is because some drives have specific information about them (microjogs etc) which you can't know unless you can access the drive's terminal and firmware. I implore you to send cases like this to a professional. I should add that while many places say you need a clean room if you open a drive, this is not the case. Clean rooms are great if your data is worth thousands of dollars and you can afford the clean room rate, but you can successfully run a drive after opening it without a clean room, some drives will even operate just fine, for hours, with the cover off. If a piece of dust or pollen gets in-between the drive heads and the drive platters (often this space is mere nanometers), it can rip the data off the platters. However, as drives spin they create an air pocket which can prevent such dust from landing on it. There is an element of risk in non-cleanroom recovery, and that risk is real, but it is not nearly as dire as some data recovery companies present it to be. If you don't believe me, take a hard drive you don't care about, open it, re-assemble it, and see if it works. 
    It probably will, though some drives like WD may not because a screw in their case is needed to properly operate the actuator arm. And I wouldn't suggest continuing to use that drive for obvious reasons.
  • If your device was damaged by water, you should dry out the device first as much as you can. Tricks like rice are dumb, all they do is prevent air from getting to your device and drying it out. Simply leaving your device out in the open air and time is all you need, though you can speed the process with some gentle heat. If you got your laptop, phone, or other enclosure wet, remove the data storage device from the enclosure itself. By gently cleaning the device with rubbing alcohol (99% or higher suggested) and a q-tip, you can arrest much of the corrosion and speed the drying process. The cost of having a device damaged by water recovered varies greatly depending on the device type, what was damaged, etc. But don't expect to get this recovered for less than $600.
  • Do not put your device in the freezer. Doing so creates condensation on the platters which will destroy your data and it leaves you with less room to store leftovers. This technique can work in an extremely limited set of scenarios, but you'd be better off simply placing the drive in front of an air conditioner than subjecting it to a freezer if you happened to be in one of those scenarios. Which I would bet good money you are not.
  • Conventional hard drives make all sorts of interesting noises when they fail. If you hear a noise that sounds like grinding or scraping, stop attempting the recovery immediately and inspect the platters and heads, it's likely that you have a crashed head. If you hear clicking, this can be caused by PCB/firmware issues or platter/head damage. Clicking can also be caused by damage to/corruption of the service area of the drive which can be bypassed or repaired with advanced equipment.
  • Inspect the PCB board on the outside of the drive by removing it and using a magnifying glass if necessary. If you see any areas that are burned or smell smoky, the PCB likely needs to be replaced. PCB damage is more likely if your device failed directly after a power outage/brownout/power supply failure in your machine. You cannot simply swap a PCB board, you need to transfer the ROM and adaptive information using a tool like a PC-3000 or by de-soldering the ROM chip and re-soldering it to a new board. Many sellers on eBay can do this for you for around $60-$80, Outsource data recovery also [offers this for $60](https://outsourcedatarecovery.com/repair-services/), I have used them in the past and they are great. If you have contacts that are corroded or dirty, gently clean them with an eraser. Data recovery for drives with damaged PCBs typically runs $400-$800.

Step 2: Attempt to image the device

If the device turns on and spins up (even if there is some clicking) but doesn't show up as a drive on your computer, there's a decent chance you can still recover the data using a Linux live CD/USB and ddrescue. Here's [a guide for that](https://www.data-medics.com/forum/how-to-clone-a-hard-drive-with-bad-sectors-using-ddrescue-t133.html). Ddrescue makes an image of the entire drive sector-by-sector and is agnostic to filesystems (meaning it will work on drives from any operating system, SD cards, DVDs, etc). The image will take up the same amount of space as the device you're imaging. So if you are imaging a 500GB drive, the ddrescue image will be 500GB. It's important to make an image FIRST before attempting recovery with any software. Once you make the image, you can work on copies of the image and throw as much software at it as you want as opposed to running the software on the drive and risking losing the data permanently. If you have more than a couple dozen bad sectors, ddrescue can shred your disk in the process of trying to image it. This would likely be due to platter damage or a bad head. If the drive doesn't register in a Linux live CD/ddrescue doesn't work on it (and you've ruled out a PCB swap), you won't be able to recover the data without investing in expensive data recovery hardware or sending it to a pro. Sorry.

If the device you're imaging is an Android phone, a [guide like this](https://dfir.science/2017/04/Imaging-Android-with-root-netcat-and-dd.html) can help you make a dd image of the internal memory.

Side note: There are some cases where imaging may not be the way to go. For example, if you know the file's location (and it wasn't deleted or is still in the MFT), some tools will be able to recover it by only touching the sectors they need to. A drive with platter damage or crashed heads (where the data isn't affected by the crashed head) or failing but sometimes working heads is an example of where such a technique might be valuable. By doing this, you lessen the chance that you'll accidentally destroy your wallet in attempts to image less important parts of the drive.

Step 3: Run recovery tools on the image to recover your wallet

Once you have an image of your device, you can now try various software tools to recover data from the image. The easiest thing to do is mount a read-only image in [Windows](https://www.osforensics.com/tools/mount-disk-images.html) or [Linux](https://major.io/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/) and see if you can use the drive as normal and see your files. If you deleted your wallet or formatted your drive, this will not work.

If you deleted your wallet, you will need to use a file undeletion tool or a file carving tool. When files are deleted, they are not actually deleted, merely the pointers to those files are deleted. It's akin to taking down all the highway signs to New York but leaving the city there. Depending on the filesystem, the pointer may still exist and simply have a "deleted" flag next to it. File carving is used when this isn't the case and your data is somewhere in the "un-used" portion of the drive. DMDE, R-Studio, and GetDataBack are all great tools to undelete files.

If you formatted the device your wallet was stored on, you'll need to recover the original formatting or use a file carving tool. Testdisk is a great free tool for searching for partitions and filesystems. R-Studio, DMDE, and other tools can also do this.

For file carving, you need to know which type of wallet you want to recover as different tools support different wallet formats. Many recovery programs simply call file carving RAW recovery/deep search. If file carving doesn't find your wallet, but you know some keys, addresses, or notes you kept in your wallet, you can manually search the entire drive with a hex editor that supports large files. [Photorec](https://www.cgsecurity.org/wiki/PhotoRec) is a free file carving tool which can recover wallets. There are also [specialized tools](https://Bitcointalk.org/index.php?topic=25091.0) for this purpose.

Step 4: You recovered your wallet but don't know the password

The guy behind [walletrecoveryservices.com](http://www.walletrecoveryservices.com) can crack your password in some instances. He has done some amazing work and is one of the few people who offers this service.

Step 5: Importing your wallet and setting up a backup system

Back up your existing wallet(s) and try importing the one you recovered. If it fails to import, you may need to extract the private keys from it and import those manually as the wallet could be corrupted. File carving is likely to produce corrupted wallets.

Once you have imported your wallet successfully, set up a backup system so this never happens to you again!

I intend to update this guide once I know more about what parts people find confusing or useful.
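
The manual search described in Step 3 (looking through the whole image for keys, addresses, or notes you know were in the wallet) can be scripted instead of done by hand in a hex editor. This is an added example, not part of the original post: the function names, the 512-byte sector size and the sample address string are assumptions made for illustration, and it is meant to be run against a copy of the image, which it only reads.

```python
import os
import sys
import tempfile

CHUNK = 16 * 1024 * 1024   # read 16 MiB at a time so large images never sit in RAM
SECTOR = 512               # assumed sector size, used only for reporting/alignment


def find_known_strings(image_path, needles, chunk_size=CHUNK):
    """Return sorted (byte_offset, needle) hits. The image is opened read-only."""
    needles = [n.encode() if isinstance(n, str) else bytes(n) for n in needles]
    if not needles or not all(needles):
        raise ValueError("need at least one non-empty search string")
    overlap = max(len(n) for n in needles) - 1   # carry-over so boundary hits are seen
    hits, tail, base = set(), b"", 0             # base = image offset of buf[0]
    with open(image_path, "rb") as img:
        while chunk := img.read(chunk_size):
            buf = tail + chunk
            for n in needles:
                pos = buf.find(n)
                while pos != -1:
                    hits.add((base + pos, n))    # set: the overlap can re-find a hit
                    pos = buf.find(n, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)


def carve_window(image_path, offset, out_path, before=1 << 20, after=1 << 20):
    """Copy the sector-aligned region around a hit to its own file; return its start."""
    start = max(0, offset - before) // SECTOR * SECTOR
    with open(image_path, "rb") as img, open(out_path, "wb") as out:
        img.seek(start)
        out.write(img.read(offset + after - start))
    return start


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: script.py IMAGE_COPY STRING [STRING ...]
        for off, needle in find_known_strings(sys.argv[1], sys.argv[2:]):
            print(f"{needle!r} at byte {off} (sector {off // SECTOR} + {off % SECTOR})")
    else:                    # no arguments: demo on a small constructed image
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(b"\0" * 1000 + b"1ConstructedAddrXYZ" + b"\0" * 600)
        print(find_known_strings(f.name, ["1ConstructedAddrXYZ"], chunk_size=16))
        os.remove(f.name)
```

A hit only tells you where to look: carve the surrounding region to its own file and examine that, rather than working on the full image.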