Old HDD with wallet.dat, several reformatting and heavy use, is all hope lost?

[ice-gram]

I got some bitcoins back in 2011. Recently I found the old HDD where I put the wallet.dat file. The HDD had been reformatted several times and used as the system disk (drive C:) for several years.
I followed the instructions in this post: https://bitcointalk.org/index.php?topic=2857580.0 and made an image of the disk and searched for 308201130201010420 with WinHex. No results. (I have tried to search for other values to make sure I'm doing it right.)
So, is all hope lost? Is there any other way where I can try to retrieve my bitcoins, or should I just give up?
Thank you very much.

[kano]

Formatting a HDD in windows or linux usually does very little to the HDD.
It usually just resets the disk headers and disk usage information to 'empty'

However, using the HDD repeatedly will of course wipe over old data.
There are various free 'undelete' programs that may find old files, and it is possible (but unlikely) to find parts of the wallet file.

It's unlikely, but if your time is worth less than how much the wallet is worth, keep looking

[HCP]

Did you try any data recovery tools? Or did you just make an image of the drive and search through the image?

[BASE16]

Mount the disk read only in linux and use photorec to copy all files that are found to another harddisk, and then look for files that have .db extension.
If you find any of those use the file <filename> command to examine the exact file type and if its a Berkeley DB Btree then it's most likely your wallet.
Photorec works on RAW data so it will not restore actual filenames like for example wallet.dat.
In stead it will give each file it finds a number, and look at the bytes and try to figure out the filetype from that so it does not matter how many times you formatted the drive if the bytes are still there then you will find it.

See here for more: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
This tutorial suggests to try testdisk first but in your case it is best you start with Photorec directly.

[ice-gram]

Thanks for all your replies.

However, there are few other magic bytes you could try such as 62 31 05 00 09 00 00 00 according to https://bitcoin.stackexchange.com/a/41450.

I tried but couldn't find anything. I also tried the other bytes in the linked post. I found some results for "defaultkey" but what follows the string is "site-packages/route.py". I guess it's from some other apps and not what a normal wallet.dat file contains?

Did you try any data recovery tools? Or did you just make an image of the drive and search through the image?

Yes, I first tried some data recovery tools such as disk genius. I couldn't find any file named "wallet.dat" and got thousands of unnamed files which are impractical to go through manually.

Mount the disk read only in linux and use photorec to copy all files that are found to another harddisk, and then look for files that have .db extension.
If you find any of those use the file <filename> command to examine the exact file type and if its a Berkeley DB Btree then it's most likely your wallet.
Photorec works on RAW data so it will not restore actual filenames like for example wallet.dat.
In stead it will give each file it finds a number, and look at the bytes and try to figure out the filetype from that so it does not matter how many times you formatted the drive if the bytes are still there then you will find it.

See here for more: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
This tutorial suggests to try testdisk first but in your case it is best you start with Photorec directly.

Thank you very much. I tried this software. I looked for .db files and couldn't find anything. Looking for other types of files yields some results. I wonder if I should look for all types and turn on options like "brute force"?

[HCP]

In that case, it looks very very likely that you are not going to be able to recover anything of value

I guess it can't hurt to try looking for all files and trying the brute force option... at worst you'll waste some time, at best you might you might stumble across a wallet file.

Best of luck.

[BASE16]

Thanks for all your replies.

However, there are few other magic bytes you could try such as 62 31 05 00 09 00 00 00 according to https://bitcoin.stackexchange.com/a/41450.

I tried but couldn't find anything. I also tried the other bytes in the linked post. I found some results for "defaultkey" but what follows the string is "site-packages/route.py". I guess it's from some other apps and not what a normal wallet.dat file contains?

Did you try any data recovery tools? Or did you just make an image of the drive and search through the image?

Yes, I first tried some data recovery tools such as disk genius. I couldn't find any file named "wallet.dat" and got thousands of unnamed files which are impractical to go through manually.

Mount the disk read only in linux and use photorec to copy all files that are found to another harddisk, and then look for files that have .db extension.
If you find any of those use the file <filename> command to examine the exact file type and if its a Berkeley DB Btree then it's most likely your wallet.
Photorec works on RAW data so it will not restore actual filenames like for example wallet.dat.
In stead it will give each file it finds a number, and look at the bytes and try to figure out the filetype from that so it does not matter how many times you formatted the drive if the bytes are still there then you will find it.

See here for more: https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
This tutorial suggests to try testdisk first but in your case it is best you start with Photorec directly.

Thank you very much. I tried this software. I looked for .db files and couldn't find anything. Looking for other types of files yields some results. I wonder if I should look for all types and turn on options like "brute force"?

Ok so the best thing you can do is to look for files like jpg and png, these are image files (or mp3 if you are into music etc.) and if it finds any you open them and see if they are from the previous system installation.
If that is the case then you found proof that there is residual data from the former installation still on that disk.
This is likely because when you reinstall the operating system it will usually do a soft format by just wiping the partition table and leaving the old data it'self intact.
If you really wanted to destroy the data it would have be overwritten by manually making a hard/total format which could take a very long time for big disks, or you would have had used the new operating system extensively and filled up the drive to near full capacity thereby also overwriting the old data.
So if you can find any files that belong to the previous installation, then this indicates that you need to do a deeper scan

[kaggie]

I could add even more. Applying the specialized equipment it is possible  to restore the old info  that were repeatedly wiped over and  overwritten by new data. This is because the  heads of any HDD are  not remain  perfectly positioned every time the plates spin.  Generally speaking the reliable destruction of data HDD holds is a challengeable problem. That is why such erasing scheme  scheme as  Gutman, USDoD 5220.22-M, Shneier and some others were developed.

That may be true, but the difficulty of doing such is quite extreme.
It also would depend on how many times the disks spun over the overwritten data, and the reliability
of the positioning between each spin. Depending on the manufacturer, there would be higher/lower chances
of recovery.

Data recovery for a hard disk can be near a grand for mechanical failure, for a normal disk.
Overwritten data will cost quite a bit more to recover, require much more specialised services,
and has an even lower guarantee for success.

If a person really lost a significant amount of early bitcoin, they could attempt such recovery -
but then you run into all sorts of additional issues. The data would likely be unencrypted, and I
imagine that recovery centers have all sorts of reporting or checking that they do to prevent
themselves from legal trouble.

A user that attempted such a recovery would have a hard time keeping their bitcoin if successful,
and it's not even clear that such a thing would be successful -- especially because it depends on the
number of rewrites.