Another recovery attempt

[Stillgotitye]

Hello,

I've given up hope of solving this without checking in here.

Short story. Did some mining back in 2014. Got a few payouts, nothing major. Found a wallet.dat file dated back to 2014 in my online drive. Ran R-Studio and recovered a few more files from the drive that was used at that time, with another wallet.dat dated to 2014 (I assume is same) and a wallet_backup.dat dated to 2017. The hunt began.
Found login to my slush pool account that was used for the mining, saw the payouts and found my public adress. Coins still there, nice, not enough to quit the job but could still pay a decent vacation or gaming rig. Worth investigating. I've now spent every eveening of the last week trying to find the private key inside the files, to no avail. So posting here is my last resort. After that I'm giving up.

What's been tested:

• Replacing wallet.dat in Bitcoin Core, error: wallet.dat: unexpected file type or format
• Importing to Electrum
• PyWallet (ofc) (https://github.com/jackjack-jj/pywallet)
• Bitcoin wallet recovery tool (https://github.com/ameijer/bitcoin_wallet_recovery_tool) after checking source
• btcrecover (https://github.com/3rdIteration/btcrecover)
• Winhex and searching for common values as found here https://bitcointalk.org/index.php?topic=5071775.msg48043999#msg48043999
• Googling a shit ton

What I have:

• wallet.dat (dated 2014)(6kb) file found in Drive
• wallet.dat (dated 2014)(6kb) file recovered from harddrive
• wallet_backup.dat (dated 2017)(1336 kb)
• A bunch of other files like peers.dat, fee_stimates.dat, mempool.dat dated to 2017

I suspect the files dated to 2017 are irrelevant, I think might have tried to load in the old wallet.dat once before but gave up instantly.

All recovered files seem to have som wierd encoding that I suspect are creating all these issue, opened in Notepad.

https://imgur.com/a/tyP3PuN

Anyone who has any idea on how to "decode" these files? Or is it an corruption?

[jackg]

Files encrypted with a password could look something like that too, it's not too much to go off to determine if it is irrecoverable.

Are the drive and hard drive files the same size? (they probably won't be but I'd be interested to know as that might tell you quite decisively if they're corrupted or not).

You did say you imported them into those recovery tools but didn't provide too much info of what they returned - was it just a standard output or did it give anything more (I'm not sure what they would return but you could share the labels on stuff just not private keys or anything that should be kept secret).

[Stillgotitye]

Files encrypted with a password could look something like that too, it's not too much to go off to determine if it is irrecoverable.

Are the drive and hard drive files the same size? (they probably won't be but I'd be interested to know as that might tell you quite decisively if they're corrupted or not).

You did say you imported them into those recovery tools but didn't provide too much info of what they returned - was it just a standard output or did it give anything more (I'm not sure what they would return but you could share the labels on stuff just not private keys or anything that should be kept secret).

Hi, thanks taking your time and responding.


By "Drive" i mean Google Drive, and yes, they are same size, 6 kb. Seems a bit small?

The general theme is that the file is either unreadable/not recognizeable or that it's not detected as a wallet.

Pywallet:
Running command: python pywallet.py --wallet=recoveredFromHDD/wallet.dat --dumpwallet (tried this on the other one as well)
Using python3. Also tried printing out the some data but from breakpoints in code but conclusion was that bsddb module failed to load the file or did not understand the format.
"(22, 'Invalid argument -- BDB0210 recoveredFromHDD\\wallet.dat: metadata page checksum error')
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again."
Bitcoin was not running at this point, and system was restarted since last running Bitcoin.
It did generate some files tho, not sure if it's relevant: __db.001, __db.002 up until __db.006

Bitcoin wallet recovery tool:
Somehow loaded in the file, I assume it just converted every byte of the file to hex and then checked every possible combination of public and private key. No hits.


btcrecover:
Ran command: python btcrecover.py --tokenlist tokens.txt --wallet wallet.dat
Result:
Starting btcrecover 1.11.0-Cryptoguide on Python 3.9.6 64-bit, 21-bit unicodes, 64-bit ints
Error: unrecognized wallet format; heuristic parser(s) reported:
    WalletPywallet: 'charmap' codec can't decode byte 0x9d in position 100: character maps to <undefined>
    WalletMultiBitHD: MultiBit HD wallet files must be named mbhd.wallet.aes
    WalletBlockchain: 'charmap' codec can't decode byte 0x9d in position 100: character maps to <undefined>


Got similar error as above when I tried to load it into Electrum as well, about some character at some position that was invalid.

Let me know if I missed some info.

[BitMaxz]

If you always get those errors related to the wallet file format then the wallet.dat file might be corrupted.
You tried almost all possible tools to recover that wallet but I'd like to suggest that better to get help from a professional recovery service.

You can try to contact them here http://walletrecoveryservices.com/
Or go to their official thread here https://bitcointalk.org/index.php?topic=240779.0

[jackg]

The general theme is that the file is either unreadable/not recognizeable or that it's not detected as a wallet.

Out of curiosity, would you have heard of steganography at the time of creating these files? I'm just wondering if you had a "favourite thing to do to files" at some point to hide them - examples are as simple as changing file names to obscure what they are.

And I don't think 6kb is too small if you only had a few keys in it.

I think there are ways to skip the heuristics that are normally run to chack the encoding of a wallet file but I assumed those would be inbuilt and it probably isn't a wallet file as I doubt Google drive would be likely to corrupt files and not make backups.

[Stillgotitye]

The general theme is that the file is either unreadable/not recognizeable or that it's not detected as a wallet.

Out of curiosity, would you have heard of steganography at the time of creating these files? I'm just wondering if you had a "favourite thing to do to files" at some point to hide them - examples are as simple as changing file names to obscure what they are.

And I don't think 6kb is too small if you only had a few keys in it.

I think there are ways to skip the heuristics that are normally run to chack the encoding of a wallet file but I assumed those would be inbuilt and it probably isn't a wallet file as I doubt Google drive would be likely to corrupt files and not make backups.

Now that you mention it, I have a vague memory of possibly using some sort of key chain tool to save the wallet info, but i'm not sure, and don't remember name. It is possible I did encrypt it somehow to make it "extra safe", just wish I knew what tool I possibly used, and I assume it would need a salt to decrypt
Is it possible to somehow detect if the file as a whole file is actually encrypted? (Not just the normal passphrase).
Remember if there was any "security" tools for wallets around 2014 that ware popular?

I'm fairly certain it's a an actuall bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).

[Stillgotitye]

If you always get those errors related to the wallet file format then the wallet.dat file might be corrupted.
You tried almost all possible tools to recover that wallet but I'd like to suggest that better to get help from a professional recovery service.

You can try to contact them here http://walletrecoveryservices.com/
Or go to their official thread here https://bitcointalk.org/index.php?topic=240779.0

Might try that as last resort. Thanks!

[NotATether]

Files such as peers.dat and mempool.dat etc. have nothing to do with your wallet so forget about them.

Is it possible to somehow detect if the file as a whole file is actually encrypted? (Not just the normal passphrase).
Remember if there was any "security" tools for wallets around 2014 that ware popular?

I'm fairly certain it's a an actuall bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).

Bitcoin Core never encrypts the entire wallet.dat, just the parts that contain the private keys.

Do you remember if you password-protected the wallet.dat (using Core, not some encryption tool)? Can you even open the file in score anymore (at least get to the password prompt phase)?

If it's yes to both of these questions, you can try using Bitcoin2john to get the wallet hash and then brute force the password using Hashcat. Then you should be able to unlock the wallet normally from Core. We wrote all about it here: https://notatether.com/tutorials/what-is-the-bitcoin2john-script-and-how-do-you-use-it/

[Stillgotitye]

Files such as peers.dat and mempool.dat etc. have nothing to do with your wallet so forget about them.

Is it possible to somehow detect if the file as a whole file is actually encrypted? (Not just the normal passphrase).
Remember if there was any "security" tools for wallets around 2014 that ware popular?

I'm fairly certain it's a an actuall bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).

Bitcoin Core never encrypts the entire wallet.dat, just the parts that contain the private keys.

Do you remember if you password-protected the wallet.dat (using Core, not some encryption tool)? Can you even open the file in score anymore (at least get to the password prompt phase)?

If it's yes to both of these questions, you can try using Bitcoin2john to get the wallet hash and then brute force the password using Hashcat. Then you should be able to unlock the wallet normally from Core. We wrote all about it here: https://notatether.com/tutorials/what-is-the-bitcoin2john-script-and-how-do-you-use-it/

I'm 70% sure I did password protect it, and have a list of possible combinations.

Can't load wallet in Core tho, tried both of these approaches:
Replacing default wallet.dat and starting it up. Throws "error: wallet.dat: unexpected file type or format" and closes.
Adding "-datadir=....." to shortcut and then manually trying to load the wallet via Bitcoin Core terminal/console, "loadwallet wallet.dat". Gives:
"Wallet file verification failed. Failed to load database path 'x:\xxx\wallet.dat'. Data is not in recognized format. (code -18)"

So, I'm not getting prompted to actually enter any password yet.

[LoyceV]

a wallet_backup.dat dated to 2017. ~ (1336 kb)

Have you tried loading this one into Bitcoin Core? The file size looks much more similar to my own backups, so don't dismiss it without trying.

[Stillgotitye]

a wallet_backup.dat dated to 2017. ~ (1336 kb)

Have you tried loading this one into Bitcoin Core? The file size looks much more similar to my own backups, so don't dismiss it without trying.

Hi, yes, actually tested all the same things as on the other wallet.dat. Same errors from all tools and Bitcoin Core.

Don't know about size. I have found two public address that could possibly be contained inside them, very few transactions in total.
7 in the main one.
1 in the possible extra.

Could it be something about them being written in different file system or older windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use.
Maybe the hdd recovery messed something up in them?

Gonna try move them to a FAT formated thumbdrive, but I suspect I shouldn't make a difference.

[LoyceV]

Could it be something about them being written in different file system or older windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use.
Maybe the hdd recovery messed something up in them?

HDD recovery can lead to incomplete files, but other than that, "untouched" files should remain just fine. However, I've seen far too many topics made by people complaining about corrupted old wallets, and I don't know what causes that. All my files from years ago are still accessible (unless the disk stops working), so I would expect wallet.dat files not to change "by themselves". I didn't join Bitcoin early enough to have files from before 2015, so I can't test if it's a compatibility problem.

Gonna try move them to a FAT formated thumbdrive, but I suspect I shouldn't make a difference.

Unless you're getting the file from "the original", moving the existing corrupted file won't matter.

[Stillgotitye]

Could it be something about them being written in different file system or older windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use.
Maybe the hdd recovery messed something up in them?

HDD recovery can lead to incomplete files, but other than that, "untouched" files should remain just fine. However, I've seen far too many topics made by people complaining about corrupted old wallets, and I don't know what causes that. All my files from years ago are still accessible (unless the disk stops working), so I would expect wallet.dat files not to change "by themselves". I didn't join Bitcoin early enough to have files from before 2015, so I can't test if it's a compatibility problem.

Gonna try move them to a FAT formated thumbdrive, but I suspect I shouldn't make a difference.

Unless you're getting the file from "the original", moving the existing corrupted file won't matter.

I just notice another thing. In the transactions for the addresses checking https://www.blockchain.com/ i notice that the payouts from slushpool are dated 2011. While in slushpool(mining site) they are dated 2014. Weird. But the number of transactions and the btc amount in them matches. I assume https://www.blockchain.com/ info is the correct one. I guess slushpool was bitcoincz back in the days, maybe they just moved the transactions up in their own database when they "moved" to become Slushpool (https://en.bitcoin.it/wiki/Slush_Pool).

So this could be a wallet from 2011. If that changes anything? Doesn't explain the modified date of the file tho (2014). Maybe that's the when I formated the harddrive.

[LoyceV]

I assume https://www.blockchain.com/ info is the correct one.

Probably, but to be thorough, you can compare blockchair.com too.

[nc50lc]

I just notice another thing. In the transactions for the addresses checking https://www.blockchain.com/ i notice that the payouts from slushpool are dated 2011. While in slushpool(mining site) they are dated 2014. Weird. -snip-

You can check the "block height" where the transaction is included.
That way, you can get a close approximate of the txn's date based from the height even if blockexplorers' dates wont match;
In blockchain.com, it is labeled as "Included in Block".

[Stillgotitye]

I just notice another thing. In the transactions for the addresses checking https://www.blockchain.com/ i notice that the payouts from slushpool are dated 2011. While in slushpool(mining site) they are dated 2014. Weird. -snip-

You can check the "block height" where the transaction is included.
That way, you can get a close approximate of the txn's date based from the height even if blockexplorers' dates wont match;
In blockchain.com, it is labeled as "Included in Block".

Checked blockchair.com also. Date same as in blockchain.com. Also found emails from slushpool about payouts also dated 2011. So it's from 2011.

But knowing the date probably doesn't help recovering it anyhow. Probably gonna send it in to some third party service tomorrow to check if they have any luck.
Doesn't look like I will be able to make any progress with all the tests done so far.

[Stillgotitye]

Update.

Decided to throw a last hail mary and search whole drive using WinHex. Following these instructions:
https://bitcointalk.org/index.php?topic=1983382.msg19809022#msg19809022

Theory, recovered wallet.dat is only partial and corrupt. Possible bytes containing private key information might still linger on HDD.

[HCP]

Theory, recovered wallet.dat is only partial and corrupt. Possible bytes containing private key information might still linger on HDD.

Possibly, but if your memory about password protecting your wallet.dat file is correct, your chances of recovery them using a hex search are essentially zero. The hex searching is only really applicable to unencrypted wallet.dat files.

Based on the errors you were getting with the wallet.dat and common tools (Bitcoin Core, btcrecover etc), it honestly just seems like the wallet.dat files you have are corrupted

Best of luck with your continuing search tho!