Looking for advice to recover an Armory wallet

[fatt]

Hello,

I think I'm running out of luck trying to recover a wallet I've had with Armory for a while. The tl;dr is that I unfortunately lost my paper backup and offline machine to extensive water damage in my apartment. My only shred of hope is a usb key I once used as a persistent bootable disk that had the wallet + offline copy on it. It's been reformatted for other purposes (before the leak incident), but I've been running data recovery tools on it to get any scratchings I can from it. I still have my password if ever I can recover the encrypted file. So far, I can pull up a 'watch only' version, and so-called 'fake wallets', but no private keys yet. Are the fake wallets potentially corrupted version of my wallet? However, the ID doesn't match and my password doesn't open it up. I wouldn't know what else to do with it, but here's the consistency check log for it:

Checking wallet 'Fake Wallet 1' (ID: [some other id different from my true wallet]) on Thu Feb  2 21:34:33 2017
Wallet is Watch Only
Highest used index: -1
The wallet file is 28672 bytes, of which 28671 bytes were read
100 chain addresses, 0 imported keys and 0 comments were found
Found 100 chained address entries
No byte errors were found in the wallet file
All chained addresses were arranged sequentially in the wallet file
There are no gaps in the address chain
No chained address fork was found
No chaincode corruption was found
All chained public keys are valid EC points
No chained public key is missing
All entries were saved under their matching hashVal
Found 0 imported address entries
0 errors were found
Recovery done

Would anyone have any ideas/suggestions that could help me recover my keys? Thanks.

[goatpig]

The 'Fake Wallet' is something you created yourself, it's not part of Armory's wallet management process. It is fair to assume it is not related to your actual wallet.

You don't need your whole wallet file to get your coins back, only the first 100 bytes or so. You can check out the header format here:

https://github.com/goatpig/BitcoinArmory/blob/master/armoryengine/PyBtcWallet.py#L1943

What you would need is DMA access to the USB key, that you want to scan for this string:

Code:

'\xbaWALLET\x00'

and check the following 100 bytes or so.

As for how to do it, you'd have to find software that let's you do that or write the code yourself. If your wallet has enough coins in it, it's worth your time.

[fatt]

Thanks for the tip about the file format. At least that gives me something to look for. I haven't had as much time to scrape through the rescued image of the usb since your response, unfortunately. So no news yet, but I'm also not getting my hopes up.

Incidentally, I thought DMA was a thing of the IDE era. Probing my usb key (and also SATA disks) parameters shows that DMA isn't a valid option. I don't suppose it's a huge deal, since I can still easily scan recovered files for that string.

Even if I don't get my coins back, it will at least have been an interesting venture in forensics.

[goatpig]

If you have an image of the entire USB stick, you are don't need anything like DMA.

What I meant by DMA was "get a map of the entire device and read it like any piece of memory". Basically a raw scan of the underlying bytes. Your file recovery process is still relying on some form of reconstruction of the containers file structure. There could be blind spots that a raw read would not miss.

Since you are looking for a specific byte string, this method would yield better results.

[fatt]

Ah, I see. Thanks for the clarification. Makes more sense to look at the raw bytes of the USB image rather than an attempted reconstruction of files that could potentially miss out on my wallet. I'll keep the thread posted on progress.