Bitcoin Forum
November 03, 2024, 01:06:15 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Is it possible to know the date I changed my wallet.dat password?  (Read 465 times)
mapuche33 (OP)
Jr. Member
*
Offline Offline

Activity: 55
Merit: 15


View Profile
August 27, 2018, 07:16:05 PM
Last edit: August 27, 2018, 07:57:30 PM by mapuche33
 #1

Hi, I'd like to know if it possible to get to know the last date I changed the password of my wallet.dat ?
 
Here is the situation: I moved most of my BTC to an address I created back in 2013 on a new fresh wallet.dat, I remember the exact day I created the password because it was the same day I replicated the process on my LTC wallet.dat (which I can unlock). Unfortunately I used a totally different set of characters for the heaviest one.
I have already put a lot of effort trying to remember as well as trying different combinations of the string of characters I believe I pick. Currently I'm stuck at a point where I don't know anymore which is certain and which is not. Also I'm not sure anymore if I changed the password again back in 2014 (2 months later) or not.

I already tried "getwalletinfo" as well as different commands on the console without any success. I couldn't find any documentacion regard the subject of metadata neither. Getting to know the last date the password was modified would be useful for me pursuing the path of recalling it from memory I guess.
 
Other alternative could be trying to brute force it myself or hiring Dave services. Neither way I need to be certain for targeting purposes.
Any ideas / suggestions?
 
Thanks
shield132
Hero Member
*****
Online Online

Activity: 2394
Merit: 923


Metawin.com - Truly the best casino ever


View Profile
August 27, 2018, 08:36:17 PM
Last edit: August 27, 2018, 08:56:32 PM by shield132
 #2

And what about to move your mouse cursor near that wallet.dat file and see this: Data modified?

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
mapuche33 (OP)
Jr. Member
*
Offline Offline

Activity: 55
Merit: 15


View Profile
August 27, 2018, 10:26:41 PM
Last edit: August 27, 2018, 10:38:21 PM by mapuche33
 #3

And what about to move your mouse cursor near that wallet.dat file and see this: Data modified?

Because I encrypted the .dat file into a .pea file with my PGP signature, then I uploaded it into my email accounts on January 2014. When I extract the wallet to examine it properties the metadata is altered, here an example:
Created: June 15, 2018 | Modified: Sunday, June 3, 2018 | Accessed: June 15, 2018
 
Perhaps some forensic tool would help, any ideas which one to try analyze the data related to the password creation date ?
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4361

<insert witty quote here>


View Profile
August 28, 2018, 12:55:08 AM
 #4

I don't believe that data is stored within the wallet for older, non-HD wallets.

With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (ie. when the keys were generated to fill the keypool)...

So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets Undecided

█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3542
Merit: 6885


Just writing some code


View Profile WWW
August 28, 2018, 02:13:47 AM
Merited by vapourminer (1), ABCbits (1)
 #5

I don't believe that data is stored within the wallet for older, non-HD wallets.

With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (ie. when the keys were generated to fill the keypool)...

So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets Undecided
You don't need an HD wallet to observe this. With both HD and non-HD wallets, you should see a block of 100 (or 1000) keys created at one time, and then another block of 100 keys created at another time. That other time would be the time that the password was changed.

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

mapuche33 (OP)
Jr. Member
*
Offline Offline

Activity: 55
Merit: 15


View Profile
August 28, 2018, 02:51:13 PM
 #6

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

Thanks, I already tried dumpwallet however it ask me to enter the wallet passphrase first which I have forgotten. If you know how to bypass this hurdle please let us know.
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3542
Merit: 6885


Just writing some code


View Profile WWW
August 28, 2018, 03:31:45 PM
Merited by ABCbits (2), bob123 (2), vapourminer (1), BitMaxz (1), A-Bolt (1), aliashraf (1)
 #7

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

Thanks, I already tried dumpwallet however it ask me to enter the wallet passphrase first which I have forgotten. If you know how to bypass this hurdle please let us know.
Right, duh.

The way to get this information out without using dumpwallet is to use BDB's db_dump utility which will output all of the raw records from the wallet. What you want are the keymeta ones. When you use db_dump, you will get a bunch of hex output. What you want to do is look for the lines which begin with the hex 076b65796d65746121. The line immediately after contains the actual key metadata which has the timestamp for key creation. These timestamps are 8 byte, little endian integers. They begin at the 5th byte after the beginning of the line, so 8 characters after the beginning.

For example, here is a keymeta record from one of my wallets:
Code:
076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7
0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000
As you can see, the first line begins with 076b65796d65746121. Then on the second line, the timestamp is 5c147e5b00000000. Converting this to the unix timestamp results in 1534989404. This is a UNIX timestamp. As an actual date and time, it is Thursday, August 23, 2018 1:56:44 AM UTC.

This is a bit more manual, but it could probably be scripted.

Also, make sure you use the BDB 4.8 version of db_dump which can be downloaded from http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html (scroll down to 4.8.30).

Note that you have to use the command line, i.e. the terminal (for unix systems) or the command prompt (windows). The command that you will use is
Code:
db_dump wallet.dat

codekrash
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
August 28, 2021, 05:23:14 PM
 #8

achow101 thank you for the insightful info. Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3542
Merit: 6885


Just writing some code


View Profile WWW
August 28, 2021, 09:32:59 PM
 #9

achow101 thank you for the insightful info. Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?
Not necessarily. Since I wrote this post, there have been changes to the wallet. Notably, a new type of wallet known as a descriptor wallet has been added. Descriptor wallets use a different method for managing keys and they do not have keymeta records.

BitMaxz
Legendary
*
Offline Offline

Activity: 3430
Merit: 3161


Is the $100k BTC possible?


View Profile WWW
August 30, 2021, 03:31:26 PM
 #10

Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?

Why would you think it was fake? Are you sure that this is your backup or this is another wallet.dat file that was selling on the market or get them free from any download site?


It seems no one yet mention this tool? There is a way to brute-force the wallet.dat if you can't remember the exact password of your wallet.dat you can brute-force it using this tool "BTCrecovery tool"

I hope that you know some parts of the password because if not it might take years before you can find the exact password.

If you need help in finding the wallet password contact -bringbackmycrypto.com


Be careful on this site it's new and it's not safe to share the wallet.dat file to unknown or newbie users like this.

If you want a well-known and I think legit service to recovering wallet passwords I will suggest this https://walletrecoveryservices.com

█████████████████████████
████████▀▀████▀▀█▀▀██████
█████▀████▄▄▄▄████████
███▀███▄███████████████
██▀█████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
██▄███████████████▀▀▄▄███
███▄███▀████████▀███▄████
█████▄████▀▀▀▀████▄██████
████████▄▄████▄▄█████████
█████████████████████████
 
 BitList 
█▀▀▀▀











█▄▄▄▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
REAL-TIME DATA TRACKING
CURATED BY THE COMMUNITY

.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀▀█











▄▄▄▄█
 
  List #kycfree Websites   
bjpark
Jr. Member
*
Offline Offline

Activity: 36
Merit: 2


View Profile
September 13, 2022, 01:06:27 AM
 #11

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

Thanks, I already tried dumpwallet however it ask me to enter the wallet passphrase first which I have forgotten. If you know how to bypass this hurdle please let us know.
Right, duh.

The way to get this information out without using dumpwallet is to use BDB's db_dump utility which will output all of the raw records from the wallet. What you want are the keymeta ones. When you use db_dump, you will get a bunch of hex output. What you want to do is look for the lines which begin with the hex 076b65796d65746121. The line immediately after contains the actual key metadata which has the timestamp for key creation. These timestamps are 8 byte, little endian integers. They begin at the 5th byte after the beginning of the line, so 8 characters after the beginning.

For example, here is a keymeta record from one of my wallets:
Code:
076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7
0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000
As you can see, the first line begins with 076b65796d65746121. Then on the second line, the timestamp is 5c147e5b00000000. Converting this to the unix timestamp results in 1534989404. This is a UNIX timestamp. As an actual date and time, it is Thursday, August 23, 2018 1:56:44 AM UTC.

This is a bit more manual, but it could probably be scripted.

Also, make sure you use the BDB 4.8 version of db_dump which can be downloaded from http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html (scroll down to 4.8.30).

Note that you have to use the command line, i.e. the terminal (for unix systems) or the command prompt (windows). The command that you will use is
Code:
db_dump wallet.dat
5c147e5b00000000 is 1534989404
I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b
1544846939

There is a difference between 1534989404 and 1544846939
I'd like to know how to convert
And my wallet change time is 932d44e00000000
Thank you for your reply in advance
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3542
Merit: 6885


Just writing some code


View Profile WWW
September 13, 2022, 01:29:57 AM
 #12

5c147e5b00000000 is 1534989404
I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b
1544846939

There is a difference between 1534989404 and 1544846939
I'd like to know how to convert
It is a little endian number. You need to reverse the bytes before doing the conversion (or inform your conversion tool that it is little endian). It is also a fixed width of 8 bytes, so you must not truncate it as otherwise you may get an incorrect value.

And my wallet change time is 932d44e00000000
Thank you for your reply in advance
One character is missing. This is not 8 bytes, and so it cannot be correctly converted.

NotATether
Legendary
*
Offline Offline

Activity: 1778
Merit: 7357


Top Crypto Casino


View Profile WWW
September 13, 2022, 05:47:01 AM
 #13

I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b

Just to clarify the endian conversion process, it is not simply reversing the order of each hex character! This is a common mistake and will emit a completely different number. Rather, you must reverse the order of groups of 2 hex characters:

5c 14 7e 5b
5b 7e 14 5c    <= reverse endian

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
PawGo
Legendary
*
Offline Offline

Activity: 952
Merit: 1385


View Profile
September 13, 2022, 07:37:59 AM
 #14

I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b
Just to clarify the endian conversion process, it is not simply reversing the order of each hex character! This is a common mistake and will emit a completely different number. Rather, you must reverse the order of groups of 2 hex characters:

5c 14 7e 5b
5b 7e 14 5c    <= reverse endian

Yes, because you do not reverse (convert) any "characters" but bytes.

5c147e5b00000000 is 1534989404
I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b
1544846939

5c147e5b00000000 in hex is 6635067080330706944 in decimal.
000000005b7e145c in hex is 1534989404 in decimal.

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!