Bitcoin Forum
Topic: Can the encrypted wallet be recovered using the unencrypted?
helloworld
September 20, 2012, 11:12:22 PM
 #21

Quote
I lost over 1300 btc.  Where does that put me on the loser's list of losses due to carelessness?

My guess is "nowhere near the top of the list" unfortunately.
JoelKatz
September 20, 2012, 11:26:37 PM
 #22

The developers and in fact the entire community have failed you and lots of other people. This and the investment scams are the two biggest problems facing Bitcoin right now.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
scintill
September 21, 2012, 02:06:24 AM
 #23

Quote
I lost over 1300 btc.

Ouch, sorry.  When you said, "There are enough bitcoins on this wallet to put a huge amount of work into recovering them" I misread and thought there weren't very many coins.

So, have you learned anything about the possible backup on the thumb drive?  For this much money, I think it's worth it to hire someone trustworthy with experience in this.  I think Casascius has recovered (unencrypted?) wallets and seems willing to do it for a smallish payment.

Good luck.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
flatfly
September 21, 2012, 04:50:51 AM
 #24

Approaching this from a different angle (assuming the thief hasn't found and spent the coins already - hopefully your password was strong enough, but check on blockchain.info whether the coins have moved):

Try everything you can to recover the stolen laptop. This may be possible with some luck and if the thief isn't too smart.

You mentioned you are a Dropbox user. Try the following: log on to the Dropbox website and check your access logs - perhaps you'll discover the thief's IP address. Some people have been known to track and recover their stolen laptop thanks to Dropbox logs.

Or perhaps you have some other software running on that laptop allowing you to remotely access it? TeamViewer, remote desktop, FTP, telnet perhaps?
Revalin
September 21, 2012, 09:07:30 AM
 #25

Quote
This is absolutely not generally understood, and the main dev team should not assume this.

+1.  It caught me by surprise.


Quote
I lost over 1300 btc.  Where does that put me on the loser's list of losses due to carelessness?

Ouch.  That's enough to warrant some serious exploration of your USB stick.  Definitely make a dd block dump of it before you do anything.  Even if the undelete utilities can't find anything, we may be able to scrounge something.  There's a good utility here for recovering unencrypted keys by looking for their raw signature:  https://bitcointalk.org/index.php?topic=25091.0 .  If they were encrypted you can probably place a bounty for someone to extend the program to recognize encrypted keys.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
Jutarul
September 21, 2012, 10:05:23 AM
 #26

Quote
Ouch.  That's enough to warrant some serious exploration of your USB stick.  Definitely make a dd block dump of it before you do anything.  Even if the undelete utilities can't find anything, we may be able to scrounge something.  There's a good utility here for recovering unencrypted keys by looking for their raw signature:  https://bitcointalk.org/index.php?topic=25091.0 .  If they were encrypted you can probably place a bounty for someone to extend the program to recognize encrypted keys.

+1

There are several threads where raw data inspection has been discussed to find out whether wallet data is on the deleted drive. E.g. a recommended procedure is a deep scan, here:
https://bitcointalk.org/index.php?topic=91702.msg1016998#msg1016998

If you are not familiar with these techniques, find someone trustworthy who is.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
Dabs
September 27, 2012, 05:42:28 AM
 #27

What's the update on the OP? You can try piriform's recuva. That works on deleted files that have not been wiped.

The current bitcoin client (satoshi) is not making any specific warnings when encrypting the wallet about making a backup.

I did an experiment and made a backup of my wallet file, encrypted it, and made a backup of the encrypted wallet file. I then used pywallet to extract the keys and made a comparison.

It seems that my unencrypted wallet has 108 keys. The encrypted wallet has 208 keys. Getting the keys into a spreadsheet and doing a basic lookup, and / or dupe check, it seems the encrypted wallet now has 100 new additional keys, in addition to the existing keys that were in the unencrypted wallet.

This tells me that the unencrypted wallet has all the old keys, the encrypted wallet has new keys, but it's possible that the change bitcoins were sent to one of the new keys instead of the old keys.

When you lost the new encrypted wallet, you essentially lost the change bitcoins that were sent to one of the new keys.

In my experiment, all the new keys are of the compressed type (private keys beginning with L or K instead of 5.)

sethsethseth (OP)
September 29, 2012, 05:15:34 AM
 #28

Still a tiny chance of recovering the laptop.  The encrypted wallet is not on the flash drives.  In my mind at the time, I thought that encrypting the wallet was a repeatable process just like encrypting any other file, so I did not think to back it up again.

SealsWithClubs poker room has  over 400 players online. Buy in from .01 to 60btc.      BTCSportsMatch lets you bet sports with vig free lines!  Best kept secret in bitcoin....          LocalBitcoins.com is very user-friendly now for bank transfers.  You don't have to live close to trade when in the same currency area.           
Electrum client is awesome. Try it. And please stop sending bitcoins to sites run by security newbies, or don't complain when you lose everything.
Jutarul
September 29, 2012, 06:00:08 AM
 #29

Quote
Still a tiny chance of recovering the laptop.  The encrypted wallet is not on the flash drives.  In my mind at the time, I thought that encrypting the wallet was a repeatable process just like encrypting any other file, so I did not think to back it up again.

Yes the developers really screwed that one up. That's why bitcoin still deserves beta status.

casascius
Mike Caldwell
September 29, 2012, 06:07:39 AM
 #30

To answer the question as to whether the deleted encrypted wallet material is still on the drive, I think it should be deterministically possible to confirm it or rule it out with a simple disk scan with a hex editor.

My understanding is that an encrypted wallet is simply an unencrypted database with encrypted records in it.  I think the wallet file itself, the database overhead being unencrypted, could easily be found on a hard drive simply by scanning all disk sectors for unique string markers that are plenty easy to find with a tool like WinHex.

I don't have a computer with an encrypted wallet.dat handy, but I will bet I could find tons of strings in the file that would be highly likely to appear in every wallet.dat, and I am sure others can provide a suitable search string as well.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Jutarul
September 29, 2012, 06:15:38 AM
 #31

Quote
My understanding is that an encrypted wallet is simply an unencrypted database with encrypted records in it.  I think the wallet file itself, the database overhead being unencrypted, could easily be found on a hard drive simply by scanning all disk sectors for unique string markers that are plenty easy to find with a tool like WinHex.

Exactly. https://bitcointalk.org/index.php?topic=91702.msg1016998#msg1016998

I suppose the OP explored this option already. If not - I recommend reading the advice more carefully...

casascius
September 29, 2012, 06:22:23 AM
 #32

Quote
My understanding is that an encrypted wallet is simply an unencrypted database with encrypted records in it.  I think the wallet file itself, the database overhead being unencrypted, could easily be found on a hard drive simply by scanning all disk sectors for unique string markers that are plenty easy to find with a tool like WinHex.
Exactly. https://bitcointalk.org/index.php?topic=91702.msg1016998#msg1016998

I suppose the OP explored this option already. If not - I recommend reading the advice more carefully...

Ironically, I don't think the wallet file stores Bitcoin addresses in human-readable text form anywhere in the wallet.dat, even in an unencrypted wallet.  I believe it only stores the actual underlying public key and hash, which are just random-looking binary data.  So even if this wallet existed on the drive, if I'm right about this, the script wouldn't be able to find it.

You would, rather, be searching for strings that appear, such as "blockindex", "bestblock", "pool"... the most valuable record is "key", and surely there has got to be a few relatively static bytes that could be searched.

scintill
September 29, 2012, 07:15:45 AM
 #33

Quote
I believe it only stores the actual underlying public key and hash, which are just random-looking binary data.

Maybe if he knows an address, he could search for that in hex?  (Going on the assumption there might be something to recover.)

I just pulled two addresses out of my wallet, one I received coins at and one I sent coins to; base58-decoded them into hex at brainwallet.org, and searched wallet.dat for them in a hex editor, found both in the clear in my encrypted wallet.  (This is pretty disconcerting, depending on what you were hoping an encrypted wallet would do for you.)

So, if you do this on a whole disk and find stuff, there's a good chance they're wallet fragments.  From there I guess you start looking for nearby markers like Casascius talked about.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
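
The search casascius and scintill describe in the two posts above, as an added example that is not part of the thread or any poster's code: it Base58Check-decodes a known address to its 20-byte hash and scans a raw image for that hash and for wallet record names, carrying bytes across chunk boundaries so a hit that straddles two reads is not missed. The length-prefixed record names (including `ckey` for encrypted keys), the sample address and the image bytes are assumptions or constructed for the demonstration.

```python
import hashlib
import io

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def address_to_hash160(addr):
    """Base58Check-decode a P2PKH address to the 20-byte hash stored in the wallet."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)              # ValueError on a non-base58 character
    pad = len(addr) - len(addr.lstrip("1"))     # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    if len(payload) != 21 or digest[:4] != check:
        raise ValueError("not a valid Base58Check address")
    return payload[1:]                          # drop the version byte

def scan_image(stream, needles, chunk=1 << 20):
    """Return sorted (offset, label) hits for every needle in a raw image stream."""
    overlap = max(len(n) for n in needles.values()) - 1
    hits, base, tail = set(), 0, b""
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block                      # carried bytes expose straddling hits
        start = base - len(tail)
        for label, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.add((start + pos, label))  # set: a hit inside the tail is seen twice
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(block)
    return sorted(hits)

def wallet_needles(addr):
    # Record names as length-prefixed strings are an assumption about how
    # wallet.dat serializes them; "key" and "pool" are named in the thread,
    # "ckey" is assumed to be the encrypted-key record name.
    return {"hash160": address_to_hash160(addr), "rec:key": b"\x03key",
            "rec:ckey": b"\x04ckey", "rec:pool": b"\x04pool"}

SAMPLE_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # publicly known address, sample input only

def build_sample_image(addr=SAMPLE_ADDR):
    # Constructed bytes standing in for a dd dump; not a real wallet.
    h = address_to_hash160(addr)
    return (b"\x00" * 700 + b"\x04ckey" + b"\xaa" * 60 + h
            + b"\x00" * 300 + b"\x04pool" + b"\xff" * 50)

if __name__ == "__main__":
    img = io.BytesIO(build_sample_image())
    for off, label in scan_image(img, wallet_needles(SAMPLE_ADDR), chunk=64):
        print(f"{off:#010x}  {label}")
```

Run it against the `dd` dump opened with `open(path, "rb")` rather than the device itself; a cluster of record-name hits near a hash160 hit is the region worth carving out for closer inspection.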
Jutarul
September 29, 2012, 07:18:24 AM
 #34

Quote
My understanding is that an encrypted wallet is simply an unencrypted database with encrypted records in it.  I think the wallet file itself, the database overhead being unencrypted, could easily be found on a hard drive simply by scanning all disk sectors for unique string markers that are plenty easy to find with a tool like WinHex.
Exactly. https://bitcointalk.org/index.php?topic=91702.msg1016998#msg1016998

I suppose the OP explored this option already. If not - I recommend reading the advice more carefully...

Ironically, I don't think the wallet file stores Bitcoin addresses in human-readable text form anywhere in the wallet.dat, even in an unencrypted wallet.  I believe it only stores the actual underlying public key and hash, which are just random-looking binary data.  So even if this wallet existed on the drive, if I'm right about this, the script wouldn't be able to find it.

You would, rather, be searching for strings that appear, such as "blockindex", "bestblock", "pool"... the most valuable record is "key", and surely there has got to be a few relatively static bytes that could be searched.

BTC addresses are stored in binary form. The referenced script works, since the tool grep searches for the supplied key in binary form. Try it out. Replace /dev/sdaX with your wallet file.

flatfly
September 29, 2012, 07:46:26 AM
 #35

Errr.. Guys, read the OP (and subsequent posts) again. Your advice is good but unfortunately not relevant at this stage. Before any of that can happen, the laptop must be recovered from the thief.
Jutarul
September 29, 2012, 08:02:50 AM
 #36

Quote
Errr.. Guys, read the OP (and subsequent posts) again. Your advice is good but unfortunately not relevant at this stage. Before any of that can happen, the laptop must be recovered from the thief.

https://bitcointalk.org/index.php?topic=110781.msg1206155#msg1206155

flatfly
September 29, 2012, 08:18:08 AM
 #37

Sorry, I should've emphasized today's update:

Quote
Still a tiny chance of recovering the laptop.  The encrypted wallet is not on the flash drives.
Jutarul
September 29, 2012, 08:26:26 AM
 #38

Quote
Sorry, I should've emphasized today's update:

Still a tiny chance of recovering the laptop.  The encrypted wallet is not on the flash drives.

Yes. That assumes the OP has done a deep scan. casascius implicitly asked the OP to confirm that.

Dabs
September 29, 2012, 09:06:53 AM
 #39

There are many laptop tracking software packages available. A commercial one is Lo Jack for computers. An open source one is Prey.

BUT, they have to be installed and activated prior to your laptop being stolen. (Works with desktops and smart phones too.)

sethsethseth (OP)
September 29, 2012, 03:42:42 PM
 #40

I do not believe I backed the encrypted wallet up on the flash drive.  If on some off chance I did, it is not showing up on the recovery tools.  Perhaps I will mess with this hex thing once I determine if I cannot recover the laptop.
