Bitcoin Forum
November 18, 2017, 01:04:51 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 4 5 6 »  All
  Print  
Author Topic: How to recover btc after windows reinstall  (Read 5838 times)
Gamepakhsh
Newbie
*
Offline Offline

Activity: 1


View Profile WWW
June 25, 2017, 01:21:29 PM
 #21

try
https://www.easeus.com/partition-recovery/
1511010291
Hero Member
*
Offline Offline

Posts: 1511010291

View Profile Personal Message (Offline)

Ignore
1511010291
Reply with quote  #2

1511010291
Report to moderator
A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511010291
Hero Member
*
Offline Offline

Posts: 1511010291

View Profile Personal Message (Offline)

Ignore
1511010291
Reply with quote  #2

1511010291
Report to moderator
morbius55
Member
**
Offline Offline

Activity: 99


View Profile
June 25, 2017, 06:08:34 PM
 #22

Will a private key show as a 51 character string starting with 5, or will it be in another form?, when searching the hdd. Thanks.
HCP
Sr. Member
****
Offline Offline

Activity: 420

<insert witty quote here>


View Profile
June 26, 2017, 01:28:54 AM
 #23

Generally, most wallet files will encrypt the private keys... and they'll be stored in possibly binary or hex format. Attempting to identify them simply by scanning bytes on the harddrive is going to be like looking for a needle in a stack of needles. Undecided


Casy
Member
**
Offline Offline

Activity: 116

🔴🔵 FoxMixer.com 🔵🔴


View Profile WWW
June 26, 2017, 12:28:03 PM
 #24

Just had a preliminary search of the drive using recuva but only let it run for 15 minutes before it was indicating that it had found 10's of thousands of files. Why so many? and what file path should i search rather than the whole hdd. Thanks.

You could search in the app data dir of the user that was logged in.
Alternatively, if you have a second hdd you could restore all the discovered files of recuva to that second hdd and scan for your wallet within these files afterwards. It's probably the better way as the more you do on your current hdd, the more likely it is that you overwrite your wallet permanently.

HI-TEC99
Legendary
*
Offline Offline

Activity: 1050



View Profile
June 26, 2017, 02:35:07 PM
 #25

There are instructions for setting pywallet up in this post. However the post was made in 2015 and I don't know if all the download links for the dependencies work any more.

https://bitcointalk.org/index.php?topic=1288078.msg13238007#msg13238007

Also achow101 says the wallet.dat format changed, and pywallet struggles to work on the new format. I can't say what format your wallet.dat would be because I think the change of format was in 2013 when you say your brother installed his Bitcoin software.

The Bitcoin Core wallet structure has changed since pywallet was last updated so pywallet will not work very well with new wallets.

I suggest that you use Bitcoin Core's dumpwallet console command to get all of your private keys instead of a 3rd party tool.
xFiber
Sr. Member
****
Offline Offline

Activity: 252


Ice Rock Mining- The Most Profitable Mining


View Profile
June 26, 2017, 03:27:16 PM
 #26

32 Bitcoin is not nothing so I'd rather spent a 100$ to get it done porfessionally and ultimately get 84K rather than messing with it myself. I advise you to not mess a lot with it man. Get it done professionally and hopefully you can enjoy your treasure Cheesy
HI-TEC99
Legendary
*
Offline Offline

Activity: 1050



View Profile
June 26, 2017, 04:12:28 PM
 #27

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https://sourceforge.net/projects/wxhexeditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Casy
Member
**
Offline Offline

Activity: 116

🔴🔵 FoxMixer.com 🔵🔴


View Profile WWW
June 26, 2017, 08:09:10 PM
 #28

Wow, nice and detailed explanation HI-TEC99, thumbs up for this.

morbius55
Member
**
Offline Offline

Activity: 99


View Profile
June 26, 2017, 08:36:12 PM
 #29

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Thanks, really appreciate this. Probably last chance saloon if my attempt with Recuva is anything to go by.
I do have the password, but don't know whether the wallet was locked the last time it was used. If this doesn't find anything then would pywallet be able to scan the whole drive?. Thanks again, and to anyone else that has given helpful comments. Smiley
HI-TEC99
Legendary
*
Offline Offline

Activity: 1050



View Profile
June 26, 2017, 08:51:58 PM
 #30

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Thanks, really appreciate this. Probably last chance saloon if my attempt with Recuva is anything to go by.
I do have the password, but don't know whether the wallet was locked the last time it was used. If this doesn't find anything then would pywallet be able to scan the whole drive?. Thanks again, and to anyone else that has given helpful comments. Smiley


Yes pywallet can scan a whole drive for a deleted wallet.dat. However, it's very old software and getting it working requires installing some very old versions of other software that can be difficult to find. I played around with it about half a year ago and had it working, but I can't remember all the steps I made. I'll have to test reinstalling it to work out some instructions.

Hopefully achow101's installation instructions from 2015 still work.

This is a screenshot of pywallet scanning a drive.

|Bitkoin|
Full Member
***
Offline Offline

Activity: 168


View Profile
June 26, 2017, 10:00:33 PM
 #31

Take this with a grain of salt, but consider contacting your local police department. Inform them you lost $100,000 worth of Bitcoins. If they have forensic experts able to recover it, you will donate $20,000 to the department for their services. It is worth a shot at least.

P.S. If it works, I wouldn't mind a small donation either. Smiley
shield132
Hero Member
*****
Offline Offline

Activity: 560


Watch Agents Of Shield On ABC


View Profile
June 26, 2017, 11:22:41 PM
 #32

What about to don't damage your hdd more and try to get help from professionals? 32 btc isn't joke and especially when price is so high. https://www.securedatarecovery.com/services
Can't see that this is so big problem despite the facts which you wrote. I had many moments when I repaired files what I needed. And recuva isn't your last chanse, try more serious services.

.BITSLER.                 ▄███
               ▄████▀
             ▄████▀
           ▄████▀  ▄██▄
         ▄████▀    ▀████▄
       ▄████▀        ▀████▄
     ▄████▀            ▀████▄
   ▄████▀                ▀████▄
 ▄████▀ ▄████▄      ▄████▄ ▀████▄
█████   ██████      ██████   █████
 ▀████▄ ▀████▀      ▀████▀ ▄████▀
   ▀████▄                ▄████▀
     ▀████▄            ▄████▀
       ▀████▄        ▄████▀
         ▀████▄    ▄████▀
           ▀████▄▄████▀
             ▀██████▀
               ▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄             
▄▄▄▄▀▀▀▀    ▄▄█▄▄ ▀▀▄         
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄       
█  ▀▄▄  ▀█▀▀ ▄      ▀████   ▀▀▄   
█ █▄  ▀▄   ▀████       ▀▀ ▄██▄ ▀▀▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█  ▀▀       ▀▄▄ ▀████      ▄▄▄▀▀▀  █
█            ▄ ▀▄    ▄▄▄▀▀▀   ▄▄  █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█ ▄▄   ███   ▀██  █           ▀▀  █ 
█ ███  ▀██       █        ▄▄      █ 
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀   
▀▄            █        ▀▀      █   
▀▀▄   ███▄  █   ▄▄          █   
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀     
▀▀▄   █   ▀▀▄▄▄▀▀▀         
▄▄▄▄▄▄▄▄▄▄▄█▄▄▀▀▀▀               
              ▄▄▄██████▄▄▄
          ▄▄████████████████▄▄
        ▄██████▀▀▀▀▀▀▀▀▀▀██████▄
▄     ▄█████▀             ▀█████▄
██▄▄ █████▀                ▀█████
 ████████            ▄██      █████
  ████████▄         ███▀       ████▄
  █████████▀▀     ▄███▀        █████
   █▀▀▀          █████         █████
     ▄▄▄         ████          █████
   █████          ▀▀           ████▀
    █████                     █████
     █████▄                 ▄█████
      ▀█████▄             ▄█████▀
        ▀██████▄▄▄▄▄▄▄▄▄▄██████▀
          ▀▀████████████████▀▀
              ▀▀▀██████▀▀▀
            ▄▄▄███████▄▄▄
         ▄█▀▀▀ ▄▄▄▄▄▄▄ ▀▀▀█▄
       █▀▀ ▄█████████████▄ ▀▀█
     █▀▀ ███████████████████ ▀▀█
    █▀ ███████████████████████ ▀█
   █▀ ███████████████▀▀ ███████ ▀█
 ▄█▀ ██████████████▀      ▀█████ ▀█▄
███ ███████████▀▀            ▀▀██ ███
███ ███████▀▀                     ███
███ ▀▀▀▀                          ███
▀██▄                             ▄██▀
  ▀█▄                            ▀▀
    █▄       █▄▄▄▄▄▄▄▄▄█
     █▄      ▀█████████▀
      ▀█▄      ▀▀▀▀▀▀▀
        ▀▀█▄▄  ▄▄▄
            ▀▀█████
[]
jekjekman
Sr. Member
****
Offline Offline

Activity: 350


View Profile
June 27, 2017, 06:15:57 AM
 #33

I once read an article about this that you can recover your files in your HDD even though it is reformatted with a specific software to be use, until it has no bad secter or error. installing a new OS to your HDD can partition it and also wipe out it's data

or simply follow this guide, I hope this could help you

https://www.easeus.com/resource/recover-data-after-format.htm

autistaorange
Newbie
*
Offline Offline

Activity: 14


View Profile
June 27, 2017, 08:12:38 AM
 #34

In the passed, when i've installed windows it would leave your old files intact somewhere (unless you specified to nuke them by reformatting your drive). 
morbius55
Member
**
Offline Offline

Activity: 99


View Profile
June 27, 2017, 06:29:40 PM
 #35

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.
[/quote]
HI-TEC99
Legendary
*
Offline Offline

Activity: 1050



View Profile
June 27, 2017, 09:07:04 PM
 #36

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.



Someone else did some testing and found that sequence before every key he tested. I also tested it and came to the same conclusion. However it might not always work.

Another sequence you can try searching for is 01036B65794104. If you find it and also find the sequence 0420 about 180 bytes later, then the next thirty-two bytes are probably a private key.

This quote explains it in more detail.


If you know how to use a hex editor you could try scanning your drive for this sequence of bytes: 01 03 6B 65 79 41 04.

That sequence often occurs in a wallet.dat file about 180 bytes before a private key. If you look forward 180 bytes and can find the byte sequence 04 20 then it's likely a private key is the next the thirty-two bytes.

If you find a private key you can change it to a common format by pasting the thirty-two bytes into an offline copy of this webpage.

https://www.bitaddress.org/

This is an example of the 32 bytes of a private key in botepad.

Quote






This is the private key copied from notepad and pasted into an offline copy of the bitaddress website. Click the view details button to get the private key converted to normal formats.







There's a more detailed explanation of the byte sequences to search for in this quote.

I have been doing some tinkering around, thinking about other people's wallet disasters, and believe I have come to the following conclusion...

If you have lost your wallet.dat for whatever reason (deleted it, formatted your drive, file corruption, etc.) it's possible that it may still be lurking on your computer.  If so, recovery is no longer purely theoretical.  With a little knowledge of what to search for, you can use a hex editor to potentially find usable remnants of your wallet.dat file and get back your bitcoins, even if the original file isn't fully recoverable.

So here goes...

If you can use a hex-editor to do a sector-by-sector search/edit on your entire hard drive, then search your entire hard drive for occurrences of the following byte sequence:

01 03 6B 65 79 41 04...........

the middle four of these bytes represent the string "keyA" in ASCII.

Each time this byte sequence occurs, a Bitcoin private key is probably stored nearby, about 180 bytes later.  The 32-byte private key is the only thing you need to recover your bitcoins!... as long as you find the right one(s).

Approximately 180 bytes after this sequence, you may find the byte sequence 04 20 (hex).  These two bytes seem to precede every private key (the 0x20 suggests a length of 32 bytes).  If you find this sequence, the thirty-two bytes that come after 04 20 are the private key representing a Bitcoin address and might be the private key that recovers some of your lost bitcoins!  Your wallet will have numerous private keys (at least one hundred, due to the pre-allocation of keys)... get as many as you can find.  Carefully search the sectors adjacent to any sector containing the "keyA" sequence above.  Then yell for help!  (But don't share the private keys in public, unless you want to give away your wallet.)

An example of a hex editor that can scan an entire disk volume for specific byte sequences for Windows is WinHex.  In WinHex, use Tools, Open Disk (F9), and choose the disk you want to scan.  Scanning a full disk can take hours.  WinHex must "run as administrator" to be able to scan a physical disk.  Someone please recommend a good way to do this in Linux, preferably with a known Live CD, if possible.  Also, any time you are scanning a disk for potentially lost data, you should NEVER boot the disk you're searching - always boot from another disk and install the target disk as secondary.
morbius55
Member
**
Offline Offline

Activity: 99


View Profile
June 29, 2017, 04:23:23 PM
 #37

Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalk.org/index.php?topic=1961924.msg19522772#msg19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.



Someone else did some testing and found that sequence before every key he tested. I also tested it and came to the same conclusion. However it might not always work.

Another sequence you can try searching for is 01036B65794104. If you find it and also find the sequence 0420 about 180 bytes later, then the next thirty-two bytes are probably a private key.

This quote explains it in more detail.


If you know how to use a hex editor you could try scanning your drive for this sequence of bytes: 01 03 6B 65 79 41 04.

That sequence often occurs in a wallet.dat file about 180 bytes before a private key. If you look forward 180 bytes and can find the byte sequence 04 20 then it's likely a private key is the next the thirty-two bytes.

If you find a private key you can change it to a common format by pasting the thirty-two bytes into an offline copy of this webpage.

https://www.bitaddress.org/

This is an example of the 32 bytes of a private key in botepad.

Quote






This is the private key copied from notepad and pasted into an offline copy of the bitaddress website. Click the view details button to get the private key converted to normal formats.







There's a more detailed explanation of the byte sequences to search for in this quote.

I have been doing some tinkering around, thinking about other people's wallet disasters, and believe I have come to the following conclusion...

If you have lost your wallet.dat for whatever reason (deleted it, formatted your drive, file corruption, etc.) it's possible that it may still be lurking on your computer.  If so, recovery is no longer purely theoretical.  With a little knowledge of what to search for, you can use a hex editor to potentially find usable remnants of your wallet.dat file and get back your bitcoins, even if the original file isn't fully recoverable.

So here goes...

If you can use a hex-editor to do a sector-by-sector search/edit on your entire hard drive, then search your entire hard drive for occurrences of the following byte sequence:

01 03 6B 65 79 41 04...........

the middle four of these bytes represent the string "keyA" in ASCII.

Each time this byte sequence occurs, a Bitcoin private key is probably stored nearby, about 180 bytes later.  The 32-byte private key is the only thing you need to recover your bitcoins!... as long as you find the right one(s).

Approximately 180 bytes after this sequence, you may find the byte sequence 04 20 (hex).  These two bytes seem to precede every private key (the 0x20 suggests a length of 32 bytes).  If you find this sequence, the thirty-two bytes that come after 04 20 are the private key representing a Bitcoin address and might be the private key that recovers some of your lost bitcoins!  Your wallet will have numerous private keys (at least one hundred, due to the pre-allocation of keys)... get as many as you can find.  Carefully search the sectors adjacent to any sector containing the "keyA" sequence above.  Then yell for help!  (But don't share the private keys in public, unless you want to give away your wallet.)

An example of a hex editor that can scan an entire disk volume for specific byte sequences for Windows is WinHex.  In WinHex, use Tools, Open Disk (F9), and choose the disk you want to scan.  Scanning a full disk can take hours.  WinHex must "run as administrator" to be able to scan a physical disk.  Someone please recommend a good way to do this in Linux, preferably with a known Live CD, if possible.  Also, any time you are scanning a disk for potentially lost data, you should NEVER boot the disk you're searching - always boot from another disk and install the target disk as secondary.
Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.
HI-TEC99
Legendary
*
Offline Offline

Activity: 1050



View Profile
June 29, 2017, 10:08:55 PM
 #38


Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.

Are you trying to scan an external drive or your internal one with your operating system running on it? It should already be able to see all your external hard drives.

By default it only scans external drives like the type you plug into a USB port. I only recommend running it inside a vmware or virtual box  virtual machine in case there is anything malicious hidden in it. I wouldn't ever risk searching for private keys in plain text while running it on my internet connected operating system.

If you can't see a particular external hard drive with it then you could try running it with administrative privileges in windows, or as root in linux. However if you risk doing that you must definitely run the hex editor inside a virtual machine for safety. If you give it administrative privileges or make it root then you are giving it control of your operating system, and that's a big security risk. Also, it will be able to open your drive running your operating system which will probably show as physicaldrive0. If you edit the hex on that drive you could crash your operating system.
morbius55
Member
**
Offline Offline

Activity: 99


View Profile
June 29, 2017, 10:29:35 PM
 #39


Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.

Are you trying to scan an external drive or your internal one with your operating system running on it? It should already be able to see all your external hard drives.

By default it only scans external drives like the type you plug into a USB port. I only recommend running it inside a vmware or virtual box  virtual machine in case there is anything malicious hidden in it. I wouldn't ever risk searching for private keys in plain text while running it on my internet connected operating system.

If you can't see a particular external hard drive with it then you could try running it with administrative privileges in windows, or as root in linux. However if you risk doing that you must definitely run the hex editor inside a virtual machine for safety. If you give it administrative privileges or make it root then you are giving it control of your operating system, and that's a big security risk. Also, it will be able to open your drive running your operating system which will probably show as physicaldrive0. If you edit the hex on that drive you could crash your operating system.
Sussed it thanks, Administrator privileges required when running program. Listed as drive 1 and indicating around 9 hrs per search. Cheers.
morbius55
Member
**
Offline Offline

Activity: 99


View Profile
July 02, 2017, 03:20:56 PM
 #40

Searched using the sequence  0201010420 and didn't get any matches,  but i will try the other sequence when i get chance. I briefly searched the 0420 sequence but as i thought,  after 30 mins there were already some 40000 results.

Can i ask a really basic question?, if there were 32 bitcoins in the account, does that mean 32 private keys?. Thanks again.
Pages: « 1 [2] 3 4 5 6 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!