Wallet.Dat Recovery... Recover Your Own Lost Bitcoins!

[etotheipi]

Not necessary, I have no problem converting hex to binary on-the-fly.  I just gotta dig into pywallet code (eventually) and figure out how to get what I want out of it.

[1713940654]

1713940654

[1713940654]

1713940654

[1713940654]

1713940654

[jackjack]

Actually it's not even binary, it's a pywallet format
I just finished the code, I run some tests and push the commit

[jackjack]

Done, it's much more useful with hex support anyway
If you want to use it, grab the last version and run './pywallet.py  --importprivkey blahblahblah --importhex', with --datadir and --wallet maybe

[etotheipi]

Is this only for a single private key?  Can I supply a file with a list of private keys instead?  I started to try to figure out the mechanism by which the code tracks the keys and writes them to the wallet file, but so far I've been unsuccessful.  I also didn't try very hard...

[jackjack]

Yes, only for a single key
I plan to add json file support soon though

[adlib]

Hello, I need some help please.

So, I followed the instructions on the first post, and I found many occurences of the byte series "01 03 6B 65 79 41 04" for "keyA" on my disk.
I don't know what to do now, the first post tells about private keys, but what about the public keys? How can I find the public-private key combinations? Or is there a way to recover the wallet.dat file as a whole?
Also there are texts like "pool", "wallet.dat", "addr.dat", "blkindex.dat" in between random characters around that area.

Thanks!

[Stevets]

I accidentally formatted the wrong drive which had my wallet on it!

I was able to recover everything using Reclaime http://www.reclaime.com/library/

Interestingly enough, I recovered more data than the original drive held. The recovery even included files that I had deleted prior to my stupid self inflicted disaster.

I already had a backup of my drive but it was six months old and didn't include my current wallet. Now I back up every night and I back up the backup! Terrabyte drives are cheap compared to what I thought I had lost forever.

[DewJunkie]

just wanted to say thanks, thanks, thanks casascius, I was able to recover a lost wallet with your info.  I thought I'd add some helpful steps to automate it.  Not 100% automated, but saved a bunch of time and automated enough for me.
Here are the tools I used:
pywallet.py https://github.com/jackjack-jj/pywallet Save this in the folder/drive where you will be doing the recovery from. ie 1.2.1
Notepad++ http://notepad-plus-plus.org/  If you're good with sed or for then you can probably get away without this, but this is a great editor 10/10 would recommend for just about anything.
MultiBit https://multibit.org/ Multibit allows you to import private keys, that's why I chose it.
WinHex http://www.x-ways.net/winhex/

My 1st step suggestion would be to try testdiskhttp://www.cgsecurity.org/wiki/TestDisk_Download.  This program has no gui, but I have had much success with it in the past.  Unfortunately for me this time, the file it recovered had already been overwritten, and had spam data in it.

I created an image of my hard drive with WinHex.  I had the luxury of having another disk.  Any time you are doing data recovery your best bet is to not touch.  Ideally don't even boot off of the drive with the data you are recovering.  I was booted off of the disk I recovered from, so it is possible.  I didn't have a huge amount of BTC, so loosing them would have been a bummer, but not worth the hassle of moving the drive to another machine for me.  If you don't have an extra disk with enough space to store the partition you are trying to recover, this won't work for you.  Anyway on to the guide.  I did this on Windows 8.1, but should work on any version of windows past XP.  Also I'm writing this after the fact, but I'll try not to miss any steps.  I just figured it would have saved me some time.

To paste in the command window you have to right click and choose paste, ctrl+v does something else.  If you don't get a menu when you right click, click on the upper window icon, and Edit->Paste will be there.

1) Image the hard drive with WinHex.  This will take a while, took 3-4 hours on my computer iirc
  1.1)File->Create Disk Image...
    1.1.1)Edit Disk Window will open, select the partition where your wallet was.
  1.2)Next the Create Disk Image will open
    1.2.1)In Path and File name, choose a seperate disk to back up to, I don't know what the assigned automatically would do.  My choice was R:\Drive C.whx
    1.2.2)Scope:Sectors, put 0 in the first box
    1.2.3)Compression, choose none
    1.2.4)Split image into segments of, I left this at the default of 4096MB

from here on out we will be working in a cmd window.  Start->Run cmd doesn't need to be admin, but you'll need write access on the drive.  And Notepadd++.  Don't close either after a step, we'll be switching back and forth between them.
The drive i dumped to was R:\ from step 1.2.1.

Code:

r:
cd (directory where you did the dump to, if you dumped to a subdirectory)

2) scan the dumps with pywallet.py
  2.1)  Get a list of the dumps

Code:

dir /s /b /od (path you selected in 1.2.1 with a well place * wildcard) >> walletrecoveryStep1.cmd

for me this was

Code:

dir /s /b /od "Drive C*.whx" >> walletrecoveryStep1.cmd

3) Create a password input file pass.txt, this will automate pywallet so you don't have to type in a password to use for the recovery wallet, and passwords to try on the dumps.  Save this in the same folder where you did the dumps.  Use notepad, notepad++, echo whatever you are most comfortable with, but it must be a plain text editor.  No word or whatever else.  Extra lines won't matter, but if you don't have enough, pywallet.py will be prompting you for them.  If pywallet is not running all of them automatically, and is asking for input, then you don't have enough empty lines in your pass.txt

Code:

Pass
RecovePass1
RecovePass2
etc...

Mine looked like this, because my original wallet did not have a password on it.

Code:

Pass

4) Open wallet recoveryStep1.cmd in notepad++.  Notpad++ allows column selection and editing, that is the main feature we will be using.  A little bit of search and replace also.  Column selection works by holding shift+alt
File will look like this

Code:

R:\Drive C.whx
R:\Drive C-2.whx
...

but many more dumps, mine went up to 233
  3.1) build the beginning of each line. Open Replace with ctrl+f, then select the replace tab
    3.1.1) findwhat =

Code:

^

   3.1.2) replace with =

Code:

pywallet.py --recover --recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="

   3.1.3) Search mode = Regular expression
  3.2) build the end of each line.  Open Replace with ctrl+f, then select the replace tab
    3.2.1) findwhat =

Code:

$

   3.2.2) replace with =

Code:

"< pass.txt

   3.2.3) Search mode = Regular expression
  3.3) Delete the last line if if looks like this, ie has no recov_device

Code:

pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device=""< pass.txt

 3.3) Save the file, it should now look like this

Code:

pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C.whx"< pass.txt
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C-2.whx"< pass.txt
...

4) Create the WalletRecovery directory. pywallet will fail if it doesn't exist

Code:

mkdir WalletRecovery

4) run your generated cmd file. in the command window you openned earlier.  This will take a while, but not as much time as 1)

Code:

walletrecoveryStep1.cmd

5) You should now have files in your WalletRecovery directory, the important ones are recovered_wallet_*.dat, hopefully you have some with a size > 32KB, this means pywallet.py has found something.
6) Build a script to extract the keys
  6.1)

Code:

dir /s/b WalletRecovery\recov*.dat > walletrecoveryStep2.cmd

 6.2) open walletrecoveryStep2.cmd in notepad++, should look like this

Code:

R:\WalletRecovery\recovered_wallet_1423758885.dat
R:\WalletRecovery\recovered_wallet_1423758939.dat
...

 6.3) Open Replace with ctrl+f, then select the replace tab
    6.3.1) findwhat =

Code:

^

   6.3.2) replace with =

Code:

pywallet.py --dumpwallet --passphrase=Pass --datadir=(your bitcoin directory, default is %appdata%\Bitcoin) --wallet=

here's mine

Code:

pywallet.py --dumpwallet --passphrase=Pass --datadir=g:\\Bitcoin --wallet=

   6.3.3) Search mode = Regular expression
  6.4) build the end of each line.  Open Replace with ctrl+f, then select the replace tab
    6.4.1) findwhat =

Code:

$

   6.4.2) replace with =

Code:

 | findstr \\"sec\\": >> keys.txt

   6.4.3) Search mode = Regular expression
  6.5) Delete the last line if it has not wallet path in it ie

Code:

pywallet.py --dumpwallet --passphrase=Pass --datadir=g:Bitcoin --wallet=| findstr "sec": >> keys.txt

7) Extract the keys

Code:

walletrecoveryStep2.cmd

Open keys.txt in notepad++.  Should Look Something like this.  I had some which were 1 character either longer or shorter, don't remember, and I don't know if this matters or not, but I just used all that it made.

Code:

            "sec": "YepThisIsAKeyItWillHaveLettersUpperAndLowerCaseAnd09", 
            "sec": "YepThisIsAKeyItWillHaveLettersUpperAndLowerCaseAnd09", 
...

 8.1) Open Replace with ctrl+f, then select the replace tab
    8.1.1) findwhat =

Code:

^\s*"sec": "

   8.1.2) replace with = empty
    8.1.3) Search mode = Regular expression
  8.2) Open Replace with ctrl+f, then select the replace tab
    8.2.1) findwhat =

Code:

",\s*$

   8.2.2) replace with =

Code:

 2016-01-01T00:00:00Z 

Change this date so that it is earlier than your last transaction.  There is a space after the date
    8.2.3) Search mode = Regular expression
  8.3) Convert the line endings, Edit->EOL Conversion->Unix/OSX Format
  8.3) Save the file as Keys.key
9) Import the keys into multibit, Tools->Import Private Keys
  9.1) Choose Import File, select keys.key
  9.2) Click Import private keys
10) Profit, you can now either transfer these to a new wallet, move it to your preffered client.  I transferred mine out.
  10.1) I went back and changed the dates on the key file to an earlier date.  and then re-imported them, I don't know if this is needed or not.  I used a later date originally, because I didn't want it to have to sync up with as much.  After you found you wallet, you can then just do a send transaction and send them to a newly generated wallet.

[DewJunkie]

ouch, I have no clue, but I would assume this will only work with a magnetic storage device.  If you were able to image the iphone storage somehow, or gain block level access you could continue on from the steps after having the image created.

[furyo87]

Hi there,

Complete newbie trying a treasure hunt, luckily found your post, Thank You!

So I am scanning the hard drive with WinHex: should it look like this https://imgur.com/a/mrEeL ?

I basically selected the drive, pressed "F9" and pasted, pressed "CTRL+F", and pasted "01 03 6B 65 79 41 04". Looking good?

Cheers!

[fasdorcas]

Hi there,

Complete newbie trying a treasure hunt, luckily found your post, Thank You!

So I am scanning the hard drive with WinHex: should it look like this https://imgur.com/a/mrEeL ?

I basically selected the drive, pressed "F9" and pasted, pressed "CTRL+F", and pasted "01 03 6B 65 79 41 04". Looking good?

Cheers!

I want to know is this a sit from where we can recover our lost bitcoins. And if so how is it possible. Because the past experience shows that when someone hacked or stole your bitcoin it will never be replaced and recover. But if it is possible due to this site it will be appreciable and I will specially warm welcome to this site. The controller should keep all the securities very tight and up to date.

[furyo87]

Hi there guys,

Any reference to professionals providing this service?

Cheers

[CryptoDens]

Is this method still can work to our forgoten private key? if this method still can work was so dangerous to all of us, because easy for hacker to hack our pc or laptop then take out the wallet.dat files to encrypted.

[staleref]

The best technique to do this is to decrypt the whole disk in order to do the search properly. This  also works fine on SSD.

[Pi07r]

Hi Guys,

Now I'm trying to solve the issue with corrupted wallet.dat for syscoin.
Maybe at first I'll very short describe the situation:
- I was trying to setup SYSCOIN masternode on Allnodes.com
- I was following the instruction:
1. Open your wallet (MAKE SURE IT IS THE 4.1.3 LATEST VERSION).
2. Go to the “Settings” menu and choose “Options”. In the Main tab enable the “Show Masternodes Tab” option and press “OK”.
3. Go to Syscoin Core root directory (location of wallet.dat) and open masternode.conf file with any basic text editor. This file may already contain # as the first item in the lines. These lines are comments and can be left in the file (to open masternode.conf file on MacOS click on the file, then select the “Open file with” option and choose “TextEdit” application there).
4. Insert that special configuration string you received from Allnodes in masternode.conf file below other lines.

And at point 4, I made very big mistake (by acciden or my stupidity) I opened wallet.dat instead of masternode.conf.
Now the wallet.dat is corrupted.

I tried to recover the private key back using pywallet which was desrcibed by jackjack. Python founds tousands of keys, but unfortunatelly any of them after import don't show syscoin in syscoin core wallet.

Do you know what I'm doing wrog or there is no possibility to get the key and syscoin back?

Thank you in advance

[McD2.0]

What if I’m completely technologically illiterate (and a complete idiot) who acquired some BTC on a dinosaur smart phone in 2008 or 2009 as a novelty item, at the time (think Coke points or Marlboro rewards 😆) AND I don’t have access to the old (Yahoo) email address, the phone is gone and I don’t remember the wallet (because it was all practically worthless then) and I abandoned that email and last name? Screwed??? Dude, I had like 23 of them. I’m dead! Anyone have suggestions or should I just shoot myself now?

I have been doing some tinkering around, thinking about other people's wallet disasters, and believe I have come to the following conclusion...

If you have lost your wallet.dat for whatever reason (deleted it, formatted your drive, file corruption, etc.) it's possible that it may still be lurking on your computer.  If so, recovery is no longer purely theoretical.  With a little knowledge of what to search for, you can use a hex editor to potentially find usable remnants of your wallet.dat file and get back your bitcoins, even if the original file isn't fully recoverable.

So here goes...

If you can use a hex-editor to do a sector-by-sector search/edit on your entire hard drive, then search your entire hard drive for occurrences of the following byte sequence:

01 03 6B 65 79 41 04...........

the middle four of these bytes represent the string "keyA" in ASCII.

Each time this byte sequence occurs, a Bitcoin private key is probably stored nearby, about 180 bytes later.  The 32-byte private key is the only thing you need to recover your bitcoins!... as long as you find the right one(s).

Approximately 180 bytes after this sequence, you may find the byte sequence 04 20 (hex).  These two bytes seem to precede every private key (the 0x20 suggests a length of 32 bytes).  If you find this sequence, the thirty-two bytes that come after 04 20 are the private key representing a Bitcoin address and might be the private key that recovers some of your lost bitcoins!  Your wallet will have numerous private keys (at least one hundred, due to the pre-allocation of keys)... get as many as you can find.  Carefully search the sectors adjacent to any sector containing the "keyA" sequence above.  Then yell for help!  (But don't share the private keys in public, unless you want to give away your wallet.)

An example of a hex editor that can scan an entire disk volume for specific byte sequences for Windows is WinHex.  In WinHex, use Tools, Open Disk (F9), and choose the disk you want to scan.  Scanning a full disk can take hours.  WinHex must "run as administrator" to be able to scan a physical disk.  Someone please recommend a good way to do this in Linux, preferably with a known Live CD, if possible.  Also, any time you are scanning a disk for potentially lost data, you should NEVER boot the disk you're searching - always boot from another disk and install the target disk as secondary.

[HCP]

What if I’m completely technologically illiterate (and a complete idiot) who acquired some BTC on a dinosaur smart phone in 2008 or 2009 as a novelty item, at the time (think Coke points or Marlboro rewards 😆) AND I don’t have access to the old (Yahoo) email address, the phone is gone and I don’t remember the wallet (because it was all practically worthless then) and I abandoned that email and last name? Screwed??? Dude, I had like 23 of them. I’m dead! Anyone have suggestions or should I just shoot myself now?

Yes... screwed...

You need at least one of the following:
- A wallet file (and any associated password)
- The private keys
- A seed phrase/recovery phrase (aka 12/24 word seed mnemonic)

It sounds like you don't have any of those things... or any way to recover any of those things. So, yes... screwed.