just wanted to say thanks, thanks, thanks casascius, I was able to recover a lost wallet with your info. I thought I'd add some helpful steps to automate it. Not 100% automated, but saved a bunch of time and automated enough for me.
Here are the tools I used:
Save this in the folder/drive where you will be doing the recovery from. ie 1.2.1
If you're good with sed or for then you can probably get away without this, but this is a great editor 10/10 would recommend for just about anything.
Multibit allows you to import private keys, that's why I chose it.
My 1st step suggestion would be to try testdiskhttp://www.cgsecurity.org/wiki/TestDisk_Download
. This program has no gui, but I have had much success with it in the past. Unfortunately for me this time, the file it recovered had already been overwritten, and had spam data in it.
I created an image of my hard drive with WinHex. I had the luxury of having another disk. Any time you are doing data recovery your best bet is to not touch. Ideally don't even boot off of the drive with the data you are recovering. I was booted off of the disk I recovered from, so it is possible. I didn't have a huge amount of BTC
, so loosing them would have been a bummer, but not worth the hassle of moving the drive to another machine for me. If you don't have an extra disk with enough space to store the partition you are trying to recover, this won't work for you. Anyway on to the guide. I did this on Windows 8.1, but should work on any version of windows past XP. Also I'm writing this after the fact, but I'll try not to miss any steps. I just figured it would have saved me some time.
To paste in the command window you have to right click and choose paste, ctrl+v does something else. If you don't get a menu when you right click, click on the upper window icon, and Edit->Paste will be there.
1) Image the hard drive with WinHex. This will take a while, took 3-4 hours on my computer iirc
1.1)File->Create Disk Image...
1.1.1)Edit Disk Window will open, select the partition where your wallet was.
1.2)Next the Create Disk Image will open
1.2.1)In Path and File name, choose a seperate disk to back up to, I don't know what the assigned automatically would do. My choice was R:\Drive C.whx
1.2.2)Scope:Sectors, put 0 in the first box
1.2.3)Compression, choose none
1.2.4)Split image into segments of, I left this at the default of 4096MB
from here on out we will be working in a cmd window. Start->Run cmd doesn't need to be admin, but you'll need write access on the drive. And Notepadd++. Don't close either after a step, we'll be switching back and forth between them.
The drive i dumped to was R:\ from step 1.2.1.
cd (directory where you did the dump to, if you dumped to a subdirectory)
2) scan the dumps with pywallet.py
2.1) Get a list of the dumps
dir /s /b /od (path you selected in 1.2.1 with a well place * wildcard) >> walletrecoveryStep1.cmd
for me this was
dir /s /b /od "Drive C*.whx" >> walletrecoveryStep1.cmd
3) Create a password input file pass.txt, this will automate pywallet so you don't have to type in a password to use for the recovery wallet, and passwords to try on the dumps. Save this in the same folder where you did the dumps. Use notepad, notepad++, echo whatever you are most comfortable with, but it must be a plain text editor. No word or whatever else. Extra lines won't matter, but if you don't have enough, pywallet.py will be prompting you for them. If pywallet is not running all of them automatically, and is asking for input, then you don't have enough empty lines in your pass.txt
Mine looked like this, because my original wallet did not have a password on it.
4) Open wallet recoveryStep1.cmd in notepad++. Notpad++ allows column selection and editing, that is the main feature we will be using. A little bit of search and replace also. Column selection works by holding shift+alt
File will look like this
but many more dumps, mine went up to 233
3.1) build the beginning of each line. Open Replace with ctrl+f, then select the replace tab
3.1.1) findwhat =
3.1.2) replace with =
pywallet.py --recover --recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="
3.1.3) Search mode = Regular expression
3.2) build the end of each line. Open Replace with ctrl+f, then select the replace tab
3.2.1) findwhat =
3.2.2) replace with =
3.2.3) Search mode = Regular expression
3.3) Delete the last line if if looks like this, ie has no recov_device
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device=""< pass.txt
3.3) Save the file, it should now look like this
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C.whx"< pass.txt
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C-2.whx"< pass.txt
4) Create the WalletRecovery directory. pywallet will fail if it doesn't exist
4) run your generated cmd file. in the command window you openned earlier. This will take a while, but not as much time as 1)
5) You should now have files in your WalletRecovery directory, the important ones are recovered_wallet_*.dat, hopefully you have some with a size > 32KB, this means pywallet.py has found something.
6) Build a script to extract the keys
dir /s/b WalletRecovery\recov*.dat > walletrecoveryStep2.cmd
6.2) open walletrecoveryStep2.cmd in notepad++, should look like this
6.3) Open Replace with ctrl+f, then select the replace tab
6.3.1) findwhat =
6.3.2) replace with =
pywallet.py --dumpwallet --passphrase=Pass --datadir=(your bitcoin directory, default is %appdata%\Bitcoin) --wallet=
pywallet.py --dumpwallet --passphrase=Pass --datadir=g:\\Bitcoin --wallet=
6.3.3) Search mode = Regular expression
6.4) build the end of each line. Open Replace with ctrl+f, then select the replace tab
6.4.1) findwhat =
6.4.2) replace with =
| findstr \\"sec\\": >> keys.txt
6.4.3) Search mode = Regular expression
6.5) Delete the last line if it has not wallet path in it ie
pywallet.py --dumpwallet --passphrase=Pass --datadir=g:Bitcoin --wallet=| findstr "sec": >> keys.txt
7) Extract the keys
Open keys.txt in notepad++. Should Look Something like this. I had some which were 1 character either longer or shorter, don't remember, and I don't know if this matters or not, but I just used all that it made.
8.1) Open Replace with ctrl+f, then select the replace tab
8.1.1) findwhat =
8.1.2) replace with = empty
8.1.3) Search mode = Regular expression
8.2) Open Replace with ctrl+f, then select the replace tab
8.2.1) findwhat =
8.2.2) replace with =
Change this date so that it is earlier than your last transaction. There is a space after the date
8.2.3) Search mode = Regular expression
8.3) Convert the line endings, Edit->EOL Conversion->Unix/OSX Format
8.3) Save the file as Keys.key
9) Import the keys into multibit, Tools->Import Private Keys
9.1) Choose Import File, select keys.key
9.2) Click Import private keys
10) Profit, you can now either transfer these to a new wallet, move it to your preffered client. I transferred mine out.
10.1) I went back and changed the dates on the key file to an earlier date. and then re-imported them, I don't know if this is needed or not. I used a later date originally, because I didn't want it to have to sync up with as much. After you found you wallet, you can then just do a send transaction and send them to a newly generated wallet.