Bitcoin Forum
Author Topic: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at?  (Read 1242 times)
bollywood (OP)
December 06, 2017, 06:28:41 AM  #1

First of all, I'm an idiot.  

Had everything properly backed up before I had to switch wallets to claim BCH.  Made new electrum wallet and had wallet info saved in the following locations:  

Seed written on stickynote on desktop
encrypted notepad file with various crypto data
electrum wallet.dat file (encrypted within electrum, but I still have password to unlock this).

Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate.  Showed up at that address, promised no problems, offered large reward.  Now I have my computer again with the original drives still in it.  Zero new programs were installed, just a fresh OS.  Computer was being used by a 6 year old girl to watch bollywood movies, lol.  

OS was being run off a 128gb M2 SSD drive.  This is where the new OS is currently installed as well.  I took out this M2 drive and put it in my newly purchased computer.  Runs fine, fresh OS.

Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under My Computer.  Disk Management does recognize the 2.5" drive, yet it says file system "raw", status "healthy", % free "100%".  I'm assuming they formatted this drive as well.  Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS.  Downloads folder and possibly Electrum are on the 2.5" drive.

I've read through 10+ threads, all with various suggestions.  I don't want to risk overwriting the drive any more than necessary.  M2 drive has fresh OS, 2.5" drive seems to have been wiped and only shows up under disk management.

Suggestions on where to begin?  I am still in touch with the family that purchased the stolen computer.  They seem willing to help as I generously compensated them for their honesty/responsiveness, and they work in IT themselves.  Plans today were to purchase a USB to SATA cable in order to mount the 2.5" drive, and hopefully locate an M.2 SATA external SSD enclosure (USB 3.0). Then I can begin with some home data recovery systems.  Recommendations appreciated.  
nullius
December 06, 2017, 07:07:00 AM  #2

You may want to find a more appropriate forum for this.  That being said:

Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate.  Showed up at that address, promised no problems, offered large reward.  Now I have my computer again with the original drives still in it.  Zero new programs were installed, just a fresh OS.  Computer was being used by a 6 year old girl to watch bollywood movies, lol. 

OS was being run off a 128gb M2 SSD drive.  This is where the new OS is currently installed as well.  I took out this M2 drive and put it in my newly purchased computer.  Runs fine, fresh OS.

Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under My Computer.  Disk Management does recognize the 2.5" drive, yet it says file system "raw", status "healthy", % free "100%".  I'm assuming they formatted this drive as well.  Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS.  Downloads folder and possibly Electrum are on the 2.5" drive.

The first question which comes to mind is, did the drives have TRIM run over them?  (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.)  Or were they only formatted?  Some OS may do this on install.  I know nothing about Microsoft’s recent offerings.

Of course, you don’t yet know the answer to these questions.  I suggest they are questions for which you need an answer.

Before anything else, if I were you, I would image the drives; then, work off the image.  I don’t have many immediate recommendations, other than that.  But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.

If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you.  (Perhaps a real hardware hacker would know better.)  If it comes to the point of bypassing the drives’ firmware, or bypassing their electronics altogether, then it may be important to consider the effect of wear-levelling.  SSDs can move blocks around anytime when powered on, even when idle; that means potentially overwriting a block with your wallet data which got TRIMmed, but which may perhaps otherwise still be pulled off the flash chip.  I do not know if or how much that could be important to you; but right now, you really want to keep the drives as close as possible to the state they were in when you got them back.  That is another reason to not work directly off the drives.

Seed written on stickynote on desktop

Do you mean some kind of software “sticky note”?  Oh, I see.  At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”

bob123
December 06, 2017, 07:09:45 AM  #3

Generally it would be kinda easy to recover most of your files. But since you mentioned everything was stored on SSDs, that's a completely different situation.
The first step to start working on a hard drive in a forensic manner is to make a forensically correct backup.
On an HDD you would simply have to plug it into a Linux machine and run the dd command to create such a forensic backup, or better: two (https://en.wikipedia.org/wiki/Dd_(Unix)).
Afterwards you should only work on the 2nd copy and let the original disk stay unused (every single action could "destroy" the information on the memory cell containing your private keys).
If you have stored large amounts of BTC I would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).
If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist in forensics.
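The image-then-verify step described above, as an added example that is not bob123's code or any poster's: a small Python acquisition script that opens the source read-only, copies it in fixed-size chunks, zero-fills and logs any chunk that fails to read, re-hashes the finished image from disk, and marks it read-only so that every later tool works on a copy. The chunk size, the output paths and the constructed 8 MiB sample "drive" in demo() are assumptions; on a real case src would be the device node of the drive behind a hardware write blocker (after `blockdev --setro` on it, with the desktop automounter stopped), and ddrescue's sector-level retries do better on a failing drive than the whole-chunk skip used here.

```python
"""Forensic acquisition of a drive as a flat image, with verification.

Read-only source, chunked copy, unreadable regions zero-filled and logged
(ddrescue-style), hash check by re-reading the image, image set read-only.
"""
import hashlib
import os
import stat
import tempfile

DEFAULT_CHUNK = 4 * 1024 * 1024  # 4 MiB per read; a smaller chunk loses less around a bad sector


def acquire(src, dst, chunk=DEFAULT_CHUNK):
    """Image src (a block device such as /dev/sdb, or any file) into dst; return a report dict."""
    stream_hash = hashlib.sha256()  # hash of the bytes as they came off the source
    unreadable = []                 # start offsets of chunks that raised an I/O error
    # Open read-only: nothing here ever writes to the evidence. A hardware write
    # blocker is still the real guarantee; this is defence in depth.
    fd = os.open(src, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # regular files and Linux block devices
        os.lseek(fd, 0, os.SEEK_SET)
        copied = 0
        with open(dst, "wb") as out:
            while copied < size:
                want = min(chunk, size - copied)
                try:
                    buf = os.read(fd, want)
                except OSError:
                    # Bad region: write zeros so image offsets stay aligned, log it, skip past it.
                    unreadable.append(copied)
                    buf = b"\0" * want
                    os.lseek(fd, copied + want, os.SEEK_SET)
                if not buf:
                    break
                out.write(buf)
                stream_hash.update(buf)
                copied += len(buf)
            out.flush()
            os.fsync(out.fileno())
    finally:
        os.close(fd)

    # Verify by re-reading the image from disk rather than trusting the in-memory hash.
    image_hash = hashlib.sha256()
    with open(dst, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            image_hash.update(block)
    verified = copied == size and image_hash.hexdigest() == stream_hash.hexdigest()

    # Lock the image and leave a sidecar so the hash travels with the file.
    os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    with open(dst + ".sha256", "w") as f:
        f.write(f"{image_hash.hexdigest()}  {os.path.basename(dst)}\n")
    return {
        "bytes": copied,
        "sha256": image_hash.hexdigest(),
        "verified": verified,
        "unreadable_offsets": unreadable,
        "image_writable": bool(os.stat(dst).st_mode & 0o222),
    }


def demo():
    """Acquire a constructed 8 MiB 'drive' (a patterned regular file) in a temp dir."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")
    dst = os.path.join(tmp, "evidence.img")
    with open(src, "wb") as f:
        for i in range(8):  # 8 x 1 MiB of deterministic, non-trivial content
            f.write(bytes((i * 37 + j) & 0xFF for j in range(1024)) * 1024)
    report = acquire(src, dst, chunk=1024 * 1024)
    with open(dst + ".sha256") as f:
        report["sidecar_sha256"] = f.read().split()[0]
    return report


if __name__ == "__main__":
    print(demo())  # on a real drive: acquire("/dev/sdb", "/case/drive.img")
```

Make the second image bob123 recommends from the first one, not from the drive again: once the sidecar hash matches, the drive has done its one job and can go back in the bag.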

timisis
December 06, 2017, 01:19:13 PM  #4

Unless you tried hard, that other, blank drive is irrelevant for your search. You should not be doing anything on that computer; you were supposed to use another computer, and most definitely not a Mac, because Macs write like crazy to disks they connect to. But hey, last time I had something like that happen I could not even recover 10% of my files.
nullius
December 06, 2017, 02:26:57 PM  #5

If you have stored large amounts of BTC i would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).

Good call on the write-blocker.  However, even that would not stop some flash drive firmwares which do wear-levelling re-arrangements over cells the firmware has marked free (such as with TRIM).  Even when not writing—even when idle—any time when powered.  I’ve heard that certain police forensics labs have had trouble with that; I don’t know what they do about it.  The problem with flash is that it’s very difficult to intentionally destroy when you want it gone, but also difficult to prevent from destroying data you actually want.

If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist in forensics.

Yes.  That.  Or more likely than a forensic specialist, a commercial data recovery service which has competency in dealing with SSDs.  That may perhaps be easier, as a practical matter.

They will charge a pretty penny satoshi.  But above a certain value threshold, it does make sense to not fool around.

bollywood (OP)
December 06, 2017, 07:23:15 PM  #6


The first question which comes to mind is, did the drives have TRIM run over them?  (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.)  Or were they only formatted?  Some OS may do this on install.  I know nothing about Microsoft’s recent offerings.

Before anything else, if I were you, I would image the drives; then, work off the image.  I don’t have many immediate recommendations, other than that.  But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.

If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you.  (Perhaps a real hardware hacker would know better.)  .........  That is another reason to not work directly off the drives.

I've read this before, and do not know, although also saw this:  Windows 7 and above are set to automatically enable TRIM on solid-state drives.  I purchased a USB cable adapter for both drives, will make an image of both in order to work from.


Do you mean some kind of software “sticky note”?  Oh, I see.  At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”

yep, digital stickynote, which may also be located in the appdata/microsoft folder it seems, although on my newest computer I cannot locate it.



Afterwards you should only work on the 2nd copy and let the original disk stay unused (every single action could "destroy" the information on the memory cell containing your private keys).
If you have stored large amounts of BTC I would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).
If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist in forensics.

Will do, tyvm for the write blocker tip.  Seems like paying a specialist is going to be my only option, but I'll still make a quick image of each drive to run scans on with multiple softwares anyways.

The computer was used for weeks, but only for this guy's daughter to watch movies.  No programs installed at all, just very light browsing, mostly YouTube.  I'd hope that a quick plug-in to copy an image of each of the drives and looking for myself won't cause considerably more damage or overwriting?  I'm obviously skeptical of sending the drives in to a company in a 3rd world country to look at for weeks, telling them to look for untraceable cryptocurrency and hoping they just hand it over if found.

I've found the following software and am planning to try:
recuva
ReclaiMe
Yodot Hard Drive Recovery
undeleteplus.com
easeus.com
testdisk

It seems like my next step is both to research write-blockers and how to make an image copy of each drive. 

Mod please feel free to move to the appropriate forum.  Thank you all for the suggestions thus far.

bob123
December 06, 2017, 07:59:19 PM  #7

I’ve heard that certain police forensics labs have had trouble with that; I don’t know what they do about it. 

This mostly depends on the amount of work which is put into extracting the data.
But the police forensics (here in my country) have special tools which extract data directly from the memory cells.
So the SSD is taken apart and those cells get directly attached to their tools to read the data out, bypassing any controller.


The problem with flash is that it’s very difficult to intentionally destroy when you want it gone, but also difficult to prevent from destroying data you actually want.

This is so true.


I'd hope that a quick plugin to copy an image of each of the drives and looking for myself won't cause considerably more damage or overwriting? 

SSDs are bitches. You shouldn't do any further damage with just copying the HD, but there is still a risk.
If you have considerable money on this hard drive, I wouldn't mess with it. Professionals are the only ones who can help you in this case.


I've found the following software and am planning to try:
recuva
ReclaiMe
Yodot Hard Drive Recovery
undeleteplus.com
easeus.com
testdisk

Never heard of any of this software. But this doesn't mean that it's not good.
A forensics surveyor once recommended me ddrescue (https://en.wikipedia.org/wiki/ddrescue) for such cases.

bollywood (OP)
December 06, 2017, 08:25:55 PM  #8

hmm, thank you.  How do I go about finding the best of the best SSD data recovery company, location not an issue - but obviously discretion/confidentiality/likelihood of them not stealing my coins is a huge concern.  Singapore/Tokyo possibly the easiest for Asia?
ggbtctalk000
December 06, 2017, 09:49:09 PM  #9

I haven't read it fully, but in general, be it a PC or smartphone, I don't start transferring a lot of money before I can at least backup and restore onto another device and make sure it can function on both devices. The minimum number should be 2. Then I can say the backup/restore mechanism works.
Kakmakr
December 07, 2017, 06:08:54 AM  #10

If you made a reliable copy/image of the drive onto another drive, then you should have no problem experimenting with any data recovery software. <Just keep the master/original untouched>

I use a double docking station with offline imaging to make backups of my drives, but never recovered formatted data from the backup image. <not sure if that is also imaged>

How many bitcoins are we talking about? < If we saying 100 or more, then a trip to a first world country might be in order >

nullius
December 07, 2017, 07:17:44 PM  #11

(Noting penultimate thought up top before posting:  Do you remember any part of the seed, or any hints about it?  If yes, see below.  Not to get your hopes up:  An Electrum seed is quite secure, and you would need to narrow it down very substantially to make it feasible to bruteforce the rest.)

I will defer to bob123 on the forensics.  I do know enough about this subject to reliably sniff out when somebody else’s knowledge exceeds mine.  The advice thus far given by him is sound.

But I had another disturbing thought:  Have you any way to verify that your coins have not moved?  Do you have any other record of your Bitcoin addresses with balances?  If at all possible, I would suggest you check them on the blockchain before you spend more effort and potentially much more money on data recovery.

If you did not have full disk encryption, and the seed was in a “sticky note” on your desktop, then you are gambling that either the thieves didn’t look at your files—or they were too abjectly stupid to realize what they had found.  I sincerely hope that they were idiots who just want to grab a computer, install a fresh OS, and flip it for a few fast rupees.  That seems likely, but uncertain.  Nowadays, would even the dumbest thief grab a computer and not even pause to snoop for info on Paypal, credit cards, banks, etc.?

(Ask yourself, What other interesting data was unencrypted there?  As a presumptive worst-case scenario, you should treat your own privacy compromise as if the thieves made and retained images of your drives using such methods as here discussed.  It’s fast, it’s easy, and it would let the thieves examine your files at leisure.  Going forward, I suggest full disk encryption.)

How many thieves know how to install an OS, but have never even heard of Bitcoin?  I don’t know.  I do know that thieves who know about Bitcoin, are hot to steal it.  If Electrum was listed in your Start Menu (or whatever Microsoft now calls it), then that is a big hint—both to look for Bitcoin, and to interpret the random words in the sticky note.  If you have no other record of your public addresses, then wiping the disks would conveniently cover their tracks.

Thinking one step further—and not to ask you questions, but to suggest what you ought think about:  Who knew that you had Bitcoin, or how much you had?  For a targeted theft of a computer to get Bitcoin, it would make sense to fake it as simple theft of a computer—perhaps even to hire ordinary street thieves to grab it from you.  Then after the Bitcoin is taken, the hard drives are wiped and the useless computer can be dumped/fenced/sold anywhere.  Or perhaps then the computer could even be given to an associate, for their kid to watch movies—so they can get a report on whether you track down the computer, and what your reactions are.  (I am not trying to indict that family as such; they probably did buy it off the street.  But as you understand, a detective should be reasonably suspicious of everybody involved, and objectively scrutinize each party.)

I don’t know (and I don’t ask) what evidence you have, or anything whatsoever about your circumstance.  It is for you to think about the likelihood.

Another thought, and I’m surprised it didn’t occur to me before:  Criminals who know how to install an OS, probably also knew enough to helpfully infect it with malware.  Neither is an elite hacker job; there exist point-and-click malware kits, you know.  If that family’s “light browsing” included any bank logins, etc., then I think they should change their passwords (and be more careful about where they buy computers).  As for you—have the drives made any contact with a clean computer, via USB-SATA adapters or otherwise?  If so, it may no longer be so clean.  Better be safe than sorry.

If I absolutely must access a questionable drive, the following is a deliberately rough sketch of my procedure:

0. Temporarily disable my kernel’s drive-“tasting” functions, so that the kernel will not try to read partition information and filesystems.  (The forensics wonk will probably tell me to use a “live CD” system, too.)  Of course, my system does not have Autoplay; but even if it did, Autoplay would never start because the system would not reach the userland part of peeking at the drive.

1. Take an image of the drive with dd, a dead simple block copier with no imaginable attack surface via data passed blindly from the input file (drive) to the output file.

2. Try to interpret the image with carefully contained userland tools:  ntfsprogs for NTFS, mtools for msdosfs/FAT filesystem... or in your case, just something which searches a huge file for binary patterns which look like an Electrum wallet file, regular expressions for a seed phrase, etc.  The Forensics Wiki probably lists a good tool for that.  Any which way, the point here is that tools which try to interpret data stay trapped in ring3.  I would not mount the drive image.  No, not even through FUSE.

Then my only concern would be trojaned firmware, a sophisticated attack which will not be planted by street thieves.  Well, give it a few years; easy exploit kits will eventually get that, too.

That’s roughly what I would do (have done before).  I am not a forensics expert, far from it—just a bit of a Unix curmudgeon with a taste for security.

As for the seed phrase:  Could you narrow it down, even by remembering the first letter of certain words, remembering words out of order, etc.?  It may be useful if you could remember about 7–8 words, or remember enough hints to give equivalent information for someone who understands these things.

Yes, I think you would need to narrow it by significantly more than half unless you could pay for cloud compute tantamount to a supercomputer.  Beyond that, how much you’d need to narrow it depends on how much Bitcoin is at stake.  The amount of raw cracking power worthwhile to throw at it depends whether you had 1000 BTC, 100 BTC, 10 BTC, 1 BTC, etc.  I’m only explaining; please wisely continue to give no indication of the amount publicly.

If you could give enough hints about the seed, I may be able to help you with this for a fee on terms discussed privately; though to be honest, I would be competing with people who do that as a business and have dedicated cracking rigs.  Some post on this forum.  I can’t recommend anybody in particular.  I do think that cracking an Electrum seed phrase based on a grab-bag of hints might be an interesting and rewarding little project.



The foregoing represents the simplified view of a thought process.  If you have crypto-money on a disk, and the disk disappears, and you get the disk back—well, then it’s easy to become too focused on only one objective, and only one means of achieving that objective.  I suggest instead a top-down approach for identifying objectives and risks, followed by seeking all feasible avenues for achieving each objective.  Should you wish to discuss that further, feel free to contact me privately.

Any which way, good luck recovering your private keys.
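Step 2 of the procedure above (search the flat image for things that look like an Electrum wallet or a seed phrase, without mounting it), as an added example that is not nullius's code or Electrum's: a Python carver that scans the image in overlapping windows and reports absolute offsets. The markers it looks for are real: the `"seed_version"` key of a plaintext Electrum wallet file, the base64 form of the `BIE1` magic that begins a password-encrypted one, the OLE compound-file header of StickyNotes.snt, and the SQLite header of the newer plum.sqlite Sticky Notes store. Candidate seeds are every window of 12 to 24 words inside a run of lowercase words, filtered with Electrum's own test (the hex of HMAC-SHA512 keyed with "Seed version" must start with 01, 100, 101 or 102), which rejects ordinary sentences and needs no wordlist. The 36-word list, the planted image, its offsets and the RTF wrapper in demo() are constructed for the demo.

```python
"""Carve Electrum artefacts from a raw image treated as a flat byte stream (nothing is mounted
or parsed as a filesystem): file markers, plus lowercase word runs that pass Electrum's seed test."""
import base64
import hashlib
import hmac
import random
import re
import tempfile
import unicodedata

# Electrum recognises its own seeds by the hex prefix of HMAC-SHA512("Seed version", mnemonic).
SEED_PREFIXES = {"01": "standard", "100": "segwit", "101": "2fa", "102": "2fa-segwit"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header, the StickyNotes.snt format
MARKERS = {
    b'"seed_version"': "electrum plaintext wallet (JSON key)",
    OLE_MAGIC: "OLE compound file (StickyNotes.snt format)",
    b"SQLite format 3\x00": "SQLite database (plum.sqlite Sticky Notes format)",
}
# A password-encrypted Electrum wallet file is base64 text whose decoded bytes begin with
# b"BIE1", so the file text itself begins with "QklFM".
ENCRYPTED_RE = re.compile(rb"QklFM[A-Za-z0-9+/]{20,}={0,2}")
# twelve or more words of 3-8 lowercase letters separated by single spaces
WORD_RUN_RE = re.compile(rb"(?<![a-z])[a-z]{3,8}(?: [a-z]{3,8}){11,}(?![a-z])")


def electrum_seed_type(mnemonic):
    """Seed type if the phrase passes Electrum's seed-version check, else None."""
    text = unicodedata.normalize("NFKD", mnemonic).lower()
    text = " ".join("".join(c for c in text if not unicodedata.combining(c)).split())
    digest = hmac.new(b"Seed version", text.encode("utf-8"), hashlib.sha512).hexdigest()
    return next((kind for p, kind in SEED_PREFIXES.items() if digest.startswith(p)), None)


def carve(path, chunk=8 * 1024 * 1024, overlap=4096):
    """Scan an image file; return [{offset, kind, detail}] sorted by offset."""
    hits = {}  # (absolute offset, kind) -> detail; the dict also dedupes overlap re-scans
    with open(path, "rb") as f:
        pos, tail = 0, b""
        for buf in iter(lambda: f.read(chunk), b""):
            data, base = tail + buf, pos - len(tail)  # the overlap catches patterns straddling reads
            for marker, kind in MARKERS.items():
                for m in re.finditer(re.escape(marker), data):
                    hits[(base + m.start(), kind)] = ""
            for m in ENCRYPTED_RE.finditer(data):
                blob = m.group(0)[: len(m.group(0)) // 4 * 4]
                if base64.b64decode(blob).startswith(b"BIE1"):
                    hits[(base + m.start(), "electrum encrypted wallet (BIE1 magic)")] = ""
            for m in WORD_RUN_RE.finditer(data):
                words = m.group(0).decode("ascii").split()
                for n in range(12, min(24, len(words)) + 1):  # seed lengths worth trying
                    for i in range(len(words) - n + 1):       # every window of n words
                        phrase = " ".join(words[i:i + n])
                        kind = electrum_seed_type(phrase)
                        if kind:
                            skip = sum(len(w) + 1 for w in words[:i])
                            hits[(base + m.start() + skip, f"electrum seed ({kind})")] = phrase
            pos += len(buf)
            tail = data[-overlap:]
    return [{"offset": o, "kind": k, "detail": d} for (o, k), d in sorted(hits.items())]


# Constructed demo data. The seed-version check does not depend on a wordlist; this small
# lowercase list stands in for Electrum's.
WORDS = ("abandon ability able about above absent absorb abstract absurd abuse access accident "
         "account accuse achieve acid acoustic acquire across act action actor actress actual "
         "adapt add addict address adjust admit adult advance advice aerobic affair afford").split()


def make_phrase(rng, valid):
    """Draw 12 words until the check says `valid` (Electrum's make_seed loops the same way)."""
    while True:
        phrase = " ".join(rng.choice(WORDS) for _ in range(12))
        if (electrum_seed_type(phrase) == "standard") == valid:
            return phrase


def demo(chunk=64 * 1024):
    """Plant artefacts in a constructed image, carve it, return planted offsets and hits."""
    rng = random.Random(2017)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    seed, decoy = make_phrase(rng, True), make_phrase(rng, False)
    parts, planted, cur = [], {}, 0

    def put(label, blob, at):  # pad with filler up to offset `at`, then append blob
        nonlocal cur
        parts.extend((filler(at - cur), blob))
        planted[label], cur = at, at + len(blob)

    put("plaintext_wallet", b'{"seed_version": 17, "wallet_type": "standard"}', 4096)
    put("decoy", b"\n" + decoy.encode() + b"\n", 20000)  # twelve real words that are not a seed
    rtf = b"{\\rtf1\\ansi "                                 # the seed inside an RTF sticky note
    put("sticky_note", OLE_MAGIC + rtf + seed.encode() + b"}", chunk - 30)  # straddles two reads
    planted["seed"] = planted["sticky_note"] + len(OLE_MAGIC) + len(rtf)
    put("encrypted_wallet", base64.b64encode(b"BIE1" + filler(80)), 2 * chunk + 777)
    parts.append(filler(1000))
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as f:
        f.write(b"".join(parts))
    return {"planted": planted, "seed": seed, "hits": carve(f.name, chunk=chunk)}


if __name__ == "__main__":
    for h in demo()["hits"]:
        print(f"{h['offset']:>9}  {h['kind']}  {h['detail']}")
```

Point carve() at the dd image and every hit is an offset you can cut out with dd's skip= or inspect in a hex viewer; because it looks at content rather than names, it does not care that the recovered files have lost their filenames. It will not see anything NTFS-compressed, fragmented across non-adjacent clusters, or TRIMmed, and a word list longer than a sticky note (a novel in plain text) costs a few HMACs per word, so expect it to be slow on large text-heavy images.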

haltingprobability
December 08, 2017, 03:57:58 AM  #12

@OP:

I've used Recuva to recover an external hard-drive that was dropped while running. It worked like a charm. The drive could mount but could not be accessed, even by formatting tools, so I was impressed that Recuva was able to read the drive. It does not write to the drive. You probably don't need to use a write-blocker because write-blockers are really used for legal purposes (to convince the court that the data on the drive was not fabricated by the forensics).

If you have a large cash-value of Bitcoins stored on the drive (more than $10k), you need to get it done by a professional to be sure that all recoverable data is recovered. Given that the drive has been formatted and overwritten by a running OS and apps, there is no guarantee that your wallet still exists on that drive. Even just a few missing bytes will mean your wallet is gone for good. I once lost a hard drive on a work laptop (not dropped, just went dead) and my employer shipped the laptop to Kroll OnTrack. I think the total bill was around $3k and they recovered 100% of all data on the drive, as far as I could tell. I got 100% of my working files back, anyway. Because they handle high-value customers like major corporations, I think the probability of having your coins stolen during recovery is near zero. Besides your private keys are stored encrypted by your passphrase, so they'd have to hack the passphrase. Unless it's a huge amount, I wouldn't worry about it.

Hope you get your coins back!
bollywood (OP)
December 12, 2017, 12:29:08 PM  #13

appreciate the responses nullius, been doing a lot of work on this the last few days.  responses in bold below, and I remember zero part of the seed.



But I had another disturbing thought:  Have you any way to verify that your coins have not moved?  Do you have any other record of your Bitcoin addresses with balances?  If at all possible, I would suggest you check them on the blockchain before you spend more effort and potentially much more money on data recovery.

I have the address and seeds have indeed not been touched.   I kept them all in the same single address and not change addresses.  I do have access to the last account the BTC were in, and which sent the full balance to the last account (had to switch wallets from the BCH airdrop)

If you did not have full disk encryption, and the seed was in a “sticky note” on your desktop, then you are gambling that either the thieves didn’t look at your files—or they were too abjectly stupid to realize what they had found.  I sincerely hope that they were idiots who just want to grab a computer, install a fresh OS, and flip it for a few fast rupees.  That seems likely, but uncertain.  Nowadays, would even the dumbest thief grab a computer and not even pause to snoop for info on Paypal, credit cards, banks, etc.?

My desktop had a password on it, the thief seemed to just immediately sell the laptop to another person who wasn't malicious, just saw a good deal and bought a computer - saw it was locked so reinstalled the OS to be able to use the computer.

As for you—have the drives made any contact with a clean computer, via USB-SATA adapters or otherwise?  If so, it may no longer be so clean.  Better be safe than sorry.

Yes they have, but this whole thing was a bit of an odd situation, my fault, and the timing/computer logins of everything completely point towards a poor person stealing a computer, then selling it to someone in their low-rent hotel.  The person they sold it to seems nice, a refugee from Pakistan, and I met their whole family; he simply felt sorry and was very, very happy to hand over the computer as I paid him 3x the price of what he paid for it.

0. Temporarily disable my kernel’s drive-“tasting” functions, so that the kernel will not try to read partition information and filesystems.  (The forensics wonk will probably tell me to use a “live CD” system, too.)  Of course, my system does not have Autoplay; but even if it did, Autoplay would never start because the system would not reach the userland part of peeking at the drive.

1. Take an image of the drive with dd, a dead simple block copier with no imaginable attack surface via data passed blindly from the input file (drive) to the output file.

2. Try to interpret the image with carefully contained userland tools:  ntfsprogs for NTFS, mtools for msdosfs/FAT filesystem... or in your case, just something which searches a huge file for binary patterns which look like an Electrum wallet file, regular expressions for a seed phrase, etc.  The Forensics Wiki probably lists a good tool for that.  Any which way, the point here is that tools which try to interpret data stay trapped in ring3.  I would not mount the drive image.  No, not even through FUSE.

This is where I'm at now.  I made a clone of one of the drives that did not have the OS on it.  160gb of data was found by easeus software (recuva deep scan found nothing).  None of the files have filenames, so it's impossible to search for .snt files, .dat files, electrum, or otherwise.  It feels like an overwhelming amount of data to sort through, half of it compressed.  I've spent hours going through it so far and absolutely nothing.
 



Any which way, good luck recovering your private keys.

So I have no hints about the seed, and am scared to clone my other M2 drive which has the OS and other data, some of which has surely been overwritten.  I don't want to mess anything up more.  I've contacted many, many firms around Asia and nobody seems very helpful, not even telling me their methods used for attempted recovery.  I wanted to know if they use non-invasive methods, what types of hardware (PC3000), if they do binary code extraction, etc etc.  Their canned responses were always along the lines of 'we are professionals and have a clean room and good technology.'  Just don't feel comfortable with them besides one company in Singapore I might try.  Another option is the USA, where I spoke with someone at length from DriveSavers who seem extremely professional and seem to think there is a decent chance of recovery.  They don't even charge unless the specific data I'm looking for is recovered.

So, that's my next step, trying to find an M2 USB to SATA cable here to clone my M2 drive, which I'm not as hopeful about since it's been overwritten, and then either ship the drive off or start flying around the world in search of companies that have non-invasive methods of attempting to recover.  If not, save the drive in a secure location and maybe in 20 years new tech will be out that can recover everything.

Nice to hear that Kroll OnTrack worked decently for you, appreciate that comment.  They were the one firm in Singapore that, after I explained in a chain of 5+ emails that 'we so professional and has clean room sir' is simply not good enough for me, connected me with a higher-up in the company who explained more of their procedures; they have some top technology that may be able to help me.  It's not a huge amount of coins, but obviously enough to dedicate my life to attempting recovery for quite some time.

The problem with easeus is that 80k files were found and none have file names.

https://gyazo.com/8b7b63f5bf5acafafdb0b39cf9d9bfb8

really do appreciate the responses.  Been working on this night and day
directoryio
December 12, 2017, 12:37:25 PM  #14

PM
bollywood (OP)
December 16, 2017, 12:48:36 PM  #15

PM

yeaaa, I won't be giving you anonymous access to the hard drives containing my private keys.  ty though
darkangel11
Legendary
Activity: 2352
Merit: 1345
December 16, 2017, 05:18:54 PM
#16

If you can contact the family that had your computer, you should ask them for the details of the transaction: who did they get that computer from, and where?
I'd at the same time try to track down the thief and sue him for damages.
As for the drive: a friend had a similar thing happen to his drive. He gave it to a lab and they managed to recover most of the files, although a large part of them were corrupt. The files were readable but some of the data was missing, meaning that he had images that were cut in half, audio tracks that were merged together, and so on. Chances of you getting the files back intact are slim. Good luck though, and keep us informed.

tayyabdar
Newbie
Activity: 24
Merit: 0
January 13, 2018, 12:21:38 PM
#17

Hello there,

Please can anyone tell me if I can use my office PC and home PC to keep my same coins?
Cryptohasher76
Newbie
Activity: 39
Merit: 0
January 14, 2018, 02:05:27 AM
#18

I do DFIR for a living. Lmk if you need any help.
bob123
Legendary
Activity: 1624
Merit: 2481
January 14, 2018, 11:29:31 AM
#19

Please can anyone tell me if I can use my office PC and home PC to keep my same coins?

Bitcoins are not stored on your PC.
The ledger (blockchain) keeps track of every transaction and therefore keeps track of the UTXOs (unspent outputs = 'available coins').
You could say the coins are 'stored on the blockchain' (that might be true in a logical sense, but is still not completely true on a technical level).

Now to answer your question:
You need a private key corresponding to the address 'which has funds on it'.
Usually private keys are managed within a wallet (wallet = piece of software which manages private/public keys, transactions, ...).
You can easily import the same private key into several different wallets (to be able to access them from different PCs).
Depending on the wallet, you should also be able to copy the wallet file (this additionally enables you to receive funds on 'both PCs').
Some wallets may have sync problems when used in that way. This won't make you lose any funds, but might lead to some display issues.

Long answer short: Yes, you can.

rcoins0720
Full Member
Activity: 253
Merit: 100
February 27, 2018, 10:44:22 AM
#20

Maybe the sticky notes cannot be found again because they are volatile, but saved files like notepad and text files can be recovered using software called EaseUS Data Recovery. You can download it freely or crack it to use the full version. With that, browse the location where your keys and lost important files were, then recover them. It takes a lot of time, but surely your lost files can be recovered again.
akes2090
Jr. Member
Activity: 56
Merit: 4
February 28, 2018, 11:42:47 AM
#21

Sorry to say this, but with SSDs it's futile even trying; you can easily Google the reasons why (they pertain to the architecture).
Been there, done that, tried everything possible, only to find that it is impossible. Forget the data recovery tools on the market; not even forensic-grade tools will help here.
Cryptohasher76
Newbie
Activity: 39
Merit: 0
July 31, 2018, 12:21:32 AM
#22

I do DF for my profession. If you want to try and scratch at it again, lmk. I may be able to help.
MaryClark12
Newbie
Activity: 35
Merit: 0
July 31, 2018, 07:47:29 AM
#23

If your computer is stolen, do not worry; you will not lose the amount of bitcoin, but to get it back you need the private key to regain the amount of bitcoin already lost.