Bitcoin Forum
Author Topic: Guide to BitCoin wallet data recovery  (Read 142 times)
captainspringfield
August 21, 2018, 10:17:20 AM
 #1

I made this guide for the folks over at /r/bitcoin but thought you all could get some use out of it too. If you have any questions, post them and I'll do my best to answer them : )

After seeing a lot of dangerous advice about DIY ways of recovering Bitcoin, I wanted to write a guide to help other HODLers recover their wallets when their hard drives crash. This guide is mostly oriented towards conventional spinning disks but I have some tips for phones, SSDs, etc. I have been doing data recovery professionally for over 10 years at a firm that shall remain nameless, so I have a great amount of expertise in diagnosing and recovering from various media, operating systems, etc. If needed, I'd be happy to provide proof to the mods.

BEFORE CONTINUING TO READ THIS GUIDE OR ATTEMPTING ANY DATA RECOVERY TURN OFF AND DISCONNECT THE DEVICE YOU WISH TO RECOVER DATA FROM. ANY FURTHER USE OF THE DEVICE GREATLY LESSENS THE CHANCE YOUR DATA WILL BE RECOVERABLE!

As a general disclaimer: If you suspect or know your device is failing and you have Bitcoin or other valuable data on it, the safest route is to send your device to a data recovery lab that has the appropriate training and equipment to recover it. Stop and think about how much your data is worth. If it's worth paying $300-$1500 to recover (or will be worth this in the future when you have more money), DO NOT ATTEMPT TO RECOVER IT YOURSELF. I understand you are freaked out right now that your BTC may be lost forever, but you will make the best decision with a calm mind that takes its time to think through things. You may only get one chance at a successful recovery. Every time you do any attempts at DIY recovery, you lessen the chances that your data will be recoverable. This is especially true if you have a drive that failed directly after being dropped, is making clicking or grinding noises, or had liquid damage of any kind. Even spinning up a drive once for a few seconds that has a damaged head can permanently destroy your data by literally scraping it off the platters. All that being said, if it's worth taking the risk, hopefully this guide can help you. I am providing this information without any warranty, if you lose all your data following my instructions, that's your own fault for not taking it to a professional. For many of the links referenced in here, I may have not tested the instructions fully. I have my own way of doing things in the shop which isn't written down and uses much more advanced tools, so for any step which uses external instructions, try to read a few other guides as well to make sure you know what you're doing before you try doing it.

If you do take your device to be recovered professionally, transfer your BTC to a new wallet. Many data recovery providers will be happy to sign NDAs, but it's better to protect yourself by simply emptying the wallet they had access to.

Step 1: Diagnose your device

The first step in recovering your data is determining the health of the device.
  • If you accidentally deleted your wallet or formatted your device but your device is in otherwise good health, you have a good chance of being able to recover your data. A professional recovery like this can run as low as $300.
  • If your device stopped working (or got significantly less functional) directly after a fall and it is a conventional spinning disk drive, there is a good chance there is damage to the heads, platters, or both. A professional could recover data from this scenario for $600 to over $1,000 depending on the situation. Head swaps are complex enough that they're beyond the scope of this guide. I would suggest [this guide](http://hddsurgery.com/pdfs/samtshbfinal.pdf) and [this video](https://www.youtube.com/watch?v=uIPZtJyrVPw) which show how head swaps work in general and [this guide](https://www.donordrives.com/blog/matching-guide) for finding appropriate donor drives. Some drives you can find donors for by simply matching some information from the drive label on eBay, others require advanced equipment like a PC-3000. This is because some drives have specific information about them (microjogs etc) which you can't know unless you can access the drive's terminal and firmware. I implore you to send cases like this to a professional. I should add that while many places say you need a clean room if you open a drive, this is not the case. Clean rooms are great if your data is worth thousands of dollars and you can afford the clean room rate, but you can successfully run a drive after opening it without a clean room, some drives will even operate just fine, for hours, with the cover off. If a piece of dust or pollen gets in-between the drive heads and the drive platters (often this space is mere nanometers), it can rip the data off the platters. However, as drives spin they create an air pocket which can prevent such dust from landing on it. There is an element of risk in non-cleanroom recovery, and that risk is real, but it is not nearly as dire as some data recovery companies present it to be. If you don't believe me, take a hard drive you don't care about, open it, re-assemble it, and see if it works. 
    It probably will, though some drives like WD may not because a screw in their case is needed to properly operate the actuator arm. And I wouldn't suggest continuing to use that drive for obvious reasons.
  • If your device was damaged by water, you should dry out the device first as much as you can. Tricks like rice are dumb, all they do is prevent air from getting to your device and drying it out. Simply leaving your device out in the open air and time is all you need, though you can speed the process with some gentle heat. If you got your laptop, phone, or other enclosure wet, remove the data storage device from the enclosure itself. By gently cleaning the device with rubbing alcohol (99% or higher suggested) and a q-tip, you can arrest much of the corrosion and speed the drying process. The cost of having a device damaged by water recovered varies greatly depending on the device type, what was damaged, etc. But don't expect to get this recovered for less than $600.
  • Do not put your device in the freezer. Doing so creates condensation on the platters which will destroy your data and it leaves you with less room to store leftovers. This technique can work in an extremely limited set of scenarios, but you'd be better off simply placing the drive in front of an air conditioner than subjecting it to a freezer if you happened to be in one of those scenarios. Which I would bet good money you are not.
  • Conventional hard drives make all sorts of interesting noises when they fail. If you hear a noise that sounds like grinding or scraping, stop attempting the recovery immediately and inspect the platters and heads, it's likely that you have a crashed head. If you hear clicking, this can be caused by PCB/firmware issues or platter/head damage. Clicking can also be caused by damage to/corruption of the service area of the drive which can be bypassed or repaired with advanced equipment.
  • Inspect the PCB board on the outside of the drive by removing it and using a magnifying glass if necessary. If you see any areas that are burned or smell smoky, the PCB likely needs to be replaced. PCB damage is more likely if your device failed directly after a power outage/brownout/power supply failure in your machine. You cannot simply swap a PCB board, you need to transfer the ROM and adaptive information using a tool like a PC-3000 or by de-soldering the ROM chip and re-soldering it to a new board. Many sellers on eBay can do this for you for around $60-$80, Outsource data recovery also [offers this for $60](https://outsourcedatarecovery.com/repair-services/), I have used them in the past and they are great. If you have contacts that are corroded or dirty, gently clean them with an eraser. Data recovery for drives with damaged PCBs typically runs $400-$800.

Step 2: Attempt to image the device

If the device turns on and spins up (even if there is some clicking) but doesn't show up as a drive on your computer, there's a decent chance you can still recover the data using a Linux live CD/USB and ddrescue. Here's [a guide for that](https://www.data-medics.com/forum/how-to-clone-a-hard-drive-with-bad-sectors-using-ddrescue-t133.html). Ddrescue makes an image of the entire drive sector-by-sector and is agnostic to filesystems (meaning it will work on drives from any operating system, SD cards, DVDs, etc). The image will take up the same amount of space as the device you're imaging. So if you are imaging a 500GB drive, the ddrescue image will be 500GB. It's important to make an image FIRST before attempting recovery with any software. Once you make the image, you can work on copies of the image and throw as much software at it as you want as opposed to running the software on the drive and risking losing the data permanently. If you have more than a couple dozen bad sectors, ddrescue can shred your disk in the process of trying to image it. This would likely be due to platter damage or a bad head. If the drive doesn't register in a Linux live CD/ddrescue doesn't work on it (and you've ruled out a PCB swap), you won't be able to recover the data without investing in expensive data recovery hardware or sending it to a pro. Sorry.

If the device you're imaging is an Android phone, a [guide like this](https://dfir.science/2017/04/Imaging-Android-with-root-netcat-and-dd.html) can help you make a dd image of the internal memory.

Side note: There are some cases where imaging may not be the way to go. For example, if you know the file's location (and it wasn't deleted or is still in the MFT), some tools will be able to recover it by only touching the sectors they need to. A drive with platter damage or crashed heads (where the data isn't affected by the crashed head) or failing but sometimes working heads is an example of where such a technique might be valuable. By doing this, you lessen the chance that you'll accidentally destroy your wallet in attempts to image less important parts of the drive.

Step 3: Run recovery tools on the image to recover your wallet

Once you have an image of your device, you can now try various software tools to recover data from the image. The easiest thing to do is mount a read-only image in [Windows](https://www.osforensics.com/tools/mount-disk-images.html) or [Linux](https://major.io/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/) and see if you can use the drive as normal and see your files. If you deleted your wallet or formatted your drive, this will not work.
If you deleted your wallet, you will need to use a file undeletion tool or a file carving tool. When files are deleted, they are not actually deleted, merely the pointers to those files are deleted. It's akin to taking down all the highway signs to New York but leaving the city there. Depending on the filesystem, the pointer may still exist and simply have a "deleted" flag next to it. File carving is used when this isn't the case and your data is somewhere in the "un-used" portion of the drive. DMDE, R-Studio, and GetDataBack are all great tools to undelete files.

If you formatted the device your wallet was stored on, you'll need to recover the original formatting or use a file carving tool. Testdisk is a great free tool for searching for partitions and filesystems. R-Studio, DMDE, and other tools can also do this.

For file carving, you need to know which type of wallet you want to recover as different tools support different wallet formats. Many recovery programs simply call file carving RAW recovery/deep search. If file carving doesn't find your wallet, but you know some keys, addresses, or notes you kept in your wallet, you can manually search the entire drive with a hex editor that supports large files. [Photorec](https://www.cgsecurity.org/wiki/PhotoRec) is a free file carving tool which can recover wallets. There are also [specialized tools](https://Bitcointalk.org/index.php?topic=25091.0) for this purpose.

Step 4: You recovered your wallet but don't know the password

The guy behind [walletrecoveryservices.com](http://www.walletrecoveryservices.com) can crack your password in some instances. He has done some amazing work and is one of the few people who offers this service.

Step 5: Importing your wallet and setting up a backup system

Back up your existing wallet(s) and try importing the one you recovered. If it fails to import, you may need to extract the private keys from it and import those manually as the wallet could be corrupted. File carving is likely to produce corrupted wallets.

Once you have imported your wallet successfully, set up a backup system so this never happens to you again!

I intend to update this guide once I know more about what parts people find confusing or useful.
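
Added example (not part of the original post or any tool it links to): a scripted form of the manual search from Step 3, scanning a copy of the image for byte strings you remember from the wallet and reporting where they sit. The 512-byte sector size, the marker strings and the small demo image are constructed assumptions.

```python
import os
import tempfile

SECTOR = 512             # assumed sector size, used only to report sector numbers
CHUNK = 4 * 1024 * 1024  # read 4 MiB at a time so a 500GB image never sits in RAM

# Constructed sample strings (not a real address or wallet label).
ADDR = b"1ConstructedExampleAddrForDemo"
LABEL = b"my savings label"


def find_markers(image_path, markers, chunk_size=CHUNK):
    """Return sorted (byte_offset, sector, marker) hits; the image is opened read-only."""
    markers = [m for m in markers if m]
    if not markers:
        return []
    overlap = max(len(m) for m in markers) - 1  # carry-over so hits spanning two reads are found
    hits = set()                                # a set drops hits seen twice in the carry-over
    with open(image_path, "rb") as img:
        base, tail = 0, b""                     # base = image offset of buf[0]
        while True:
            chunk = img.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for m in markers:
                pos = buf.find(m)
                while pos != -1:
                    hits.add((base + pos, (base + pos) // SECTOR, m))
                    pos = buf.find(m, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)


def build_demo_image():
    """Write a constructed 4 KiB 'image' with ADDR straddling the 1024-byte read boundary."""
    data = bytearray(4096)
    data[1000:1000 + len(ADDR)] = ADDR
    data[2048:2048 + len(LABEL)] = LABEL
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    path = build_demo_image()
    for off, sector, marker in find_markers(path, [ADDR, LABEL], chunk_size=1024):
        print(f"{marker!r} at byte {off} (sector {sector})")
    os.remove(path)
```

Run it against a copy of the image, never the failing device; the reported offsets are where to look in a hex editor or where to start carving.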
Strufmbae
August 27, 2018, 04:38:16 AM
 #2

I really want to recover my private keys and I thought that this one is helpful. Based on my own understanding, this is helpful for Ledger or hardware wallets? Am I right? Sorry, I am not an expert about recovering. Can I use step number four on my lost private keys in my Electrum application?

HCP
September 01, 2018, 01:15:49 AM
 #3

Quote
I really want to recover my private keys and I thought that this one is helpful. Based on my own understanding, this is helpful for Ledger or hardware wallets? Am I right? Sorry, I am not an expert about recovering.
No. It is not useful for hardware wallets... The private keys NEVER leave the hardware wallets, that is the entire point.

You will not be able to use any of the recovery methods listed here to recover a hardware wallet. The only recovery you can use is the 12/24 word seed mnemonic that you should have written down and stored safely and securely when you first initialised the hardware wallet.


Quote
Can I use step number four on my lost private keys in my Electrum application?
That depends on what sort of wallet you had set up with Electrum. If it was a standard Electrum wallet, again you should have a 12 word seed mnemonic written down, and can use that to recover your wallet.

If you have an imported wallet with imported private keys, then it's possible that someone could "crack" the wallet if you've forgotten your password... It's not easy and is very dependent on how much of the password you can remember and how complex it was.

If it was an Electrum wallet that you used with your hardware wallet, it doesn't contain any private keys... They never leave the hardware wallet... So cracking the wallet password won't do you any good.

bob123
September 03, 2018, 07:13:27 AM
 #4

Quote
Can I use step number four on my lost private keys in my Electrum application?

How did you lose your private keys?
Step 4) is to crack the password of a wallet file. So, if you have an Electrum wallet file and don't remember the password, yes.
But if you lost your seed and don't have a (password protected) file anymore or have used Electrum to access a hardware wallet, step 4 is not for you.

There might be other options to gain access to your private keys.
How did you store them (which wallet)? And did you have any kind of backup?
