Bitcoin Forum
Topic: Is it possible to know the date I changed my wallet.dat password?
mapuche33 (OP)
August 27, 2018, 07:16:05 PM
Last edit: August 27, 2018, 07:57:30 PM by mapuche33
 #1

Hi, I'd like to know if it is possible to get to know the last date I changed the password of my wallet.dat?

Here is the situation: I moved most of my BTC to an address I created back in 2013 on a new fresh wallet.dat. I remember the exact day I created the password because it was the same day I replicated the process on my LTC wallet.dat (which I can unlock). Unfortunately I used a totally different set of characters for the heaviest one.
I have already put a lot of effort into trying to remember as well as trying different combinations of the string of characters I believe I picked. Currently I'm stuck at a point where I don't know anymore which is certain and which is not. Also I'm not sure anymore if I changed the password again back in 2014 (2 months later) or not.

I already tried "getwalletinfo" as well as different commands on the console without any success. I couldn't find any documentation regarding the subject of metadata either. Getting to know the last date the password was modified would be useful for me in pursuing the path of recalling it from memory, I guess.

Another alternative could be trying to brute force it myself or hiring Dave's services. Either way I need to be certain for targeting purposes.
Any ideas / suggestions?
 
Thanks
shield132
August 27, 2018, 08:36:17 PM
Last edit: August 27, 2018, 08:56:32 PM by shield132
 #2

And what about moving your mouse cursor near that wallet.dat file and seeing this: Date modified?

mapuche33 (OP)
August 27, 2018, 10:26:41 PM
Last edit: August 27, 2018, 10:38:21 PM by mapuche33
 #3

Quote from: shield132
> And what about moving your mouse cursor near that wallet.dat file and seeing this: Date modified?

Because I encrypted the .dat file into a .pea file with my PGP signature, then I uploaded it into my email accounts in January 2014. When I extract the wallet to examine its properties the metadata is altered; here is an example:
Created: June 15, 2018 | Modified: Sunday, June 3, 2018 | Accessed: June 15, 2018

Perhaps some forensic tool would help; any ideas which one to try to analyze the data related to the password creation date?
HCP
August 28, 2018, 12:55:08 AM
 #4

I don't believe that data is stored within the wallet for older, non-HD wallets.

With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (ie. when the keys were generated to fill the keypool)...

So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets.

achow101
August 28, 2018, 02:13:47 AM
Merited by vapourminer (1), ABCbits (1)
 #5

Quote from: HCP
> I don't believe that data is stored within the wallet for older, non-HD wallets.
>
> With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (ie. when the keys were generated to fill the keypool)...
>
> So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets.

You don't need an HD wallet to observe this. With both HD and non-HD wallets, you should see a block of 100 (or 1000) keys created at one time, and then another block of 100 keys created at another time. That other time would be the time that the password was changed.

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

mapuche33 (OP)
August 28, 2018, 02:51:13 PM
 #6

Quote from: achow101
> Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

Thanks, I already tried dumpwallet; however, it asks me to enter the wallet passphrase first, which I have forgotten. If you know how to bypass this hurdle please let us know.
achow101
August 28, 2018, 03:31:45 PM
Merited by ABCbits (2), bob123 (2), vapourminer (1), BitMaxz (1), A-Bolt (1), aliashraf (1)
 #7

Quote from: mapuche33
> Quote from: achow101
> > Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.
>
> Thanks, I already tried dumpwallet; however, it asks me to enter the wallet passphrase first, which I have forgotten. If you know how to bypass this hurdle please let us know.

Right, duh.

The way to get this information out without using dumpwallet is to use BDB's db_dump utility which will output all of the raw records from the wallet. What you want are the keymeta ones. When you use db_dump, you will get a bunch of hex output. What you want to do is look for the lines which begin with the hex 076b65796d65746121. The line immediately after contains the actual key metadata which has the timestamp for key creation. These timestamps are 8 byte, little endian integers. They begin at the 5th byte after the beginning of the line, so 8 characters after the beginning.

For example, here is a keymeta record from one of my wallets:
Code:
076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7
0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000
As you can see, the first line begins with 076b65796d65746121. Then on the second line, the timestamp is 5c147e5b00000000. Converting this to the unix timestamp results in 1534989404. This is a UNIX timestamp. As an actual date and time, it is Thursday, August 23, 2018 1:56:44 AM UTC.

This is a bit more manual, but it could probably be scripted.

Also, make sure you use the BDB 4.8 version of db_dump which can be downloaded from http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html (scroll down to 4.8.30).

Note that you have to use the command line, i.e. the terminal (for unix systems) or the command prompt (windows). The command that you will use is
Code:
db_dump wallet.dat
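
The manual procedure from the post above, scripted as an added example (not part of the original post and not Bitcoin Core code): it reads db_dump text, takes the line after each keymeta key, decodes bytes 4 to 11 as a little-endian integer, and groups the creation times into the keypool blocks described in post #5. The 60-second window, the 100-key threshold, the helper names and the sample dump are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Prefix quoted in the post: 0x07, "keymeta", 0x21 (length byte of the public key)
KEYMETA_PREFIX = "076b65796d65746121"

def keymeta_times(dump_lines):
    """Creation time (unix seconds) of every keymeta record in db_dump text."""
    lines = [ln.strip() for ln in dump_lines]
    times = []
    for key, value in zip(lines, lines[1:]):
        if not key.startswith(KEYMETA_PREFIX):
            continue
        try:
            raw = bytes.fromhex(value[:24])   # 4-byte version + 8-byte timestamp
        except ValueError:
            continue                          # not a hex data line
        if len(raw) == 12:
            times.append(struct.unpack_from("<q", raw, 4)[0])  # little endian
    return times

def keypool_batches(times, window=60, min_keys=100):
    """Group times within `window` seconds of a batch start; keep large batches."""
    batches = []
    for ts in sorted(times):
        if batches and ts - batches[-1][0] <= window:
            batches[-1][1] += 1
        else:
            batches.append([ts, 1])
    return [(start, n) for start, n in batches if n >= min_keys]

def to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def record(i, ts):
    """Constructed keymeta key/value line pair; the public key is a dummy."""
    return [" " + KEYMETA_PREFIX + "02" + f"{i:064x}",
            " " + struct.pack("<iq", 1, ts).hex()]

# The two lines posted above, verbatim.
PAGE_RECORD = [
    "076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7",
    "0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000",
]
# Constructed dump: two keypool blocks of 100 keys plus keys made on use.
T1, T2 = 1386000000, 1390000000
SAMPLE = ["VERSION=3", "HEADER=END"]
for i in range(100):
    SAMPLE += record(i, T1 + i % 3) + record(1000 + i, T2 + i % 3)
for i, ts in enumerate((1387000000, 1388000000, 1391000000)):
    SAMPLE += record(2000 + i, ts)
SAMPLE += PAGE_RECORD + ["DATA=END"]

if __name__ == "__main__":
    for start, n in keypool_batches(keymeta_times(SAMPLE)):
        print(n, "keys created around", to_utc(start))
```

To run it on a real dump, pass the lines of the `db_dump wallet.dat` output to `keymeta_times`; the most recent batch returned by `keypool_batches` is the candidate date for the last encryption change.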

codekrash
August 28, 2021, 05:23:14 PM
 #8

achow101 thank you for the insightful info. Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?
achow101
August 28, 2021, 09:32:59 PM
 #9

Quote from: codekrash
> achow101 thank you for the insightful info. Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?

Not necessarily. Since I wrote this post, there have been changes to the wallet. Notably, a new type of wallet known as a descriptor wallet has been added. Descriptor wallets use a different method for managing keys and they do not have keymeta records.

BitMaxz
August 30, 2021, 03:31:26 PM
 #10

Quote from: codekrash
> Also, if you can't find the hex 076b65796d65746121 from the db_dump, then the wallet is fake, does not have key metadata. Correct?

Why would you think it was fake? Are you sure that this is your backup, or is this another wallet.dat file that was being sold on the market or obtained for free from a download site?


It seems no one has mentioned this tool yet? There is a way to brute-force the wallet.dat: if you can't remember the exact password of your wallet.dat, you can brute-force it using this tool, "BTCrecovery tool".

I hope that you know some parts of the password, because if not it might take years before you can find the exact password.

If you need help in finding the wallet password contact -bringbackmycrypto.com


Be careful with this site; it's new and it's not safe to share the wallet.dat file with unknown or newbie users like this.

If you want a well-known and, I think, legit service for recovering wallet passwords, I will suggest this: https://walletrecoveryservices.com

bjpark
September 13, 2022, 01:06:27 AM
 #11

Quote from: achow101
> Quote from: mapuche33
> > Quote from: achow101
> > > Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.
> >
> > Thanks, I already tried dumpwallet; however, it asks me to enter the wallet passphrase first, which I have forgotten. If you know how to bypass this hurdle please let us know.
>
> Right, duh.
>
> The way to get this information out without using dumpwallet is to use BDB's db_dump utility which will output all of the raw records from the wallet. What you want are the keymeta ones. When you use db_dump, you will get a bunch of hex output. What you want to do is look for the lines which begin with the hex 076b65796d65746121. The line immediately after contains the actual key metadata which has the timestamp for key creation. These timestamps are 8 byte, little endian integers. They begin at the 5th byte after the beginning of the line, so 8 characters after the beginning.
>
> For example, here is a keymeta record from one of my wallets:
> Code:
> 076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7
> 0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000
> As you can see, the first line begins with 076b65796d65746121. Then on the second line, the timestamp is 5c147e5b00000000. Converting this to the unix timestamp results in 1534989404. This is a UNIX timestamp. As an actual date and time, it is Thursday, August 23, 2018 1:56:44 AM UTC.
>
> This is a bit more manual, but it could probably be scripted.
>
> Also, make sure you use the BDB 4.8 version of db_dump which can be downloaded from http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html (scroll down to 4.8.30).
>
> Note that you have to use the command line, i.e. the terminal (for unix systems) or the command prompt (windows). The command that you will use is
> Code:
> db_dump wallet.dat

5c147e5b00000000 is 1534989404
I want to know how it was converted
Hex 5c147e5b ==>>>0x5c147e5b
1544846939

There is a difference between 1534989404 and 1544846939
I'd like to know how to convert
And my wallet change time is 932d44e00000000
Thank you for your reply in advance
achow101
September 13, 2022, 01:29:57 AM
 #12

Quote from: bjpark
> 5c147e5b00000000 is 1534989404
> I want to know how it was converted
> Hex 5c147e5b ==>>>0x5c147e5b
> 1544846939
>
> There is a difference between 1534989404 and 1544846939
> I'd like to know how to convert

It is a little endian number. You need to reverse the bytes before doing the conversion (or inform your conversion tool that it is little endian). It is also a fixed width of 8 bytes, so you must not truncate it as otherwise you may get an incorrect value.

Quote from: bjpark
> And my wallet change time is 932d44e00000000
> Thank you for your reply in advance

One character is missing. This is not 8 bytes, and so it cannot be correctly converted.

NotATether
September 13, 2022, 05:47:01 AM
 #13

Quote from: bjpark
> I want to know how it was converted
> Hex 5c147e5b ==>>>0x5c147e5b

Just to clarify the endian conversion process, it is not simply reversing the order of each hex character! This is a common mistake and will emit a completely different number. Rather, you must reverse the order of groups of 2 hex characters:

5c 14 7e 5b
5b 7e 14 5c    <= reverse endian

PawGo
September 13, 2022, 07:37:59 AM
 #14

Quote from: NotATether
> Quote from: bjpark
> > I want to know how it was converted
> > Hex 5c147e5b ==>>>0x5c147e5b
>
> Just to clarify the endian conversion process, it is not simply reversing the order of each hex character! This is a common mistake and will emit a completely different number. Rather, you must reverse the order of groups of 2 hex characters:
>
> 5c 14 7e 5b
> 5b 7e 14 5c    <= reverse endian

Yes, because you do not reverse (convert) any "characters" but bytes.

Quote from: bjpark
> 5c147e5b00000000 is 1534989404
> I want to know how it was converted
> Hex 5c147e5b ==>>>0x5c147e5b
> 1544846939

5c147e5b00000000 in hex is 6635067080330706944 in decimal.
000000005b7e145c in hex is 1534989404 in decimal.
