Bitcoin Forum
Topic: Is it possible to know the date I changed my wallet.dat password?
mapuche33
August 27, 2018, 07:16:05 PM
 #1

Hi, I'd like to know if it is possible to get to know the last date I changed the password of my wallet.dat?
 
Here is the situation: I moved most of my BTC to an address I created back in 2013 on a new fresh wallet.dat, I remember the exact day I created the password because it was the same day I replicated the process on my LTC wallet.dat (which I can unlock). Unfortunately I used a totally different set of characters for the heaviest one.
I have already put a lot of effort into trying to remember as well as trying different combinations of the string of characters I believe I picked. Currently I'm stuck at a point where I don't know anymore which is certain and which is not. Also I'm not sure anymore if I changed the password again back in 2014 (2 months later) or not.

I already tried "getwalletinfo" as well as different commands on the console without any success. I couldn't find any documentation regarding the subject of metadata either. Getting to know the last date the password was modified would be useful for me in pursuing the path of recalling it from memory, I guess.

Another alternative could be trying to brute force it myself or hiring Dave's services. Either way I need to be certain for targeting purposes.
Any ideas / suggestions?
 
Thanks
shield132
August 27, 2018, 08:36:17 PM
 #2

And what about moving your mouse cursor near that wallet.dat file and seeing this: Date modified?

mapuche33
August 27, 2018, 10:26:41 PM
 #3

Quote from: shield132
> And what about moving your mouse cursor near that wallet.dat file and seeing this: Date modified?

Because I encrypted the .dat file into a .pea file with my PGP signature, then I uploaded it into my email accounts in January 2014. When I extract the wallet to examine its properties the metadata is altered, here is an example:
Created: June 15, 2018 | Modified: Sunday, June 3, 2018 | Accessed: June 15, 2018

Perhaps some forensic tool would help, any ideas which one to try to analyze the data related to the password creation date?
HCP
August 28, 2018, 12:55:08 AM
 #4

I don't believe that data is stored within the wallet for older, non-HD wallets.

With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (i.e. when the keys were generated to fill the keypool)...

So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets.

achow101
August 28, 2018, 02:13:47 AM
 #5

Quote from: HCP
> I don't believe that data is stored within the wallet for older, non-HD wallets.
>
> With the newer HD wallets, whenever you change the password, it will modify the seed and the master key and then generate new keys/addresses... I have two old dumpwallet outputs from a testnet wallet, one before a password change, and one after. The timestamps in these files show the original creation date for the keys (i.e. when the keys were generated to fill the keypool)...
>
> So, by looking at the current "hdmaster" key timestamp, I can tell when the password was changed. Unfortunately, given that your wallet was created in 2013, that would predate Bitcoin Core HD Wallets.

You don't need an HD wallet to observe this. With both HD and non-HD wallets, you should see a block of 100 (or 1000) keys created at one time, and then another block of 100 keys created at another time. That other time would be the time that the password was changed.

Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

mapuche33
August 28, 2018, 02:51:13 PM
 #6

Quote from: achow101
> Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.

Thanks, I already tried dumpwallet, however it asks me to enter the wallet passphrase first, which I have forgotten. If you know how to bypass this hurdle please let us know.
achow101
August 28, 2018, 03:31:45 PM
 #7

Quote from: mapuche33
> Quote from: achow101
> > Just use dumpwallet and look at the dates in the resulting dump. The block of 100 keys with the most recent timestamp is the time the encryption was changed. Also, note that if you have used the wallet, you will see some keys that do not fit into these blocks of 100 keys. Those keys are generated after a key from the keypool is used.
>
> Thanks, I already tried dumpwallet, however it asks me to enter the wallet passphrase first, which I have forgotten. If you know how to bypass this hurdle please let us know.

Right, duh.

The way to get this information out without using dumpwallet is to use BDB's db_dump utility, which will output all of the raw records from the wallet. What you want are the keymeta ones. When you use db_dump, you will get a bunch of hex output. What you want to do is look for the lines which begin with the hex 076b65796d65746121. The line immediately after contains the actual key metadata, which has the timestamp for key creation. These timestamps are 8-byte, little-endian integers. They begin at the 5th byte after the beginning of the line, so 8 characters after the beginning.

For example, here is a keymeta record from one of my wallets:
Code:
076b65796d6574612103ffc5d227b2e27f2e1253eb44c359eed1af38ec6028da2ec62205f479f533c6d7
0b0000005c147e5b000000000c6d2f30272f30272f35373727eaa6033dd5740c71a55efd9e7e6c8d102974535f0000000000000000000000000000000000000000
As you can see, the first line begins with 076b65796d65746121. Then on the second line, the timestamp is 5c147e5b00000000. Converting this to the unix timestamp results in 1534989404. This is a UNIX timestamp. As an actual date and time, it is Thursday, August 23, 2018 1:56:44 AM UTC.

This is a bit more manual, but it could probably be scripted.

Also, make sure you use the BDB 4.8 version of db_dump which can be downloaded from http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html (scroll down to 4.8.30).

Note that you have to use the command line, i.e. the terminal (for unix systems) or the command prompt (windows). The command that you will use is
Code:
db_dump wallet.dat
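
The manual procedure from post #7, scripted as an added example (not code from the thread or from Bitcoin Core): it reads `db_dump wallet.dat` output, takes the timestamp from each keymeta record, and groups the timestamps to find the batches of 100 keys. The function names, the 60-second grouping gap, the rule that skips timestamps of 0, and the generated sample dump are assumptions made for this example.

```python
import struct
from datetime import datetime, timezone

KEYMETA_PREFIX = "076b65796d65746121"  # key prefix quoted in post #7

def keymeta_times(dump_lines):
    """Key-creation times (Unix seconds) found in db_dump output lines."""
    lines = [ln.strip().lower() for ln in dump_lines]
    times = []
    for key, value in zip(lines, lines[1:]):  # the value is the line after its key
        field = value[8:24]  # skip 4 bytes, then 8 bytes = 16 hex characters
        if not key.startswith(KEYMETA_PREFIX) or len(field) != 16:
            continue
        try:
            ts = struct.unpack("<q", bytes.fromhex(field))[0]  # little-endian int64
        except (ValueError, struct.error):
            continue  # damaged or non-hex record
        if ts > 0:  # assumption: 0 means no creation time was stored
            times.append(ts)
    return times

def batches(times, gap=60):
    """Group timestamps into (first_ts, count) runs; gap is a chosen tolerance."""
    runs = []
    for ts in sorted(times):
        if runs and ts - runs[-1][-1] <= gap:
            runs[-1].append(ts)
        else:
            runs.append([ts])
    return [(run[0], len(run)) for run in runs]

def latest_refill(times, min_keys=100):
    """Most recent batch holding at least min_keys keys, or None."""
    big = [b for b in batches(times) if b[1] >= min_keys]
    return big[-1] if big else None

def make_record(i, ts):
    """Constructed record: fake 33-byte public key, version 1, timestamp ts."""
    key = KEYMETA_PREFIX + (b"\x02" + i.to_bytes(32, "big")).hex()
    return [" " + key, " " + struct.pack("<iq", 1, ts).hex()]

# Constructed dump: 100 keys in Dec 2013, 100 in Feb 2014, one later single key.
SAMPLE = ["VERSION=3", "format=bytevalue", "type=btree", "HEADER=END"]
for n in range(100):
    SAMPLE += make_record(n, 1387000000 + n // 50) + make_record(100 + n, 1392000000 + n // 50)
SAMPLE += make_record(200, 1400000000) + ["DATA=END"]

if __name__ == "__main__":
    for first, count in batches(keymeta_times(SAMPLE)):
        print(datetime.fromtimestamp(first, timezone.utc).isoformat(), count)
```

To run it on a real dump, save the `db_dump wallet.dat` output to a file and pass the open file to `keymeta_times`; work on a copy of the wallet.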
