Igor76200 (OP)
March 05, 2021, 05:35:08 PM (Last edit: March 13, 2021, 02:30:07 PM by Igor76200)
I lost a .dat wallet with 1.54BTC. I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seems to be highly damaged. Someone tried to extract the keys using Pywallet but it failed. I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this. I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.
I created an image of the disk here : https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY
Alternative download link : https://bitcointalk.org/index.php?topic=5321900.msg56502435#msg56502435
Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
Wallet has a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions. In order to make the transaction as safe as possible.
More info:
It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I very rarely use it because it's very old and slow. I can't remember what I did with this laptop... I think I messed with Windows in May 2020 (reinstall, recover...) I'm not sure. I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around. Crossing fingers. Thanks for your help.
[08.03.21] Current state of search :
Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)
17 wallets with a size of 9 bytes, which is impossible to recover
21 wallets of 29 bytes; many of these can not be dumped because they are encrypted.
Now have to check the ones that are encrypted and their file sizes; this will show if it can be done and be used as an indicator for the amount of effort it will take to try.
We know the wallet is encrypted so it all does make sense at this point in time. Will require further investigation, likely examination on the bit level.
A wallet has a specific structure, for example like a start header and end header. Positions of the elements in between are fixed so we know what should be where after a certain start header and before a certain end header.
This means you drag a partial overlay over the remaining data and when it slides over an old damaged wallet, and there are still elements present, then the overlay will match and ID the underlying data and we make a snapshot of that for further examination.
If there are enough bits left on the drive then you would be able to recover the coins.
The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:
main \00\00\00\02 DATA=END
It is empty, but it can be empty for many reasons; that is why you have to compare those nine bytes to the original file. If the original file is larger then it means that there is more than those nine bytes.
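The header "overlay" described in the post above, as an added example that is not part of the thread and is not PyWallet's code: it walks a raw image at sector boundaries and matches the fixed fields of a Berkeley DB Btree metadata page, the format the search reported. The 512-byte alignment, the version bound and the sample image are assumptions made for the illustration.

```python
import io
import struct

BTREE_MAGIC = 0x00053162  # Berkeley DB Btree magic, stored at byte 12 of the metadata page
SECTOR = 512              # assumption: candidate pages start on 512-byte boundaries
HEADER_LEN = 24           # lsn(8) + pgno(4) + magic(4) + version(4) + pagesize(4)


def parse_meta(header):
    """Return (byte_order, version, pagesize) if header matches the template, else None."""
    for order, name in (("<", "little"), (">", "big")):
        pgno, magic, version, pagesize = struct.unpack_from(order + "4I", header, 8)
        power_of_two = (pagesize & (pagesize - 1)) == 0
        # Assumed sanity bounds: meta page is page 0, small version, sane page size.
        if (magic == BTREE_MAGIC and pgno == 0 and 0 < version < 32
                and 512 <= pagesize <= 65536 and power_of_two):
            return name, version, pagesize
    return None


def scan_image(stream, chunk_sectors=2048):
    """Yield (offset, byte_order, version, pagesize) for every match in the stream."""
    offset = 0
    while True:
        chunk = stream.read(SECTOR * chunk_sectors)
        if not chunk:
            break
        for pos in range(0, len(chunk) - HEADER_LEN + 1, SECTOR):
            hit = parse_meta(chunk[pos:pos + HEADER_LEN])
            if hit:
                yield (offset + pos, *hit)
        offset += len(chunk)


def build_sample():
    """Constructed image: zero-filled sectors with planted headers (not real wallet data)."""
    img = bytearray(SECTOR * 8)
    struct.pack_into("<4I", img, 1024 + 8, 0, BTREE_MAGIC, 9, 4096)  # intact header
    struct.pack_into("<4I", img, 2048 + 8, 0, BTREE_MAGIC, 9, 1000)  # damaged page size
    struct.pack_into(">4I", img, 3072 + 8, 0, BTREE_MAGIC, 9, 8192)  # other byte order
    return bytes(img)


def demo():
    return list(scan_image(io.BytesIO(build_sample())))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A match only says that a database header survives at that offset; whether the key records behind it are still intact has to be checked separately.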

escobol
March 05, 2021, 10:38:25 PM
Are you sure that you want to share the VHD like that?

logfiles
March 05, 2021, 11:09:38 PM
Are you sure that you want to share the VHD like that?
Perhaps he's so sure that the password he used for the wallet is very strong and any other recoverable files in the VHD are not that important.

escobol
March 05, 2021, 11:18:44 PM
To the OP: for the deep recovery, there is a need to do it on the actual disk (not an image).

Igor76200 (OP)
March 05, 2021, 11:32:43 PM (Last edit: March 09, 2021, 12:56:02 AM by Igor76200)
Are you sure that you want to share the VHD like that?
Yes, the password is strong. This laptop has no value for me, there is nothing important on the disk.

HCP
March 06, 2021, 01:22:31 AM (Last edit: November 15, 2023, 12:05:40 AM by HCP; Merited by LoyceV (6), ABCbits (3))
PyWallet read the image file... gave this summary:
Read 32.7 Go in 1.1 minutes
Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct
And then it output 109 private keys (actually 218 as it showed both the uncompressed and compressed keys)... I imported all of those to Electrum and nada:
So if there is anything for PyWallet to find, it will be in the "possible but encrypted" wallets/keys... however as mentioned, PyWallet won't do anything with them unless you know the correct passphrases that may have been used that you can feed it so it can attempt to decrypt the "11764 possible encrypted keys".

Igor76200 (OP)
March 06, 2021, 01:40:14 AM
I see... I ignored that. Is there any possible workaround ? Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.

Murat
March 06, 2021, 01:56:56 AM

fxsniper
March 06, 2021, 05:38:05 AM
The problem is that it is stored as encrypted keys, which is very hard to crack.
I think using a recovery service is a better way. It needs a high-power GPU to calculate.
What wallet client was used on the notebook? Possibly you cannot remember the password; I often cannot remember my passwords from 10 years ago.
Try writing 10 possible passwords.

HCP
March 06, 2021, 08:50:32 AM
I see... I ignored that. Is there any possible workaround ? Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
Given that I have an image of the drive... no. So, you'll probably need to get Python2.7 and "old" PyWallet working (or maybe Python3 + NewPyWallet), so that you can run PyWallet yourself and type in the possible passphrases for the encrypted wallets (assuming you actually think you know what the passphrases for those lost wallets might have been).

LoyceV
March 06, 2021, 10:39:38 AM
PyWallet read the image file... gave this summary:
Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file. I used this:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?
I imported all of those to Electrum and nada:
OP also had altcoin wallets. He did, but only with "completely overwritten" wallet.dat files. A raw search on the entire disk can still produce other results.

Igor76200 (OP)
March 06, 2021, 11:24:00 AM (Last edit: March 06, 2021, 11:39:36 AM by Igor76200)
If you want to try yourself, use Python 2.7 from Miniconda2
Thanks I will try tonight. In case there are missing bits in the key, I guess Pywallet will not report it ? That's another thing to consider. A deep analysis is necessary to be really sure.
The problem is that it is stored as encrypted keys, which is very hard to crack
I have the password. 100%... No you can't crack it. It's as complex as the private key itself +special characters. Long story short I put 1.5BTC on a SD card for a sibling in 2014. But he lost it. That laptop is all I have now. I already submitted the .dat to someone and he told me it's completely overwritten. If there are no readable keys in the .dat file, is it still possible to find the keys somewhere else on the disk ? Seems difficult but I need to try.

Igor76200 (OP)
March 06, 2021, 11:48:07 AM
Some people complaining about the Mega link, could you suggest a good file sharing website ? File is 30gb. Is www.idrive.com good ?

LoyceV
March 06, 2021, 12:09:21 PM (Last edit: March 06, 2021, 05:49:38 PM by LoyceV)
Some people complaining about the Mega link, could you suggest a good file sharing website ? File is 30gb.
I've uploaded the file to blockdata.loyce.club/tmp/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz. I'll update this post when it's ready. Done! Let me know when you want it removed. I compressed the file to increase download speed. These are sha256sum checksums:
d253d04a9bfa6768dd8ed3276d78eb44b90bb8f00a97f07344e32f42a538907a d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd # 32GB
599ce3cdd36d8a5954258b7edea94b1a6055f90fb490575de96de0e1a61f5257 d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz # 17 GB

Igor76200 (OP)
March 06, 2021, 12:56:40 PM
Thank you, much appreciated. Here are the links to the .dat files (original+copy). The original title on disk was ballet.dat and ballet_1.dat. They are highly damaged. There is not much to see.
http://www.filedropper.com/wallet_5
http://www.filedropper.com/wallet1

LoyceV
March 06, 2021, 01:02:10 PM
The original title on disk was ballet.dat and ballet_1.dat
Just a guess: the first character ("w") of the filename was removed, and made up by the recovery program? You said Dave checked those files, in that case I trust there's nothing there. Have you considered disclosing the password with the entire partition to Dave? I think he charges 20%.

Igor76200 (OP)
March 06, 2021, 01:52:37 PM
No I gave random names to differentiate between all my wallets. There seem to be two recovery businesses operating:
David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/
I contacted David but got no answer from Dave so far. Not sure what happened. If you open the .dat files with windows notepad, both seem completely unreadable. The data recovery software still managed to compile the « wastes » under the right name. Right now I think I should do
1. Rescan with Pywallet + passphrase
2. Raw partition search for keys or key fragments (I can't do that myself)
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

LoyceV
March 06, 2021, 02:29:17 PM
The second one has been around for years. Don't make a typo though, you might end up on a phishing site. The first one you mentioned looks like an imposter: both the guy's name and the site's name seem to be created to make you think it's the real deal.
I contacted David but got no answer from Dave so far. Not sure what happened.
You keep confusing who's who too.
If you open the .dat files with windows notepad, both seem completely unreadable.
It's not supposed to be clear text.
1. Rescan with Pywallet + passphrase
That's a good start
2. Raw partition search for keys or key fragments (I can't do that myself)
I have no idea how likely this is to find anything useful when keys are encrypted. And I don't think it's very likely to find a part of a key still intact, while the rest is overwritten.
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
Add the fact that you're not even sure if there's any value left on the disk, and you may end up with an expensive disappointment.
@HCP: out of the 11764 possible encrypted keys, how many of those are duplicates?

Igor76200 (OP)
March 06, 2021, 03:34:45 PM (Last edit: March 06, 2021, 03:54:49 PM by Igor76200)
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ? Related to this I found https://bitcoin.stackexchange.com/questions/48070/format-of-mkey-field-in-encrypted-wallet-dat-file
That's what Pywallet is doing... Is there another, deeper method that Pywallet doesn't support ? This thing is so frustrating because there are just too many things I don't understand. I will post this announcement on bitcoin stack as well. Hopefully some coding genius with 150IQ will be able to try something. I don't have high hopes at this point but must try...
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
I think my best shot would be to ask them to search for the ballet.dat file itself. Hoping they will be able to recover a better version of it. Then try to extract the content with Pywallet.