Seek help to get back my private key... 9000$ reward.

[Igor76200]

I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seem to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link :
https://bitcointalk.org/index.php?topic=5321900.msg56502435#msg56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

Wallet have a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions. In order to make the transaction as safe as possible.


More infos

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I very rarely use it because it's very old and slow. I can't remember what I did with this laptop... I think I messed with windows in May 2020 (reinstall, recover...) I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

Crossing fingers. Thanks for your help.



[08.03.21] Current state of search :

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes which is impossible to recover
21 wallets of 29 bytes many of these can not be dumped because encrypted.

Now have to check the ones that are encrypted and their files size this will show if it can be done and be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted so it all does make sense at this point in time. Will require further investigation likely examination on the bit level.

A wallet has a specific structure, for example like a start header and end header. Positions of the elements in between is fixed so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data and when it slides over a old damaged wallet, and there are still elements present then the overlay will match and ID the underlaying data and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
 \00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons that is why you have to compare those nine bytes to the original file. If the original file is larger then it means that there is more then those nine bytes.

[1714515239]

1714515239

[escobol]

You are sure that You want to share vhd like that?

[logfiles]

You are sure that You want to share vhd like that?

Perhaps he's so sure that the password he used for the wallet is very strong and  any other recoverable files in the VHD are not that important

[escobol]

to the OP, for the deep recovery - there is need to do it on actual disk (not image).

[Igor76200]

You are sure that You want to share vhd like that?

Yes password is strong. This laptop have no value for me, there is nothing important on the disk.

[HCP]

PyWallet read the image file... gave this summary:

Code:

Read 32.7 Go in 1.1 minutes

Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct

And then it output 109 private keys (actually 218 as it showed both the uncompressed and compressed keys)... I imported all of those to Electrum and nada:


So if there is anything for PyWallet to find, it will be in the "possible but encrypted" wallets/keys... however as mentioned, PyWallet won't do anything with them unless you know the correct passphrases that may have been used that you can feed it so it can attempt to decrypt the "11764 possible encrypted keys".

[Igor76200]

I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.

[Murat]

https://www.walletrecoveryservices.com/

Contact them if you haven't!

[fxsniper]

problem it is store on encrypted keys is very hard to crack

I think using service recover i better way. it need high power GPU calculate

What wallet client use on notebook?
possible can not remember password  I am can not remember my password often using at 10 year ago.

try write password 10 possible

[HCP]

I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.

Given that I have an image of the drive... no. So, you'll probably need to get Python2.7 and "old" PyWallet working (or maybe Python3 + NewPyWallet), so that you can run PyWallet yourself and type in the possible passphrases for the encrypted wallets (assuming you actually think you know what the passphrases for those lost wallets might have been).

[fxsniper]

if want to try yourself
use python 2.7 from Miniconda2

https://docs.conda.io/en/latest/miniconda.html
Python 2.7   Miniconda2 Windows 64-bit

install Miniconda2  done you got python 2.7 for run pywallet

and pywallet from github
https://github.com/jackjack-jj/pywallet
https://github.com/joric/pywallet

create folder name
C:\pywallet

command pywallet
python pywallet.py --dumpwallet  --datadir=C:\pywallet --passphrase=PASSWORD > dump.txt
or
python pywallet.py --dumpwallet  --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

try you password unlimited wallet.dat now lock file

ask command line from thread
https://bitcointalk.org/index.php?topic=34028.0

[LoyceV]

PyWallet read the image file... gave this summary:

Code:

Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct

Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:

Code:

./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet

Can you share the command you used?

I imported all of those to Electrum and nada:

OP also had altcoin wallets.

https://www.walletrecoveryservices.com/

Contact them if you haven't!

He did, but only with "completely overwritten" wallet.dat files. A raw search on the entire disk can still produce other results.

[Igor76200]

if want to try yourself
use python 2.7 from Miniconda2

Thanks I will try tonight.

In case there is missing bits in the key, I guess Pywallet will not report it ?
That's another thing to consider. A deep analysis is necessary to be really sure.

problem it is store on encrypted keys is very hard to crack

I have the password. 100%... No you can't crack it. It's as complex as the private key itself +special characters.

Long story short I put 1.5BTC on a SD card for a sibling in 2014. But he lost it. That laptop is all I have now.

I already submitted the .dat to someone and he told me it's completely overwritten. If there is no readable keys in the .dat file, is it still possible to find the keys somewhere else on the disk ? Seems difficult but I need to try.

[Igor76200]

Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.

Is www.idrive.com good ?

[LoyceV]

Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.

I've uploaded the file to blockdata.loyce.club/tmp/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz. I'll update this post when it's ready. Done!
Let me know when you want it removed.

I compressed the file to increase download speed. These are sha256sum checksums:

Code:

d253d04a9bfa6768dd8ed3276d78eb44b90bb8f00a97f07344e32f42a538907a d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd # 32GB
599ce3cdd36d8a5954258b7edea94b1a6055f90fb490575de96de0e1a61f5257 d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz # 17 GB

[Igor76200]

Thank you much appreciated.

Here is the links to the .dat files (original+copy)
The original title on disk was ballet.dat and ballet_1.dat

They are highly damaged. There is not much to see.
http://www.filedropper.com/wallet_5
http://www.filedropper.com/wallet1

[LoyceV]

The original title on disk was ballet.dat and ballet_1.dat

Just a guess: the first character ("w") of the filename was removed, and made up by the the recovery program?

You said Dave checked those files, in that case I trust there's nothing there. Have you considered disclosing the password with the entire partition to Dave? I think he charges 20%.

[Igor76200]

No I gave random names to differentiate between all my wallets.

There seem to be two recovery businesses operating

David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/

I contacted David but got no answer from Dave so far. Not sure what happened.

If you open the .dat files with windows notepad, both seem completely unreadable. The data recovery software still managed to compile the « wastes » under the right name.

Right now I think I should do

1. Rescan with Pywallet + passphrase
2. Raw partition search for keys or key fragments (I can't do that myself)
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

[LoyceV]

There seem to be two recovery businesses operating
David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/

The second one has been around for years. Don't make a typo though, you might end up on a phishing site.
The first one you mentioned looks like an imposter: both the guy's name and the site's name seem to be created to make you think it's the real deal.

I contacted David but got no answer from Dave so far. Not sure what happened.

You keep confusing who's who too.

If you open the .dat files with windows notepad, both seem completely unreadable.

It's not supposed to be clear text.

1. Rescan with Pywallet + passphrase

That's a good start

2. Raw partition search for keys or key fragments (I can't do that myself)

I have no idea how likely this is to find anything useful when keys are encrypted. And I don't think it's very likely to find a part of a key still intact, while the rest is overwritten.

3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

Add the fact that you're not even sure if there's any value left on the disk, and you may end up with an expensive disappointment.

@HCP: out of the 11764 possible encrypted keys, how many of those are duplicates?

[Igor76200]

Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

Related to this I found
https://bitcoin.stackexchange.com/questions/48070/format-of-mkey-field-in-encrypted-wallet-dat-file

That's what Pywallet is doing... Is there another, deeper method that Pywallet don't support ?

This thing is so frustrating because there is just too many things I don't understand. I will post this announcement on bitcoin stack as well. Hopefully some coding genius with 150IQ will be able to try something.

I don't have high hopes at this point but must try...

3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

I think my best shot would be to ask them to search for the ballet.dat file itself. Hoping they will be able to recover a better version of it.

Then try to extract the content with Pywallet.