Bitcoin Forum
Author Topic: Regaining access to wallets in veracrypt after MacBook catastrophe - REWARD  (Read 133 times)
andrew2406 (OP)
June 07, 2025, 04:25:21 AM
 #1

I’m reaching out for urgent assistance with a complex data recovery case involving a 2015 MacBook Pro with a soldered internal SSD (~1TB capacity). The device may have contained a hidden Veracrypt or TrueCrypt volume holding cryptocurrency wallet data. We’re seeking to recover this encrypted volume or any associated wallet files.

I am happy to offer a very generous reward to anyone who can figure out how to get this done



Background:


   •   The MacBook likely had a hidden Veracrypt volume stored on the internal SSD.
   •   This volume contained critical crypto wallet files, including:
   ◦   Cake Wallet (Monero) – likely stored with a .keys file or 25-word seed phrase.
   ◦   XMR (Monero official wallet)
   ◦   Exodus wallet
   •   The computer was later:
   ◦   Involved in a failed Linux dual-boot install (possibly overwriting sectors of the drive)
   ◦   Reformatted and reinitialized with macOS APFS volumes, which now show nearly the entire drive as “free space”
   •   The Veracrypt volume is no longer visible or mountable, and tools like TestDisk and PhotoRec have not located it.





What We’re Hoping To Recover:


   •   The hidden Veracrypt volume, if still intact deeper on the SSD (e.g., in unallocated or untouched sectors)
   •   Any fragments or full copies of:
   ◦   wallet.stronghold
   ◦   .keys, .json, or .txt files
   ◦   Plaintext or partial seed phrases
   •   A forensic clone or chip-off recovery if required to bypass TRIM or file system interference

Technical Notes:


   •   SSD is soldered (non-removable)
   •   Veracrypt header may have been overwritten
   •   TRIM status is unknown (but Linux install failed, so possibly never triggered)
   •   Visible volumes now show APFS structure with ~3TB free on each

Request:


Could your team perform:

   •   Full forensic-level SSD image extraction (chip-off if necessary)
   •   Sector-level entropy scanning for encrypted volumes
   •   Recovery attempts for Veracrypt hidden volumes (mounting with offsets)
   •   File carving or keyword searches for seed phrases or wallet files


I’m happy to provide the full MacBook for recovery, or any other details needed.

Please advise:

   •   Whether this is within your scope of services
   •   The process, expected timeline, and potential costs

Some extra detail on what we tried:

When we got the Mac back it had errors booting, believe it was the ? icon showing. Every step here took a long time, system seemed to be very sluggish.

We connected another Mac via USB and did a DFU revive (100% a revive, not a restore) which then made the Mac boot very quickly. I don't recall if that was the original install of macOS from before the laptop was taken or if it was a fresh install.

From there we installed VeraCrypt to try and access that partition. We didn't have any success.

Because the SSD is soldered on we then installed a Linux distribution, FreeBSD on an external hard drive and then tried to access the drive again.



LoyceV
June 07, 2025, 07:53:27 AM
 #2

> Could your team perform:
>    •   Full forensic-level SSD image extraction (chip-off if necessary)
>    •   Sector-level entropy scanning for encrypted volumes
>    •   Recovery attempts for Veracrypt hidden volumes (mounting with offsets)
>    •   File carving or keyword searches for seed phrases or wallet files
> I’m happy to provide the full MacBook for recovery, or any other details needed.

This board is for Bitcoin-related questions, not for physical hardware recovery.

¡uʍop ǝpᴉsdn pɐǝɥ ɹnoʎ ɥʇᴉʍ ʎuunɟ ʞool no⅄
andrew2406 (OP)
June 07, 2025, 08:32:18 AM
 #3

It’s a wallet with bitcoin in it and I’m even offering a reward. It’s also the tech support forum.

Next time you meet a nice girl you should tell her you moonlight as a bitcoin tech support forum monitor.

Real pantie dropper.
ABCbits
June 07, 2025, 08:50:02 AM
 #4

First of all, have you tried making a raw copy of that SSD? After doing that, you can try to perform recovery and analysis on it rather than on the SSD itself, to prevent accidental overwrite. AFAIK if you can't locate or don't have a backup of the TrueCrypt/VeraCrypt header (which stores data required for decryption), it's usually considered a lost cause.

> > Could your team perform:
> >    •   Full forensic-level SSD image extraction (chip-off if necessary)
> >    •   Sector-level entropy scanning for encrypted volumes
> >    •   Recovery attempts for Veracrypt hidden volumes (mounting with offsets)
> >    •   File carving or keyword searches for seed phrases or wallet files
> > I’m happy to provide the full MacBook for recovery, or any other details needed.
> This board is for Bitcoin-related questions, not for physical hardware recovery.

And despite the name of this board, people who reply are usually community members rather than real experts or professionals.

andrew2406 (OP)
June 07, 2025, 08:54:58 AM
 #5

Absolutely will be cloning it for tests!

I thought the same about finding the data but I think there are ways around it and some genius may know it.

Cheers
Cricktor
June 09, 2025, 10:43:37 PM
Merited by vapourminer (6), LoyceV (6), ABCbits (3), Husna QA (1)
 #6

>    ◦   Reformatted and reinitialized with macOS APFS volumes, which now show nearly the entire drive as “free space”

I don't know how macOS handles TRIM, but I would assume, due to the not easily replaceable soldered SSD storage, that reformatted and reinitialized "free space" has been TRIMed already. The question is now how and what data Apple SSD flash storage returns when read again after being TRIMed.

Regarding data recovery from flash media, I read somewhere that TRIMed areas can return either garbage, zeroes or (if lucky) the old data that was stored. The problem is that flash media doesn't behave like old-school hard drive media. Data blocks can be remapped, and garbage collection by the flash controller can destroy data of TRIMed regions, as those regions are not considered to have data that needs to be kept.

From what I read, data recovery from flash media can be really problematic if you can't stop or avoid the nasty (with respect to data recovery) things like TRIM and other flash storage controller specialties of wear leveling.

Creating a forensic image of the SSD storage should have been done as early as possible. It doesn't sound like it has been done, does it?

To evaluate further recovery chances one could try to determine what data is recoverable from TRIMed regions of this MacBook model, preferably with another similar MacBook and macOS version. Because, if TRIMed regions don't return their previous data, I doubt it's worth proceeding with further recovery attempts.
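
An added example, not code from any poster in this thread: a block-level scan of a raw image that reports long all-zero runs (what TRIMed or never-written regions often read back as) and long near-random runs (candidate encrypted data, though compressed files look the same). The 4096-byte block size, the 7.9 bits/byte threshold and all function names are assumptions, and the sample image is constructed in memory.

```python
import io
import math
import random
from collections import Counter

BLOCK = 4096  # scan granularity in bytes (assumption, not a VeraCrypt constant)

def classify(block, high=7.9):
    """Label a block 'zero' (all 0x00), 'high' (near-random) or 'other'."""
    if not any(block):
        return "zero"
    n = len(block)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return "high" if entropy >= high else "other"

def scan(image, block=BLOCK, min_blocks=4):
    """Return (label, offset, length) for each zero/high run of >= min_blocks."""
    runs, label, start, offset = [], None, 0, 0
    while True:
        data = image.read(block)
        cur = classify(data) if data else None
        if cur != label:
            # Label changed (or end of image): close the run in progress.
            if label is not None:
                runs.append((label, start, offset - start))
            label, start = cur, offset
        if not data:
            break
        offset += len(data)
    return [r for r in runs if r[0] != "other" and r[2] >= min_blocks * block]

def build_sample():
    """Constructed test image: zeroed region, random region, plain text."""
    rng = random.Random(0)
    noise = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK))
    text = (b"constructed plaintext filler " * 2000)[: 8 * BLOCK]
    return io.BytesIO(bytes(8 * BLOCK) + noise + text)

if __name__ == "__main__":
    # For a real clone, pass a file object opened read-only in binary mode.
    for label, offset, length in scan(build_sample()):
        print(f"{label:5} offset={offset:#x} length={length:#x}")
```

Run it against the forensic clone rather than the live SSD; a result that is almost entirely "zero" is the outcome Cricktor describes, where TRIMed regions no longer return their previous data.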
