Bitcoin Forum
Topic: Bitcoin Wallet Retrieval from 2009-2010 Help
bitdamien (OP)
January 07, 2025, 06:27:11 PM
 #1

Hi All,

So I finally was able to get access to 4 hard drives (from different family and personal computers) that I used in my younger days where I recall dealing with bitcoin. I don't recall ever mining it myself but receiving some from users in a forum I was an admin of. Now I am trying to get access to it and am unfortunately lost. I am 99% certain there is bitcoin that I had somewhere on these drives (and hopefully not on a website?)

I have used this forum and ChatGPT to get to a certain point but I do need guidance like a 5 year old. Any help would be greatly appreciated.

For point of reference, I am currently using a Macbook connected to the internet (will refer to as MacInt) and a Macbook that is brand new and was never connected to the internet (will refer to as AirtightMac).

The AirtightMac is where I want to do all my recovery. This is running on a M2 Chip running macOS Sequoia 15.1.

These are the steps I have taken so far, please point me in the right direction how to proceed or if I did anything wrong.

- Loaded all 4 old hard drives one by one on r-studio on MacInt, created images and restored all files in 2 separate external harddrives.

- In AirtightMac, I installed Python 3.9.13 as it was the earliest one the Mac would install without Rosetta or an Internet Connection

- In AirtightMac, I was able to successfully install PyWallet 2.6.1 after I added the Berkeley DB files and modified the code in pywallet.py as needed. I found out that PyWallet was not made to work with Python3X.
This took a better portion of 10 hours for me as I have no experience in python, Terminal (for mac), or any of this stuff but ChatGPT was a major help and walked me through everything. After a grueling day, I was able to get PyWallet to run successfully on the AirtightMac.

- I confirmed PyWallet was working by running: python3 pywallet.py --help and getting the usage instructions.

- After attempting to run python3 pywallet.py --recover --recov_device=/Volumes/Drive1 --recov_size=50G ChatGPT informed me that this would not work with versions after Python3x or newer.



I so far have run the following searches/commands without yielding any positive results

- find /Volumes/ExtHD -type f -name "wallet.dat" 2>/dev/null

- sudo find /Volumes/ExtHD -type f -name "wallet.dat"

- sudo find /Volumes/ExtHD -type f -name "*.dat" (This one gave me 100s of results but nothing that I thought was correct.)

- sudo grep -r "5[HJK]" /Volumes/ExtHD > /Users/me/pywallet/private_keys_found.txt followed by grep -Eo "5[HJK][a-zA-Z0-9]{49,51}|[LK][a-zA-Z0-9]{51}" /Users/me/pywallet/private_keys_found.txt

- I then ran find /Volumes/ExtHD/HD1Image -type f \( -name "*.dat" -o -name "*.bin" -o -name "*.key" \) > /Users/me/pywallet/hd1_encrypted_wallets.txt


- find /Volumes/ExtHD/HD1Image -type f -exec xxd {} \; | grep -E "5[HJK][a-zA-Z0-9]{50,52}" > /Users/me/pywallet/hd1_hex_keys.txt

- grep -Ero "[13][a-km-zA-HJ-NP-Z1-9]{25,34}" /Volumes/ExtHD/HD1Image > /Users/me/pywallet/hd1_wallet_addresses.txt

All these so far have yielded no results, granted I am only on the first of 4 hard drives.


It seems that I have not really used PyWallet yet despite downloading it and tweaking it to make it work. I am not sure if I'm doing the right steps and what my next steps should be. Any help would be greatly appreciated. Thank you.
bulleteyedk
January 07, 2025, 11:43:37 PM
 #2

If looking for the wallet.dat files logically isn't giving you any hits, maybe they were deleted?

If so, you could search in the unallocated space for a specific header of the wallet.dat file.
These are the hex values for such a header:

\x00\x05\x31\x62\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00

If you get any hits from searching the header, you need to go manually through each hit, and extract the area containing header start to what seems to be the end of the file.
I'm not familiar with a specific footer of the wallet.dat file.

Good luck!
bitdamien (OP)
January 07, 2025, 11:52:52 PM
 #3

Quote from: bulleteyedk on January 07, 2025, 11:43:37 PM
> If looking for the wallet.dat files logically isn't giving you any hits, maybe they were deleted?
>
> If so, you could search in the unallocated space for a specific header of the wallet.dat file.
> These are the hex values for such a header:
>
> \x00\x05\x31\x62\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
>
> If you get any hits from searching the header, you need to go manually through each hit, and extract the area containing header start to what seems to be the end of the file.
> I'm not familiar with a specific footer of the wallet.dat file.
>
> Good luck!

Thank you for the response!

There is a good chance they might have been deleted since my account was deleted on the family computers on at least two different occasions.

Do you have more intel on how to search for the hex values? This is all a foreign language to me as of now and ChatGPT has been my savior/guide thus far.
bulleteyedk
January 08, 2025, 12:00:22 AM
 #4

I'm not sure with R-Studio, it's been over 10 years since I last used it, I think.

I'm using X-Ways Forensics for stuff like this, and it would be able to search regex (grep) with just the line I showed you, and then I would only need to select if the search should apply to a search of the whole harddrive or a selected area (swap files/restore points/recycle bins/and unallocated area).
bitdamien (OP)
January 08, 2025, 12:24:25 AM
 #5

Quote from: bulleteyedk on January 08, 2025, 12:00:22 AM
> I'm not sure with R-Studio, it's been over 10 years since I last used it, I think.
>
> I'm using X-Ways Forensics for stuff like this, and it would be able to search regex (grep) with just the line I showed you, and then I would only need to select if the search should apply to a search of the whole harddrive or a selected area (swap files/restore points/recycle bins/and unallocated area).

Thank you for this. It seems X-Ways Forensics does not run on Mac but after a bit of research (read asking ChatGPT haha) it seems I can use the .dsk image files of the original drive and search for the aforementioned Hex Headers using a grep or python script. I can also search through the recovered files using a hex editor. If I get any hits, then I guess I will see the next steps.
Cricktor
January 11, 2025, 08:53:35 PM
 #6

Make sure you preserve the content of your old drives, never work on the original drive media!

Make a forensic bit-by-bit copy of a drive (preferred is read-only mount of the original storage media, so to never alter the original source drive data content). Now you can put the drive in safe storage and don't need to touch or alter it. From your forensic drive image you can make a work copy which you mount for any recovery procedures.

If you screw something up with your work drive image content, no problem, you have your unaltered forensic base drive image to start over again.

Do this for every storage media you have where you want to try some recovery. Above procedure ensures that you don't accidentally destroy data from your original storage media.

bulleteyedk
January 12, 2025, 12:28:02 AM
 #7

If I may add to my previous post about searching for a wallet.dat header in unallocated areas, I think you may actually be better off by removing a few hex bytes and editing that regular expression to be:

\x00\x05\x31\x62\x00\x00\x00\x01

Using this should catch all variants of the wallet.dat header, sorry I didn't catch this in the first post.


Quote from: bitdamien on January 07, 2025, 11:52:52 PM
> Quote from: bulleteyedk on January 07, 2025, 11:43:37 PM
> > If looking for the wallet.dat files logically isn't giving you any hits, maybe they were deleted?
> >
> > If so, you could search in the unallocated space for a specific header of the wallet.dat file.
> > These are the hex values for such a header:
> >
> > \x00\x05\x31\x62\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
> >
> > If you get any hits from searching the header, you need to go manually through each hit, and extract the area containing header start to what seems to be the end of the file.
> > I'm not familiar with a specific footer of the wallet.dat file.
> >
> > Good luck!
>
> Thank you for the response!
>
> There is a good chance they might have been deleted since my account was deleted on the family computers on at least two different occasions.
>
> Do you have more intel on how to search for the hex values? This is all a foreign language to me as of now and ChatGPT has been my savior/guide thus far.
bitdamien (OP)
January 13, 2025, 10:45:12 PM
 #8

Thank you for the replies.

@Cricktor, I have used R-Studio on macOS to create byte-by-byte images of the drives then I proceeded to mount those and scan those to recover files.

I was able to make pywallet work on my new airtight Mac and ran all but one of the wallets through it with no success of it finding anything. Currently in the process of recovering files on my last harddrive image copy in hopes that something comes up. The wallet I'm searching for realistically was in a Windows 7 account that was deleted and I'm hoping to recover that somehow but it seems that pywallet --recover is only helping but so much.

@bulleteyedk I need to put that into ChatGPT and figure out how to do that. That is my next step. Is that a search I do on the .dsk image file or on the folders containing all the files?

Thanks again guys!
bulleteyedk
January 13, 2025, 11:42:38 PM
Last edit: January 14, 2025, 12:08:45 AM by bulleteyedk
 #9

Since you're searching for deleted files, your best bet is to search in unallocated areas of the harddrive. I really can't remember if R-Studio offers that kind of search, but as it's critical for you to find this, I would just search the whole harddrive. It takes a bit longer, but at least you know you have been through the whole harddrive searching.

With that specific regular expression we're trying to find the header of a wallet.dat file. If your search returns some hits, you need to figure out yourself where that piece of file ends and export it as a wallet.dat file.
As with deleted files, they can be somewhat overwritten by other data, as this area has been marked as empty for the operating system to write files.

This is why it's so important not to use such a harddrive anymore, as data can be written just in the area where important data is stored.
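
An added example, not part of the thread or any poster's code: one way to run the header search described above over a raw drive image in Python, reading in chunks so hits that straddle a chunk boundary are still found. It looks for the byte sequence quoted in the posts and, as an assumption added here, for the same Berkeley DB btree magic (0x00053162) in little-endian byte order; the function names, chunk size and sample bytes are constructed for illustration.

```python
import io
import sys

# Byte sequence given in the thread as the wallet.dat header.
THREAD_SIG = bytes.fromhex("0005316200000001")
# Assumption added for this example: the same Berkeley DB btree magic
# (0x00053162) in the little-endian order an x86 machine writes to disk.
LE_MAGIC = bytes.fromhex("62310500")

def scan_image(stream, signatures, chunk_size=1 << 20):
    """Yield (absolute_offset, signature) for each hit in a raw image stream."""
    overlap = max(len(s) for s in signatures) - 1
    tail, base = b"", 0          # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        buf = tail + chunk
        for sig in signatures:
            pos = buf.find(sig)
            while pos != -1:
                # Hits lying wholly inside the carried-over tail were
                # already reported on the previous pass.
                if pos + len(sig) > len(tail):
                    yield base + pos, sig
                pos = buf.find(sig, pos + 1)
        new_tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(new_tail)
        tail = new_tail

def carve(stream, start, length):
    """Return `length` bytes from `start` for manual inspection of a hit."""
    stream.seek(max(start, 0))
    return stream.read(length)

def demo():
    # Constructed sample "image": filler bytes with both patterns embedded.
    image = b"\xaa" * 1000 + THREAD_SIG + b"\xbb" * 3000 + LE_MAGIC + b"\xcc" * 500
    # A tiny chunk size forces hits to straddle chunk boundaries.
    return sorted(scan_image(io.BytesIO(image), [THREAD_SIG, LE_MAGIC], chunk_size=7))

if __name__ == "__main__":
    # Usage: python3 scan_image.py /path/to/work-copy.img (opened read-only)
    with open(sys.argv[1], "rb") as img:
        for offset, sig in scan_image(img, [THREAD_SIG, LE_MAGIC]):
            print(f"hit at byte {offset} (0x{offset:x}): {sig.hex()}")
```

Run it against a work copy of the image, not the original drive; each reported offset still has to be inspected by hand, for example with `carve`, to judge where the file ends.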
Cricktor
January 14, 2025, 10:37:47 PM
 #10

Quote from: bitdamien on January 13, 2025, 10:45:12 PM
> The wallet I'm searching for realistically was in a Windows 7 account that was deleted and I'm hoping to recover that somehow but it seems that pywallet --recover is only helping but so much.

It may be uncomfortable but when you accidentally deleted some important files, it's not a bad idea to cut the power of the computer as quickly as possible (no normal shutdown, I really mean to cut the power). On a desktop computer that's pretty easy: pull the power cord. Most laptops will hard cut the power when you press the power button for a few seconds (you will see the laptop turn off hard).

Do not restart! Either boot from a removable media some suitable Linux OS with tools ready to image your storage device where you have deleted something and want to recover it.

If you're not sure to be able to boot from your removable media (you may need to adjust boot sequence or boot into the boot media menu), it's maybe better to remove the storage media and image it first on another computer mounting it read-only.

If your storage media is encrypted and tied e.g. to some secret keys in a TPM of your motherboard, then you're somewhat in trouble unless you have proper encryption recovery keys and such (Bitlocker encryption can hit you hard if you don't have the recovery key; again, make sure you have it if Bitlocker or other device encryption is enabled).

This can damage the filesystem but it prevents storage areas of deleted files from getting overwritten by some stuff that the computer will write sooner or later or which is written by the regular shutdown procedure.

This is of course too late for you. I'm just mentioning it for others to keep in mind should a deletion mishap strike your fate.

Wish you success with your recovery attempts.
