Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 03, 2025, 02:19:55 AM
Hello everyone,
I found an old HDD where I was mining bitcoin. The HDD was formatted with OS re-installation.
What would the best tool for recovery attempt be and would R-Studio professional version help with this case?
I have spent the last few days learning about hex searches if the file does not appear from ordinary scan function
nc50lc
Legendary
Offline
Activity: 2870
Merit: 7483
Self-proclaimed Genius
Important Note: Before all that, before doing anything, make a byte-to-byte image/clone backup of your hard disk or two.

> What would the best tool for recovery attempt be and would R-Studio professional version help with this case?

That tool would certainly help, but since you've mentioned that it's already formatted (hope it wasn't random/zero-filled) and installed with an OS, it's highly likely that the wallet will be corrupted upon recovery. It's not bad to attempt it though, after you've made backups.

> I have spent the last few days learning about hex searches if the file does not appear from ordinary scan function

Yes, that's a good alternative; basically, look for the "magic bytes" that's followed by a 64 Bytes private key. There are lots of tutorials about that in this forum, just use "search" above.
ABCbits
Legendary
Offline
Activity: 3332
Merit: 9027
March 03, 2025, 09:46:03 AM

> > What would the best tool for recovery attempt be and would R-Studio professional version help with this case?
> That tool would certainly help, but since you've mentioned that it's already formatted (hope it wasn't random/zero-filled) and installed with an OS, it's highly likely that the wallet will be corrupted upon recovery.

Drive formatting which performs a random/zero fill could take a few hours, so most software usually performs a quick format. Reinstalling the OS (which also creates a swap file of moderate size) does write a fair amount of data, though.

> Hello everyone,
> I found an old HDD where I was mining bitcoin. The HDD was formatted with OS re-installation.
> What would the best tool for recovery attempt be and would R-Studio professional version help with this case?
> I have spent the last few days learning about hex searches if the file does not appear from ordinary scan function

Consider pywallet[1]; it can scan a whole HDD or an image file of your HDD.

[1] https://github.com/jackjack-jj/pywallet
Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 03, 2025, 08:21:37 PM
Would you consider Pywallet a better option than the R-studio Professional license?
So far I have understood that when the HDD is formatted the data is recognised as 0 (compared to 1 before), making the file being recognised as (Free space). > Then the HDD fills the rest of the unused space, before filling (overwriting) the 0 (the result of the formatted file). >
The only solution in this case would be R-Studio Hex Signature search with Known file search file .XML. According to the web, Berkeley DB is the database library used in Bitcoin QT (core) back in 2009. So I have found the following signature of the hex file of Wallet.dat - 62 31 05 82
I have 0 knowledge about pywallet code, but as far as I have read about it, it requires basic knowledge of Python.
If anyone knows someone with decent knowledge, I am open for advice!
ABCbits
Legendary
Offline
Activity: 3332
Merit: 9027
March 04, 2025, 08:52:00 AM

> Would you consider Pywallet a better option than the R-studio Professional license?

I'll be honest, I don't know since I don't use R-Studio. I simply mentioned it's frequently recommended to find hidden/deleted wallet.dat file, where some users were able to recover their wallet.dat with it.

> I have 0 knowledge about pywallet code, but as far as I have read about it, it requires basic knowledge of Python.

Based on my experience, it's untrue. You just need to know:
1. How to install Python.
2. Basic knowledge to use command prompt or terminal, since pywallet isn't a GUI tool.
You can find or ask what command/option is needed in order to use pywallet on your device.
bulleteyedk
Member

Offline
Activity: 120
Merit: 10
March 04, 2025, 09:24:05 AM Last edit: March 04, 2025, 09:40:06 AM by bulleteyedk
I've been using X-ways Forensics since 2011; with a tool like this you would be able to search with regular expressions in the unallocated area of a hard drive. https://www.x-ways.net/forensics/index-m.html

My approach would be to search for the header of possible deleted wallet.dat files with regex searches in unallocated area, swap files etc.

Regex searches in X-ways Forensics for each header type:

2009-2012 wallet.dat file header: \x00\x05\x31\x62\x00\x00\x00\x02
Slight change to wallet.dat file in 2017: \x00\x05\x31\x62\x00\x00\x00\x03
With Bitcoin Core 0.18.0 in 2019, the header changed once again: \x00\x05\x31\x62\x00\00\x00\x03
With Bitcoin Core 0.21.0 in 2021 and onwards to today, the header changed completely: \x53\x51\x4C\x69\x74\x65\x20\x66\x6F\x72\x6D\x61\x74\x20\x33\x00

If you're not able to get a license for X-ways Forensics, you could take a look at Autopsy -> https://www.autopsy.com/ or the Sleuth Kit -> https://www.sleuthkit.org/

I've never used any of these, but it seems both tools are free to use, and they may also be able to perform regex searches.
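The header search described in the post above, as an added example that is not part of the original thread or of any tool named in it: a Python scanner that walks a copy of a disk image in chunks and reports every offset where one of the posted patterns occurs, including matches that straddle a chunk boundary. The labels in `SIGNATURES`, the function names and the 512-byte sector size are assumptions of this example.

```python
import io
import sys

# Header patterns copied as posted in the thread above; they are not verified
# here, so check them against a known-good wallet.dat in a hex viewer first.
# The 0.18.0 pattern is left out until its bytes are confirmed.
SIGNATURES = {
    "bdb-2009-2012": bytes.fromhex("0005316200000002"),
    "bdb-2017": bytes.fromhex("0005316200000003"),
    "sqlite-0.21+": b"SQLite format 3\x00",
}


def scan_stream(stream, signatures=SIGNATURES, chunk_size=1 << 20, sector=512):
    """Return sorted (offset, name, offset % sector) for every signature hit.

    The stream is read in fixed-size chunks. A tail of (longest signature - 1)
    bytes is carried into the next window so a pattern split across two
    chunks is still matched; the set removes hits seen twice in the overlap.
    """
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits = set()
    tail = b""
    base = 0  # absolute offset of the first byte of the current window
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                offset = base + pos
                # Files begin on sector boundaries, so the remainder shows how
                # far into a sector the match sits.
                hits.add((offset, name, offset % sector))
                pos = window.find(sig, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def scan_image(path, **options):
    """Scan an image file opened read-only (work on the copy, not the disk)."""
    with open(path, "rb") as handle:
        return scan_stream(handle, **options)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = scan_image(sys.argv[1])
    else:
        # Constructed sample: filler bytes with one pattern planted at 1024.
        sample = bytearray(b"\xaa" * 4096)
        sample[1024:1032] = SIGNATURES["bdb-2009-2012"]
        found = scan_stream(io.BytesIO(bytes(sample)), chunk_size=64)
    for offset, name, remainder in found:
        print(f"{offset:#014x}  {name}  (byte {remainder} of its sector)")
```

A hit only marks where a pattern occurs; as later replies in the thread point out, the data that follows may be fragmented or partly overwritten.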
Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 04, 2025, 11:44:39 AM
R-Studio is apparently the most advanced forensic search which the web provides at the moment (no idea if true or not).

The wallet would be from 2009, which means the following header would be applicable?
\x00\x05\x31\x62\x00\x00\x00\x03

I will first image the disk using the program. However, would this same header be applicable for the creation of "Known file type" in order to perform hex search? https://www.r-studio.com/creating-custom-file-type-r-studio.html

To be honest, it's a bit too advanced for me with all the commands I need to write and input. Would X-Ways be a bit easier in this perspective, and do you have any guidance on how to search for the file with the headers you have written?

Where have you got the reference for the wallets from 2009 headers?
bulleteyedk
Member

Offline
Activity: 120
Merit: 10
March 04, 2025, 11:56:56 AM Last edit: March 04, 2025, 12:27:06 PM by bulleteyedk
X-ways Forensics is way more advanced than R-studio. That being said, I've only used R-studio once some 5-6 years ago, when I tried it privately.

Maybe give the open source tools a chance; I think they are capable of doing what you need. There might be a difference in the way each tool is using their regex syntax; the ones I've written in the last post would work for X-ways Forensics.

The hex values of the wallet.dat headers: I did have some older versions myself, and used them at first to verify. I asked Chat GPT for every variant of the wallet.dat files from all versions, and it came up with the ones I did not already have myself.

EDIT:

> The wallet would be from 2009, which means the following header would be applicable?
> \x00\x05\x31\x62\x00\x00\x00\x03

YES, \x is used by X-ways when doing regex searches with hex values, so maybe other tools just use the hex value; you will maybe have to do some test searches to verify that.

Image below is the search window in X-ways. In this search I've chosen to search in all objects in the volume (all logical + unallocated area), with Regular expression selected, and the regex search itself.
https://i.postimg.cc/G24FtYgx/regex-wallet.png

YES, it does seem like R-Studio uses the same hex syntax as X-Ways. Try and follow the guide you linked to, and create a custom signature with the regex information I posted earlier. The signature is the header; there is not any known signature for the file's end, so it needs to be empty, I would assume (this is very typical, not to have an ending signature).
Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 04, 2025, 12:50:52 PM
When you mention the open source tool do you refer to pywallet?
I will download X-ways today and try to source files this way.
I have downloaded Bitcoin Core and have created a wallet which generated a wallet.dat file. Today I will manually recreate the following procedure:
1. Copy the Bitcoin data folder to external HDD drive
2. Quick Fragment the drive
3. Run X-ways and try searching for the file with the guidance given from you above with X-ways
[Note] I have done this while creating Known file type but I was not able to recover the file from the drive (it was external USB Drive). I guess I didn't write the XML (Known file type) correctly.
Is there any way I can send you the file I have created and see if it is correct?
Also if you have further advice I would highly appreciate!
bulleteyedk
Member

Offline
Activity: 120
Merit: 10
March 04, 2025, 12:55:34 PM
These are the open source tools I mentioned; I've never used them, but according to information, they should be able to search using regex:
https://www.autopsy.com/
https://www.sleuthkit.org/

> When you mention the open source tool do you refer to pywallet?
> I will download X-ways today and try to source files this way.
> I have downloaded Bitcoin Core and have created a wallet which generated a wallet.dat file. Today I will manually recreate the following procedure:
> 1. Copy the Bitcoin data folder to external HDD drive
> 2. Quick Fragment the drive
> 3. Run X-ways and try searching for the file with the guidance given from you above with X-ways
> [Note] I have done this while creating Known file type but I was not able to recover the file from the drive (it was external USB Drive). I guess I didn't write the XML (Known file type) correctly.
> Is there any way I can send you the file I have created and see if it is correct?
> Also if you have further advice I would highly appreciate!

1. X-ways is not freeware, and it's quite pricey.
2. To verify the header of a newly generated wallet.dat file, you really only need to look at the file in a hex viewer; skip all the other steps.
3. I'll be happy to guide you, if you get X-ways up and running.

The XML file you refer to is an R-studio file (known file type). I wouldn't be able to know if it was right, as I do not use that software; however, you can give it a shot and send the one you created, but I will need another XML file that works, and have that as a base reference.

Since you're using R-studio, maybe try and search for other deleted files you know should be there; it could be an image or a document.
Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 04, 2025, 03:04:09 PM
Hi, I have used Chat GPT to compare features of R-studio and X-Ways Forensics. I see now why X-ways is way more advanced, but I don't think I would be able to use most of the features that the software provides. The only feature which I would need from X-ways would essentially be the regex features, because I wouldn't be able to perform advanced forensic search on a corrupted file, trying to restore it.

Given this, I would try Autopsy open source software. In case I find the file and it is corrupted, would you be able to guide me in fixing the corrupted file or whatsoever? I am unaware and unacknowledged about how to proceed, so I would go with the basic tools to begin with.

Probably I will use R-Studio to make a disk image and perform an advanced scan, and I will try to create a known file type to search; if it doesn't work I will perform an Autopsy regex. Is Autopsy regex the same as known file type data search?

I will have access to the HDD on Friday, so I hope I can find you here again, latest Saturday? I am looking forward to your answer.
bulleteyedk
Member

Offline
Activity: 120
Merit: 10
March 04, 2025, 03:34:05 PM
Since you're carving in unallocated area, there is a risk that the file was fragmented, and the information about where each fragmented part of the file was stored on the hard drive is no longer available, as that was stored in system files from the previous file system.
If this is the case, you need more advanced tools like X-ways, and still with a tool like that, there really isn't any guarantee you can ever recover a fragmented file 100%.
Another thing is that whatever part of an old wallet.dat file you're able to locate, that data can also be partially overwritten by other data. Recovering files from unallocated area can be tricky if the medium has been overwritten with other data and been used since the time of deletion.
I'll be more than happy to help you, as you get this recovery going, but lower your expectations - I think there needs to be some luck involved with the backstory you have told; chances are slim of getting that wallet.dat file recovered fully, but I agree you need to do whatever you can to know if anything is possible.
I have zero experience with the open source software mentioned, so how it should be used with regular expression searches I really don't know.
Hristiyan99 (OP)
Newbie
Offline
Activity: 8
Merit: 0
March 04, 2025, 04:28:19 PM
I would fully focus on R-Studio as I have the license paid for another 80 days. I have 0 experience with it, but I am dedicating the days until Friday to learning how to use and perform regex searches in the software (in case a normal deep scan doesn't find the file). I remember that the IT tech reinstalling Windows did copy the C drive with the OS and then pasted it in the HDD when the D drive was being formatted.

To be honest, my hope is really up to the roof, haha. The HDD back then was separated as C and D drive, where most apps, games, info was saved on D directory. I hope this makes the chances a bit higher.

The final steps written in my diary to perform are:
1. Open R-studio, load the HDD and instantly make an image to copy the HDD contents
2. Perform deep search of the drive <-- Would it be better to only search for .dat files (suggest how to perform such search) or make a complete search on the HDD even though it takes longer time?
3. In case wallet.dat file is not recovered <--- Perform a regex search and hope for the best.
4. What are the steps after this search?

Thank you for the time taken to help!
nc50lc
Legendary
Offline
Activity: 2870
Merit: 7483
Self-proclaimed Genius
March 05, 2025, 04:30:54 AM Last edit: March 05, 2025, 12:47:02 PM by nc50lc

> The HDD back then was separated as C and D drive, where most apps, games, info was saved on D directory. I hope this makes the chances a bit higher.

Only if you didn't delete the D partition when you formatted the hard disk, leaving the sectors bound to it intact. In that case, the OS hasn't been constantly writing to that drive and only your recently written files to D:/ will come into the equation of corruption. If it's deleted and the whole drive was formatted as one partition or created new C and D partitions, you'll get the same chance regardless. It's based on the block and sector where the data is written. This is assuming that your wallet.dat was in D:/

If your wallet.dat came out corrupted, you can make a copy of it and try to use Bitcoin Core's bitcoin-wallet tool's "salvage" command. Install Bitcoin Core and find it in the "bin" or "daemon" folder inside Bitcoin Core's install directory. Use your terminal/cmd, cd to that directory and use the salvage command, e.g.:
bitcoin-wallet --wallet="Full\path\to\your\wallet.dat" salvage