How I managed to recover 0.13 BTC from an old hard drive

[VanillaH]

I bought Bitcoin well over a decade ago, when it was worth a fraction of what it is today, and I still had my old hard drive from back then. Thinking there might be some coins left on it, I decided to investigate.

This isn't really a step-by-step guide, since your recovery process will likely differ from mine. I'm also a programmer, which gives me some background knowledge others may not have. Still, I'll try to be as clear as possible.

First of all, I wasn't sure how healthy my old hard drive still was. It had also been reformatted in the past, and I didn't want to risk overwriting any data. So I used Disk Drill to make a byte-to-byte clone of the drive, then restored that image onto a newer, healthy drive so I could work from a safe copy.

Afterwards, I searched the drive for common terms like wallet.dat, multibit, and other Bitcoin-related keywords. Nothing turned up.

That's when I started looking for specialized tools. I found FindBTC, which is designed to locate traces of wallet.dat files. Scanning my drive on Windows didn't work. Apparently it's a known issue and the software was tested more thoroughly on Linux. Since it hadn't been updated in nine years, I was a bit stuck. Fortunately, after digging into the code, I realized I could scan my byte-to-byte backup instead. That worked, and FindBTC found something:

Code:

[main] Found possible wallet trace:
  Found 'bestblock' at G:\backup.dd in 4kB block at byte offset 32212320256
[main] Found possible wallet trace:
  Found 'defaultkey' at G:\backup.dd in 4kB block at byte offset 32212320256
[main] Found possible wallet trace:
  Found 'addrIncoming' at G:\backup.dd in 4kB block at byte offset 32212324352
[COMPLETE]

Unfortunately, FindBTC didn't offer any way to extract the wallet file from the backup.

I opened the backup file in a hex editor at the byte offsets where the traces were found. After some research, I learned that my wallet file was unencrypted and that the 32-byte raw private keys were stored in it, each prefixed with the bytes 0001D63081D30201010420. So, I wrote a script to scan for this pattern and extract the 32 bytes that followed each match.

This gave me a list of hexadecimal keys. I deduplicated the list and used bitcoin-tool to convert them into WIF keys. I had to run dos2unix for the input file to be accepted by bitcoin-tool. Here are the commands I ran:

Code:

dos2unix input.txt
bitcoin-tool --batch --input-type private-key --input-format hex --input-file input.txt --output-type private-key-wif --output-format base58check --public-key-compression compressed --network bitcoin > output.txt
bitcoin-tool --batch --input-type private-key --input-format hex --input-file input.txt --output-type private-key-wif --output-format base58check --public-key-compression uncompressed --network bitcoin >> output.txt

The WIF keys were then imported into Electrum. I was able to recover 0.08 BTC this way.

As happy as I was, FindBTC only handled wallet.dat files, and I was sure I'd used other wallet software back then.

I tried another tool called Treasure Hunter. This time I couldn't run it against my byte-to-byte backup, but it worked fine on the drive itself. It flagged a file called Screenshot_2019-01-02-08-44-45.png and identified it as an Electrum wallet. I tried to open it, but Windows complained, "It looks like we don't support this file format."

I opened it in a hex editor and found out that it wasn't a PNG file at all, but a mix of different things. The file was corrupt. The beginning was a Python script. Here are the first few lines:

Code:

import weakref

from .lock import allocate_lock
from .error import CDefError, VerificationError, VerificationMissing

# type qualifiers
Q_CONST    = 0x01
Q_RESTRICT = 0x02
Q_VOLATILE = 0x04

def qualify(quals, replace_with):

I assumed this was a false positive and was ready to move on, but then I noticed something else on the very first line of the file: a very, very long string. I won't paste the whole thing here, but it looked something like this:

Code:

QklFMQIkB0eHIcrdrMw1gwhsi...haZr1WueqYDeA==import types

This was a base64-encoded string followed by the start of the Python script. After some research, I realized this base64 string was actually an Electrum wallet. I extracted it into a separate file and tried to load it into Electrum, which prompted me for a password. After 20 minutes of guessing, I was starting to think I'd have to use BTCRecover, but I finally got in, and found 0.05 BTC sitting inside.

All in all, I recovered about 0.13 BTC. Considering I bought it for pennies way back then, I'm definitely not complaining!!

I'm no expert, but if you have any questions, I'll try to answer them as best as I can.

[arzuo]

The topic is instructive and I had some questions!

# How did you clone the hard drive without preparing the drive directly? Was your disk fully functional?

# Do you personally remember what kind of information you had to enter into the device?

# How did you recover data from a previously REformatted disk?

[VanillaH]

The topic is instructive and I had some questions!

# How did you clone the hard drive without preparing the drive directly? Was your disk fully functional?

ANSWER: My drive was fully functional, though I wasn't sure how healthy it was. I plugged it into my main computer and created a byte-to-byte backup. If your disk isn't functional, or if you really don't want to screw it up, it may be better to have a professional handle the imaging process instead.

# Do you personally remember what kind of information you had to enter into the device?

ANSWER: I'm not fully sure what you mean.

# How did you recover data from a previously REformatted disk?

ANSWER: I used Disk Drill to create and restore the image for my byte-to-byte backup. I assume most data recovery software will do the job. Technically, you can run the data recovery software directly on the drive, but I feared that might damage it, which is why I created a byte-to-byte backup and worked from that instead.

My answers are above!

[arzuo]

# Do you personally remember what kind of information you had to enter into the device?

Question 2 :I would like to know, do you remember anything that helped you recover it?

For example: wallet username, email address, a guessed password, or a guessed seed word.

(And if not, anyone can recover it in the same way as you, they just need to know that the hard drive has the potential to contain Bitcoin! And if so, many people will collect old hard drives and try!)

[VanillaH]

# Do you personally remember what kind of information you had to enter into the device?

Question 2 :I would like to know, do you remember anything that helped you recover it?

For example: wallet username, email address, a guessed password, or a guessed seed word.

(And if not, anyone can recover it in the same way as you, they just need to know that the hard drive has the potential to contain Bitcoin! And if so, many people will collect old hard drives and try!)

I knew I had used Electrum and Bitcoin Core. I also more-or-less remembered the passwords I had used back then.

[Lucius]

There's no doubt that it's a good feeling to find buried treasure - especially if you did it without anyone's help. Your name seemed familiar, and when I looked at your post history I saw that we had exchanged a few posts about crypto ATMs - are you still in the business or has Canada banned such devices?

[VanillaH]

There's no doubt that it's a good feeling to find buried treasure - especially if you did it without anyone's help. Your name seemed familiar, and when I looked at your post history I saw that we had exchanged a few posts about crypto ATMs - are you still in the business or has Canada banned such devices?

I left the business a long time ago. Way too many scams. Canada hasn't banned crypto ATMs yet, but I think they're heading in that direction. I'm not sure whether it's still just talk, or if the decision is already set in stone.