Bitcoin Forum
Author Topic: EPIC fail  (Read 9991 times)
casascius
Mike Caldwell
January 02, 2012, 07:22:04 AM
 #81

The drive with the OS is a SSD. I can yank it out and throw windows on another drive to avoid any further use.

Do that.

Boot Linux though.  Get and run this utility on your SSD drive - directly on the device name (don't mount the drive, just point it at /dev/sdb or whatever) and let it just search the whole thing.  Should take a little while.

https://bitcointalk.org/index.php?topic=25091.0

If it gets anything, it'll build you a new wallet.dat.

There is a half decent chance it could find something, because wherever your wallet.dat used to be on disk, might not have been overwritten by your new OS install.  Your new OS install would start writing at the beginning of the drive, and your wallet might have been somewhere in the middle, well past the part that would be written during an OS install.

I think I know why your wallet.dat came to me as zeroes.  You probably restored a backup, which got as far as to write the part of your disk that says "a file named wallet.dat exists", but bombed out before it actually got to the part where the wallet data itself was restored.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
DeathAndTaxes
Gerald Davis
January 02, 2012, 03:52:09 PM
Last edit: January 02, 2012, 06:41:56 PM by DeathAndTaxes
 #82

The drive with the OS is a SSD. I can yank it out and throw windows on another drive to avoid any further use.

DO THIS IMMEDIATELY.  There is a chance you can recover everything but stop USING the drive.  Every time you use it, like a lottery, there is a chance the sectors containing the wallet.dat will be overwritten and then it is gone for good.  Do the same for any drive which may contain (even corrupt or non-functional) the wallet.dat, or image file. They should be used for "read only" until you recover the contents.

You said you have another drive.  If that drive has ever contained the wallet.dat OR the disk image which contained the wallet.dat DON'T USE THAT drive either. You want to preserve every drive which potentially could contain a copy of the corrupted data.  Multiple copies are better (because it is like having more lottery tickets :) ).  If that means buying a new cheapo drive then buy one.  You will want two "virgin" (never had a copy of wallet.dat or disk image) drives.

If I am reading this correctly you made an image of your HDD?  That image contains the wallet.dat right?  If you can't recover the wallet.dat directly you may be able to recover the entire image file from the bad drive.  Don't try to restore the image yet.  Using a Linux live CD (USB drive) you should be able to access the drive which contains the image, copy the entire image file to a new HDD.  Do it this way (instead of trying to have TrueImage access the drive) to minimize disk access.  You are simply copying the entire image file from the bad disk to a good disk.  THEN AND ONLY THEN restore the image on the good disk to a third hard drive (which is why I said you want two "virgin" disks).

Lastly you may want to consider shipping the drive(s) to someone you trust.  With ~$3000 in potentially lost coins I am sure you can find someone trustworthy who would work for a finder's fee.  If it were me and I couldn't recover it I would trust Casascius.  He has a rep and business which is worth more than your wallet and is knowledgeable.  You can try yourself first BUT FOR THE LOVE OF ALL THAT IS DIGITAL please do what I indicated above.  This will "preserve" the damaged disk and prevent you from ensuring nobody can ever recover it no matter how much money and effort is spent.
terrytibbs
January 02, 2012, 06:20:26 PM
 #83

MAKE AN IMAGE OF THE DRIVE AND NEVER WORK ON THE LIVE COPY

That is all.
NINJA-- (OP)
January 03, 2012, 03:02:43 AM
 #84

I pulled the SSD. I have Windows and Ubuntu on separate drives. I'm gonna try WinHex first since it's a Windows program. If that doesn't work I will try the recovery tool on Ubuntu. Is there anything else I should do?
mila
January 03, 2012, 03:10:49 AM
 #85

I pulled the SSD. I have Windows and Ubuntu on separate drives. I'm gonna try WinHex first since it's a Windows program. If that doesn't work I will try the recovery tool on Ubuntu. Is there anything else I should do?

As terrytibbs recommended, make an image of the disk first and work on the copy.
That way, no matter what else goes wrong, you damage the copy and can make another one.

casascius
Mike Caldwell
January 03, 2012, 04:44:19 AM
 #86

I pulled the SSD. I have Windows and Ubuntu on separate drives. I'm gonna try WinHex first since it's a Windows program. If that doesn't work I will try the recovery tool on Ubuntu. Is there anything else I should do?

Are you around right now?  If you have WinHex on your computer, then join a GoToMeeting with me, share your screen, and I'll help you.  E-mail me and I'll give you an invite code.

NINJA-- (OP)
January 03, 2012, 05:14:46 AM
 #87

OK
casascius
Mike Caldwell
January 04, 2012, 01:26:38 AM
 #88

Outcome: SUCCESSFUL RECOVERY.

Ninja accepted a GoToMeeting invitation from me, so I could remote-control his computer.  He had installed WinHex on it.

Ninja had most or all of his BTC on a single address he had used before (so the public key was available), so I was able to perform a search of his drive for the public key rather than just wallets at large.  (His public key also appears in the block chain, so I had to skip numerous instances of that.)

I searched his SSD drive and did not find anything wallet-like that contained his key.

I searched his USB stick, and found evidence of a wallet, but it did not contain this key.

Finally, I had him plug in his trashed backup drive.  Turns out the drive is readable, and apparently has trashed partition information but no physical problems.  It was sector searchable through WinHex.

His wallet backup from a week ago was intact.  I was able to extract the private key for the address he needed via WinHex, and turn it into a 51-character private key code using my Casascius Bitcoin Address Utility.  He redeemed the code on MtGox and recovered just over 670 BTC.

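Added example (not part of the original thread, and not the tool or procedure used in it): the post above describes searching a raw drive for a known public key instead of relying on the filesystem. This sketch does the same kind of sector-level search over a read-only image file, reading in chunks and carrying an overlap so a hit that straddles a chunk boundary is not missed. The function names, the 65-byte sample key and the sample image are all constructed for illustration.

```python
import io

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def find_pattern(stream, pattern, chunk_size=CHUNK):
    """Yield the absolute offset of every occurrence of pattern in stream."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    overlap = len(pattern) - 1   # bytes carried over so boundary hits are seen
    tail, base = b"", 0          # base = absolute offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        window = tail + chunk
        pos = window.find(pattern)
        while pos != -1:
            yield base + pos
            pos = window.find(pattern, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)


def scan_image(path, pattern):
    """Scan an image file opened read-only; work on the copy, not the drive."""
    with open(path, "rb") as f:
        return list(find_pattern(f, pattern))


def context(data, offset, span=8):
    """Hex of the bytes just before a hit, to help triage what record it is in."""
    return data[max(0, offset - span):offset].hex()


def build_sample():
    """Constructed data: a fake 65-byte key, one copy across a chunk boundary."""
    key = b"\x04" + bytes(range(64))
    img = bytearray(16384)
    for off in (4090, 10000):
        img[off:off + len(key)] = key
    return bytes(img), key


if __name__ == "__main__":
    img, key = build_sample()
    for off in find_pattern(io.BytesIO(img), key, chunk_size=4096):
        print(f"hit at offset {off}, preceded by {context(img, off)}")
```

Every hit still has to be inspected by hand, since, as the post notes, the same key bytes also appear in block chain data stored on the same disk.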
NINJA-- (OP)
January 04, 2012, 02:06:23 AM
 #89

678 BTC to be exact. I was also able to recover everything else I had on the drive with WinHex. That program is amazing. And so is Mike. Awesome guy. He has VIP under his name for good reason. Thank you so much, Mike. You are the man.
trentzb
January 04, 2012, 02:49:18 AM
 #90

Nice job Mike!
DeathAndTaxes
Gerald Davis
January 04, 2012, 03:06:46 AM
 #91

Awesome work, Mike.

NINJA, any good ninja needs a backup plan. Make an encrypted backup of your wallet at least once a month and store it in multiple locations (other than the system where the original is used).  Google Docs, email it to yourself, USB key in a safe, etc.

600+ BTC that's a nice recovery. 
fred0
January 04, 2012, 03:50:28 AM
 #92

+1 Karma
NINJA-- (OP)
January 04, 2012, 04:04:01 AM
 #93

I thought 2 backups was enough. I was wrong. I now have all my stuff on 3 HD's, USB stick, and bluray disc.
casascius
Mike Caldwell
January 04, 2012, 04:28:19 AM
Last edit: January 04, 2012, 06:48:30 AM by casascius
 #94

I thought 2 backups was enough. I was wrong. I now have all my stuff on 3 HD's, USB stick, and bluray disc.

I agree - and one of those backups ultimately saved you.

For the benefit of others, I will repeat as a post:  I am convinced that the USB stick backup would have been good if the stick were properly ejected before removing it at the time the backup was made.  It appears as though it was yanked as soon as the computer acknowledged files having been "copied" to it, but OS's use "write-behind" caching to improve performance, actually pretending the write has completed, but writing the media later instead of making users and programs wait for the physical media to be done.  To see this in action, try copying a large file (100MB+) to a memory stick with an LED "activity" light, and look at how long the light continues to blink after the copying seems "done" according to the computer.

It appeared he had backed up the entire bitcoin folder - which will have included a large block chain, and the wallet being last (because it starts with w, which comes later alphabetically after blk0001.dat etc.)... by the time the computer said "done copying", it was probably still busy writing back the last of the block chain and, although it successfully wrote the wallet.dat entry into the root directory (so the OS knows a file "exists"), the actual file contents never got a chance to finish writing, hence a file that reads as being nothing but zero bytes.

The eject function always ensures that any write-behinds are completed before offering to let you pull the drive.  In fact, that is why there is an eject function in an operating system.  In any case, such as if the eject refuses to give up the drive (seems to happen a lot) you're probably safe after a minute or two to just pull the drive.

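Added example (not part of the original thread): the failure described above is a backup whose directory entry was written but whose contents never left the write-behind cache, leaving a file of zero bytes. This sketch copies a file, forces both the data and the directory entry to the device with `fsync`, verifies the copy by hash, and classifies an existing backup as empty, all-zero or containing data. It assumes a POSIX system (directory `fsync`); the function names are made up for illustration.

```python
import hashlib
import os
import shutil


def sha256_file(path, bufsize=1 << 20):
    """Hash a file in blocks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def classify_backup(path, bufsize=1 << 20):
    """Return 'empty', 'all-zero' or 'has-data' for an existing backup file."""
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            if block.count(0) != len(block):
                return "has-data"
    return "all-zero"


def durable_copy(src, dst):
    """Copy src to dst, flush it to the device, verify, return the SHA-256."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
        fout.flush()              # Python buffer -> OS cache
        os.fsync(fout.fileno())   # OS cache -> device (the write-behind step)
    dir_fd = os.open(os.path.dirname(os.path.abspath(dst)), os.O_RDONLY)
    try:
        os.fsync(dir_fd)          # make the directory entry durable too (POSIX)
    finally:
        os.close(dir_fd)
    expected = sha256_file(src)
    if sha256_file(dst) != expected:
        raise OSError(f"{dst} does not match {src} after copy")
    return expected
```

The read-back right after the copy can be served from the OS cache, so for removable media the stronger check is to eject, reinsert, and run `sha256_file` and `classify_backup` on the backup again.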
mila
January 04, 2012, 12:36:05 PM
 #95

For the benefit of others, I will repeat as a post:  I am convinced that the USB stick backup would have been good if the stick were properly ejected before removing it at the time the backup was made.  It appears as though it was yanked as soon as the computer acknowledged files having been "copied" to it, but OS's use "write-behind" caching to improve performance, actually pretending the write has completed, but writing the media later instead of making users and programs wait for the physical media to be done.  

suddenly life's not too short to remove usb safely
thanks for sharing. priceless lesson

Gabi
January 04, 2012, 01:10:03 PM
 #96

Put an encrypted wallet on the internet (like msn skydrive, send it as mail attached file to other addresses etc)

So you can ALWAYS recover them

Note: with encrypted wallet I mean a wallet encrypted in a good way with a good password.
