
Topic: Another recovery attempt (Read 262 times)

HCP
legendary
Activity: 2086
Merit: 4316
November 17, 2021, 09:48:02 PM
#18
Theory, recovered wallet.dat is only partial and corrupt. Possible bytes containing private key information might still linger on HDD.
Possibly, but if your memory about password protecting your wallet.dat file is correct, your chances of recovering them using a hex search are essentially zero. The hex searching is only really applicable to unencrypted wallet.dat files.

Based on the errors you were getting with the wallet.dat and common tools (Bitcoin Core, btcrecover etc), it honestly just seems like the wallet.dat files you have are corrupted.

Best of luck with your continuing search tho!
newbie
Activity: 9
Merit: 11
November 17, 2021, 08:14:58 PM
#17
Update.

Decided to throw a last hail mary and search whole drive using WinHex. Following these instructions:
https://bitcointalksearch.org/topic/m.19809022

Theory, recovered wallet.dat is only partial and corrupt. Possible bytes containing private key information might still linger on HDD.
newbie
Activity: 9
Merit: 11
November 17, 2021, 12:27:48 PM
#16
I just noticed another thing. In the transactions for the addresses, checking https://www.blockchain.com/, I noticed that the payouts from slushpool are dated 2011, while in slushpool (mining site) they are dated 2014. Weird. -snip-
You can check the "block height" where the transaction is included.
That way, you can get a close approximation of the txn's date based on the height even if block explorers' dates won't match;
In blockchain.com, it is labeled as "Included in Block".

Checked blockchair.com also. Date same as in blockchain.com. Also found emails from slushpool about payouts also dated 2011. So it's from 2011.

But knowing the date probably doesn't help recovering it anyhow. Probably gonna send it in to some third party service tomorrow to check if they have any luck.
Doesn't look like I will be able to make any progress with all the tests done so far.
legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
November 17, 2021, 08:18:35 AM
#15
I just noticed another thing. In the transactions for the addresses, checking https://www.blockchain.com/, I noticed that the payouts from slushpool are dated 2011, while in slushpool (mining site) they are dated 2014. Weird. -snip-
You can check the "block height" where the transaction is included.
That way, you can get a close approximation of the txn's date based on the height even if block explorers' dates won't match;
In blockchain.com, it is labeled as "Included in Block".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
November 17, 2021, 06:42:42 AM
#14
I assume https://www.blockchain.com/ info is the correct one.
Probably, but to be thorough, you can compare blockchair.com too.
newbie
Activity: 9
Merit: 11
November 17, 2021, 06:29:12 AM
#13
Could it be something about them being written in a different file system or older Windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use?
Maybe the HDD recovery messed something up in them?
HDD recovery can lead to incomplete files, but other than that, "untouched" files should remain just fine. However, I've seen far too many topics made by people complaining about corrupted old wallets, and I don't know what causes that. All my files from years ago are still accessible (unless the disk stops working), so I would expect wallet.dat files not to change "by themselves". I didn't join Bitcoin early enough to have files from before 2015, so I can't test if it's a compatibility problem.

Quote
Gonna try moving them to a FAT-formatted thumbdrive, but I suspect it shouldn't make a difference.
Unless you're getting the file from "the original", moving the existing corrupted file won't matter.


I just noticed another thing. In the transactions for the addresses, checking https://www.blockchain.com/, I noticed that the payouts from slushpool are dated 2011, while in slushpool (mining site) they are dated 2014. Weird. But the number of transactions and the btc amount in them match. I assume https://www.blockchain.com/ info is the correct one. I guess slushpool was bitcoincz back in the day, maybe they just moved the transactions up in their own database when they "moved" to become Slushpool (https://en.bitcoin.it/wiki/Slush_Pool).

So this could be a wallet from 2011. If that changes anything? Doesn't explain the modified date of the file tho (2014). Maybe that's when I formatted the hard drive.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
November 17, 2021, 06:17:01 AM
#12
Could it be something about them being written in a different file system or older Windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use?
Maybe the HDD recovery messed something up in them?
HDD recovery can lead to incomplete files, but other than that, "untouched" files should remain just fine. However, I've seen far too many topics made by people complaining about corrupted old wallets, and I don't know what causes that. All my files from years ago are still accessible (unless the disk stops working), so I would expect wallet.dat files not to change "by themselves". I didn't join Bitcoin early enough to have files from before 2015, so I can't test if it's a compatibility problem.

Quote
Gonna try moving them to a FAT-formatted thumbdrive, but I suspect it shouldn't make a difference.
Unless you're getting the file from "the original", moving the existing corrupted file won't matter.
newbie
Activity: 9
Merit: 11
November 17, 2021, 06:04:06 AM
#11
a wallet_backup.dat dated to 2017. ~ (1336 kb)
Have you tried loading this one into Bitcoin Core? The file size looks much more similar to my own backups, so don't dismiss it without trying.

Hi, yes, actually tested all the same things as on the other wallet.dat. Same errors from all tools and Bitcoin Core.

Don't know about size. I have found two public addresses that could possibly be contained inside them, very few transactions in total.
7 in the main one.
1 in the possible extra.

Could it be something about them being written in a different file system or older Windows?
What happens with files that get moved between FAT and NTFS, in case it was at some point stored on a thumbdrive and I just copied over the files before wiping it for other use?
Maybe the HDD recovery messed something up in them?

Gonna try moving them to a FAT-formatted thumbdrive, but I suspect it shouldn't make a difference.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
November 17, 2021, 05:42:41 AM
#10
a wallet_backup.dat dated to 2017. ~ (1336 kb)
Have you tried loading this one into Bitcoin Core? The file size looks much more similar to my own backups, so don't dismiss it without trying.
newbie
Activity: 9
Merit: 11
November 17, 2021, 05:15:24 AM
#9
Files such as peers.dat and mempool.dat etc. have nothing to do with your wallet so forget about them.

Is it possible to somehow detect if the file as a whole is actually encrypted? (Not just the normal passphrase).
Remember if there were any "security" tools for wallets around 2014 that were popular?

I'm fairly certain it's an actual bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).

Bitcoin Core never encrypts the entire wallet.dat, just the parts that contain the private keys.

Do you remember if you password-protected the wallet.dat (using Core, not some encryption tool)? Can you even open the file in Core anymore (at least get to the password prompt phase)?

If it's yes to both of these questions, you can try using Bitcoin2john to get the wallet hash and then brute force the password using Hashcat. Then you should be able to unlock the wallet normally from Core. We wrote all about it here: https://notatether.com/tutorials/what-is-the-bitcoin2john-script-and-how-do-you-use-it/

I'm 70% sure I did password protect it, and have a list of possible combinations.

Can't load wallet in Core tho, tried both of these approaches:
Replacing default wallet.dat and starting it up. Throws "error: wallet.dat: unexpected file type or format" and closes.
Adding "-datadir=....." to shortcut and then manually trying to load the wallet via Bitcoin Core terminal/console, "loadwallet wallet.dat". Gives:
"Wallet file verification failed. Failed to load database path 'x:\xxx\wallet.dat'. Data is not in recognized format. (code -18)"

So, I'm not getting prompted to actually enter any password yet.

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
November 17, 2021, 03:26:01 AM
#8
Files such as peers.dat and mempool.dat etc. have nothing to do with your wallet so forget about them.

Is it possible to somehow detect if the file as a whole is actually encrypted? (Not just the normal passphrase).
Remember if there were any "security" tools for wallets around 2014 that were popular?

I'm fairly certain it's an actual bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).

Bitcoin Core never encrypts the entire wallet.dat, just the parts that contain the private keys.

Do you remember if you password-protected the wallet.dat (using Core, not some encryption tool)? Can you even open the file in Core anymore (at least get to the password prompt phase)?

If it's yes to both of these questions, you can try using Bitcoin2john to get the wallet hash and then brute force the password using Hashcat. Then you should be able to unlock the wallet normally from Core. We wrote all about it here: https://notatether.com/tutorials/what-is-the-bitcoin2john-script-and-how-do-you-use-it/
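
Added example (not part of any post in this thread, and not code from Bitcoin Core, pywallet or btcrecover): a Python triage check for the question above of whether a file is encrypted as a whole. It looks for the Berkeley DB magic number at offset 12 or the SQLite header and measures byte entropy; the function names, the 7.5 bits-per-byte threshold and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# Berkeley DB metadata-page magic numbers (btree is what legacy wallet.dat uses).
BDB_MAGICS = {0x00053162: "btree", 0x00061561: "hash"}
SQLITE_HEADER = b"SQLite format 3\x00"  # newer descriptor wallets
ENTROPY_THRESHOLD = 7.5  # assumed cut-off, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def identify_container(data: bytes) -> str:
    """Classify by header only; nothing here parses or prints key material."""
    if data.startswith(SQLITE_HEADER):
        return "sqlite"
    if len(data) >= 16:
        raw = data[12:16]  # magic follows the 8-byte LSN and 4-byte page number
        for fmt in ("<I", ">I"):  # stored in the creating host's byte order
            kind = BDB_MAGICS.get(struct.unpack(fmt, raw)[0])
            if kind:
                return "bdb-" + kind
    return "unknown"


def triage(data: bytes) -> dict:
    entropy = shannon_entropy(data)
    kind = identify_container(data)
    return {
        "container": kind,
        "entropy": round(entropy, 2),
        # No known header plus near-uniform bytes points to whole-file
        # encryption or compression rather than a damaged database.
        "looks_fully_encrypted": kind == "unknown" and entropy > ENTROPY_THRESHOLD,
    }


def constructed_samples() -> dict:
    """Constructed inputs, not files from the thread."""
    meta = bytes(12) + struct.pack("<III", 0x00053162, 9, 4096)
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(192))
    return {"bdb_like": meta.ljust(4096, b"\x00"), "opaque_6kb": noise}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob))
```

A wallet protected only with Bitcoin Core's own passphrase still reports a bdb header here, consistent with the reply above that only the parts containing private keys are encrypted.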
newbie
Activity: 9
Merit: 11
November 16, 2021, 08:36:10 PM
#7
If you always get those errors related to the wallet file format then the wallet.dat file might be corrupted.
You tried almost all possible tools to recover that wallet but I'd like to suggest that it's better to get help from a professional recovery service.

You can try to contact them here http://walletrecoveryservices.com/
Or go to their official thread here https://bitcointalksearch.org/topic/bitcoin-wallet-recovery-services-for-forgotten-wallet-password-240779


Might try that as last resort. Thanks!
newbie
Activity: 9
Merit: 11
November 16, 2021, 08:22:32 PM
#6
The general theme is that the file is either unreadable/not recognizable or that it's not detected as a wallet.

Out of curiosity, would you have heard of steganography at the time of creating these files? I'm just wondering if you had a "favourite thing to do to files" at some point to hide them - examples are as simple as changing file names to obscure what they are.

And I don't think 6kb is too small if you only had a few keys in it.

I think there are ways to skip the heuristics that are normally run to check the encoding of a wallet file but I assumed those would be inbuilt and it probably isn't a wallet file as I doubt Google drive would be likely to corrupt files and not make backups.

Now that you mention it, I have a vague memory of possibly using some sort of key chain tool to save the wallet info, but I'm not sure, and don't remember the name. It is possible I did encrypt it somehow to make it "extra safe", just wish I knew what tool I possibly used, and I assume it would need a salt to decrypt.
Is it possible to somehow detect if the file as a whole is actually encrypted? (Not just the normal passphrase).
Remember if there were any "security" tools for wallets around 2014 that were popular?

I'm fairly certain it's an actual bitcoin wallet tho, the "Date modified" matches perfectly the dates of the payouts from the mining pool (same year, same month, +/- 1 day).
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
November 16, 2021, 07:33:14 PM
#5
The general theme is that the file is either unreadable/not recognizable or that it's not detected as a wallet.

Out of curiosity, would you have heard of steganography at the time of creating these files? I'm just wondering if you had a "favourite thing to do to files" at some point to hide them - examples are as simple as changing file names to obscure what they are.

And I don't think 6kb is too small if you only had a few keys in it.

I think there are ways to skip the heuristics that are normally run to check the encoding of a wallet file but I assumed those would be inbuilt and it probably isn't a wallet file as I doubt Google drive would be likely to corrupt files and not make backups.
legendary
Activity: 3304
Merit: 3037
BTC price road to $80k
November 16, 2021, 07:19:31 PM
#4
If you always get those errors related to the wallet file format then the wallet.dat file might be corrupted.
You tried almost all possible tools to recover that wallet but I'd like to suggest that it's better to get help from a professional recovery service.

You can try to contact them here http://walletrecoveryservices.com/
Or go to their official thread here https://bitcointalksearch.org/topic/bitcoin-wallet-recovery-services-for-forgotten-wallet-password-240779
newbie
Activity: 9
Merit: 11
November 16, 2021, 06:29:29 PM
#3
Files encrypted with a password could look something like that too, it's not too much to go off to determine if it is irrecoverable.

Are the drive and hard drive files the same size? (they probably won't be but I'd be interested to know as that might tell you quite decisively if they're corrupted or not).

You did say you imported them into those recovery tools but didn't provide too much info of what they returned - was it just a standard output or did it give anything more (I'm not sure what they would return but you could share the labels on stuff just not private keys or anything that should be kept secret).

Hi, thanks for taking your time and responding.


By "Drive" I mean Google Drive, and yes, they are the same size, 6 kb. Seems a bit small?

The general theme is that the file is either unreadable/not recognizable or that it's not detected as a wallet.

Pywallet:
Running command: python pywallet.py --wallet=recoveredFromHDD/wallet.dat --dumpwallet (tried this on the other one as well)
Using python3. Also tried printing out some data from breakpoints in code, but the conclusion was that the bsddb module failed to load the file or did not understand the format.
"(22, 'Invalid argument -- BDB0210 recoveredFromHDD\\wallet.dat: metadata page checksum error')
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again."
Bitcoin was not running at this point, and system was restarted since last running Bitcoin.
It did generate some files tho, not sure if it's relevant: __db.001, __db.002 up until __db.006

Bitcoin wallet recovery tool:
Somehow loaded in the file, I assume it just converted every byte of the file to hex and then checked every possible combination of public and private key. No hits.


btcrecover:
Ran command: python btcrecover.py --tokenlist tokens.txt --wallet wallet.dat
Result:
Starting btcrecover 1.11.0-Cryptoguide on Python 3.9.6 64-bit, 21-bit unicodes, 64-bit ints
Error: unrecognized wallet format; heuristic parser(s) reported:
    WalletPywallet: 'charmap' codec can't decode byte 0x9d in position 100: character maps to <undefined>
    WalletMultiBitHD: MultiBit HD wallet files must be named mbhd.wallet.aes
    WalletBlockchain: 'charmap' codec can't decode byte 0x9d in position 100: character maps to <undefined>


Got similar error as above when I tried to load it into Electrum as well, about some character at some position that was invalid.

Let me know if I missed some info.

copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
November 16, 2021, 06:08:15 PM
#2
Files encrypted with a password could look something like that too, it's not too much to go off to determine if it is irrecoverable.

Are the drive and hard drive files the same size? (they probably won't be but I'd be interested to know as that might tell you quite decisively if they're corrupted or not).

You did say you imported them into those recovery tools but didn't provide too much info of what they returned - was it just a standard output or did it give anything more (I'm not sure what they would return but you could share the labels on stuff just not private keys or anything that should be kept secret).
newbie
Activity: 9
Merit: 11
November 16, 2021, 05:55:04 PM
#1
Hello,

I've given up hope of solving this without checking in here.

Short story. Did some mining back in 2014. Got a few payouts, nothing major. Found a wallet.dat file dated back to 2014 in my online drive. Ran R-Studio and recovered a few more files from the drive that was used at that time, with another wallet.dat dated to 2014 (I assume is same) and a wallet_backup.dat dated to 2017. The hunt began.
Found login to my slush pool account that was used for the mining, saw the payouts and found my public address. Coins still there, nice, not enough to quit the job but could still pay a decent vacation or gaming rig. Worth investigating. I've now spent every evening of the last week trying to find the private key inside the files, to no avail. So posting here is my last resort. After that I'm giving up.

What's been tested:

What I have:
  • wallet.dat (dated 2014)(6kb) file found in Drive
  • wallet.dat (dated 2014)(6kb) file recovered from harddrive
  • wallet_backup.dat (dated 2017)(1336 kb)
  • A bunch of other files like peers.dat, fee_stimates.dat, mempool.dat dated to 2017

I suspect the files dated to 2017 are irrelevant, I think I might have tried to load in the old wallet.dat once before but gave up instantly.

All recovered files seem to have some weird encoding that I suspect is creating all these issues, opened in Notepad.

https://imgur.com/a/tyP3PuN

Anyone who has any idea on how to "decode" these files? Or is it a corruption?