Topic: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at?

newbie
Activity: 35
Merit: 0
If your computer is stolen, do not worry: you will not lose the bitcoin, but to get it back you need the private key for the bitcoin you can no longer access.
newbie
Activity: 39
Merit: 0
I do DF for my profession. If you want to try and scratch at it again lmk. I may be able to help
jr. member
Activity: 56
Merit: 4
Sorry to say this, but with SSDs it's futile even trying; you can easily Google the reasons why (they pertain to the architecture).
Been there, done that, tried everything possible... only to find that it is impossible. Forget the data recovery tools on the market; not even forensic-grade tools will help here.
full member
Activity: 253
Merit: 100
Maybe the sticky notes cannot be found again because they are volatile, but saved files like notepads and text files can be recovered using a software called EaseUS Data Recovery. You can download it for free or crack it to use the full version. With that, browse the location where your keys and lost important files were, then recover them. It takes a lot of time, but surely your lost files can be recovered again.
legendary
Activity: 1624
Merit: 2481
Please can anyone tell me if i can use my office PC and home PC to keep my same coins??

Bitcoins are not stored on your PC.
The ledger (blockchain) keeps track of every transaction and therefore keeps track of the UTXOs (unspent outputs = 'available coins').
You could say the coins are 'stored on the blockchain' (That might be true in a logical sense, but is still not completely true on a technical level).

Now to answer your question:
You need a private key, corresponding to the address 'which has funds on'.
Usually private keys are managed within a wallet (wallet = piece of software which manages private/public keys, transactions, ...).
You can easily import the same private key into several different wallets (to be able to access them from different pc's).
Depending on the wallet you should also be able to copy the wallet file (this additionally enables you to receive funds on 'both PCs').
Some wallets may have sync problems when used that way. This won't make you lose any funds, but might lead to some display issues.

Long answer short: Yes, you can.
newbie
Activity: 39
Merit: 0
I do DFIR for a living.  Lmk if you need any help.
newbie
Activity: 24
Merit: 0
Hello there,

Please can anyone tell me if i can use my office PC and home PC to keep my same coins??
legendary
Activity: 2478
Merit: 1360
Don't let others control your BTC -> self custody
If you can contact the family that had your computer you should ask them for the details of the transaction. Who and where did they get that computer from?
I'd at the same time try to track down the thief and sue him for damages.
As for the drive a friend had a similar thing happen to his drive, gave it to a lab and they managed to recover most of the files, although a large part of them was corrupt. The files were readable but some of the data was missing, meaning that he had images that were cut in half, audio tracks that were merged together, and so on. Chances of you getting the files back intact are slim. Good luck though, keep us informed.
newbie
Activity: 7
Merit: 0
PM

yeaaa, I won't be giving you anonymous access to the hard drives containing my private keys.  ty though
newbie
Activity: 7
Merit: 0
appreciate the responses nullius, been doing a lot of work on this the last few days.  responses in bold below, and I remember zero part of the seed.



But I had another disturbing thought:  Have you any way to verify that your coins have not moved?  Do you have any other record of your Bitcoin addresses with balances?  If at all possible, I would suggest you check them on the blockchain before you spend more effort and potentially much more money on data recovery.

I have the address and seeds have indeed not been touched.   I kept them all in the same single address and not change addresses.  I do have access to the last account the BTC were in, and which sent the full balance to the last account (had to switch wallets from the BCH airdrop)

If you did not have full disk encryption, and the seed was in a “sticky note” on your desktop, then you are gambling that either the thieves didn’t look at your files—or they were too abjectly stupid to realize what they had found.  I sincerely hope that they were idiots who just want to grab a computer, install a fresh OS, and flip it for a few fast rupees.  That seems likely, but uncertain.  Nowadays, would even the dumbest thief grab a computer and not even pause to snoop for info on Paypal, credit cards, banks, etc.?

My desktop had a password on it, the thief seemed to just immediately sell the laptop to another person who wasn't malicious, just saw a good deal and bought a computer - saw it was locked so reinstalled the OS to be able to use the computer.

As for you—have the drives made any contact with a clean computer, via USB-SATA adapters or otherwise?  If so, it may no longer be so clean.  Better be safe than sorry.

Yes they have, but this whole thing was a bit of an odd situation, my fault, and the timing/computer logins of everything completely point towards a poor person stealing a computer, then selling it to someone in their low rent hotel.  The person they sold it to seems nice, refugee from Pakistan and I met their whole family, he simply felt sorry and was very very happy to hand over the computer as I paid him 3x the price of what he paid for it

0. Temporarily disable my kernel’s drive-“tasting” functions, so that the kernel will not try to read partition information and filesystems.  (The forensics wonk will probably tell me to use a “live CD” system, too.)  Of course, my system does not have Autoplay; but even if it did, Autoplay would never start because the system would not reach the userland part of peeking at the drive.

1. Take an image of the drive with dd, a dead simple block copier with no imaginable attack surface via data passed blindly from the input file (drive) to the output file.

2. Try to interpret the image with carefully contained userland tools:  ntfsprogs for NTFS, mtools for msdosfs/FAT filesystem... or in your case, just something which searches a huge file for binary patterns which look like an Electrum wallet file, regular expressions for a seed phrase, etc.  The Forensics Wiki probably lists a good tool for that.  Any which way, the point here is that tools which try to interpret data stay trapped in ring3.  I would not mount the drive image.  No, not even through FUSE.

This is where I'm at now.  I made a clone of one of the drives that did not have the OS on it.  160gb of data was found by EaseUS software (Recuva deep scan found nothing).  None of the files have filenames, so it's impossible to search for .snt files, .dat files, electrum, or otherwise.  It feels like an overwhelming amount of data to sort through, half of it compressed.  I've spent hours going through it so far and absolutely nothing.
 



Any which way, good luck recovering your private keys.

So I have no hints about the seed, and am scared to clone my other M2 drive which has the OS and other data, some of which has surely been overwritten.  I don't want to mess anything up more.  I've contacted many, many firms around asia and nobody seems very helpful, not even telling me their methods used for attempted recovery.  I wanted to know if they use non-invasive methods, what types of hardware (PC3000),if they do binary code extraction, etc etc.  Their canned responses were always along the lines of 'we are professionals and have a clean room and good technology.'  Just don't feel comfortable with them besides one company in Singapore I might try.  Another option is USA, where I spoke with someone at length from DriveSavers who seem extremely professional and seems to think there is a decent chance of recovery.  They don't even charge unless the specific data I'm looking for is recovered.

So, that's my next step, trying to find a M2 USB to SATA cable here to clone my M2 drive, which I'm not as hopeful about since its been overwritten, and then either ship the drive off or start flying around the world in search of companies that have non-invasive methods of attempting to recover.  If not, save the drive in a secure location and maybe in 20 years new tech will be out that can recover everything.

Nice to hear that Kroll OnTrack worked decently for you, appreciate that comment.  They were the one firm in Singapore where, after I explained in a chain of 5+ emails that 'we so professional and has clean room sir' is simply not good enough for me, she connected me with a higher-up in the company who explained more of their procedures, and they have some top technology that may be able to help me.  It's not a huge amount of coins, but obviously enough to dedicate my life to attempting recovery for quite some time.

The problem with easeus is that 80k files were found and none have file names.

https://gyazo.com/8b7b63f5bf5acafafdb0b39cf9d9bfb8

really do appreciate the responses.  Been working on this night and day
member
Activity: 98
Merit: 26
@OP:

I've used Recuva to recover an external hard-drive that was dropped while running. It worked like a charm. The drive could mount but could not be accessed, even by formatting tools, so I was impressed that Recuva was able to read the drive. It does not write to the drive. You probably don't need to use a write-blocker because write-blockers are really used for legal purposes (to convince the court that the data on the drive was not fabricated by the forensics).

If you have a large cash-value of Bitcoins stored on the drive (more than $10k), you need to get it done by a professional to be sure that all recoverable data is recovered. Given that the drive has been formatted and overwritten by a running OS and apps, there is no guarantee that your wallet still exists on that drive. Even just a few missing bytes will mean your wallet is gone for good. I once lost a hard drive on a work laptop (not dropped, just went dead) and my employer shipped the laptop to Kroll OnTrack. I think the total bill was around $3k and they recovered 100% of all data on the drive, as far as I could tell. I got 100% of my working files back, anyway. Because they handle high-value customers like major corporations, I think the probability of having your coins stolen during recovery is near zero. Besides your private keys are stored encrypted by your passphrase, so they'd have to hack the passphrase. Unless it's a huge amount, I wouldn't worry about it.

Hope you get your coins back!
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
(Noting penultimate thought up top before posting:  Do you remember any part of the seed, or any hints about it?  If yes, see below.  Not to get your hopes up:  An Electrum seed is quite secure, and you would need to narrow it down very substantially to make it feasible to bruteforce the rest.)

I will defer to bob123 on the forensics.  I do know enough about this subject to reliably sniff out when somebody else’s knowledge exceeds mine.  The advice thus far given by him is sound.

But I had another disturbing thought:  Have you any way to verify that your coins have not moved?  Do you have any other record of your Bitcoin addresses with balances?  If at all possible, I would suggest you check them on the blockchain before you spend more effort and potentially much more money on data recovery.

If you did not have full disk encryption, and the seed was in a “sticky note” on your desktop, then you are gambling that either the thieves didn’t look at your files—or they were too abjectly stupid to realize what they had found.  I sincerely hope that they were idiots who just want to grab a computer, install a fresh OS, and flip it for a few fast rupees.  That seems likely, but uncertain.  Nowadays, would even the dumbest thief grab a computer and not even pause to snoop for info on Paypal, credit cards, banks, etc.?

(Ask yourself, What other interesting data was unencrypted there?  As a presumptive worst-case scenario, you should treat your own privacy compromise as if the thieves made and retained images of your drives using such methods as here discussed.  It’s fast, it’s easy, and it would let the thieves examine your files at leisure.  Going forward, I suggest full disk encryption.)

How many thieves know how to install an OS, but have never even heard of Bitcoin?  I don’t know.  I do know that thieves who know about Bitcoin, are hot to steal it.  If Electrum was listed in your Start Menu (or whatever Microsoft now calls it), then that is a big hint—both to look for Bitcoin, and to interpret the random words in the sticky note.  If you have no other record of your public addresses, then wiping the disks would conveniently cover their tracks.

Thinking one step further—and not to ask you questions, but to suggest what you ought think about:  Who knew that you had Bitcoin, or how much you had?  For a targeted theft of a computer to get Bitcoin, it would make sense to fake it as simple theft of a computer—perhaps even to hire ordinary street thieves to grab it from you.  Then after the Bitcoin is taken, the hard drives are wiped and the useless computer can be dumped/fenced/sold anywhere.  Or perhaps then the computer could even be given to an associate, for their kid to watch movies—so they can get a report on whether you track down the computer, and what your reactions are.  (I am not trying to indict that family as such; they probably did buy it off the street.  But as you understand, a detective should be reasonably suspicious of everybody involved, and objectively scrutinize each party.)

I don’t know (and I don’t ask) what evidence you have, or anything whatsoever about your circumstance.  It is for you to think about the likelihood.

Another thought, and I’m surprised it didn’t occur to me before:  Criminals who know how to install an OS, probably also knew enough to helpfully infect it with malware.  Neither is an elite hacker job; there exist point-and-click malware kits, you know.  If that family’s “light browsing” included any bank logins, etc., then I think they should change their passwords (and be more careful about where they buy computers).  As for you—have the drives made any contact with a clean computer, via USB-SATA adapters or otherwise?  If so, it may no longer be so clean.  Better be safe than sorry.

If I absolutely must access a questionable drive, the following is a deliberately rough sketch of my procedure:

0. Temporarily disable my kernel’s drive-“tasting” functions, so that the kernel will not try to read partition information and filesystems.  (The forensics wonk will probably tell me to use a “live CD” system, too.)  Of course, my system does not have Autoplay; but even if it did, Autoplay would never start because the system would not reach the userland part of peeking at the drive.

1. Take an image of the drive with dd, a dead simple block copier with no imaginable attack surface via data passed blindly from the input file (drive) to the output file.

2. Try to interpret the image with carefully contained userland tools:  ntfsprogs for NTFS, mtools for msdosfs/FAT filesystem... or in your case, just something which searches a huge file for binary patterns which look like an Electrum wallet file, regular expressions for a seed phrase, etc.  The Forensics Wiki probably lists a good tool for that.  Any which way, the point here is that tools which try to interpret data stay trapped in ring3.  I would not mount the drive image.  No, not even through FUSE.

Then my only concern would be trojaned firmware, a sophisticated attack which will not be planted by street thieves.  Well, give it a few years; easy exploit kits will eventually get that, too.

That’s roughly what I would do (have done before).  I am not a forensics expert, far from it—just a bit of a Unix curmudgeon with a taste for security.

As for the seed phrase:  Could you narrow it down, even by remembering the first letter of certain words, remembering words out of order, etc.?  It may be useful if you could remember about 7–8 words, or remember enough hints to give equivalent information for someone who understands these things.

Yes, I think you would need to narrow it by significantly more than half unless you could pay for cloud compute tantamount to a supercomputer.  Beyond that, how much you’d need to narrow it depends on how much Bitcoin is at stake.  The amount of raw cracking power worthwhile to throw at it depends whether you had 1000 BTC, 100 BTC, 10 BTC, 1 BTC, etc.  I’m only explaining; please wisely continue to give no indication of the amount publicly.

If you could give enough hints about the seed, I may be able to help you with this for a fee on terms discussed privately; though to be honest, I would be competing with people who do that as a business and have dedicated cracking rigs.  Some post on this forum.  I can’t recommend anybody in particular.  I do think that cracking an Electrum seed phrase based on a grab-bag of hints might be an interesting and rewarding little project.



The foregoing represents the simplified view of a thought process.  If you have crypto-money on a disk, and the disk disappears, and you get the disk back—well, then it’s easy to become too focused on one only objective, and only one means of achieving that objective.  I suggest instead a top-down approach for identifying objectives and risks, followed by seeking all feasible avenues for achieving each objective.  Should you wish to discuss that further, feel free to contact me privately.

Any which way, good luck recovering your private keys.
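To make step 2 of the sketch above concrete, here is an added example (my own code, not nullius's and not anything from Electrum) that scans a dd image for runs of seed words and for Electrum wallet-file field names without mounting anything: it reads bytes and applies only regex and dictionary logic, so the parsing stays in userland. Assumptions: the image was made with dd; the marker strings are typical field names found in Electrum wallet JSON; and the embedded WORDLIST is only a short slice of the BIP39 English list (the list Electrum's seeds also draw from) so the example runs stand-alone, with the full 2048-word list passed in for real use. Each chunk is decoded both as 8-bit text and as UTF-16LE at both byte alignments, because Windows applications often store note text as UTF-16LE and a single-byte regex would miss it. The sample image at the bottom is constructed inline for demonstration.

```python
"""Scan a raw disk image for seed-phrase candidates and Electrum wallet
markers without mounting it. Added example; assumptions are noted inline."""
import mmap
import random
import re
import sys
from typing import List, Set, Tuple

# Slice of the BIP39 English wordlist, embedded only so the demo runs
# stand-alone. Load the full 2048-word list for real use.
WORDLIST: Set[str] = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "acid",
    "army", "arrow", "art", "artist", "ask", "aspect", "asset", "assist",
    "assume", "atom", "attack", "audit", "aunt", "author", "auto", "axis",
}
MIN_WORDS = 12  # shortest valid BIP39/Electrum phrase length
# Assumed field names typical of an Electrum wallet JSON file.
WALLET_MARKERS = [b'"seed_version"', b'"keystore"', b'"seed":', b'xprv']
TOKEN = re.compile(r"[A-Za-z]+")


def find_seed_candidates(text: str, wordlist: Set[str]) -> List[Tuple[int, str]]:
    """(char offset, phrase) for every run of >= MIN_WORDS consecutive
    wordlist words separated only by whitespace (case-insensitive)."""
    hits: List[Tuple[int, str]] = []
    run: List[str] = []
    run_start, prev_end = 0, -1
    for m in TOKEN.finditer(text):
        word = m.group(0).lower()
        contiguous = prev_end >= 0 and text[prev_end:m.start()].strip() == ""
        if word in wordlist and run and contiguous:
            run.append(word)
        else:
            if len(run) >= MIN_WORDS:
                hits.append((run_start, " ".join(run)))
            run = [word] if word in wordlist else []
            run_start = m.start()
        prev_end = m.end()
    if len(run) >= MIN_WORDS:
        hits.append((run_start, " ".join(run)))
    return hits


def scan_image_bytes(data, wordlist: Set[str], chunk_size: int = 1 << 20,
                     overlap: int = 4096) -> List[Tuple[int, str, str]]:
    """Scan overlapping chunks as 8-bit text and as UTF-16LE at both byte
    alignments. Returns (approximate byte offset, encoding, phrase); a phrase
    seen again in an overlapping chunk is reported once."""
    results: List[Tuple[int, str, str]] = []
    seen: Set[str] = set()
    pos = 0
    while pos < len(data):
        chunk = data[pos:pos + chunk_size + overlap]
        for enc, width, align in (("latin-1", 1, 0), ("utf-16-le", 2, 0), ("utf-16-le", 2, 1)):
            text = chunk[align:].decode(enc, errors="ignore")
            for off, phrase in find_seed_candidates(text, wordlist):
                if phrase not in seen:
                    seen.add(phrase)
                    results.append((pos + align + off * width, enc, phrase))
        pos += chunk_size
    return results


def find_wallet_markers(data) -> List[Tuple[int, bytes]]:
    """(offset, marker) for every occurrence of a wallet marker, by offset."""
    found: List[Tuple[int, bytes]] = []
    for marker in WALLET_MARKERS:
        start = 0
        while (i := data.find(marker, start)) >= 0:
            found.append((i, marker))
            start = i + 1
    return sorted(found)


def build_sample_image() -> bytes:
    """Constructed image: deterministic junk, one ASCII note, one UTF-16LE
    note at odd alignment, and a wallet-like JSON fragment at the end."""
    rng = random.Random(7)
    junk = bytes(rng.getrandbits(8) for _ in range(200_000))
    ascii_note = (b"electrum seed:\r\nabandon ability able about above absent "
                  b"absorb abstract absurd abuse access accident\r\n-- end\r\n")
    wide_note = ("army arrow art artist ask aspect asset assist assume atom "
                 "attack audit\r\n").encode("utf-16-le") + b"\x00\x00"
    wallet = b'{"keystore": {"type": "bip32", "xprv": "..."}, "seed_version": 13}'
    return junk[:50_000] + ascii_note + junk[50_000:120_000] + b"\x01" + wide_note + junk[120_000:] + wallet


if __name__ == "__main__":
    # Usage: python scan_image.py disk.img [bip39_english.txt]
    words = WORDLIST
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            words = {w.strip() for w in f if w.strip()}
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
        for off, enc, phrase in scan_image_bytes(image, words):
            print(f"seed candidate @0x{off:x} ({enc}): {phrase}")
        for off, marker in find_wallet_markers(image):
            print(f"wallet marker @0x{off:x}: {marker!r}")
```

Run it against the image file, never the drive, and treat every hit as a candidate to check by hand: a run of dictionary words is not proof of a seed, and a 13- or 14-word run usually means a real 12-word phrase with a stray neighbouring word. The 4 KiB overlap is what keeps a 24-word phrase that straddles a chunk boundary from being split.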
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
If you made a reliable copy/image of the drive onto another drive, then you should have no problem experimenting with any data recovery software.

I use a double docking station with offline imaging to make backups of my drives, but never recovered formatted data from the backup image.

How many bitcoins are we talking about? < If we saying 100 or more, then a trip to a first world country might be in order >
full member
Activity: 394
Merit: 101
I haven't read it fully, but in general, be it a PC or smartphone, I don't start transferring a lot of money before I can at least back up and restore onto another device and make sure it can function on both devices. The minimum number should be 2. Then I can say the backup/restore mechanism works.
newbie
Activity: 7
Merit: 0
hmm, thank you.  How do I go about finding the best of the best SSD data recovery company, location not an issue - but obviously discretion/confidentiality/likelihood of them not stealing my coins is a huge concern.  Singapore/Tokyo possibly the easiest for Asia?
legendary
Activity: 1624
Merit: 2481
I’ve heard that certain police forensics labs have had trouble with that; I don’t know what they do about it. 

This mostly depends on the amount of work which is put into extracting the data.
But the police forensics (here in my country), has special tools which extract data directly from the memory cells.
So the SSD is taken apart and those cells will directly get attached to their tools to read the data out, bypassing any controller.


The problem with flash is that it’s very difficult to intentionally destroy when you want it gone, but also difficult to prevent from destroying data you actually want.

This is so true.


I'd hope that a quick plugin to copy an image of each of the drives and looking for myself won't cause considerably more damage or overwriting? 

SSDs are bitches. You shouldn't do any further damage with just copying the HD, but there is still a risk.
If you have considerable money on this hard drive, I wouldn't mess with it. Professionals are the only ones who can help you in this case.


I've found the following software and planning to try:   recuva
ReclaiMe
Yodot Hard Drive Recovery
undeleteplus.com
easeus.com
testdisk

Never heard of any of this software. But this doesn't mean that it's not good.
A forensics surveyor once recommended me ddrescue (https://en.wikipedia.org/wiki/ddrescue) for such cases.
newbie
Activity: 7
Merit: 0

The first question which comes to mind is, did the drives have TRIM run over them?  (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.)  Or were they only formatted?  Some OS may do this on install.  I know nothing about Microsoft’s recent offerings.

Before anything else, if I were you, I would image the drives; then, work off the image.  I don’t have many immediate recommendations, other than that.  But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.

If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you.  (Perhaps a real hardware hacker would know better.)  .........  That is another reason to not work directly off the drives.

I've read this before, and do not know, although also saw this:  Windows 7 and above are set to automatically enable TRIM on solid-state drives.  I purchased a USB cable adapter for both drives, will make an image of both in order to work from.


Do you mean some kind of software “sticky note”?  Oh, I see.  At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”

yep, digital stickynote, which may also be located in the appdata/microsoft folder it seems, although on my newest computer I cannot locate it.



Afterwards you should only work on the 2nd copy and let the original disk stay unused (every single action could "destroy" the information on the memory cell containing your private keys).
If you have stored large amounts of BTC i would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).
If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist at forensics.

Will do, tyvm for the write blocker tip.  Seems like paying a specialist is going to be my only option, but I'll still make a quick image of each drive to run scans on with multiple softwares anyways.

The computer was used for weeks, but only for this guys daughter to watch movies.  No programs installed at all, just very light browsing, mostly youtube.  I'd hope that a quick plugin to copy an image of each of the drives and looking for myself won't cause considerably more damage or overwriting?  I'm obviously skeptical of sending the drives in to a company in a 3rd world country to look at for weeks, telling them to look for untraceable cryptocurrency and hoping they just hand it over if found.

I've found the following software and planning to try:   recuva
ReclaiMe
Yodot Hard Drive Recovery
undeleteplus.com
easeus.com
testdisk

It seems like my next step is both to research write-blockers and how to make an image copy of each drive. 

Mod please feel free to move to the appropriate forum.  Thank you all for the suggestions thus far.

copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
If you have stored large amounts of BTC i would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).

Good call on the write-blocker.  However, even that would not stop some flash drive firmwares which do wear-levelling re-arrangements over cells the firmware has marked free (such as with TRIM).  Even when not writing—even when idle—any time when powered.  I’ve heard that certain police forensics labs have had trouble with that; I don’t know what they do about it.  The problem with flash is that it’s very difficult to intentionally destroy when you want it gone, but also difficult to prevent from destroying data you actually want.

If you indeed have large amounts stored and don't want to mess up, I would advise you to look for someone in your local area who is a specialist at forensics.

Yes.  That.  Or more likely than a forensic specialist, a commercial data recovery service which has competency in dealing with SSDs.  That may perhaps be easier, as a practical matter.

They will charge a pretty penny satoshi.  But above a certain value threshold, it does make sense to not fool around.
member
Activity: 178
Merit: 10
Unless you tried hard, that other, blank drive is irrelevant for your search. You should not be doing anything on that computer; you were supposed to use another computer, and most definitely not a Mac, because Macs write like crazy to disks they connect to. But hey, last time I had something like that happen I could not even recover 10% of my files.