Generally it would be kinda easy to recover most of your files. But since you mentioned everything was stored on SSD's thats a completely different situation.
The first steps to start working on a hard drive in a forensic mean is to make a forensic correct backup.
On a HDD you would have simply to plug it into a linux machine and run the dd command to create such a forensic backup, or better: 2 (https://en.wikipedia.org/wiki/Dd_(Unix)).
Afterwards you should only work on the 2nd copy and let the original disk stay unused (every single action could "destroy" the information on the memorycell containing your private keys).
If you have stored large amounts of BTC i would recommend a write-blocker, to be on the safe side (http://www.forensicswiki.org/wiki/Write_Blockers).
If you indeed have large amounts stored and don't want to mess up, i would advise you to look for someone in your local are who is a specialist at forensics.
Topic: Computer Stolen, Hard drive reformatted. Computer Rescued! where my BTC at? - page 2. (Read 1274 times)
December 06, 2017, 03:09:45 AM
December 06, 2017, 03:07:00 AM
You may want to find a more appropriate forum for this. That being said:
The first question which comes to mind is, did the drives have TRIM run over them? (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.) Or were they only formatted? Some OS may do this on install. I know nothing about Microsoft’s recent offerings.
Of course, you don’t yet know the answer to these questions. I suggest they are questions for which you need an answer.
Before anything else, if I were you, I would image the drives; then, work off the image. I don’t have many immediate recommendations, other than that. But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.
If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you. (Perhaps a real hardware hacker would know better.) If it comes to the point of bypassing the drives’ firmware, or bypassing their electronics altogether, then it may be important to consider the effect of wear-levelling. SSDs can move blocks around anytime when powered on, even when idle; that means potentially overwriting a block with your wallet data which got TRIMmed, but which may perhaps otherwise still be pulled off the flash chip. I do not know if or how much that could be important to you; but right now, you really want to keep the drives as close as possible to the state they were in when you got them back. That is another reason to not work directly off the drives.
Do you mean some kind of software “sticky note”? Oh, I see. At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”
Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate. Showed up at that address, promised no problems, offered large reward. Now I have my computer again with the original drives still in it. Zero new programs were installed, just a fresh OS. Computer was being used by a 6 year old girl to watch bollywood movies, lol.
OS was being ran off a 128gb M2 SSD drive. This is where the new OS is currently installed as well. I took out this M2 drive and put it in my newly purchased computer. Runs fine, fresh OS.
Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under my computer. Disk management does recognize the 2.5" drive, yet it says file system "raw", status "healthy, % Free "100%". I'm assuming they formatted this drive as well. Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS. Downloads folder and possibly electrum are on the 2.5" drive.
OS was being ran off a 128gb M2 SSD drive. This is where the new OS is currently installed as well. I took out this M2 drive and put it in my newly purchased computer. Runs fine, fresh OS.
Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under my computer. Disk management does recognize the 2.5" drive, yet it says file system "raw", status "healthy, % Free "100%". I'm assuming they formatted this drive as well. Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS. Downloads folder and possibly electrum are on the 2.5" drive.
The first question which comes to mind is, did the drives have TRIM run over them? (Sometimes when this is done to the whole drive at once, it is called “Secure Erase”.) Or were they only formatted? Some OS may do this on install. I know nothing about Microsoft’s recent offerings.
Of course, you don’t yet know the answer to these questions. I suggest they are questions for which you need an answer.
Before anything else, if I were you, I would image the drives; then, work off the image. I don’t have many immediate recommendations, other than that. But if there was a sufficient amount of money involved that you may potentially send this to a data recovery lab, see the caveat below about wear-levelling.
If the drives were TRIMmed, I do not think there is any way you can recover anything with any tools you likely have available to you. (Perhaps a real hardware hacker would know better.) If it comes to the point of bypassing the drives’ firmware, or bypassing their electronics altogether, then it may be important to consider the effect of wear-levelling. SSDs can move blocks around anytime when powered on, even when idle; that means potentially overwriting a block with your wallet data which got TRIMmed, but which may perhaps otherwise still be pulled off the flash chip. I do not know if or how much that could be important to you; but right now, you really want to keep the drives as close as possible to the state they were in when you got them back. That is another reason to not work directly off the drives.
Seed written on stickynote on desktop
Do you mean some kind of software “sticky note”? Oh, I see. At first I thought, “No problem, he has the seed mnemonic written on a (physical) sticky note on his (physical) desk!”
December 06, 2017, 02:28:41 AM
First of all, I'm an idiot.
Had everything properly backed up before I had to switch wallets to claim BCH. Made new electrum wallet and had wallet info saved in the following locations:
Seed written on stickynote on desktop
encrypted notepad file with various crypto data
electrum wallet.dat file (encrypted within electrum, but I still have password to unlock this).
Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate. Showed up at that address, promised no problems, offered large reward. Now I have my computer again with the original drives still in it. Zero new programs were installed, just a fresh OS. Computer was being used by a 6 year old girl to watch bollywood movies, lol.
OS was being ran off a 128gb M2 SSD drive. This is where the new OS is currently installed as well. I took out this M2 drive and put it in my newly purchased computer. Runs fine, fresh OS.
Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under my computer. Disk management does recognize the 2.5" drive, yet it says file system "raw", status "healthy, % Free "100%". I'm assuming they formatted this drive as well. Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS. Downloads folder and possibly electrum are on the 2.5" drive.
I've read through 10+ threads, all with various suggestions. I don't want to risk overwriting the drive any more than necessary. M2 drive has fresh OS, 2.5" drive seems to have been wiped and only shows up under disk management.
Suggestions on where to begin? I am still in touch with the family that purchased the stolen computer. They seem willing to help as I generously compensated them for their honestly/responsiveness and work in IT themselves. Plans today were to purchase a USB to SATA cable in order to mount the 2.5" drive, and hopefully locate an M.2 SATA External SSD Enclosure - USB 3.0. Then I can begin with some home data recovery systems. Recommendations appreciated.
Had everything properly backed up before I had to switch wallets to claim BCH. Made new electrum wallet and had wallet info saved in the following locations:
Seed written on stickynote on desktop
encrypted notepad file with various crypto data
electrum wallet.dat file (encrypted within electrum, but I still have password to unlock this).
Computer was stolen, sold at a local market, and I tracked it to an address an hour outside of the city using microsoft live - my devices - locate. Showed up at that address, promised no problems, offered large reward. Now I have my computer again with the original drives still in it. Zero new programs were installed, just a fresh OS. Computer was being used by a 6 year old girl to watch bollywood movies, lol.
OS was being ran off a 128gb M2 SSD drive. This is where the new OS is currently installed as well. I took out this M2 drive and put it in my newly purchased computer. Runs fine, fresh OS.
Also has a 240gb 2.5" SSD in the stolen computer, which now doesn't show up under my computer. Disk management does recognize the 2.5" drive, yet it says file system "raw", status "healthy, % Free "100%". I'm assuming they formatted this drive as well. Electrum, desktop files, and probably sticky notes are on the M2 drive along with the OS. Downloads folder and possibly electrum are on the 2.5" drive.
I've read through 10+ threads, all with various suggestions. I don't want to risk overwriting the drive any more than necessary. M2 drive has fresh OS, 2.5" drive seems to have been wiped and only shows up under disk management.
Suggestions on where to begin? I am still in touch with the family that purchased the stolen computer. They seem willing to help as I generously compensated them for their honestly/responsiveness and work in IT themselves. Plans today were to purchase a USB to SATA cable in order to mount the 2.5" drive, and hopefully locate an M.2 SATA External SSD Enclosure - USB 3.0. Then I can begin with some home data recovery systems. Recommendations appreciated.
Jump to: