Topic: Damaged .dat file... Am I screwed ? (Read 338 times)

I've never used pywallet myself, but from what I understand, you need to enter the password when you let pywallet search your entire partition. I don't think it can find private keys from an encrypted wallet.dat without the password.

I made a brand new thread for this... is that alright mods 
-> https://bitcointalksearch.org/topic/m.56497491

Will reply there

Yes you can't crack the password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions. In order to make the transaction safer. I guess that's the safest way to do it.

This is how you lose your coins. What makes you think anyone who finds your 1.54 BTC is going to give back 90%? Did you set a very strong password on your wallet.dat?

---

---

That's the worst file sharing site I've encountered so far, it doesn't just offer me a file to save, but tries to store it inside the browser or something, which obviously fails.

That's very interesting thank you.



It's great you found your key. Unfortunately I just tried, and it wasn't able to locate the file.

So far only wondershare recoverit found it. I opened the wallet.dat with the windows notepad. It's true the content looked really damaged, I couldn't even find the address in text format.

For some reason Recoverit was still able to compile all the things into a .dat file.


Now...


I will try to send it to a « forensic data recovery laboratory » able to operate physically on the disk.

I feel some of these companies look shady and maybe not what they pretend to be. It's hard to find any picture of a laboratory actually.

Any opinion about a good recovery company or about the process itself ?

Is it possible to find fragments of that private key ? If so, I guess those automated programs such as Pywallet would skip those fragments ?

I could isolate the fragments and try to complete them, using bruteforce type programs ? If there is only a few characters missing there could be a chance.


About the laptop,

It's an old netbook from 2010 or even older. I bought it just to create the wallets. I rarely use it because it's so old. 60% of the disk is free.

I can't remember what I did with this laptop... maybe I reinstalled windows at some point but I'm not sure.

I isolated 1.5BTC on a SD card for a sibling in 2014. I even forgot about it and so did he. Of course he lost it. Now all I have is this laptop.

By the way I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.



JOB OFFER...

I anyone can help me to recover this. I can give 10% or currently around 7500$

I created an image of the disk. Here. (virus free) https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

I'm not good with computers. I tried Pywallet I could not even properly install it.

Now crossing fingers.

Thanks for your help.

Private Key generation in the older versions was completely random... none of the private keys were "linked" in any way. There is 0% chance of being able to regenerate the key. This is one of the reasons why Bitcoin Core moved to "Hierarchical Deterministic" (aka "HD") wallets.

The newer "HD" versions of Bitcoin Core use a "seed"... They are able to recreate all generated keys from the seed. However, the seed is not shown to the end user and cannot be easily extracted. The method to backup is still maintaining backup copies of wallet.dat... the HD functionality just means that you don't need necessarily need to make new backups when new keys are generated (ie. when the keypool is exhausted and refreshed).

Alright.

Just curious about something... I have the exact bitcoin core program (0.8.6) I used to create the wallets. Program installed on January 7th 2014, same day I created that lost wallet.dat

How does the address generation works ? Can't this wallet help me to regenerate the key  
Probably a stupid question but this is making me crazy.

Well, given the recovered files were corrupted... then I guess the OP got unlucky. 

Something was obviously written to disk over the old (deleted) wallet.dat data... regardless of whether or not it was the Service Pack... the point was that the computer was obviously being used and data was being written to disk. That increases the risk of data corruption.

Like I said, there is a chance that they might be able to find an intact key by doing a raw byte search on the disk... but I wouldn't be terribly confident of a successful outcome. No harm in trying. As Jet Cash said tho... make an image of the drive first and search the image.

Not really. [Windows 7] Service packs are only around one or two gigabytes large, so unless OP was extremely low on disk space, the chance of the service pack temporary files being the one that overwrote the wallet file is very slim.

Even having 50GB free means there was only up to 4% chance the wallet file was overwritten if it was already deleted at the time the service pack was installed.

See [GUIDE] Recover your deleted keys: you can use Pywallet to search the entire partition.

In the early days, it would have been one private key for each address you used. Later, a "pool" of 100 keys was created before using them (to make backups easier), and even later it was increased to 1000 keys. For your 2014-wallet, I guess it would be in the 100-range.

The first thing you should do before attempting any recovery of exploration is to mirror the drive.

Thank you for your explanations.

I was wondering, if my wallet .dat is corrupt and pywallet can't extract anything from it, is there still a chance to find the private key on the HDD, or is that the confirmation that there's nothing to see ?

Also sorry if my question is stupid but how many private keys per .dat file is there ? One I guess ? Just want to be sure. I have a few .dat files from other coins. So if I'm finding a bunch of keys, I will have to test them one by one.

A lot of the time, files are not written sequentially onto a disk... the data can be a little bit fragmented/scattered... so looking for hex markers may not yield results either (although it is more likely to as you're looking for a much smaller contiguous data block that an entire file)

When you "delete" a file, often the OS just marks that space as "available" without removing/wiping/overwriting the data that is currently there. However, if you've been writing to the disk, then literally any of the "available" space might have been used to store that data... overwriting your old wallet data

Service Pack updates can be quite large... requiring significant amounts of disk space to unpack the temporary install files etc.

It might be worth trying to make a raw image of the drive and then searching the disk image bytes for the hex markers... you might get lucky and find a private key... but honestly, I don't fancy your chances

Oops indeed, sorry for the confusion.
So I just contacted Dave.

I've been doing some crazy detective job to find this wallet... and finally it's unreadable. So frustrating.

That laptop was rarely used over the last 7 years. I just did some windows service pack updates in order to make some software compatibles. However it seems the file is not readable.

I used Recuva, easeUS, and Puran recovery, they all failed to detect it. Only wondershare recoverit found it. I guess because the file was in such bad shape ?

I really wonder about the disk partition hexa research. But if Pywallet wasn't able to find the private key, I guess I can't find it on the disk anywhere.

This is so frustrating. That money could change everything for me. I just divorced and need to start a new life. Damn...

I know there is one David who does the same job, but as far as I know only Dave has a reputation as a person who can be completely trusted when it comes to such sensitive things.

Pretty much... what has happened to the drive you "recovered" the files from since 2014? If it has been used, written to, formatted etc... the odds of a "good" recovery are usually quite poor.


Are you sure? because in your post in the other thread you mentioned "David" from "walletrecovery.info"... and not "Dave" from "walletrecoveryservices.com"

They are two different services/people...

Yes that's the person I contacted.

If it's Dave, I trust his professional opinion. I don't know a David in this business.

I used a file recovery software in order to recover a lost .dat wallet from 2014.

I'm confident I found the right wallet. And there was even two of it (original+copy). But unfortunately the files are corrupt. 

I submitted the files to a professional wallet recovery service (for those who know, a guy named David), he used Pywallet but could not extract anything. He said the files are « completely overwritten »...

Am I screwed ?

I don't have much computer knowledge. I found these threads about doing a hdd partition research using hex editor.

https://bitcointalksearch.org/topic/walletdat-recovery-recover-your-own-lost-bitcoins-22697
https://bitcoin.stackexchange.com/questions/41447/filesystem-is-corrupt-how-to-find-wallet-dat

If it's « completely overwritten » then I have little hope the keys survived.

Any expert opinion ?

1.54 BTC on it.

Thanks.