Pages:
Author

Topic: How to recover btc after windows reinstall - page 4. (Read 6693 times)

HCP
legendary
Activity: 2086
Merit: 4363
Wallet.dat files only work with Bitcoin Core. As far as I know, no other wallet application works with this file format. There is also the pywallet script that supposedly works with wallet.dat files, but I've found that it is a little outdated and doesn't play nicely with newer versions of wallet.dat files from newer versions of Bitcoin Core.

As HITEC suggested, I'd make a few backup copies of what you have recovered... then, grab a copy of Bitcoin Core... depending on how old your copy of Core was... you can find all the history releases here: https://bitcoin.org/bin/

I'd probably start with 0.14.x and work backwards until you find a version that works with the wallet.dat you have. I think the newer versions will read and "upgrade" older versions, (hence why you might want to make multiple backup copies) but I'm not 100% on that.

Otherwise, check out Pywallet (https://bitcointalksearch.org/topic/pywallet-22-manage-your-wallet-update-required-34028) and see if that works with the wallet.dat
full member
Activity: 217
Merit: 109
Which Bitcoin wallet should I download? to give it a try. thanks.
full member
Activity: 217
Merit: 109
I ran a different recovery program and it found wallet.dat folder 96kb, a chainstate folder and  a blocks folder. When it had found these folders it classed them as in good condition yet the wallet dat folder is only 96kb? can that be right.
If someone else had accessed this file and removed any keys would that reduce it to 96kb. Thanks.

That sounds exactly right. I tested generating a wallet.dat with a very old version of Bitcoin core and it was 96KB. Make some backups of it then test it to find out if it's not corrupted.

Have you tried opening the wallet.dat from inside Bitcoin core yet? You don't need to sync Bitcoin core to find out if the wallet isn't corrupted.
I thought that a used wallet dat file would be larger than 96kb ie one with transactions. Thanks again for your reply.
full member
Activity: 217
Merit: 109
Searched using the sequence  0201010420 and didn't get any matches,  but i will try the other sequence when i get chance. I briefly searched the 0420 sequence but as i thought,  after 30 mins there were already some 40000 results.

Can i ask a really basic question?, if there were 32 bitcoins in the account, does that mean 32 private keys?. Thanks again.
legendary
Activity: 2772
Merit: 2846
I ran a different recovery program and it found wallet.dat folder 96kb, a chainstate folder and  a blocks folder. When it had found these folders it classed them as in good condition yet the wallet dat folder is only 96kb? can that be right.
If someone else had accessed this file and removed any keys would that reduce it to 96kb. Thanks.

That sounds exactly right. I tested generating a wallet.dat with a very old version of Bitcoin core and it was 96KB. Make some backups of it then test it to find out if it's not corrupted.

Have you tried opening the wallet.dat from inside Bitcoin core yet? You don't need to sync Bitcoin core to find out if the wallet isn't corrupted.
full member
Activity: 217
Merit: 109
I ran a different recovery program and it found wallet.dat folder 96kb, a chainstate folder and  a blocks folder. When it had found these folders it classed them as in good condition yet the wallet dat folder is only 96kb? can that be right.
If someone else had accessed this file and removed any keys would that reduce it to 96kb. Thanks.
sr. member
Activity: 322
Merit: 250
Can anyone point me to a guide on using pywallet or a recovery program to attempt getting my btc back from a hard drive that has had windows reinstalled. The drive was removed from the laptop and was used for less than a week after the stupid event. I have bought a hard drive caddy but want to know if i should use a recovery program or can i just use pywallet?. If anyone could point me to a guide that is useable by a computer novice, ie a step by step spoon feed type guide, i would be very grateful. Cheers guys.

Try using a recovery program, that might work. Try looking for the pywallet files in your windows.old folder. There should be one like that in your C:/ or D:/ drive.  Or an alternate way is to go into your "restore version" of windows and try to see if there are any restore points that you can choose. If yes, let it restore and copy all the necessary files, then undo the restore. If you cannot do this, try to see if you can get a restore program that will get back your old windows version and pywallet.
Visit this link, http://www.jihosoft.com/recover-data/data-recovery-after-windows-reinstall.html
Might work. I know that it is possible, although it may vary on how much you cleaned your drive. My father did it somehow, ill get back to you once I ask.
legendary
Activity: 2772
Merit: 2846
Searched using the sequence  0201010420 and didn't get any matches,  but i will try the other sequence when i get chance. I briefly searched the 0420 sequence but as i thought,  after 30 mins there were already some 40000 results.

Can i ask a really basic question?, if there were 32 bitcoins in the account, does that mean 32 private keys?. Thanks again.

No, it depends on how many Bitcoins were sent to each address. All 32 Bitcoins could have been sent to the same address, in which case claiming those coins would only require one private key.

If 16 Bitcoins were sent to one address and the other 16 were sent to a different address claiming those coins would only require two private keys.

Maybe using pywallet would give better results. It can scan for password protected wallets and earlier on you said you have the password.

However, pywallet's not easy to install as it's very old software.
full member
Activity: 217
Merit: 109

Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.

Are you trying to scan an external drive or your internal one with your operating system running on it? It should already be able to see all your external hard drives.

By default it only scans external drives like the type you plug into a USB port. I only recommend running it inside a vmware or virtual box  virtual machine in case there is anything malicious hidden in it. I wouldn't ever risk searching for private keys in plain text while running it on my internet connected operating system.

If you can't see a particular external hard drive with it then you could try running it with administrative privileges in windows, or as root in linux. However if you risk doing that you must definitely run the hex editor inside a virtual machine for safety. If you give it administrative privileges or make it root then you are giving it control of your operating system, and that's a big security risk. Also, it will be able to open your drive running your operating system which will probably show as physicaldrive0. If you edit the hex on that drive you could crash your operating system.
Sussed it thanks, Administrator privileges required when running program. Listed as drive 1 and indicating around 9 hrs per search. Cheers.
legendary
Activity: 2772
Merit: 2846

Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.

Are you trying to scan an external drive or your internal one with your operating system running on it? It should already be able to see all your external hard drives.

By default it only scans external drives like the type you plug into a USB port. I only recommend running it inside a vmware or virtual box  virtual machine in case there is anything malicious hidden in it. I wouldn't ever risk searching for private keys in plain text while running it on my internet connected operating system.

If you can't see a particular external hard drive with it then you could try running it with administrative privileges in windows, or as root in linux. However if you risk doing that you must definitely run the hex editor inside a virtual machine for safety. If you give it administrative privileges or make it root then you are giving it control of your operating system, and that's a big security risk. Also, it will be able to open your drive running your operating system which will probably show as physicaldrive0. If you edit the hex on that drive you could crash your operating system.
full member
Activity: 217
Merit: 109
Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalksearch.org/topic/m.19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.



Someone else did some testing and found that sequence before every key he tested. I also tested it and came to the same conclusion. However it might not always work.

Another sequence you can try searching for is 01036B65794104. If you find it and also find the sequence 0420 about 180 bytes later, then the next thirty-two bytes are probably a private key.

This quote explains it in more detail.


If you know how to use a hex editor you could try scanning your drive for this sequence of bytes: 01 03 6B 65 79 41 04.

That sequence often occurs in a wallet.dat file about 180 bytes before a private key. If you look forward 180 bytes and can find the byte sequence 04 20 then it's likely a private key is the next the thirty-two bytes.

If you find a private key you can change it to a common format by pasting the thirty-two bytes into an offline copy of this webpage.

https://www.bitaddress.org/

This is an example of the 32 bytes of a private key in botepad.

I have been doing some tinkering around, thinking about other people's wallet disasters, and believe I have come to the following conclusion...

If you have lost your wallet.dat for whatever reason (deleted it, formatted your drive, file corruption, etc.) it's possible that it may still be lurking on your computer.  If so, recovery is no longer purely theoretical.  With a little knowledge of what to search for, you can use a hex editor to potentially find usable remnants of your wallet.dat file and get back your bitcoins, even if the original file isn't fully recoverable.

So here goes...

If you can use a hex-editor to do a sector-by-sector search/edit on your entire hard drive, then search your entire hard drive for occurrences of the following byte sequence:

01 03 6B 65 79 41 04...........

the middle four of these bytes represent the string "keyA" in ASCII.

Each time this byte sequence occurs, a Bitcoin private key is probably stored nearby, about 180 bytes later.  The 32-byte private key is the only thing you need to recover your bitcoins!... as long as you find the right one(s).

Approximately 180 bytes after this sequence, you may find the byte sequence 04 20 (hex).  These two bytes seem to precede every private key (the 0x20 suggests a length of 32 bytes).  If you find this sequence, the thirty-two bytes that come after 04 20 are the private key representing a Bitcoin address and might be the private key that recovers some of your lost bitcoins!  Your wallet will have numerous private keys (at least one hundred, due to the pre-allocation of keys)... get as many as you can find.  Carefully search the sectors adjacent to any sector containing the "keyA" sequence above.  Then yell for help!  (But don't share the private keys in public, unless you want to give away your wallet.)

An example of a hex editor that can scan an entire disk volume for specific byte sequences for Windows is WinHex.  In WinHex, use Tools, Open Disk (F9), and choose the disk you want to scan.  Scanning a full disk can take hours.  WinHex must "run as administrator" to be able to scan a physical disk.  Someone please recommend a good way to do this in Linux, preferably with a known Live CD, if possible.  Also, any time you are scanning a disk for potentially lost data, you should NEVER boot the disk you're searching - always boot from another disk and install the target disk as secondary.
Sorry to bug you again but when i start hex editor, the drive letter doesn't appear, only drive D. Thanks.
legendary
Activity: 2772
Merit: 2846
Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalksearch.org/topic/m.19522772

This hex editor is capable of searching a whole hard drive.

https://sourceforge.net/projects/wxhexeditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.



Someone else did some testing and found that sequence before every key he tested. I also tested it and came to the same conclusion. However it might not always work.

Another sequence you can try searching for is 01036B65794104. If you find it and also find the sequence 0420 about 180 bytes later, then the next thirty-two bytes are probably a private key.

This quote explains it in more detail.


If you know how to use a hex editor you could try scanning your drive for this sequence of bytes: 01 03 6B 65 79 41 04.

That sequence often occurs in a wallet.dat file about 180 bytes before a private key. If you look forward 180 bytes and can find the byte sequence 04 20 then it's likely a private key is the next the thirty-two bytes.

If you find a private key you can change it to a common format by pasting the thirty-two bytes into an offline copy of this webpage.

https://www.bitaddress.org/

This is an example of the 32 bytes of a private key in notepad.

I have been doing some tinkering around, thinking about other people's wallet disasters, and believe I have come to the following conclusion...

If you have lost your wallet.dat for whatever reason (deleted it, formatted your drive, file corruption, etc.) it's possible that it may still be lurking on your computer.  If so, recovery is no longer purely theoretical.  With a little knowledge of what to search for, you can use a hex editor to potentially find usable remnants of your wallet.dat file and get back your bitcoins, even if the original file isn't fully recoverable.

So here goes...

If you can use a hex-editor to do a sector-by-sector search/edit on your entire hard drive, then search your entire hard drive for occurrences of the following byte sequence:

01 03 6B 65 79 41 04...........

the middle four of these bytes represent the string "keyA" in ASCII.

Each time this byte sequence occurs, a Bitcoin private key is probably stored nearby, about 180 bytes later.  The 32-byte private key is the only thing you need to recover your bitcoins!... as long as you find the right one(s).

Approximately 180 bytes after this sequence, you may find the byte sequence 04 20 (hex).  These two bytes seem to precede every private key (the 0x20 suggests a length of 32 bytes).  If you find this sequence, the thirty-two bytes that come after 04 20 are the private key representing a Bitcoin address and might be the private key that recovers some of your lost bitcoins!  Your wallet will have numerous private keys (at least one hundred, due to the pre-allocation of keys)... get as many as you can find.  Carefully search the sectors adjacent to any sector containing the "keyA" sequence above.  Then yell for help!  (But don't share the private keys in public, unless you want to give away your wallet.)

An example of a hex editor that can scan an entire disk volume for specific byte sequences for Windows is WinHex.  In WinHex, use Tools, Open Disk (F9), and choose the disk you want to scan.  Scanning a full disk can take hours.  WinHex must "run as administrator" to be able to scan a physical disk.  Someone please recommend a good way to do this in Linux, preferably with a known Live CD, if possible.  Also, any time you are scanning a disk for potentially lost data, you should NEVER boot the disk you're searching - always boot from another disk and install the target disk as secondary.
full member
Activity: 217
Merit: 109
Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalksearch.org/topic/m.19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Does that sequence always occur before every private key in your experience?. Thanks again.
[/quote]
newbie
Activity: 14
Merit: 0
In the passed, when i've installed windows it would leave your old files intact somewhere (unless you specified to nuke them by reformatting your drive). 
sr. member
Activity: 378
Merit: 250
I once read an article about this that you can recover your files in your HDD even though it is reformatted with a specific software to be use, until it has no bad secter or error. installing a new OS to your HDD can partition it and also wipe out it's data

or simply follow this guide, I hope this could help you

https://www.easeus.com/resource/recover-data-after-format.htm
hero member
Activity: 2352
Merit: 905
Metawin.com - Truly the best casino ever
What about to don't damage your hdd more and try to get help from professionals? 32 btc isn't joke and especially when price is so high. https://www.securedatarecovery.com/services
Can't see that this is so big problem despite the facts which you wrote. I had many moments when I repaired files what I needed. And recuva isn't your last chanse, try more serious services.
full member
Activity: 273
Merit: 100
Take this with a grain of salt, but consider contacting your local police department. Inform them you lost $100,000 worth of Bitcoins. If they have forensic experts able to recover it, you will donate $20,000 to the department for their services. It is worth a shot at least.

P.S. If it works, I wouldn't mind a small donation either. Smiley
legendary
Activity: 2772
Merit: 2846
Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalksearch.org/topic/m.19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Thanks, really appreciate this. Probably last chance saloon if my attempt with Recuva is anything to go by.
I do have the password, but don't know whether the wallet was locked the last time it was used. If this doesn't find anything then would pywallet be able to scan the whole drive?. Thanks again, and to anyone else that has given helpful comments. Smiley


Yes pywallet can scan a whole drive for a deleted wallet.dat. However, it's very old software and getting it working requires installing some very old versions of other software that can be difficult to find. I played around with it about half a year ago and had it working, but I can't remember all the steps I made. I'll have to test reinstalling it to work out some instructions.

Hopefully achow101's installation instructions from 2015 still work.

This is a screenshot of pywallet scanning a drive.

full member
Activity: 217
Merit: 109
Was the wallet encrypted (did it have a password)? If it wasn't encrypted then attempting salvaging the coins will be easier than if it was.

There is an alternative to using pywallet, but it requires more time and effort.

If it wasn't encrypted you could use a hex editor capable of searching a whole hard drive to search for this string of bytes 0201010420. The next the thirty-two bytes after that string could be a private key.

If you find one you can change it from raw hex to a normal format by pasting the thirty-two bytes into an offline copy of this webpage, which will also give you its associated address.

https://www.bitaddress.org/

This post explains how to use the webpage.

https://bitcointalksearch.org/topic/m.19522772

This hex editor is capable of searching a whole hard drive.

https[Suspicious link removed]ditor/

These screenshots explain how to open a disk, then search it for the hex string.

Click "devices", then "open disk device", then select the disk letter you want to search.



Click "edit", then "find".



This window should open. Paste the hex string into the the text box labelled "search", then click the button labelled "find all" and wait a very long time for it to search the whole drive.



If you try it run all software offline inside a virtual machine like virtualbox or vmware. Don't ever risk putting a private key on a computer that will ever be connected to the internet.

If you find any private keys you can install the electrum wallet and either import or sweep them into it using these instructions.

http://docs.electrum.org/en/latest/faq.html#can-i-import-private-keys-from-other-bitcoin-clients

http://docs.electrum.org/en/latest/faq.html#can-i-sweep-private-keys-from-other-bitcoin-clients

Electrum should sync almost immediately and give you fast access to your coins.

Don't ever boot from that hard drive again because doing so could wipe all traces of your coins.
Thanks, really appreciate this. Probably last chance saloon if my attempt with Recuva is anything to go by.
I do have the password, but don't know whether the wallet was locked the last time it was used. If this doesn't find anything then would pywallet be able to scan the whole drive?. Thanks again, and to anyone else that has given helpful comments. Smiley
member
Activity: 149
Merit: 22
🔴🔵 FoxMixer.com 🔵🔴
Wow, nice and detailed explanation HI-TEC99, thumbs up for this.
Pages:
Jump to: