
Topic: Is it possible to recover overwritten wallet files? (Read 249 times)

sr. member
Activity: 356
Merit: 268
  • Only select text file types for output. This will filter out any non-text files and make the results easier to search through.
  • Use the aggressive recovery option. This will have PhotoRec search more thoroughly for file fragments, increasing the chance of recovering partial or fragmented wallet files.
  • Reduce the block size PhotoRec searches. A smaller block size means PhotoRec has to search more blocks to recover a file, but it is more likely to find small fragments. For fragmented wallet files, this can help in recovering more of the data.
  • Grep the results for keywords like "stored_height" or "mpk" or "xpub", maybe use grep with regular expressions for addresses/pi. This can help filter the results to only show files potentially containing wallet data.
  • Recover the files multiple times with different options. Different options may yield different results, so multiple recoveries can help recover more wallet data.
  • Search for lower size files and file fragments. Wallet keys and seeds are typically short pieces of text, so searching for smaller file sizes and fragments may yield more relevant results.
  • Be prepared for partial and fragmented results. When recovering deleted data, full files are not always recovered. But even recovering parts of wallet files, keys, or seeds can help in restoring access to funds.



The key is experimenting with different recovery options and thoroughly searching the results. With patience and persistence, there is a chance of recovering at least some Electrum wallet data using PhotoRec. Please let me know if you have any other questions!

https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step


== How PhotoRec works ==
FAT, NTFS, ext2/ext3/ext4 file systems store files in data blocks (also called clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the file system. In general, most operating systems try to store the data in a contiguous way so as to minimize data fragmentation. The seek time of mechanical drives is significant for writing and reading data to/from a hard disk, so that's why it's important to keep the fragmentation to a minimum level.

When a file is deleted, the meta-information about this file (file name, date/time, size, location of the first data block/cluster, etc.) is lost; for example, in an ext3/ext4 file system, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the file system, but only until some or all of it is overwritten by new file data.

To recover these lost files, PhotoRec first tries to find the data block (or cluster) size. If the file system is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database which comes with the program and has grown in the type of files it can recover ever since PhotoRec's first version came out.

For example, PhotoRec identifies a JPEG file when a block begins with:

* 0xff, 0xd8, 0xff, 0xe0
* 0xff, 0xd8, 0xff, 0xe1
* or 0xff, 0xd8, 0xff, 0xfe

If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found).

If the data is not fragmented, the recovered file should be either identical to or larger than the original file in size. In some cases, PhotoRec can learn the original file size from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends.

When a file is recovered successfully, PhotoRec checks the previous data blocks to see if a file signature was found but the file wasn't able to be successfully recovered (that is, the file was too small), and it tries again. This way, some fragmented files can be successfully recovered.


Enable Keep corrupted files

on https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step go to https://www.cgsecurity.org/mw/images/PhotoRec_options.png
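
The keyword search suggested in the post above can also be run directly over a raw disk image instead of over PhotoRec's output files. The following is an added example, not part of the original post and not PhotoRec or Electrum code; the image path, chunk sizes and the xpub pattern are assumptions.

```python
import re

# Markers suggested in the post; the xpub pattern (prefix plus 107 base58
# characters) is an assumption used only as a search heuristic.
MARKERS = {
    "stored_height": re.compile(rb'"stored_height"'),
    "mpk": re.compile(rb'"mpk"'),
    "xpub": re.compile(rb"xpub[1-9A-HJ-NP-Za-km-z]{107}"),
}

def scan_image(path, chunk_size=1 << 20, overlap=256, context=64):
    """Return sorted (offset, marker, surrounding bytes) hits from a raw image.

    The image is read in chunks. The last `overlap` bytes of each buffer are
    carried into the next one, and a match is accepted only if it starts
    before that tail, so a marker split across two chunks is found exactly
    once. `overlap` must be at least the longest possible match (111 bytes).
    """
    hits = []
    with open(path, "rb") as img:  # read-only: the image is never modified
        buf, base = b"", 0         # base = absolute offset of buf[0]
        while True:
            chunk = img.read(chunk_size)
            eof = not chunk
            buf += chunk
            limit = len(buf) if eof else max(len(buf) - overlap, 0)
            for name, rx in MARKERS.items():
                for m in rx.finditer(buf):
                    if m.start() >= limit:
                        continue   # in the tail: re-examined next round
                    lo = max(m.start() - context, 0)
                    snippet = buf[lo:m.end() + context]
                    hits.append((base + m.start(), name, snippet))
            if eof:
                break
            base += limit
            buf = buf[limit:]
    return sorted(hits)

if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python scan.py working_copy.img
    for offset, name, snippet in scan_image(sys.argv[1]):
        print(f"{offset:#014x} {name:14} {snippet!r}")
```

Each reported offset is a byte position in the image, so the surrounding region can be extracted for closer inspection even when no complete file was carved.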
hero member
Activity: 714
Merit: 1010
If you accidentally delete important files or data you should cut power of the device as quickly as possible. It's likely less harmful than a normal shutdown because you want to prevent as much as possible any new writes to the filesystem.

Do _not_ restart the computer before you create a forensic (full sector-by-sector, bit-identical) copy of your storage device. This forensic copy should be kept as a read-only copy of the original state of your filesystem for any further data recovery attempt. You could limit the forensic copy to the partition of the filesystem where the deletion happened. But only if you know exactly what you're doing. A full disk forensic copy takes likely longer and needs more storage space on a separate storage device, but you don't have to think much about it to backup all you need for further recovery.

After you have secured your forensic copy, you can proceed to try to recover your data with different recovery tools. If one tool fails, you replay the last original state from your forensic copy and start over from that with some other recovery tool.

Most people fail to create the important forensic copy that allows you to replay your recovery attempts as often as needed.
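
The workflow in the post above (take one master image, keep it read-only, and start every recovery attempt from a fresh copy of it) can be sketched as follows. This is an added example, not part of the original post; the function names and file paths are hypothetical, and `source` is assumed to be a readable device node or file.

```python
import hashlib
import os
import shutil
import stat

def sha256_file(path, block=1 << 20):
    """Hash a file or device in blocks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source, master, block=1 << 20):
    """Copy `source` bit for bit into `master` and return its SHA-256.

    Mode "xb" refuses to overwrite an existing master image. The hash is
    computed over the bytes as they are read, then the written image is
    re-read and compared before it is marked read-only.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(master, "xb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    digest = h.hexdigest()
    if sha256_file(master) != digest:
        raise IOError("master image differs from the data read from source")
    os.chmod(master, stat.S_IRUSR)  # owner read-only
    return digest

def fresh_working_copy(master, work, expected):
    """Replay the original state: recreate `work` from the verified master."""
    if sha256_file(master) != expected:
        raise ValueError("master image changed since acquisition")
    shutil.copyfile(master, work)   # overwrites a previous working copy
    if sha256_file(work) != expected:
        raise IOError("working copy does not match the master image")
    return work

if __name__ == "__main__":
    # Hypothetical paths: source device and images on a separate drive.
    digest = acquire("/dev/sdX", "/mnt/evidence/master.img")
    print("master sha256:", digest)
    fresh_working_copy("/mnt/evidence/master.img",
                       "/mnt/evidence/work.img", digest)
```

Recovery tools are pointed only at the working copy; after a failed attempt, calling `fresh_working_copy` again restores the original state.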
hero member
Activity: 1750
Merit: 904
I also lost a wallet file due to carelessness in the past and attempted to recover it. I used Recuva, and supposedly the file was recoverable and hadn't suffered any data loss. However, the wallet was most likely corrupted, even though Recuva said otherwise, because it was unrecognizable when I tried to recover it through the Electrum wallet. I never found any solution, but ultimately, it's corrupt beyond repair and probably a lost cause.

If it's a freshly deleted file, then you have a greater chance of successfully recovering your wallet without it being corrupted. My case was quite different, though, because it was an old file. You might be luckier.
legendary
Activity: 2212
Merit: 7064
It depends if your overwritten files are on HDD or SSD, and how many times they got overwritten, but there is still a chance you can still recover them unless data was secure deleted with some software or BIOS.
Few years ago I accidentally deleted and written over some files on my HDD and I managed to recover them but not 100%, because some files are harder to recover.
Lesson earned for future, always keep physical backup on paper for important stuff like seed words.
sr. member
Activity: 356
Merit: 268
Boot up Kali Linux and run PhotoRec. Look for txt files and enable expert mode with keeping corrupt files. You should see many versions of the wallet file appear at different heights if lucky. Run scan on the whole disk.


If you need help using PhotoRec, search online
legendary
Activity: 1568
Merit: 6660
Yes, it is possible to recover files overwritten from filesystem move - provided it was on an HDD - since it merely changes the disk address of the file content, inside the file "inode"/metadata struct. So the overwritten content is on the same sector.

If you believe that it was overwritten would you mind trying this suggestion below.

Look for the wallet file yours is new_wallet even it's new or old let us try if we can revert it back to the original file just right-click the file then go to properties.
There are 4 tabs just go to Previous versions and let's hope that there is one previous version in case you found one just click it and restore. 

Doesn't "previous version" feature on Windows is disabled by default?

Yes and no.  Previous Version is enabled by default, and doesn't require Windows Backup to be enabled but it won't save previous versions for very long (30 days max, I think.)  I've noticed it works well enough with files created by Microsoft apps (Word, Excel, etc.,) but may not work at all with other types of files.  If you have Windows Backup enabled, you can restore any file type.  The age of the backup will largely depend on how much diskspace you have allocated to Windows Backup.

Windows Backup is quite frankly a brittle program that will break if it notices the slightest oddity with your backup set (oh that one large folder that never copied completely... Oh wait my file extension wasn't even enabled for backup in the first place). Recuva has a much better chance of recovering the wallet file without making all that write churn that hurts your chances of getting it recovered.
full member
Activity: 412
Merit: 152
@BitMaxz @hosseinimr93

Tried the method you've mentioned



It seems like my "previous version" on Windows was disabled or due to my storage being almost full (22gb free space).
Thanks for helping, very much appreciated. I also tried to check with the current folder where it was overwritten to no avail.

legendary
Activity: 3374
Merit: 3095
Thanks for the information. While it's better than no backup, another problem is "Previous Version" use low percentage of partition space. If the partition space is really small and user frequently write files, it's possible Electrum wallet files won't be or less frequently backed up.

Based on my research according to Microsoft the space size that they can handle for the restore point is around 3% to 5% of disk space depending on the hard disk total size.
Since the wallet file is not eating so much data space it should still have a restore point unless if the hard disk drive is totally full.
legendary
Activity: 2870
Merit: 7490
Doesn't "previous version" feature on Windows is disabled by default?
By default, it's enabled for the drive you have installed windows on.
As electrum wallet files are stored on the same drive as windows is installed, previous versions should be automatically saved for them.
The problem is that restore points aren't created every time you make change to a file.

The following image has been taken from "Properties" window of the folder my electrum wallets files are stored in.
As you see, three restore points have been created in the past 30 days.



Thanks for the information. While it's better than no backup, another problem is "Previous Version" use low percentage of partition space. If the partition space is really small and user frequently write files, it's possible Electrum wallet files won't be or less frequently backed up.
legendary
Activity: 2380
Merit: 5213
Doesn't "previous version" feature on Windows is disabled by default?
By default, it's enabled for the drive you have installed windows on.
As electrum wallet files are stored on the same drive as windows is installed, previous versions should be automatically saved for them.
The problem is that restore points aren't created every time you make change to a file.

The following image has been taken from "Properties" window of the folder my electrum wallets files are stored in.
As you see, three restore points have been created in the past 30 days.

legendary
Activity: 3374
Merit: 3095
Doesn't "previous version" feature on Windows is disabled by default?

Actually, I do not know but I didn't change any settings on my PC so I think DireWolfM14 is right it's enabled by default.

Well not just for Microsoft files but it's also working on folders and other files I already have experience on overwritten files including wallet files which work well. The only problem is if the above problem is beyond 30 days.
copper member
Activity: 2338
Merit: 4543
If you believe that it was overwritten would you mind trying this suggestion below.

Look for the wallet file yours is new_wallet even it's new or old let us try if we can revert it back to the original file just right-click the file then go to properties.
There are 4 tabs just go to Previous versions and let's hope that there is one previous version in case you found one just click it and restore. 

Doesn't "previous version" feature on Windows is disabled by default?

Yes and no.  Previous Version is enabled by default, and doesn't require Windows Backup to be enabled but it won't save previous versions for very long (30 days max, I think.)  I've noticed it works well enough with files created by Microsoft apps (Word, Excel, etc.,) but may not work at all with other types of files.  If you have Windows Backup enabled, you can restore any file type.  The age of the backup will largely depend on how much diskspace you have allocated to Windows Backup.
legendary
Activity: 3374
Merit: 3095
If you believe that it was overwritten would you mind trying this suggestion below.

Look for the wallet file yours is new_wallet even it's new or old let us try if we can revert it back to the original file just right-click the file then go to properties.
There are 4 tabs just go to Previous versions and let's hope that there is one previous version in case you found one just click it and restore. 
full member
Activity: 412
Merit: 152
Is the wallet worth attempting to recover?

If your drive is not full and you've got an extra computer you should be able to produce a disk image of your drive and attempt to find the wallet file that way - you should also stop using the computer with the deleted wallet file on it as much as possible (and shut it down using the power button or plug). You'll probably have to run ubuntu or something to be able to easily take a disk image and have a separate drive so it's not a simple task but also not too hard to do.

Edit: got distracted and forgot this was to do with electrum, autopsy can scan for electrum wallet files directly though apparently.

Apparently there's a fingerprint from the db you can search for, referenced here: https://bitcoin.stackexchange.com/questions/41447/filesystem-is-corrupt-how-to-find-wallet-dat or it might be possible to import the disk image into forensics software like autopsy to get the info you need.

(after doing all this, there's a chance you still won't be able to get your wallet back though).

I'm thinking about it too, if it is worth the hassle since it contains funds (partial funds) for some of my current projects (though it is dispensable). I'll update if I can somehow trace or even a glimpse of the overwritten wallet. Thanks for the help. @jackg
copper member
Activity: 2856
Merit: 3071
Is the wallet worth attempting to recover?

If your drive is not full and you've got an extra computer you should be able to produce a disk image of your drive and attempt to find the wallet file that way - you should also stop using the computer with the deleted wallet file on it as much as possible (and shut it down using the power button or plug). You'll probably have to run ubuntu or something to be able to easily take a disk image and have a separate drive so it's not a simple task but also not too hard to do.

Edit: got distracted and forgot this was to do with electrum, autopsy can scan for electrum wallet files directly though apparently.

Apparently there's a fingerprint from the db you can search for, referenced here: https://bitcoin.stackexchange.com/questions/41447/filesystem-is-corrupt-how-to-find-wallet-dat or it might be possible to import the disk image into forensics software like autopsy to get the info you need.

(after doing all this, there's a chance you still won't be able to get your wallet back though).
full member
Activity: 412
Merit: 152
Also, I haven't stored any public key for both wallets didn't plan but oh well.
There is nothing master public key can do, it can not be of help than using it as a watch-only wallet or to track your total coin, it can not be used for spending. Master private key can be of help but I believe you did not backup the master private key which is not even needed if you have your seed phrase.

The easiest you should have done even if you have the wallet file is to backup your seed phrase. If you have replaced the wallet file with another file, nothing can be done, it does not contain the information needed if the back is something else other than your wallet file backup. Either get the original wallet file or the seed phrase needed.

@Charles-Tim

edited* I was pertaining to private key not public key still a bit hazy due to my infuriating rookie mistake.
legendary
Activity: 1512
Merit: 4795
Also, I haven't stored any public key for both wallets didn't plan but oh well.
There is nothing master public key can do, it can not be of help than using it as a watch-only wallet or to track your total coin, it can not be used for spending. Master private key can be of help but I believe you did not backup the master private key which is not even needed if you have your seed phrase.

The easiest you should have done even if you have the wallet file is to backup your seed phrase. If you have replaced the wallet file with another file, nothing can be done, it does not contain the information needed if the back is something else other than your wallet file backup. Either get the original wallet file or the seed phrase needed.
full member
Activity: 412
Merit: 152
I was migrating my files from a different pc to another one since my old system is barely keeping up. While I was transferring I've pasted both wallet files namely "new_wallet" (didn't bother to change the name) on the same folder. The prompter ask if I would replace old files but due to carelessness I pressed Okay and continued. Unfortunately, I've only have stored 1 seed phrase of the wallets while the other one was a "new" new_wallet for newer transactions hence the name mix up. Trying my hardest to remember if I've written the seed phrase somewhere for the "new" new_wallet. Also, I haven't stored any public private key for both wallets didn't plan but oh well.

Any leads will be much appreciated.

Sincerely,
Clairvoyance