Topic: Lost wallet with virtual machine, have BTC address, can I recover coin? (Read 2312 times)

newbie
Activity: 0
Merit: 0
Did you ever recover the bitcoin from the VM? If not I'd be willing to possibly help. I'm a full stack developer with a background in reverse engineering...
full member
Activity: 175
Merit: 100
Thanks much, I will take a crack at it.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Sorry guys, no headway.  I am running Debian with Python 2.6.6

For pywallet error is: root@debian:/home/bob# ./pywallet.py --web
./pywallet.py: line 1: syntax error near unexpected token `newline'
./pywallet.py: line 1: `'
I cut/pasted the install line from the docs so I have all of the packages.

etotheipi
I started python and entered the command given, and the error within python is "no module named armoryengine"


HowlingMad:  armoryengine is part of Armory.  You can't just run it in a vacuum.  You have to build the Armory project from source to get it.  Luckily, Armory is super easy to build from source:

http://bitcoinarmory.com/download/building-armory-from-source/

It's 4 lines on the terminal to get it running.  At that point, you should be able to start python in that directory and get access to it.  But there's still no shortage of complexity to get what you need out of the wallet file.  Explaining it here would be the start of developer documentation on how to use armoryengine. 

On the other hand, all the code you need to open the wallet and extract&decrypt the root private key and chaincode are part of the PyBtcWallet module.  You could probably dig through there and pick out what you need.  There's a header to read, which will also read a root address.  Then you read root private key and the KDF parameters (kdfRomix), and then apply the KDF with the passphrase to decrypt the key.

I don't have time to get into the details until after this release.  Though, if you're exceptionally anxious and have programming experience you might be able to figure it out just from looking at how Armory reads and decrypts the private keys.



full member
Activity: 175
Merit: 100
Sorry guys, no headway.  I am running Debian with Python 2.6.6

For pywallet error is: root@debian:/home/bob# ./pywallet.py --web
./pywallet.py: line 1: syntax error near unexpected token `newline'
./pywallet.py: line 1: `'
I cut/pasted the install line from the docs so I have all of the packages.

etotheipi
I started python and entered the command given, and the error within python is "no module named armoryengine"
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
It's all documented here:

http://bitcoinarmory.com/developers/armory-wallet-files/

If it's encrypted, you'll need a little bit of python magic to apply the decryption (it's complicated).  But if you are in Linux (or can get there) it's trivial to get the python environment setup:  just run the four commands to build the project and then start python and "from armoryengine import *".  Windows is considerably more complicated.

In the future we hope to have a tool that will just apply all these steps for you.
full member
Activity: 175
Merit: 100
Thanks I purchased Hex Editor Neo and it seems to work great.  I have found a number of files with the correct header 'baWALLET' but not the wallet I was looking for.  I will try the wallet you recommended and let you know my results.
legendary
Activity: 1176
Merit: 1260
May Bitcoin be touched by his Noodly Appendage
This thread has been brought to my attention

Two remarks:
 - I HIGHLY recommend wxHexEditor, I love it
 - Pywallet recovers private keys from bitcoin-qt deleted wallets, using key headers. So if armory private keys do have headers (etotheipi?), it can easily recover them. I don't know about encryption and such, but once you have all the data you're kinda saved anyway
legendary
Activity: 1792
Merit: 1111

Can I generate new keys from this address?

The answer is quite obvious....... Can you recover the key with the address in my signature?
full member
Activity: 175
Merit: 100
Cool!  Just don't forget to PM with addresses so I can pay you guys for your efforts.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Any recommended hex editor for Windows?  I tried using Hex Editor Neo but it crashes when looking at snapshot files.

You're not going to be able to open it in a regular editor... it's a multi-gigabyte file.  vim should work, but it's a bear to use unless you know what you're doing.  Really though, we'll get a script for you that will do it automatically.  Just hold tight :)  (and pester me if you don't hear back)
full member
Activity: 175
Merit: 100
Any recommended hex editor for Windows?  I tried using Hex Editor Neo but it crashes when looking at snapshot files.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Sorry I did not find any 'binary file above'.

Sorry, what I meant was:  we open the disk files as raw binary files and search them for unique strings that only appear in Armory wallets.  If the wallet still exists anywhere on the VM (even as a deleted file), a raw binary search will find it.

full member
Activity: 175
Merit: 100
6.59159344 BTC involved.  Yes, I am using Windows 7 64-bit and am using Virtualbox.  Each of the 'disks' is a single file and Virtualbox sees them as SATA drives. 

I believe Python is already installed, if not, no big deal.  I can either install python or boot the computer with a LiveCD, I think I have Ubuntu 10.4 laying around here. 

Sorry I did not find any 'binary file above'.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
You might be alright.  Just because the machine crashes doesn't mean that the virtual disk drive is lost.  Very frequently, you can still access that drive (i.e. make a new VM and add the VM disk of the old one to it).   As long as you didn't restore to before the wallet was made -- any version of the wallet is fine for recovering all the coins.  If you restored to before that point in time, you would probably be SoL. 

If you can get access to the wallet file in any way, then you can copy it out and import it into another instance of Armory.  Let me know how it goes.
Yes, the VM was restored to a previous point.  Damn.  I do have the actual BTC address that was associated with the wallet. 

Can I generate new keys from this address?

Oh, that's probably even worse than deleting it, since you can usually forensically recover a deleted file.  I bet the restore is dramatically complicated.  However, I suppose it's possible to still recover something...

Turn off your virtual machine, and locate the directory that contains the hard disk.  We should probably just scan all related files, including the hard-disk file itself.  I will forward this to CircusPeanut who should be able to write a quick script that will search a directory, open all files in binary mode, and do a raw search for a bunch of magic strings that appear in wallet files.  With some luck, the virtual-disk interface works like a real HDD, where "deleted" files may not have been actually deleted but ignored, to be overwritten when something else needs the space.   A raw binary search should tell us right away if there's anything on that disk that even resembles a wallet.

Much more extreme would be a similar raw search of your host (physical) drive.  That's a bit more challenging and a bit more work.  I guess it depends how much BTC you had in there.  Wonder if the cost-to-benefit is there.

What OS are you in?  CircusPeanut should be able to write a dependency-less python script that will search for unique patterns that appear in Armory wallet files.  But if you're in Windows you'll have to install python for that to work.  For CircusPeanut or anyone else that would like to take a stab at raw binary searches for wallets, you can probably search for \xBAWALLET\x00 which will appear as the first eight bytes of any wallet file.  After that, you can look four bytes later for the network magic bytes \xF9\xBE\xB4\xD9.  Once you have that, you can use the binary map I linked above to figure out how much data to copy.
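
Added example, not part of the original post and not the script CircusPeanut or the Armory project wrote: a dependency-free Python 3 scanner for the raw search described above, reading files in chunks so a multi-gigabyte virtual-disk file never has to fit in memory. The function names are hypothetical, "four bytes later" is read as "skip four bytes after the eight-byte ID" (an assumption), and the sample bytes are constructed.

```python
import io
import os

FILE_ID = b"\xbaWALLET\x00"        # first eight bytes of a wallet file (from the post)
NET_MAGIC = b"\xf9\xbe\xb4\xd9"    # network magic bytes (from the post)
MAGIC_AT = len(FILE_ID) + 4        # assumption: "four bytes later" = skip 4 bytes after the ID
NEEDED = MAGIC_AT + len(NET_MAGIC) # bytes required to judge one candidate (16)

def scan_stream(stream, chunk_size=1 << 20):
    """Return [(absolute_offset, magic_ok)] for each FILE_ID found in a binary stream."""
    hits, buf, base = [], b"", 0   # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        eof = not chunk
        buf += chunk
        # Until EOF, judge only candidates whose 16 bytes are fully buffered;
        # the rest stay in the tail and are re-examined with the next chunk.
        limit = len(buf) if eof else max(len(buf) - NEEDED + 1, 0)
        pos = buf.find(FILE_ID)
        while pos != -1 and pos < limit:
            hits.append((base + pos, buf[pos + MAGIC_AT:pos + NEEDED] == NET_MAGIC))
            pos = buf.find(FILE_ID, pos + 1)
        if eof:
            return hits
        base += limit
        buf = buf[limit:]

def scan_directory(root):
    """Scan every readable file under root (e.g. the VM's disk and snapshot files)."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:   # raw binary, never text mode
                    hits = scan_stream(fh)
            except OSError:
                continue                        # locked or unreadable file: skip
            if hits:
                results[path] = hits
    return results

def constructed_image():
    """Constructed sample bytes: one full header, one bad magic, one truncated at EOF."""
    good = FILE_ID + b"\x01\x02\x03\x04" + NET_MAGIC
    bad = FILE_ID + b"AAAA" + b"BBBB"
    return b"\x00" * 37 + good + b"junk" * 5 + bad + b"\x00" * 3 + FILE_ID

if __name__ == "__main__":
    print(scan_stream(io.BytesIO(constructed_image()), chunk_size=10))
```

Offsets are byte positions within each scanned file; a hit marked `True` is where the wallet-file layout linked in the thread tells you how much data to copy out.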
full member
Activity: 175
Merit: 100
You might be alright.  Just because the machine crashes doesn't mean that the virtual disk drive is lost.  Very frequently, you can still access that drive (i.e. make a new VM and add the VM disk of the old one to it).   As long as you didn't restore to before the wallet was made -- any version of the wallet is fine for recovering all the coins.  If you restored to before that point in time, you would probably be SoL. 

If you can get access to the wallet file in any way, then you can copy it out and import it into another instance of Armory.  Let me know how it goes.
Yes, the VM was restored to a previous point.  Damn.  I do have the actual BTC address that was associated with the wallet. 

Can I generate new keys from this address?
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
You might be alright.  Just because the machine crashes doesn't mean that the virtual disk drive is lost.  Very frequently, you can still access that drive (i.e. make a new VM and add the VM disk of the old one to it).   As long as you didn't restore to before the wallet was made -- any version of the wallet is fine for recovering all the coins.  If you restored to before that point in time, you would probably be SoL. 

If you can get access to the wallet file in any way, then you can copy it out and import it into another instance of Armory.  Let me know how it goes.
full member
Activity: 175
Merit: 100
I was using a virtual machine to run my Armory installation.  I created a new wallet, transferred funds, and then went back to an older image of the virtual machine.  The VM started crashing, etc.... I did not think the whole thing through in advance.  

Of course, I printed a paper copy.  But it was to a PDF file which was guess where, on the virtual machine.

I have the bitcoin address of the wallet but not any keys.  Can I recover these funds and if so how?
