Topic: MAKOMK's Wallet Recover 0.3 Question - Viable Wallet??? (Read 175 times)

legendary
Activity: 2870
Merit: 7490
I will check out GNOME for a byte for byte copy, can you recommend any Linux live that comes with drive recovery/forensics?

I usually just use an Ubuntu/Debian live disc and install the tools I need to use. But I've used Knoppix (http://www.knopper.net/knoppix/index-en.html) in a few cases.

and are these programmes any better than Recuva, Steller, Get data back etc.

I never make comparisons since I usually use Linux OS.
HCP
legendary
Activity: 2086
Merit: 4361
I would like to get PyWallet working in Linux but I am having a hard time I am wondering if it is because I am using the newest Jack Jack but on python 2.7.
That is exactly the reason you are likely having issues... JackJack was updating PyWallet to be Python3 compatible... it probably broke things as there are a number of changes in Python3 that make it generally incompatible with Python2.


Quote
I will likely get the Core just to be sure, however as the wallet-recovery I was using seems to spit out 0000's I am wondering if HCP is correct and these magic numbers are actually a cause of the wallet recovery rebuild... that said what did it pick up in the first place could it be a false positive or an encrypted wallet hence 000's? maybe there is a reason to use PyWallet against this drive, perhaps it might be better extracting the key?
It may have been a false positive... and it found a "random" byte sequence that matched the private key marker, but was just filled with either garbage or zeros and so that is what it printed out... as far as I can tell looking at MAKOMK's tool, it *should* have printed the full HEX key details... the fact that it printed 0000's likely means that the actual extraction of the key data was unsuccessful.

But I'm unsure if that is related to the wallet being encrypted or not.
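
The marker scan and the all-zero false positive described in this reply, as an added example that is not part of the original posts and is not MAKOMK's or PyWallet's code. It assumes the marker is the DER prefix `02 01 01 04 20` (version 1, then a 32-byte octet string) that precedes an unencrypted EC private key, works on an in-memory buffer rather than a raw device, and reports only a truncated SHA-256 fingerprint of each candidate instead of the key bytes.

```python
import hashlib

# Assumption: DER "INTEGER 1, OCTET STRING (32 bytes)" prefix of an EC private key.
MARKER = bytes.fromhex("0201010420")
KEY_LEN = 32
# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def classify(candidate: bytes) -> str:
    """Decide whether the bytes after a marker could be a real private key."""
    if len(candidate) < KEY_LEN:
        return "truncated"          # marker sat at the very end of the image
    k = int.from_bytes(candidate, "big")
    if k == 0:
        return "all-zero"           # the 0000... output seen in the thread
    if k >= N:
        return "out-of-range"       # cannot be a secp256k1 private key
    if len(set(candidate)) < 8:
        return "low-entropy"        # padding or filler, not key material
    return "plausible"


def scan(image: bytes):
    """Return (offset, verdict, fingerprint) for every marker hit in image."""
    hits = []
    pos = image.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        cand = image[start:start + KEY_LEN]
        fingerprint = hashlib.sha256(cand).hexdigest()[:16]
        hits.append((pos, classify(cand), fingerprint))
        pos = image.find(MARKER, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed test image: three marker hits separated by zeroed sectors."""
    filler = bytes(512)
    fake_key = hashlib.sha256(b"constructed test key").digest()
    return (filler + MARKER + bytes(32)        # marker followed by zeros
            + filler + MARKER + fake_key       # marker followed by random-looking bytes
            + filler + MARKER + b"\xff" * 32   # marker followed by 0xFF filler
            + filler)


if __name__ == "__main__":
    for offset, verdict, fp in scan(build_sample_image()):
        print(f"offset {offset:#x}: {verdict} (sha256[:16]={fp})")
```

A hit classified as anything other than "plausible" is a marker match with no usable key data behind it; a "plausible" hit still has to be confirmed by importing it and checking the derived address.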
newbie
Activity: 7
Merit: 1
Hello,

Thanks EFT & HCP.

I will check out GNOME for a byte for byte copy, can you recommend any Linux live that comes with drive recovery/forensics? and are these programmes any better than Recuva, Steller, Get data back etc.

Ref KingZee wallet finder and PyWallet, do they both look for deleted files and/or parts of files if semi over written? I would like to get PyWallet working in Linux but I am having a hard time I am wondering if it is because I am using the newest Jack Jack but on python 2.7.

Quote
The tool is simply trying to find the "key" markers by searching your entire drive... then it attempts to extract the raw bytes at these points and then puts them into a new "wallet.dat" (ie. the recovered-wallet.dat file) as the private key...

As such, the markers you are seeing (magic bytes and bestblock etc) are likely the ones placed there by the recovery tool when it created the recovered-wallet.dat

I will likely get the Core just to be sure, however as the wallet-recovery I was using seems to spit out 0000's I am wondering if HCP is correct and these magic numbers are actually a cause of the wallet recovery rebuild... that said what did it pick up in the first place could it be a false positive or an encrypted wallet hence 000's? maybe there is a reason to use PyWallet against this drive, perhaps it might be better extracting the key?

As always thanks for your help.

Dan
HCP
legendary
Activity: 2086
Merit: 4361
2. I have WinHexed that recovered .dat and it does have a marker for magic bytes 62 31 05 00 09 00 00 00 & bestblock 010962657374626C6F636B. Is a wallet found with 1 key in MAKOMK wallet-recover-0.3 a viable wallet? or are these markers added in when a recovered-wallet.dat is created?
The tool is simply trying to find the "key" markers by searching your entire drive... then it attempts to extract the raw bytes at these points and then puts them into a new "wallet.dat" (ie. the recovered-wallet.dat file) as the private key...

As such, the markers you are seeing (magic bytes and bestblock etc) are likely the ones placed there by the recovery tool when it created the recovered-wallet.dat

newbie
Activity: 7
Merit: 1
Hi EFTbitcoin,

Thanks for coming back to me.

Quote
KingZee tools also can on windows (but not Windows 10 due to permission problem)

I have Windows 7 on that PC but it is the one that the recovered wallet.dat file was found on so I am trying not to install or write more stuff on it, it had been used quite heavily last year when I was backing all my stuff up to a small home server lots of write action, I am using a Linux live environment where possible now just in case.

Quote
I don't know, because
1. I've never heard of a tool called "MAKOMK's Wallet Recover". It would be great if you told us where you found/downloaded the tool, so other people who have a similar problem could find this thread in the future.

Here https://bitcointalksearch.org/topic/bitcoin-private-keywalletdat-data-recovery-tool-25091

I only used this because I believe the wallet that I am searching for to be that old (2009-2011) and hopefully unencrypted, it was hard to grasp Linux but I got there with this tool. I am struggling using PyWallet (JackJack's) on Linux I have 2 possible Linux environments I can boot to Xfce live recovery and the latest Ubuntu live disc and I will happily attempt the KingZee tool, however will need some guidance on the Linux side, the environments and commands are different and I am getting confused with the get repository commands in terminal.

As for Bitcoin Core this is still an option as far as I understand the core back then was far smaller, so I should not need to do a full sync just up to the end of 2012 for safety, any idea the rough size back then? I have a new SSD I had earmarked for a laptop but can stick the core on there for now, again don't want to be using the Windows 7 PC which had the data.

Thanks for all the help.

Dan
newbie
Activity: 7
Merit: 1
Thank you for your reply EFTBitcoin

In all honesty it is most likely very lost or deleted, I can find no trace of Bitcoin qt or %AppData% in any drives of XP, Vista or 7 from that time period and I recall quite clearly having that sw. I remember taking a backup to a flash drive but most of those have since had some quick formats possibly a full format.

1. As I said originally the MAKOMK wallet-recover-0.3 search found what it believes to be 1 key but it's all 0000's since then that main pc HD has been taken offline and is being interrogated using Linux live cd with the potential to try some other scanning tools, I am not great with Linux but learning. Is the KingZee tool a better scanner?

2. I have WinHexed that recovered .dat and it does have a marker for magic bytes 62 31 05 00 09 00 00 00 & bestblock 010962657374626C6F636B. Is a wallet found with 1 key in MAKOMK wallet-recover-0.3 a viable wallet? or are these markers added in when a recovered-wallet.dat is created?

Thanks

Dan
newbie
Activity: 7
Merit: 1
Hello,

After some more research I am considering a run of WinHex looking for the 64 char string after the 40 20 combo is this a viable route or am I better running a different wallet finder on this HDD? open to recommendations it was an old wallet pre 2012 hence using older code in wallet recover 0.3, the wallet may or may not have been encrypted.

I also have a USB I was damn sure had an offline backup of wallet.dat but it has been through some formats (quick formats from memory) between FAT and NTFS and had some moderate use as a driver disk for a server build it's only small at 1gig - any chance it could work? as no key was found on this drive using wallet finder 0.3 but I am so sure it was at one stage on that drive.

Thanks for any input.

Dan

newbie
Activity: 7
Merit: 1
Hello,
 
After many years of trying to track down a Wallet.Dat that I knew I had but deleted/misplaced, I have a glimmer of success and need a little advice.

I have managed to spend some time in the current climate scanning all of my old drives using Aidan's wallet recover 0.3 and have found what looks to be a remnant or at least a marker of an old wallet circa 2010-2012 most likely from BitCoin Core. I do have vague memories of using it and also an early mining pool but all traces of software are gone across all my hardware.

Out of all my drives this is the only trace in hundreds of hours searching and it fits the time frame, I won't bore you with my many failings (backups, formats of media and hot wallet issues) that led me to this point and simply want to know if this is expected output or not.

Output of the search provides a key has been found, however it is only 1 key not the 100's normally mentioned..... the output of the operation is showing as all 000's for both the Pub and Priv keys. Is this an encrypted or corrupt wallet? or simply masked for security? it also states fail 8832 dups! after the xxxx xxxx xxxx HD block searched, can anyone explain what that means?

I have since downloaded Jack Jacks PyWallet and the python environment + dependencies but something is not quite right, so I am still working that out.

Wallet is backed up a few times over so I can do some work on it and I am looking into further options, should I consider any other tools for the scan? could it even be viable? to add to this I have a vague recollection of writing down 12 words when I was living at my parents house 10 years ago, so there could be a missing piece of the puzzle.

Any help greatly appreciated.

Dan
