Seek help to get back my private key... 7500$ reward.

ben.cabe2022

brand new

Activity: 0

Merit: 0

Quote from: Igor76200 on March 05, 2021, 12:35:08 PM

I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seem to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

Wallet have a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions. In order to make the transaction as safe as possible.

Hello, may I inquire if you still possess your key phrase? Having it would significantly facilitate the recovery process.

More infos

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I very rarely use it because it's very old and slow. I can't remember what I did with this laptop... I think I messed with windows in May 2020 (reinstall, recover...) I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

Crossing fingers. Thanks for your help.

[08.03.21] Current state of search :

Quote

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes which is impossible to recover
21 wallets of 29 bytes many of these can not be dumped because encrypted.

Now have to check the ones that are encrypted and their files size this will show if it can be done and be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted so it all does make sense at this point in time. Will require further investigation likely examination on the bit level.

A wallet has a specific structure, for example like a start header and end header. Positions of the elements in between is fixed so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data and when it slides over a old damaged wallet, and there are still elements present then the overlay will match and ID the underlaying data and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
\00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons that is why you have to compare those nine bytes to the original file. If the original file is larger then it means that there is more then those nine bytes.

LoyceV

legendary

Activity: 3290

Merit: 16489

Thick-Skinned Gang Leader and Golden Feather 2021

Quote from: Cricktor on August 04, 2024, 03:58:53 PM

Not even sure if LoyceV kept his copy of the file where he posted download links.

I couldn't find it anymore. It was before moving to a different server.

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

Quote from: shoulderme on August 02, 2024, 05:47:41 AM

The thread started almost three years ago and the last post is about 2.5 years ago when you necro-bumped it.

The OP was last active in February 2022. Do you really expect any answers from him? Not even sure if LoyceV kept his copy of the file where he posted download links. Have you tried those or asked him?

shoulderme

newbie

Activity: 1

Merit: 0

The link is invalid. Can you give me a file so that I can try it out? I have rich experience in the past

Igor76200

member

Activity: 102

Merit: 10

Quote from: dymon on August 12, 2021, 10:17:08 AM

I found one encrypted address

   "mkey": {
   "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae4 5e941880972dc7a8b",
   "nDerivationIterations": 62166,
   "nDerivationMethod": 0,
   "nID": 1,
   "otherParams": "",
   "salt": "96d596871f9a2dcc"
   },

you can check password on this encrypted_key
here is guide
https://bitcointalksearch.org/topic/m.7690647
if your password works this will be your wallet with bitcoin

It's been a while since I last checked this thread.
I will try ! But there is little chance it's the winning wallet. There was many encrypted wallets on this disk.

dymon

newbie

Activity: 8

Merit: 0

I found one encrypted address

   "mkey": {
   "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae4 5e941880972dc7a8b",
   "nDerivationIterations": 62166,
   "nDerivationMethod": 0,
   "nID": 1,
   "otherParams": "",
   "salt": "96d596871f9a2dcc"
   },

you can check password on this encrypted_key
here is guide
https://bitcointalksearch.org/topic/m.7690647
if your password works this will be your wallet with bitcoin

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: Igor76200 on March 08, 2021, 07:16:46 PM

That mean I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin ?

...

I didn't deleted those file... you can try to download the demo version of Wondershare recovery. They are still there.

So the files you are looking for weren't permanently deleted but just tossed in the Recycle Bin? If that's the case then it shouldn't be hard to find. Search in the first bin, and then the names of each file and folder in there is going to be a long string of letters and numbers. These are IDs the Recycle Bin renames deleted files to, and it has these IDs in a database somewhere along with the old names which is used when you restore a file. So, the file name does not have to match ballet.dat or similar, it could be any .dat file except with a very long name on it.

Check the other .dat files, especially if they are only several KBs large - those could actually be the wallets you're looking for.

Igor76200

member

Activity: 102

Merit: 10

Quote from: BASE16 on March 08, 2021, 04:09:10 AM

I realized that I had made a mistake.

The previous recycler was created at 15 November 2013 and lived up to 1 February 2014 and the last modification was at 29 January 2014.
On 1 February 2014 the second recycler was created which still is the current bin and it was last modified at 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less then two weeks ago.
Why would you write onto a drive that you are trying to recover ?

I'm just re reading your message. I need to recapitulate.

- If the first bin was created nov 15 2013 : that was the old owner. Before I bought the Laptop.

- On January 7th 2014 I created my Bitcoin wallets. Including the wallet we are searching now.
I deleted this wallet immediately. It was on the computer probably only a few hours.

- Second bin was created February 1st 2014.

That mean I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin ?

@escobol I scanned C (the current vhd file is C) and then recovered the files on D. The program suggested to send those files on a different drive in order to avoid data loss.

I didn't deleted those file... you can try to download the demo version of Wondershare recovery. They are still there.

escobol

member

Activity: 158

Merit: 39

The disk you scanned/recovered was D: right?

Igor76200

member

Activity: 102

Merit: 10

Quote from: BASE16 on March 08, 2021, 08:41:08 AM

He overwrote it himself a few days ago and he knows it.

I didn't overwrite anything. If you do a search with Wondershare recovery those two ballet.dat files are still visible. About the other recovery programs, they never were able to find these files.

Other recovery programs found lots of .dat files but not the « ballet.dat ». I have no idea why.

I explained this on the previous page already.

BASE16

member

Activity: 180

Merit: 38

Quote from: escobol on March 08, 2021, 07:41:38 AM

On 25 february 2021 OP recovered this 2 dat files (you can search for the ballet.lnk), in my opinion after that he copied this 2 files and deleted them from hdd (maybe with use of some software that deleted and overwrote them? - why ithink so - because there is no sign of this two dat files in any recovery software)

I agree.
He overwrote it himself a few days ago and he knows it.

And now he upload the entire disk in the hopes that someone can magically get it back/

Quote from: Igor76200 on March 08, 2021, 08:39:47 AM

Sorry I forgot to answer about that point... in February I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not added the vhd of D I don't think it's there).

With recovery software that you installed on the same disk you was trying to rescue thereby destroying the thing you were looking for.

Igor76200

member

Activity: 102

Merit: 10

@escobol In February 2021 I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not added the vhd of D I don't think it's there). If you scan C with Wondershare Recoverit you should still be able to see it.

I ran 4 brands of recovery programs, only one could find the ballet.dat
If I understand correctly I should not have done any scan before mounting the disk or create an image.

@Base16 I will try to check in lost partitions Bin. That may sound very stupid for computer programmers but I had no idea about how file deletion worked until a few weeks ago. Just presumed it was immediately overwritten.

Now,

I think the original bitcoin addresses I created in January 2014 could still be found in those encrypted .db files
I created 5 bitcoin adresses around January 7 2014. And the very first one is the winning one (starting 1FH...)

Will scan lost partition and check the bin. But I'm not sure I will be able to properly read the content.

escobol

member

Activity: 158

Merit: 39

Quote from: BASE16 on March 08, 2021, 04:09:10 AM

I realized that I had made a mistake.

The previous recycler was created at 15 November 2013 and lived up to 1 February 2014 and the last modification was at 29 January 2014.
On 1 February 2014 the second recycler was created which still is the current bin and it was last modified at 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less then two weeks ago.
Why would you write onto a drive that you are trying to recover ?
That is the biggest mistake you can make.

READ ONLY !

On 25 february 2021 OP recovered this 2 dat files (you can search for the ballet.lnk), in my opinion after that he copied this 2 files and deleted them from hdd (maybe with use of some software that deleted and overwrote them? - why ithink so - because there is no sign of this two dat files in any recovery software)

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: BASE16 on March 07, 2021, 04:19:34 PM

Maybe i have a virus.

A virus can't manipulate the output of the pywallet scan to list wallets different from the ones in the VHD file. So I'm leaning towards the VHD having nothing interesting inside (the wallet file itself was deleted a while ago anyway, so it had plenty of time to get overwritten).

Keyhunter did not return anything against the VHD either, yes I did remember to unzip it.

BASE16

member

Activity: 180

Merit: 38

I realized that I had made a mistake.

The previous recycler was created at 15 November 2013 and lived up to 1 February 2014 and the last modification was at 29 January 2014.
On 1 February 2014 the second recycler was created which still is the current bin and it was last modified at 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less then two weeks ago.
Why would you write onto a drive that you are trying to recover ?
That is the biggest mistake you can make.

READ ONLY !

Igor76200

member

Activity: 102

Merit: 10

Current state of search :

Quote

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes which is impossible to recover
21 wallets of 29 bytes many of these can not be dumped because encrypted.

Now have to check the ones that are encrypted and their files size this will show if it can be done and be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted so it all does make sense at this point in time. Will require further investigation likely examination on the bit level.

A wallet has a specific structure, for example like a start header and end header. Positions of the elements in between is fixed so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data and when it slides over a old damaged wallet, and there are still elements present then the overlay will match and ID the underlaying data and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
\00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons that is why you have to compare those nine bytes to the original file. If the original file is larger then it means that there is more then those nine bytes.

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: Igor76200 on March 05, 2021, 12:35:08 PM

I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seem to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link here :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

Wallet have a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions. In order to make the transaction as safe as possible.

More infos

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I rarely use it because it's very old and slow. 60% of the disk is free. I can't remember what I did with this laptop... maybe I reinstalled windows at some point. I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

If it fail, my last option would be to submit the disk to a forensic data recovery lab. Maybe they will be able to find something.

Crossing fingers. Thanks for your help.

Dave give 20%, dont waste your time, wait his answer, Inthin he will solve your problem... Br.

P.s. try send him message in this forum...

BASE16

member

Activity: 180

Merit: 38

Quote from: HCP on March 07, 2021, 03:23:41 PM

Quote from: BASE16 on March 07, 2021, 10:17:53 AM

we found exactly 44 wallets.

From the OP's vhd image? Huh

And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats Wink

No they were fake wallets that just happen to be there.
They also had a fake address inside.
I don't know what happened.
Maybe i have a virus.

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: LoyceV on March 06, 2021, 05:39:38 AM

Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:

Code:

./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet

Can you share the command you used?

I used Windows... and the "old" Python2 version of pywallet... not the latest version.

Code:

c:\Python27\python.exe e:\pytest\pywallet.py --recover --recov_size=32Gio --recov_device=E:\d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir=E:\wallet_search

Note: you shouldn't use --dumpwallet and --recover together... you do one or the other. Wink

Quote from: BASE16 on March 07, 2021, 10:17:53 AM

we found exactly 44 wallets.

From the OP's vhd image? Huh

And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats Wink

morbius55

full member

Activity: 217

Merit: 109

Quote from: Igor76200 on March 07, 2021, 10:07:04 AM

The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it. However it seem to be unusable.

Don't bother with those, use pywallet to scan a copy of the the whole drive and use the passphrase. Don't share the results with anyone.

Topic: Seek help to get back my private key... 7500$ reward. (Read 1191 times)