
Topic: Seek help to get back my private key... 7500$ reward. (Read 923 times)

member
Activity: 102
Merit: 10
I found one encrypted address

   "mkey": {
        "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae45e941880972dc7a8b",
        "nDerivationIterations": 62166,
        "nDerivationMethod": 0,
        "nID": 1,
        "otherParams": "",
        "salt": "96d596871f9a2dcc"
    },


You can check your password against this encrypted_key.
Here is a guide:
https://bitcointalksearch.org/topic/m.7690647
If your password works, this will be your wallet with bitcoin.

It's been a while since I last checked this thread.
I will try! But there is little chance it's the winning wallet. There were many encrypted wallets on this disk.
newbie
Activity: 8
Merit: 0
I found one encrypted address

   "mkey": {
        "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae45e941880972dc7a8b",
        "nDerivationIterations": 62166,
        "nDerivationMethod": 0,
        "nID": 1,
        "otherParams": "",
        "salt": "96d596871f9a2dcc"
    },


You can check your password against this encrypted_key.
Here is a guide:
https://bitcointalksearch.org/topic/m.7690647
If your password works, this will be your wallet with bitcoin.
legendary
Activity: 1568
Merit: 6660
That means I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin?

...

I didn't delete those files... You can try to download the demo version of Wondershare recovery. They are still there.


So the files you are looking for weren't permanently deleted but just tossed in the Recycle Bin? If that's the case then it shouldn't be hard to find. Search in the first bin, and then the name of each file and folder in there is going to be a long string of letters and numbers. These are IDs the Recycle Bin renames deleted files to, and it has these IDs in a database somewhere along with the old names, which is used when you restore a file. So, the file name does not have to match ballet.dat or similar, it could be any .dat file except with a very long name on it.

Check the other .dat files, especially if they are only several KBs large - those could actually be the wallets you're looking for.
member
Activity: 102
Merit: 10
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived until 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover?



I'm just re-reading your message. I need to recapitulate.

- If the first bin was created Nov 15 2013: that was the old owner. Before I bought the laptop.

- On January 7th 2014 I created my Bitcoin wallets. Including the wallet we are searching now.
   I deleted this wallet immediately. It was on the computer probably only a few hours.

- Second bin was created February 1st 2014.


That means I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin?


@escobol I scanned C (the current vhd file is C) and then recovered the files on D. The program suggested sending those files to a different drive in order to avoid data loss.

I didn't delete those files... You can try to download the demo version of Wondershare recovery. They are still there.
member
Activity: 154
Merit: 39
The disk you scanned/recovered was D: right?
member
Activity: 102
Merit: 10
He overwrote it himself a few days ago and he knows it.

I didn't overwrite anything. If you do a search with Wondershare recovery those two ballet.dat files are still visible. About the other recovery programs, they never were able to find these files.

Other recovery programs found lots of .dat files but not the « ballet.dat ». I have no idea why.

I explained this on the previous page already.
member
Activity: 180
Merit: 38

On 25 February 2021 OP recovered these 2 dat files (you can search for the ballet.lnk). In my opinion, after that he copied these 2 files and deleted them from the HDD (maybe using some software that deleted and overwrote them? Why I think so: because there is no sign of these two dat files in any recovery software).

I agree.
He overwrote it himself a few days ago and he knows it.



And now he uploads the entire disk in the hope that someone can magically get it back.

Sorry I forgot to answer about that point... In February I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not add the vhd of D; I don't think it's there).


With recovery software that you installed on the same disk you were trying to rescue, thereby destroying the thing you were looking for.
member
Activity: 102
Merit: 10
@escobol In February 2021 I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not add the vhd of D; I don't think it's there). If you scan C with Wondershare Recoverit you should still be able to see it.

I ran 4 brands of recovery programs; only one could find the ballet.dat.
If I understand correctly, I should not have done any scan before mounting the disk or creating an image.

@Base16 I will try to check in the lost partitions' bin. That may sound very stupid to computer programmers, but I had no idea how file deletion worked until a few weeks ago. I just presumed it was immediately overwritten.

Now,

I think the original bitcoin addresses I created in January 2014 could still be found in those encrypted .db files.
I created 5 bitcoin addresses around January 7 2014. And the very first one is the winning one (starting 1FH...)

Will scan lost partition and check the bin. But I'm not sure I will be able to properly read the content.
member
Activity: 154
Merit: 39
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived until 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover?
That is the biggest mistake you can make.

READ ONLY !



On 25 February 2021 OP recovered these 2 dat files (you can search for the ballet.lnk). In my opinion, after that he copied these 2 files and deleted them from the HDD (maybe using some software that deleted and overwrote them? Why I think so: because there is no sign of these two dat files in any recovery software).
legendary
Activity: 1568
Merit: 6660
Maybe I have a virus.

A virus can't manipulate the output of the pywallet scan to list wallets different from the ones in the VHD file. So I'm leaning towards the VHD having nothing interesting inside (the wallet file itself was deleted a while ago anyway, so it had plenty of time to get overwritten).

Keyhunter did not return anything against the VHD either, yes I did remember to unzip it.
member
Activity: 180
Merit: 38
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived until 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover?
That is the biggest mistake you can make.

READ ONLY !

member
Activity: 102
Merit: 10
Current state of search:

Quote

Found 22 altcoin wallets and 38 other wallets while scanning .db files: Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes, which are impossible to recover
21 wallets of 29 bytes; many of these cannot be dumped because they are encrypted.

Now I have to check the ones that are encrypted and their file sizes; this will show whether it can be done and can be used as an indicator of the amount of effort it will take to try.

We know the wallet is encrypted, so it all makes sense at this point in time. It will require further investigation, likely examination at the bit level.

A wallet has a specific structure, for example a start header and an end header. The positions of the elements in between are fixed, so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data, and when it slides over an old damaged wallet and there are still elements present, the overlay will match and ID the underlying data, and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
 \00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons; that is why you have to compare those nine bytes to the original file. If the original file is larger, then it means that there is more than those nine bytes.

member
Activity: 814
Merit: 20
I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seems to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link here :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

The wallet has a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions, in order to make the transaction as safe as possible.


More info

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I rarely use it because it's very old and slow. 60% of the disk is free. I can't remember what I did with this laptop... maybe I reinstalled windows at some point. I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

If it fails, my last option would be to submit the disk to a forensic data recovery lab. Maybe they will be able to find something.

Crossing fingers. Thanks for your help.

Dave gives 20%, don't waste your time, wait for his answer, I think he will solve your problem... Br.

P.S. Try sending him a message in this forum...
member
Activity: 180
Merit: 38

we found exactly 44 wallets.
From the OP's vhd image? And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats

No they were fake wallets that just happen to be there.
They also had a fake address inside.
I don't know what happened.
Maybe I have a virus.
HCP
legendary
Activity: 2086
Merit: 4314
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:
Code:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?

I used Windows... and the "old" Python2 version of pywallet... not the latest version.
Code:
c:\Python27\python.exe e:\pytest\pywallet.py --recover --recov_size=32Gio --recov_device=E:\d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir=E:\wallet_search

Note: you shouldn't use --dumpwallet and --recover together... you do one or the other.



we found exactly 44 wallets.
From the OP's vhd image? And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats
full member
Activity: 217
Merit: 109
The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it up. However it seems to be unusable.
Don't bother with those, use pywallet to scan a copy of the whole drive and use the passphrase. Don't share the results with anyone.
member
Activity: 180
Merit: 38
This is most likely coming from an old file table that was found on the drive, in such case it found the file entry and there will also be a point that tells you where to find the data.
You need that point to go see if there is anything left of that old data, when you use this type of recovery method.

You can also do a RAW scan without using partition and file tables.
In a recovery from RAW data this file will not show up as wallet.dat or ballet.dat because it's raw data, it does not have a filename anymore.
But it does have a header, so in such a case the file will pop up as ******.db because the recovery application picked up on its database header.
You can test the file in bash with $ file and it will tell you the exact type.

Code:
$ file ******.db

******.db Berkeley DB (Btree, version 9, native byte-order)

It can also show something else but in case of a wallet it will show Berkeley DB.

So if you found a wallet.dat then this does not mean that you found the actual wallet, it could be only a reference point.

But if you found a .db then you can be sure it's a database file, and I have found several but they were already emptied.

We found exactly 44 wallets.


Dumped them with db-utils to see which ones were intact and which ones were corrupted or encrypted.
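An added example, not part of the thread and not code from pywallet or any recovery tool: a read-only carver that finds Berkeley DB Btree headers the way `file` identifies them in the post above, then separates bare BDB files from wallet candidates, as the earlier reply points out is necessary. The function names, the marker list and the constructed sample image are assumptions made for illustration; the header offsets are the standard Berkeley DB metadata page layout.

```python
import io, struct

BTREE_MAGIC = 0x00053162   # Btree magic, stored at byte 12 of a Berkeley DB metadata page
SECTOR = 512               # file data starts on a sector boundary, so only those are tested
# Length-prefixed record names found in Bitcoin Core wallet files (heuristic markers).
WALLET_MARKERS = (b"\x04mkey", b"\x04ckey", b"\x03key", b"\x04name")

def parse_meta(page):
    """Return (byte_order, version, pagesize) for a plausible Btree metadata page, else None."""
    if len(page) < 24:
        return None
    for order, fmt in (("little-endian", "<"), ("big-endian", ">")):
        pgno, magic, version, pagesize = struct.unpack_from(fmt + "4I", page, 8)
        # Page number 0 and a power-of-two page size filter out chance magic matches.
        if (magic == BTREE_MAGIC and pgno == 0 and 512 <= pagesize <= 65536
                and pagesize & (pagesize - 1) == 0):
            return order, version, pagesize
    return None

def scan_image(img, chunk=1 << 20, window=1 << 16):
    """Scan a seekable binary stream (open the image with mode "rb", never for writing)
    and list each sector-aligned Btree header with the wallet markers that follow it."""
    hits, base = [], 0
    while True:
        img.seek(base)
        buf = img.read(chunk)
        if not buf:
            return hits
        for off in range(0, len(buf), SECTOR):
            meta = parse_meta(buf[off:off + 24])
            if meta:
                img.seek(base + off)
                body = img.read(window)
                found = [m[1:].decode() for m in WALLET_MARKERS if m in body]
                hits.append({"offset": base + off, "order": meta[0], "version": meta[1],
                             "pagesize": meta[2], "markers": found})
        base += len(buf)

def build_sample_image():
    """Constructed 256 KiB sample: empty BDB, wallet-like BDB, and a bad-page-size decoy."""
    img = bytearray(256 * 1024)
    for pos, pagesize in ((4096, 4096), (131072, 4096), (196608, 1000)):
        img[pos:pos + 24] = struct.pack("<QIIII", 0, 0, BTREE_MAGIC, 9, pagesize)
    rec = b"\x04mkey" + bytes(4) + b"\x04name"   # constructed record names, no real key data
    img[135168:135168 + len(rec)] = rec          # second page of the wallet-like file
    return bytes(img)

def demo():
    """Scan the constructed sample image held in memory."""
    return scan_image(io.BytesIO(build_sample_image()))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A hit with an empty marker list is only a database header, which matches the emptied .db files described in the thread; a hit with markers is worth dumping from a copy of the image.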

member
Activity: 102
Merit: 10
The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it up. However it seems to be unusable.
member
Activity: 406
Merit: 45
The files wallet.dat and wallet_1.dat:

Are the two files normal copies from the bitcoin folder,

or is wallet.dat a file recovered from a deleted file?

I think this is a recovered file, right?

Because when I check wallet.dat, it looks like a blank file; there is no data stored inside.

As for the other file, the cloned drive: I think the clone does not copy all the bits from the drive, it copies only the working files.
So the part of the file that has data is only on the hard drive in the laptop.
member
Activity: 102
Merit: 10
Some info that might be useful.

Computer is an ASUS netbook Eee PC 1001PX
Disk is WDC WD2500BEVT-80A23T0

I bought this laptop second hand on eBay in January 2014.
I created my bitcoin wallets on January 7th 2014, including the one we are searching for.
In total about 20 altcoin wallets and 5-6 Bitcoin wallets.

That particular bitcoin wallet I'm looking for was created on this laptop. I immediately made a copy on an SD card, then deleted the original file. I think it was on this computer only for a few hours.

Does this have any importance?

I rarely used that laptop since because it's old stuff.
I probably messed with windows at some point, because I can see there is an unverified version of windows running. I really can't remember what I did...

File should be named « ballet.dat » and « ballet_1.dat » (original + copy)
Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq