Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Pages:
Author

Topic: Seek help to get back my private key... 7500$ reward. - page 2. (Read 923 times)

BASE16
member
Activity: 180
Merit: 38
Re: Seek help to get back my private key... 7500$ reward.
March 07, 2021, 08:15:54 AM
#26
Quote from: Igor76200 on March 07, 2021, 08:01:12 AM
Someone suggested to make a iso 1:1 copy instead of .vhd
I'll do that too just in case.

Not necessarily a ISO you can also IMG
But in any case a copy that includes all the RAW data from the drive regardless of partitions and file tables.
There is a lot of data on the vhd file, i did a scan and it recovered 159080 files.
Further examination is needed to look for the specific file contents, but given the amount of data this will take an awful lot of time.

Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 07, 2021, 08:01:12 AM
#25
Someone suggested to make a iso 1:1 copy instead of .vhd
I'll do that too just in case.
NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: Seek help to get back my private key... 7500$ reward.
March 07, 2021, 07:23:49 AM
#24
Quote from: Igor76200 on March 06, 2021, 11:34:45 AM
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

No it's not. Instead of private keys you will just get hashes of private keys instead.

There is a Python 2 script in Github called keyhunter, which searches for base58 legacy private keys, and I used it to do a disk search on your wallet.dat and wallet_1.dat files, but it did not return any hits.

Pywallet would not even open those files, it generated something like a "BDB error" which means it doesn't even think the file is a Berkeley database (the file format of wallet.dat).

I am downloading the VHD file right now and when that's done I'll keyhunter that too. I think VHD stores the host filesystem directly in the file without any manipulation or compression or other weird hiding.
morbius55
full member
Activity: 217
Merit: 109
Re: Seek help to get back my private key... 7500$ reward.
March 07, 2021, 06:55:25 AM
#23
Quote from: Igor76200 on March 05, 2021, 09:40:14 PM
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
If you have the passphrase why don't you run pywallet yourself and reveal those encrypted keys? With the very kind help of HCP i managed to get it running. Check out this thread. https://bitcointalksearch.org/topic/pywallet-install-help-2398504
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 12:59:28 PM
#22
I don't know about the hex search but opening them with the notepad you can see a lot of nonsense (windows media script...). So yes they seem highly damaged.

I can confirm they are the correct files. Because of their creation date. They were created the right day and hour... no mistake possible.
escobol
member
Activity: 154
Merit: 39
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 12:34:53 PM
#21
this two *.dat files are not remains of wallet.dat (check hex)
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 11:34:45 AM
#20
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

Related to this I found
https://bitcoin.stackexchange.com/questions/48070/format-of-mkey-field-in-encrypted-wallet-dat-file

That's what Pywallet is doing... Is there another, deeper method that Pywallet don't support ?

This thing is so frustrating because there is just too many things I don't understand. I will post this announcement on bitcoin stack as well. Hopefully some coding genius with 150IQ will be able to try something.

I don't have high hopes at this point but must try...


Quote from: LoyceV on March 06, 2021, 10:29:17 AM
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

I think my best shot would be to ask them to search for the ballet.dat file itself. Hoping they will be able to recover a better version of it.

Then try to extract the content with Pywallet.

 Huh
LoyceV
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 10:29:17 AM
#19
Quote from: Igor76200 on March 06, 2021, 09:52:37 AM
There seem to be two recovery businesses operating
David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/
The second one has been around for years. Don't make a typo though, you might end up on a phishing site.
The first one you mentioned looks like an imposter: both the guy's name and the site's name seem to be created to make you think it's the real deal.

Quote
I contacted David but got no answer from Dave so far. Not sure what happened.
You keep confusing who's who too.

Quote
If you open the .dat files with windows notepad, both seem completely unreadable.
It's not supposed to be clear text.

Quote
1. Rescan with Pywallet + passphrase
That's a good start Smiley

Quote
2. Raw partition search for keys or key fragments (I can't do that myself)
I have no idea how likely this is to find anything useful when keys are encrypted. And I don't think it's very likely to find a part of a key still intact, while the rest is overwritten.

Quote
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
Add the fact that you're not even sure if there's any value left on the disk, and you may end up with an expensive disappointment.

@HCP: out of the 11764 possible encrypted keys, how many of those are duplicates?
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 09:52:37 AM
#18
No I gave random names to differentiate between all my wallets.

There seem to be two recovery businesses operating

David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/

I contacted David but got no answer from Dave so far. Not sure what happened.

If you open the .dat files with windows notepad, both seem completely unreadable. The data recovery software still managed to compile the « wastes » under the right name.

Right now I think I should do

1. Rescan with Pywallet + passphrase
2. Raw partition search for keys or key fragments (I can't do that myself)
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
LoyceV
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 09:02:10 AM
#17
Quote from: Igor76200 on March 06, 2021, 08:56:40 AM
The original title on disk was ballet.dat and ballet_1.dat
Just a guess: the first character ("w") of the filename was removed, and made up by the the recovery program?

You said Dave checked those files, in that case I trust there's nothing there. Have you considered disclosing the password with the entire partition to Dave? I think he charges 20%.
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 08:56:40 AM
#16
Thank you much appreciated.

Here is the links to the .dat files (original+copy)
The original title on disk was ballet.dat and ballet_1.dat

They are highly damaged. There is not much to see.
http://www.filedropper.com/wallet_5
http://www.filedropper.com/wallet1
LoyceV
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 08:09:21 AM
#15
Quote from: Igor76200 on March 06, 2021, 07:48:07 AM
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.
I've uploaded the file to blockdata.loyce.club/tmp/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz. I'll update this post when it's ready. Done!
Let me know when you want it removed.

I compressed the file to increase download speed. These are sha256sum checksums:
Code:
d253d04a9bfa6768dd8ed3276d78eb44b90bb8f00a97f07344e32f42a538907a d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd # 32GB
599ce3cdd36d8a5954258b7edea94b1a6055f90fb490575de96de0e1a61f5257 d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz # 17 GB
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 07:48:07 AM
#14
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.

Is www.idrive.com good ?
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 07:24:00 AM
#13
Quote from: fxsniper on March 06, 2021, 05:58:14 AM
if want to try yourself
use python 2.7 from Miniconda2

Thanks I will try tonight.

In case there is missing bits in the key, I guess Pywallet will not report it ?
That's another thing to consider. A deep analysis is necessary to be really sure.


Quote from: fxsniper on March 06, 2021, 01:38:05 AM
problem it is store on encrypted keys is very hard to crack

I have the password. 100%... No you can't crack it. It's as complex as the private key itself +special characters.

Long story short I put 1.5BTC on a SD card for a sibling in 2014. But he lost it. That laptop is all I have now.

I already submitted the .dat to someone and he told me it's completely overwritten. If there is no readable keys in the .dat file, is it still possible to find the keys somewhere else on the disk ? Seems difficult but I need to try.
LoyceV
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 06:39:38 AM
#12
Quote from: HCP on March 05, 2021, 09:22:31 PM
PyWallet read the image file... gave this summary:
Code:
Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:
Code:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?

Quote from: Murat on March 05, 2021, 09:56:56 PM
https://www.walletrecoveryservices.com/

Contact them if you haven't!
He did, but only with "completely overwritten" wallet.dat files. A raw search on the entire disk can still produce other results.
fxsniper
member
Activity: 406
Merit: 45
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 05:58:14 AM
#11

if want to try yourself
use python 2.7 from Miniconda2

https://docs.conda.io/en/latest/miniconda.html
Python 2.7   Miniconda2 Windows 64-bit

install Miniconda2  done you got python 2.7 for run pywallet

and pywallet from github
https://github.com/jackjack-jj/pywallet
https://github.com/joric/pywallet

create folder name
C:\pywallet

command pywallet
python pywallet.py --dumpwallet  --datadir=C:\pywallet --passphrase=PASSWORD > dump.txt
or
python pywallet.py --dumpwallet  --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

try you password unlimited wallet.dat now lock file

ask command line from thread
https://bitcointalksearch.org/topic/pywallet-22-manage-your-wallet-update-required-34028
HCP
legendary
Activity: 2086
Merit: 4314
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 04:50:32 AM
#10
Quote from: Igor76200 on March 05, 2021, 09:40:14 PM
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
Given that I have an image of the drive... no. So, you'll probably need to get Python2.7 and "old" PyWallet working (or maybe Python3 + NewPyWallet), so that you can run PyWallet yourself and type in the possible passphrases for the encrypted wallets (assuming you actually think you know what the passphrases for those lost wallets might have been).
fxsniper
member
Activity: 406
Merit: 45
Re: Seek help to get back my private key... 7500$ reward.
March 06, 2021, 01:38:05 AM
#9

problem it is store on encrypted keys is very hard to crack

I think using service recover i better way. it need high power GPU calculate

What wallet client use on notebook?
possible can not remember password  I am can not remember my password often using at 10 year ago.

try write password 10 possible
Murat
hero member
Activity: 2156
Merit: 711
Telegram @tokensfund
Re: Seek help to get back my private key... 7500$ reward.
March 05, 2021, 09:56:56 PM
#8
https://www.walletrecoveryservices.com/

Contact them if you haven't!
Igor76200
member
Activity: 102
Merit: 10
Re: Seek help to get back my private key... 7500$ reward.
March 05, 2021, 09:40:14 PM
#7
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
Pages:
Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Jump to: