
Topic: Seek help to get back my private key... 7500$ reward. - page 2. (Read 1204 times)

member
Activity: 180
Merit: 38
This is most likely coming from an old file table that was found on the drive, in such case it found the file entry and there will also be a point that tells you where to find the data.
You need that point to go see if there is anything left of that old data, when you use this type of recovery method.

You can also do a RAW scan without using partition and file tables.
In a recovery from RAW data this file will not show up as wallet.dat or ballet.dat because it's raw data, it does not have a filename anymore.
But it does have a header, so in such case the file will pop up as ******.db because the recovery application picked up on its database header.
You can test the file in bash with $ file and it will tell you the exact type.

Code:
$ file ******.db

******.db Berkeley DB (Btree, version 9, native byte-order)

It can also show something else but in case of a wallet it will show Berkeley DB.

So if you found a wallet.dat then this does not mean that you found the actual wallet, it could be only a reference point.

But if you found a .db then you can be sure it's a database file, and I have found several but they were already emptied.

We found exactly 44 wallets.

Dumped them with db-utils to see which ones were intact and which ones were corrupted or encrypted.
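
The RAW-scan idea from the post above (carving by the Berkeley DB header instead of by filename), as an added Python 3 example that is not part of the original thread or of any tool named in it. The `\x04mkey` / `\x03key` record-name check and the sample image are assumptions constructed for illustration.

```python
import mmap
import struct

BTREE_MAGIC = 0x00053162  # Berkeley DB Btree magic, stored at byte offset 12
SECTOR = 512              # carved files start on sector boundaries

def parse_meta(page):
    """Return (byte_order, version, pagesize) for a Btree metadata page, else None."""
    if len(page) < 24:
        return None
    for fmt, order in (("<III", "little-endian"), (">III", "big-endian")):
        magic, version, pagesize = struct.unpack_from(fmt, page, 12)
        # Magic alone gives chance hits on a big disk; also require sane fields.
        if (magic == BTREE_MAGIC and 0 < version < 32
                and 512 <= pagesize <= 65536 and pagesize & (pagesize - 1) == 0):
            return order, version, pagesize
    return None

def triage(blob):
    """Heuristic (assumption): length-prefixed record names used by wallet.dat."""
    if b"\x04mkey" in blob:
        return "encrypted (master key record present)"
    if b"\x03key" in blob:
        return "unencrypted key records"
    return "no key records (emptied or overwritten)"

def scan_image(image, window=1 << 20):
    """Return [(offset, version, pagesize, verdict)] for each candidate header."""
    hits = []
    for off in range(0, len(image) - 23, SECTOR):
        meta = parse_meta(image[off:off + 24])
        if meta:
            hits.append((off, meta[1], meta[2], triage(image[off:off + window])))
    return hits

def scan_file(path, window=1 << 20):
    """Scan a read-only disk image copy via mmap so a 32 GB file is not loaded."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return scan_image(m, window)

def build_sample():
    """Constructed 3-candidate image: encrypted wallet, emptied db, chance magic hit."""
    def db(pagesize, body=b""):
        head = bytes(12) + struct.pack("<III", BTREE_MAGIC, 9, pagesize)
        return (head + bytes(488) + body).ljust(4096, b"\0")
    return bytes(1024) + db(4096, b"\x04mkey") + db(4096) + db(1000)

if __name__ == "__main__":
    for hit in scan_image(build_sample(), window=4096):
        print("offset %d: version %d, pagesize %d, %s" % hit)
```

Point `scan_file()` at a copy of the image, not the original disk; a verdict of "no key records" matches the "already emptied" databases described above.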

member
Activity: 102
Merit: 10
The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it. However it seems to be unusable.
member
Activity: 406
Merit: 47
file wallet.dat and wallet_1.dat

two file it is normal copy file from bitcoin folder

or wallet.dat this is recovery file from delete file

I think this is recovery file right

because check wallet.dat , look like blank file, it is no data store inside

other file clone drive, I think clone drive not copy data all bits from drive, they copy only work file
so, file part have data is only on hard drive on laptop
member
Activity: 102
Merit: 10
Some info that might be useful.

Computer is an ASUS netbook Eee PC 1001PX
Disk is WDC WD2500BEVT-80A23T0

I bought this laptop second hand on EBay in January 2014.
I created my bitcoin wallets January 7th 2014, including the one we are searching.
In total about 20 altcoins wallets and 5-6 Bitcoin wallets.

That particular bitcoin wallet I'm looking for was created on this laptop, I immediately made a copy on a SD card then deleted the original file. I think it was on this computer only for a few hours.

Does this have any importance ?

I rarely used that laptop since because it's old stuff.
I probably messed with windows at some point, because I can see there is an unverified version of windows running. I really can't remember what I did...

File should be named « ballet.dat » and « ballet_1.dat » (original + copy)
Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
member
Activity: 180
Merit: 38
Quote
Someone suggested to make an ISO 1:1 copy instead of .vhd
I'll do that too just in case.

Not necessarily an ISO, you can also use IMG.
But in any case a copy that includes all the RAW data from the drive regardless of partitions and file tables.
There is a lot of data on the vhd file, I did a scan and it recovered 159080 files.
Further examination is needed to look for the specific file contents, but given the amount of data this will take an awful lot of time.

member
Activity: 102
Merit: 10
Someone suggested to make an ISO 1:1 copy instead of .vhd
I'll do that too just in case.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Quote
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

No it's not. Instead of private keys you will just get hashes of private keys instead.

There is a Python 2 script on GitHub called keyhunter, which searches for base58 legacy private keys, and I used it to do a disk search on your wallet.dat and wallet_1.dat files, but it did not return any hits.

Pywallet would not even open those files, it generated something like a "BDB error" which means it doesn't even think the file is a Berkeley database (the file format of wallet.dat).

I am downloading the VHD file right now and when that's done I'll keyhunter that too. I think VHD stores the host filesystem directly in the file without any manipulation or compression or other weird hiding.
full member
Activity: 217
Merit: 109
Quote
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
If you have the passphrase why don't you run pywallet yourself and reveal those encrypted keys? With the very kind help of HCP I managed to get it running. Check out this thread. https://bitcointalksearch.org/topic/pywallet-install-help-2398504
member
Activity: 102
Merit: 10
I don't know about the hex search but opening them with the notepad you can see a lot of nonsense (windows media script...). So yes they seem highly damaged.

I can confirm they are the correct files. Because of their creation date. They were created the right day and hour... no mistake possible.
member
Activity: 158
Merit: 39
these two *.dat files are not remains of wallet.dat (check hex)
member
Activity: 102
Merit: 10
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

Related to this I found
https://bitcoin.stackexchange.com/questions/48070/format-of-mkey-field-in-encrypted-wallet-dat-file

That's what Pywallet is doing... Is there another, deeper method that Pywallet doesn't support ?

This thing is so frustrating because there are just too many things I don't understand. I will post this announcement on bitcoin stack as well. Hopefully some coding genius with 150IQ will be able to try something.

I don't have high hopes at this point but must try...


3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

I think my best shot would be to ask them to search for the ballet.dat file itself. Hoping they will be able to recover a better version of it.

Then try to extract the content with Pywallet.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Quote
There seem to be two recovery businesses operating
David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/
The second one has been around for years. Don't make a typo though, you might end up on a phishing site.
The first one you mentioned looks like an imposter: both the guy's name and the site's name seem to be created to make you think it's the real deal.

Quote
I contacted David but got no answer from Dave so far. Not sure what happened.
You keep confusing who's who too.

Quote
If you open the .dat files with windows notepad, both seem completely unreadable.
It's not supposed to be clear text.

Quote
1. Rescan with Pywallet + passphrase
That's a good start :)

Quote
2. Raw partition search for keys or key fragments (I can't do that myself)
I have no idea how likely this is to find anything useful when keys are encrypted. And I don't think it's very likely to find a part of a key still intact, while the rest is overwritten.

Quote
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
Add the fact that you're not even sure if there's any value left on the disk, and you may end up with an expensive disappointment.

@HCP: out of the 11764 possible encrypted keys, how many of those are duplicates?
member
Activity: 102
Merit: 10
No I gave random names to differentiate between all my wallets.

There seem to be two recovery businesses operating

David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/

I contacted David but got no answer from Dave so far. Not sure what happened.

If you open the .dat files with windows notepad, both seem completely unreadable. The data recovery software still managed to compile the « wastes » under the right name.

Right now I think I should do

1. Rescan with Pywallet + passphrase
2. Raw partition search for keys or key fragments (I can't do that myself)
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The original title on disk was ballet.dat and ballet_1.dat
Just a guess: the first character ("w") of the filename was removed, and made up by the recovery program?

You said Dave checked those files, in that case I trust there's nothing there. Have you considered disclosing the password with the entire partition to Dave? I think he charges 20%.
member
Activity: 102
Merit: 10
Thank you much appreciated.

Here are the links to the .dat files (original+copy)
The original title on disk was ballet.dat and ballet_1.dat

They are highly damaged. There is not much to see.
http://www.filedropper.com/wallet_5
http://www.filedropper.com/wallet1
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Quote
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.
I've uploaded the file to blockdata.loyce.club/tmp/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz. I'll update this post when it's ready. Done!
Let me know when you want it removed.

I compressed the file to increase download speed. These are sha256sum checksums:
Code:
d253d04a9bfa6768dd8ed3276d78eb44b90bb8f00a97f07344e32f42a538907a d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd # 32GB
599ce3cdd36d8a5954258b7edea94b1a6055f90fb490575de96de0e1a61f5257 d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz # 17 GB
member
Activity: 102
Merit: 10
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.

Is www.idrive.com good ?
member
Activity: 102
Merit: 10
Quote
if want to try yourself
use python 2.7 from Miniconda2

Thanks I will try tonight.

In case there are missing bits in the key, I guess Pywallet will not report it ?
That's another thing to consider. A deep analysis is necessary to be really sure.


Quote
problem it is store on encrypted keys is very hard to crack

I have the password. 100%... No you can't crack it. It's as complex as the private key itself +special characters.

Long story short I put 1.5BTC on a SD card for a sibling in 2014. But he lost it. That laptop is all I have now.

I already submitted the .dat to someone and he told me it's completely overwritten. If there are no readable keys in the .dat file, is it still possible to find the keys somewhere else on the disk ? Seems difficult but I need to try.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Quote
PyWallet read the image file... gave this summary:
Code:
Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:
Code:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?

Quote
https://www.walletrecoveryservices.com/

Contact them if you haven't!
He did, but only with "completely overwritten" wallet.dat files. A raw search on the entire disk can still produce other results.
member
Activity: 406
Merit: 47

if want to try yourself
use python 2.7 from Miniconda2

https://docs.conda.io/en/latest/miniconda.html
Python 2.7   Miniconda2 Windows 64-bit

install Miniconda2, done, you got python 2.7 to run pywallet

and pywallet from github
https://github.com/jackjack-jj/pywallet
https://github.com/joric/pywallet

create folder name
C:\pywallet

command pywallet
python pywallet.py --dumpwallet  --datadir=C:\pywallet --passphrase=PASSWORD > dump.txt
or
python pywallet.py --dumpwallet  --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

try your password unlimited wallet.dat now lock file

ask command line from thread
https://bitcointalksearch.org/topic/pywallet-22-manage-your-wallet-update-required-34028