Topic: Seek help to get back my private key... 7500$ reward. (Read 1204 times)

brand new
Activity: 0
Merit: 0
I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seems to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

The wallet has a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions, in order to make the transaction as safe as possible.



Hello, may I inquire if you still possess your key phrase? Having it would significantly facilitate the recovery process.








More info

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I very rarely use it because it's very old and slow. I can't remember what I did with this laptop... I think I messed with Windows in May 2020 (reinstall, recover...). I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

Crossing fingers. Thanks for your help.



[08.03.21] Current state of search :


Quote

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes, which are impossible to recover
21 wallets of 29 bytes; many of these cannot be dumped because they are encrypted.

Now we have to check the ones that are encrypted and their file sizes; this will show if it can be done and can be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted, so it all makes sense at this point in time. It will require further investigation, likely examination at the bit level.

A wallet has a specific structure, for example a start header and an end header. The positions of the elements in between are fixed, so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data, and when it slides over an old damaged wallet and there are still elements present, the overlay will match and identify the underlying data, and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
 \00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons; that is why you have to compare those nine bytes to the original file. If the original file is larger, then it means that there is more than those nine bytes.


legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Not even sure if LoyceV kept his copy of the file where he posted download links.
I couldn't find it anymore. It was before moving to a different server.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
The thread started almost three years ago and the last post is about 2.5 years ago when you necro-bumped it.

The OP was last active in February 2022. Do you really expect any answers from him? Not even sure if LoyceV kept his copy of the file where he posted download links. Have you tried those or asked him?
newbie
Activity: 1
Merit: 0
The link is invalid. Can you give me a file so that I can try it out? I have rich experience in the past
member
Activity: 102
Merit: 10
I found one encrypted address

   "mkey": {
        "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae45e941880972dc7a8b",
        "nDerivationIterations": 62166,
        "nDerivationMethod": 0,
        "nID": 1,
        "otherParams": "",
        "salt": "96d596871f9a2dcc"
    },


You can check your password on this encrypted_key.
Here is a guide:
https://bitcointalksearch.org/topic/m.7690647
If your password works, this will be your wallet with bitcoin.

It's been a while since I last checked this thread.
I will try! But there is little chance it's the winning wallet. There were many encrypted wallets on this disk.
newbie
Activity: 8
Merit: 0
I found one encrypted address

   "mkey": {
        "encrypted_key": "1665e0b9375c20a720c77799a7386eba77149b97bd34ebce42ee962882da8a3abfe566040b7aae45e941880972dc7a8b",
        "nDerivationIterations": 62166,
        "nDerivationMethod": 0,
        "nID": 1,
        "otherParams": "",
        "salt": "96d596871f9a2dcc"
    },


You can check your password on this encrypted_key.
Here is a guide:
https://bitcointalksearch.org/topic/m.7690647
If your password works, this will be your wallet with bitcoin.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
That means I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin ?

...

I didn't delete those files... you can try to download the demo version of Wondershare recovery. They are still there.


So the files you are looking for weren't permanently deleted but just tossed in the Recycle Bin? If that's the case then it shouldn't be hard to find. Search in the first bin, and then the names of each file and folder in there is going to be a long string of letters and numbers. These are IDs the Recycle Bin renames deleted files to, and it has these IDs in a database somewhere along with the old names which is used when you restore a file. So, the file name does not have to match ballet.dat or similar, it could be any .dat file except with a very long name on it.

Check the other .dat files, especially if they are only several KBs large - those could actually be the wallets you're looking for.
member
Activity: 102
Merit: 10
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived up to 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago, and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover ?



I'm just rereading your message. I need to recapitulate.

- If the first bin was created Nov 15 2013 : that was the old owner. Before I bought the laptop.

- On January 7th 2014 I created my Bitcoin wallets. Including the wallet we are searching for now.
   I deleted this wallet immediately. It was on the computer probably only a few hours.

- Second bin was created February 1st 2014.


That means I put the wallet in the first bin. 100%
If I understand correctly, I need to look for lost partitions and locate the first bin ?


@escobol I scanned C (the current vhd file is C) and then recovered the files on D. The program suggested to send those files to a different drive in order to avoid data loss.

I didn't delete those files... you can try to download the demo version of Wondershare recovery. They are still there.
member
Activity: 158
Merit: 39
The disk you scanned/recovered was D: right?
member
Activity: 102
Merit: 10
He overwrote it himself a few days ago and he knows it.

I didn't overwrite anything. If you do a search with Wondershare recovery those two ballet.dat files are still visible. About the other recovery programs, they never were able to find these files.

Other recovery programs found lots of .dat files but not the « ballet.dat ». I have no idea why.

I explained this on the previous page already.
member
Activity: 180
Merit: 38

On 25 February 2021 OP recovered these 2 dat files (you can search for the ballet.lnk); in my opinion after that he copied these 2 files and deleted them from the hdd (maybe with the use of some software that deleted and overwrote them? Why I think so: because there is no sign of these two dat files in any recovery software).

I agree.
He overwrote it himself a few days ago and he knows it.



And now he uploads the entire disk in the hopes that someone can magically get it back.

Sorry I forgot to answer about that point... in February I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not add the vhd of D, I don't think it's there).


With recovery software that you installed on the same disk you were trying to rescue, thereby destroying the thing you were looking for.
member
Activity: 102
Merit: 10
@escobol In February 2021 I scanned the C drive with the recovery software, then pasted the recovered files on the D drive (I did not add the vhd of D, I don't think it's there). If you scan C with Wondershare Recoverit you should still be able to see it.

I ran 4 brands of recovery programs, only one could find the ballet.dat
If I understand correctly I should not have done any scan before mounting the disk or create an image.

@Base16 I will try to check in lost partitions Bin. That may sound very stupid for computer programmers but I had no idea about how file deletion worked until a few weeks ago. Just presumed it was immediately overwritten.

Now,

I think the original bitcoin addresses I created in January 2014 could still be found in those encrypted .db files
I created 5 bitcoin addresses around January 7 2014. And the very first one is the winning one (starting 1FH...)

Will scan lost partition and check the bin. But I'm not sure I will be able to properly read the content.
member
Activity: 158
Merit: 39
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived up to 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago, and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover ?
That is the biggest mistake you can make.

READ ONLY !



On 25 February 2021 OP recovered these 2 dat files (you can search for the ballet.lnk); in my opinion after that he copied these 2 files and deleted them from the hdd (maybe with the use of some software that deleted and overwrote them? Why I think so: because there is no sign of these two dat files in any recovery software).
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Maybe i have a virus.

A virus can't manipulate the output of the pywallet scan to list wallets different from the ones in the VHD file. So I'm leaning towards the VHD having nothing interesting inside (the wallet file itself was deleted a while ago anyway, so it had plenty of time to get overwritten).

Keyhunter did not return anything against the VHD either, yes I did remember to unzip it.
member
Activity: 180
Merit: 38
I realized that I had made a mistake.

The previous recycler was created on 15 November 2013 and lived up to 1 February 2014, and the last modification was on 29 January 2014.
On 1 February 2014 the second recycler was created, which is still the current bin, and it was last modified on 25 February 2021.
So that is not too long ago, and I would tend to conclude that OP overwrote his own wallet less than two weeks ago.
Why would you write onto a drive that you are trying to recover ?
That is the biggest mistake you can make.

READ ONLY !

member
Activity: 102
Merit: 10
Current state of search :

Quote

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes, which are impossible to recover
21 wallets of 29 bytes; many of these cannot be dumped because they are encrypted.

Now we have to check the ones that are encrypted and their file sizes; this will show if it can be done and can be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted, so it all makes sense at this point in time. It will require further investigation, likely examination at the bit level.

A wallet has a specific structure, for example a start header and an end header. The positions of the elements in between are fixed, so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data, and when it slides over an old damaged wallet and there are still elements present, the overlay will match and identify the underlying data, and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
 \00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons; that is why you have to compare those nine bytes to the original file. If the original file is larger, then it means that there is more than those nine bytes.

member
Activity: 873
Merit: 22
I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seems to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link here :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

The wallet has a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions, in order to make the transaction as safe as possible.


More info

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I rarely use it because it's very old and slow. 60% of the disk is free. I can't remember what I did with this laptop... maybe I reinstalled Windows at some point. I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

If it fails, my last option would be to submit the disk to a forensic data recovery lab. Maybe they will be able to find something.

Crossing fingers. Thanks for your help.

Dave gives 20%, don't waste your time, wait for his answer, I think he will solve your problem... Br.

P.s. try send him message in this forum...
member
Activity: 180
Merit: 38

we found exactly 44 wallets.
From the OP's vhd image? And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats

No they were fake wallets that just happen to be there.
They also had a fake address inside.
I don't know what happened.
Maybe I have a virus.
HCP
legendary
Activity: 2086
Merit: 4363
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:
Code:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?

I used Windows... and the "old" Python2 version of pywallet... not the latest version.
Code:
c:\Python27\python.exe e:\pytest\pywallet.py --recover --recov_size=32Gio --recov_device=E:\d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir=E:\wallet_search

Note: you shouldn't use --dumpwallet and --recover together... you do one or the other.



we found exactly 44 wallets.
From the OP's vhd image? And were these confirmed wallets... or just BDB files? As, all wallet.dat's are BDB files, but not all BDB files are necessarily wallet.dats
full member
Activity: 217
Merit: 109
The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it. However it seems to be unusable.
Don't bother with those, use pywallet to scan a copy of the whole drive and use the passphrase. Don't share the results with anyone.
member
Activity: 180
Merit: 38
This is most likely coming from an old file table that was found on the drive, in such case it found the file entry and there will also be a point that tells you where to find the data.
You need that point to go see if there is anything left of that old data, when you use this type of recovery method.

You can also do a RAW scan without using partition and file tables.
In a recovery from RAW data this file will not show up as wallet.dat or ballet.dat because it's raw data, it does not have a filename anymore.
But it does have a header, so in such a case the file will pop up as ******.db because the recovery application picked up on its database header.
You can test the file in bash with $ file and it will tell you the exact type.

Code:
$ file ******.db

******.db Berkeley DB (Btree, version 9, native byte-order)

It can also show something else but in case of a wallet it will show Berkeley DB.

So if you found a wallet.dat then this does not mean that you found the actual wallet, it could be only a reference point.

But if you found a .db then you can be sure it's a database file, and I have found several, but they were already emptied.

We found exactly 44 wallets.


Dumped them with db-utils to see which ones were intact and which ones were corrupted or encrypted.
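
Added example, not part of any post in this thread and not pywallet's code: a read-only scan of a raw image for the header that `file` reports as "Berkeley DB (Btree ...)", followed by a check for wallet record names, since not every BDB file is a wallet. It assumes the Btree magic 0x00053162 at byte 12 of the metadata page, with version and page size after it and the last page number at byte 32; the function names, the marker list and the sample image are constructed for illustration.

```python
import io
import struct
import sys

BTREE_MAGIC = 0x00053162      # Berkeley DB Btree magic, at byte 12 of the metadata page
SECTOR = 512                  # files start on sector boundaries; only those are tested
PAGE_SIZES = {512 << i for i in range(8)}        # 512 .. 65536
MAGIC_BYTES = (struct.pack("<I", BTREE_MAGIC), struct.pack(">I", BTREE_MAGIC))
# Length-prefixed record names used as keys in Bitcoin-style wallet.dat files
# (assumed indicator list; a hit is a hint, not proof of a usable wallet).
WALLET_MARKERS = (b"\x04mkey", b"\x04ckey", b"\x03key", b"\x04name")


def parse_meta(sector):
    """Return header fields if `sector` starts a plausible Btree metadata page, else None."""
    if len(sector) < 36:
        return None
    for order, name in (("<", "little-endian"), (">", "big-endian")):
        magic, version, page_size = struct.unpack_from(order + "III", sector, 12)
        if magic != BTREE_MAGIC:
            continue
        (last_pgno,) = struct.unpack_from(order + "I", sector, 32)
        # Sanity checks reject random data that merely contains the magic bytes.
        if page_size in PAGE_SIZES and 0 < version < 32:
            return {"byte_order": name, "version": version,
                    "page_size": page_size, "last_pgno": last_pgno}
    return None


def scan_image(stream, chunk_sectors=2048, max_window=4 << 20):
    """Scan a seekable binary stream; return one dict per candidate database."""
    hits, base = [], 0
    while True:
        stream.seek(base)
        chunk = stream.read(chunk_sectors * SECTOR)
        if not chunk:
            return hits
        if any(m in chunk for m in MAGIC_BYTES):      # cheap prefilter per chunk
            for rel in range(0, len(chunk), SECTOR):
                meta = parse_meta(chunk[rel:rel + 36])
                if meta is None:
                    continue
                # Size the header declares; capped because the field may be corrupt.
                declared = (meta["last_pgno"] + 1) * meta["page_size"]
                stream.seek(base + rel)
                body = stream.read(min(declared, max_window))
                markers = sorted(m[1:].decode() for m in WALLET_MARKERS if m in body)
                hits.append(dict(meta, offset=base + rel, declared_size=declared,
                                 markers=markers, wallet_like=bool(markers)))
        base += len(chunk)


def _meta_page(version, page_size, last_pgno):
    page = bytearray(page_size)
    struct.pack_into("<III", page, 12, BTREE_MAGIC, version, page_size)
    struct.pack_into("<I", page, 32, last_pgno)
    return bytes(page)


def build_sample_image():
    """Constructed image: junk, a wallet-like BDB, junk, a non-wallet BDB, a decoy."""
    wallet_body = bytearray(4096)
    wallet_body[100:105] = b"\x04mkey"
    wallet_body[200:205] = b"\x04ckey"
    img = bytearray(b"\xaa" * (3 * SECTOR))            # junk, offsets 0..1535
    img += _meta_page(9, 4096, 1) + wallet_body        # wallet-like DB at offset 1536
    img += b"\xbb" * SECTOR                            # junk
    img += _meta_page(9, 4096, 0)                      # BDB with no wallet records, at 10240
    img += b"\x00" * 7 + _meta_page(9, 4096, 0)[:64]   # magic off a sector boundary: ignored
    return bytes(img)


if __name__ == "__main__":
    # Real use: pass the path of an image copy; it is only ever opened read-only.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        for hit in scan_image(src):
            print(hit)
```

A `wallet_like` hit only says that wallet record names sit inside the declared extent; the pages may still be partly overwritten, so each candidate has to be carved out and dumped separately.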

member
Activity: 102
Merit: 10
The recovery software found these files. I used Recuva, Puran, EaseUS... they could not find it. Only Recoverit from Wondershare was able to dig it. However it seems to be unusable.
member
Activity: 406
Merit: 47
file wallet.dat and wallet_1.dat

two file it is normal copy file from bitcoin folder

or wallet.dat this is recovery file from delete file

I think this is   recovery file right

because check wallet.dat , look like blank file, it is no data store inside

other file clone drive, I think clone drive not copy data all bits from drive, they copy only work file
so, file part have data is only on hard drive on laptop
member
Activity: 102
Merit: 10
Some info that might be useful.

Computer is an ASUS netbook Eee PC 1001PX
Disk is WDC WD2500BEVT-80A23T0

I bought this laptop second hand on eBay in January 2014.
I created my bitcoin wallets January 7th 2014, including the one we are searching for.
In total about 20 altcoin wallets and 5-6 Bitcoin wallets.

That particular bitcoin wallet I'm looking for was created on this laptop, I immediately made a copy on a SD card then deleted the original file. I think it was on this computer only for a few hours.

Does this have any importance ?

I rarely used that laptop since because it's old stuff.
I probably messed with Windows at some point, because I can see there is an unverified version of Windows running. I really can't remember what I did...

File should be named « ballet.dat » and « ballet_1.dat » (original + copy)
Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
member
Activity: 180
Merit: 38
Someone suggested to make an ISO 1:1 copy instead of .vhd
I'll do that too just in case.

Not necessarily an ISO, you can also use IMG.
But in any case a copy that includes all the RAW data from the drive regardless of partitions and file tables.
There is a lot of data on the vhd file; I did a scan and it recovered 159080 files.
Further examination is needed to look for the specific file contents, but given the amount of data this will take an awful lot of time.

member
Activity: 102
Merit: 10
Someone suggested to make an ISO 1:1 copy instead of .vhd
I'll do that too just in case.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

No it's not. Instead of private keys you will just get hashes of private keys instead.

There is a Python 2 script in Github called keyhunter, which searches for base58 legacy private keys, and I used it to do a disk search on your wallet.dat and wallet_1.dat files, but it did not return any hits.

Pywallet would not even open those files, it generated something like a "BDB error" which means it doesn't even think the file is a Berkeley database (the file format of wallet.dat).

I am downloading the VHD file right now and when that's done I'll keyhunter that too. I think VHD stores the host filesystem directly in the file without any manipulation or compression or other weird hiding.
full member
Activity: 217
Merit: 109
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
If you have the passphrase why don't you run pywallet yourself and reveal those encrypted keys? With the very kind help of HCP I managed to get it running. Check out this thread. https://bitcointalksearch.org/topic/pywallet-install-help-2398504
member
Activity: 102
Merit: 10
I don't know about the hex search but opening them with the notepad you can see a lot of nonsense (windows media script...). So yes they seem highly damaged.

I can confirm they are the correct files. Because of their creation date. They were created the right day and hour... no mistake possible.
member
Activity: 158
Merit: 39
these two *.dat files are not remains of wallet.dat (check hex)
member
Activity: 102
Merit: 10
Oh wait... could someone confirm it's actually useless to make a raw disk search for encrypted wallets ?

Related to this I found
https://bitcoin.stackexchange.com/questions/48070/format-of-mkey-field-in-encrypted-wallet-dat-file

That's what Pywallet is doing... Is there another, deeper method that Pywallet doesn't support ?

This thing is so frustrating because there are just too many things I don't understand. I will post this announcement on bitcoin stack as well. Hopefully some coding genius with 150IQ will be able to try something.

I don't have high hopes at this point but must try...


3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff

I think my best shot would be to ask them to search for the ballet.dat file itself. Hoping they will be able to recover a better version of it.

Then try to extract the content with Pywallet.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
There seem to be two recovery businesses operating
David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/
The second one has been around for years. Don't make a typo though, you might end up on a phishing site.
The first one you mentioned looks like an imposter: both the guy's name and the site's name seem to be created to make you think it's the real deal.

Quote
I contacted David but got no answer from Dave so far. Not sure what happened.
You keep confusing who's who too.

Quote
If you open the .dat files with windows notepad, both seem completely unreadable.
It's not supposed to be clear text.

Quote
1. Rescan with Pywallet + passphrase
That's a good start

Quote
2. Raw partition search for keys or key fragments (I can't do that myself)
I have no idea how likely this is to find anything useful when keys are encrypted. And I don't think it's very likely to find a part of a key still intact, while the rest is overwritten.

Quote
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
Add the fact that you're not even sure if there's any value left on the disk, and you may end up with an expensive disappointment.

@HCP: out of the 11764 possible encrypted keys, how many of those are duplicates?
member
Activity: 102
Merit: 10
No I gave random names to differentiate between all my wallets.

There seem to be two recovery businesses operating

David from https://walletrecovery.info/
Dave from https://walletrecoveryservices.com/

I contacted David but got no answer from Dave so far. Not sure what happened.

If you open the .dat files with windows notepad, both seem completely unreadable. The data recovery software still managed to compile the « wastes » under the right name.

Right now I think I should do

1. Rescan with Pywallet + passphrase
2. Raw partition search for keys or key fragments (I can't do that myself)
3. Forensic data recovery lab. But I don't even know what to tell them. They probably don't know so much about private keys and stuff
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The original title on disk was ballet.dat and ballet_1.dat
Just a guess: the first character ("w") of the filename was removed, and made up by the recovery program?

You said Dave checked those files, in that case I trust there's nothing there. Have you considered disclosing the password with the entire partition to Dave? I think he charges 20%.
member
Activity: 102
Merit: 10
Thank you much appreciated.

Here are the links to the .dat files (original+copy)
The original title on disk was ballet.dat and ballet_1.dat

They are highly damaged. There is not much to see.
http://www.filedropper.com/wallet_5
http://www.filedropper.com/wallet1
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.
I've uploaded the file to blockdata.loyce.club/tmp/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz. I'll update this post when it's ready. Done!
Let me know when you want it removed.

I compressed the file to increase download speed. These are sha256sum checksums:
Code:
d253d04a9bfa6768dd8ed3276d78eb44b90bb8f00a97f07344e32f42a538907a d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd # 32GB
599ce3cdd36d8a5954258b7edea94b1a6055f90fb490575de96de0e1a61f5257 d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd.gz # 17 GB
member
Activity: 102
Merit: 10
Some people complaining about the Mega link, could you suggest a good file sharing website ?
File is 30gb.

Is www.idrive.com good ?
member
Activity: 102
Merit: 10
if want to try yourself
use python 2.7 from Miniconda2

Thanks I will try tonight.

In case there are missing bits in the key, I guess Pywallet will not report it ?
That's another thing to consider. A deep analysis is necessary to be really sure.


problem it is store on encrypted keys is very hard to crack

I have the password. 100%... No you can't crack it. It's as complex as the private key itself +special characters.

Long story short I put 1.5BTC on a SD card for a sibling in 2014. But he lost it. That laptop is all I have now.

I already submitted the .dat to someone and he told me it's completely overwritten. If there are no readable keys in the .dat file, is it still possible to find the keys somewhere else on the disk ? Seems difficult but I need to try.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
PyWallet read the image file... gave this summary:
Code:
Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct
Pywallet n00b here: It gave me 39 possible wallets, 11764 possible encrypted keys and 105 possible unencrypted keys, followed by a segmentation fault. I don't think it wrote any of the keys to the output wallet file.
I used this:
Code:
./pywallet.py --recover --recover_size 33Gio --recov_device ~/d2630eda-4e56-11e3-99a1-806e6f6e6963.vhd --recov_outputdir recovered_wallets --dumpwallet
Can you share the command you used?

https://www.walletrecoveryservices.com/

Contact them if you haven't!
He did, but only with "completely overwritten" wallet.dat files. A raw search on the entire disk can still produce other results.
member
Activity: 406
Merit: 47

If you want to try it yourself,
use Python 2.7 from Miniconda2:

https://docs.conda.io/en/latest/miniconda.html
Python 2.7   Miniconda2 Windows 64-bit

Install Miniconda2; once done, you have Python 2.7 to run pywallet.

And get pywallet from GitHub:
https://github.com/jackjack-jj/pywallet
https://github.com/joric/pywallet

Create a folder named
C:\pywallet

pywallet command:
python pywallet.py --dumpwallet --datadir=C:\pywallet --passphrase=PASSWORD > dump.txt
or
python pywallet.py --dumpwallet --datadir=DATADIR --wallet=WALLETFILE --passphrase=PASSPHRASE

try your password unlimited wallet.dat now lock file

Ask about the command line in the thread:
https://bitcointalksearch.org/topic/pywallet-22-manage-your-wallet-update-required-34028
HCP
legendary
Activity: 2086
Merit: 4363
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
Given that I have an image of the drive... no. So, you'll probably need to get Python2.7 and "old" PyWallet working (or maybe Python3 + NewPyWallet), so that you can run PyWallet yourself and type in the possible passphrases for the encrypted wallets (assuming you actually think you know what the passphrases for those lost wallets might have been).
member
Activity: 406
Merit: 47

The problem is that it is stored as encrypted keys, which are very hard to crack.

I think using a recovery service is a better way. It needs a high-power GPU to calculate.

What wallet client was used on the notebook?
Possibly you cannot remember the password. I often cannot remember the passwords I was using 10 years ago.

Try writing down 10 possible passwords.
hero member
Activity: 2156
Merit: 711
Telegram @tokensfund
member
Activity: 102
Merit: 10
I see... I ignored that. Is there any possible workaround ?
Except if we can meet in person I'm afraid I can't reasonably send you my passphrase.
HCP
legendary
Activity: 2086
Merit: 4363
PyWallet read the image file... gave this summary:
Code:
Read 32.7 Go in 1.1 minutes

Found 39 possible wallets
Found 11764 possible encrypted keys
Found 171 possible unencrypted keys
Can't decrypt them as you didn't provide any passphrase.
The wallet is encrypted and the passphrase is correct

And then it output 109 private keys (actually 218 as it showed both the uncompressed and compressed keys)... I imported all of those to Electrum and nada:


So if there is anything for PyWallet to find, it will be in the "possible but encrypted" wallets/keys... however as mentioned, PyWallet won't do anything with them unless you know the correct passphrases that may have been used that you can feed it so it can attempt to decrypt the "11764 possible encrypted keys".
member
Activity: 102
Merit: 10
Are you sure that you want to share the VHD like that?

Yes, the password is strong. This laptop has no value for me; there is nothing important on the disk.
member
Activity: 158
Merit: 39
To the OP: for deep recovery, it needs to be done on the actual disk (not an image).
copper member
Activity: 2198
Merit: 1837
🌀 Cosmic Casino
Are you sure that you want to share the VHD like that?
Perhaps he's so sure that the password he used for the wallet is very strong and any other recoverable files in the VHD are not that important.
member
Activity: 158
Merit: 39
Are you sure that you want to share the VHD like that?
member
Activity: 102
Merit: 10
I lost a .dat wallet with 1.54BTC.

I found the file by scanning the original laptop used to create the wallet in 2014. Unfortunately the file seems to be highly damaged. Someone tried to extract the keys using Pywallet but it failed.

I am looking for a deep disk partition research, in order to find the key. Unfortunately I am not capable of doing this.

I am willing to give 10% to the person able to succeed. If that's even possible. Which is around ~7500$ now.

I created an image of the disk here :
https://mega.nz/file/ux4WQLDB#cc_OHpVKRNszxDrnl5Y4A1GwzfszlNNpVJwi43vtXJY

Alternative download link here :
https://bitcointalksearch.org/topic/m.56502435

Address : 1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq
https://www.blockchain.com/btc/address/1FHYSH65uKdVGhR7Y2QznxfBtLWhjotqUq

The wallet has a strong password. I'm ready to visit that person, or the other way around, preferably in the EU due to travel restrictions, in order to make the transaction as safe as possible.


More info

It's an old netbook from 2010 or even older. I bought it second hand just to create the wallets. I very rarely use it because it's very old and slow. I can't remember what I did with this laptop... I think I messed with windows in May 2020 (reinstall, recover...) I'm not sure.

I created about 20 altcoin wallets and 5 bitcoin wallets with that computer. So there might be other keys around.

Crossing fingers. Thanks for your help.



[08.03.21] Current state of search :


Quote

Found 22 altcoin wallets and 38 other wallets, while scanning .db files : Berkeley DB (Btree, version 9, native byte-order)

17 wallets with a size of 9 bytes which is impossible to recover
21 wallets of 29 bytes many of these can not be dumped because encrypted.

Now have to check the ones that are encrypted and their files size this will show if it can be done and be used as an indicator for the amount of effort it will take to try.

We know the wallet is encrypted so it all does make sense at this point in time. Will require further investigation likely examination on the bit level.

A wallet has a specific structure, for example like a start header and end header. Positions of the elements in between is fixed so we know what should be where after a certain start header and before a certain end header.

This means you drag a partial overlay over the remaining data and when it slides over an old damaged wallet, and there are still elements present, then the overlay will match and ID the underlying data and we make a snapshot of that for further examination.

If there are enough bits left on the drive then you would be able to recover the coins.

The 9 bytes wallets mentioned earlier are the standard that gets written in case of failure. Those look like this:

main
 \00\00\00\02
DATA=END

It is empty, but it can be empty for many reasons; that is why you have to compare those nine bytes to the original file. If the original file is larger then it means that there is more than those nine bytes.
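The sliding-overlay search described in the quoted status update, narrowed to the Berkeley DB Btree header that the scan reports, as an added example (not part of the thread and not PyWallet's code). It assumes databases start on a 512-byte sector boundary; the function names, the version bound and the sample image are constructed for illustration.

```python
import io
import struct

BTREE_MAGIC = 0x00053162  # Berkeley DB Btree magic, at byte 12 of the metadata page
SECTOR = 512              # assumption: database files begin on a sector boundary

def parse_meta(page):
    """Return header fields if `page` starts like a Btree metadata page, else None."""
    if len(page) < 24:
        return None
    for order, name in (("<", "little-endian"), (">", "big-endian")):
        # Layout after the 8-byte LSN: pgno, magic, version, pagesize (uint32 each).
        pgno, magic, version, pagesize = struct.unpack_from(order + "4I", page, 8)
        if magic != BTREE_MAGIC or pgno != 0:
            continue
        if not 1 <= version <= 10:  # loose sanity bound, an assumption
            continue
        if not 512 <= pagesize <= 65536 or pagesize & (pagesize - 1):
            continue  # page size must be a power of two in this range
        return {"byte_order": name, "version": version, "pagesize": pagesize}
    return None

def scan_image(stream, chunk_sectors=2048):
    """Slide over a raw image one sector at a time and list candidate headers."""
    hits, base = [], 0
    while True:
        chunk = stream.read(chunk_sectors * SECTOR)
        if not chunk:
            break
        for off in range(0, len(chunk), SECTOR):
            meta = parse_meta(chunk[off:off + 24])
            if meta:
                hits.append(dict(meta, offset=base + off))
        base += len(chunk)
    return hits

def build_sample_image():
    """Constructed 8-sector image: filler, one valid header, one decoy."""
    img = bytearray(b"\xAA" * (8 * SECTOR))
    struct.pack_into("<8x4I", img, 3 * SECTOR, 0, BTREE_MAGIC, 9, 4096)  # valid
    struct.pack_into("<8x4I", img, 5 * SECTOR, 0, BTREE_MAGIC, 9, 1000)  # bad page size
    return bytes(img)

if __name__ == "__main__":
    for hit in scan_image(io.BytesIO(build_sample_image())):
        print(hit)
```

A hit only marks where a database header survives; whether the pages after it still hold key records has to be checked separately.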
