
Topic: Treasure Hunt - Recover wallet.dat from JAN2010 (Read 710 times)

member
Activity: 102
Merit: 10
February 26, 2021, 12:49:27 AM
#16
Hello sir,

I'm in the exact same situation: I used file recovery software to recover my lost wallet, but unfortunately the .dat is partly overwritten. Pywallet could not extract anything. I wonder if I'm screwed. I have less computer knowledge than you, so I was wondering, did you try the professional recovery services? What would you ask them exactly?

Best of luck.

PS : David the owner of walletrecovery.info did the pywallet search for me (for free).
HCP
legendary
Activity: 2086
Merit: 4361
It's the way you're using the --recov_size parameter... I think the '.' character and all the extra 0's might be confusing it...

Try using
Code:
--recov_size 8Gio

So, full command:
Code:
python pywallet.py --recover --recov_size=8Gio --recov_device \vaio\desktop --recov_outputdir \vaio\documents
newbie
Activity: 15
Merit: 2
Hi,

Believe I managed to run pywallet.py successfully, on a laptop with a fresh install of MXLinux (first time user).

Code:
vaio@vaio:~/Downloads
$ python pywallet.py --version
pywallet.py 1.1
vaio@vaio:~/Downloads
$ python pywallet.py --tests
......
----------------------------------------------------------------------
Ran 6 tests in 2.306s

OK
vaio@vaio:~/Downloads
$ python pywallet.py --random_key
'ecdsa' package is not installed, pywallet won't be able to sign/verify messages
Network: Bitcoin
Compressed: False
P2PKH Address:       1NcXgMwcTpAXivZj2wR4SPEhLPmHdFiuHV
Privkey:             5JbWYDZeZs6ZeqftB57uzxrWtTL3DNfqkNsbfdY8AbYsDrFvFAN
Hexprivkey:          66af6e2a205239a2af627b09f5c9de6088042ecfc2a197ca64154e5129fa5b46
Hash160:             ed12cf3239768d1b5eeb47d4cc0d9625403a90f9
Pubkey:              043c33eaf594a9af0468792bf174cbb794545d258de72264062fc763f4f7f70a485b6ddff038539328e1b4152a984cc6d07a5c012e4ae2e7329d997be53d39e3a1

Network: Bitcoin
Compressed: True
P2PKH Address:       15wDZXfDaaCWyVfAXLY9wQX7DrWCUrkTeF
P2SH-P2WPKH Address: 3ESTc8djQyEu26kZ53t5zioyyWAe5xLjpD
P2WPKH Address:      bc1qxcshxj8gfamqcdwnlha36w5yacja8exa5tdr7x
Privkey:             KzfKNnT6p47Z81pcsTBWvqXYv7D2mceSATYL1WGNdMVefb587YPv
Hexprivkey:          66af6e2a205239a2af627b09f5c9de6088042ecfc2a197ca64154e5129fa5b46
pywallet.py:2887: UserWarning:     For compressed keys, the hexadecimal private key sometimes contains an extra '01' at the end
Hash160:             36217348e84f760c35d3fdfb1d3a84ee25d3e4dd
Pubkey:              033c33eaf594a9af0468792bf174cbb794545d258de72264062fc763f4f7f70a48
vaio@vaio:~/Downloads
$ python pywallet.py --whitepaper
Wrote the Bitcoin whitepaper to bitcoin_whitepaper_.pdf

I ran the 4 commands above with no problems - even managed to download BTC's whitepaper, which, I understand from jackjack's thread, is a recent feature.

However when trying to use the --recover command I get the following error:
Code:
 vaio@vaio:~/Downloads
$ python pywallet.py --recover --recov_size=008.0Gio --recov_device \vaio\desktop --recov_outputdir \vaio\documents
Traceback (most recent call last):
  File "pywallet.py", line 3731, in <module>
    size = read_device_size(options.recov_size)
  File "pywallet.py", line 2000, in read_device_size
    n, prefix, bi = re.match(r'(\d+)(|k|M|G|T|P)(i?)[oB]?$', size).groups()
AttributeError: 'NoneType' object has no attribute 'groups'

I tried a lot of syntax but am still pretty sure I failed it. Is this all I am failing with?

Cheers
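An added example (not pywallet's own code and not from any poster): the pattern quoted in the traceback above, wrapped in a parser that reports a bad --recov_size value instead of failing on `.groups()`. The function names are assumptions, as is treating an `i` suffix as 1024-based and a bare prefix as 1000-based.

```python
import re

# Pattern as quoted in the traceback (pywallet.py, read_device_size).
SIZE_RE = re.compile(r'(\d+)(|k|M|G|T|P)(i?)[oB]?$')
PREFIXES = ['', 'k', 'M', 'G', 'T', 'P']


def parse_recov_size(text):
    """Return the size in bytes, or raise ValueError naming the bad value."""
    m = SIZE_RE.match(text)
    if m is None:
        # re.match() returned None: this is the case that surfaced in the
        # thread as "'NoneType' object has no attribute 'groups'".
        raise ValueError("unsupported size %r: use digits, an optional "
                         "k/M/G/T/P prefix, optional i, optional o or B" % text)
    number, prefix, binary = m.groups()
    # Assumption for this example: 'i' means powers of 1024, otherwise 1000.
    base = 1024 if binary else 1000
    # int() accepts leading zeros, so '008Gio' parses; the '.' is what the
    # pattern has no place for.
    return int(number) * base ** PREFIXES.index(prefix)


def suggest_fix(text):
    """Rewrite e.g. '008.0Gio' to '8Gio'; None if no exact rewrite exists."""
    m = re.match(r'(\d+)\.(\d+)(.*)$', text)
    if m is None:
        return None
    whole, fraction, rest = m.groups()
    if int(fraction) != 0:
        return None  # 7.5Gio is not a whole number of Gio
    candidate = str(int(whole)) + rest
    return candidate if SIZE_RE.match(candidate) else None


if __name__ == "__main__":
    # Constructed sample values, including the one from the failing command.
    for value in ["8Gio", "008Gio", "008.0Gio", "7.5Gio"]:
        try:
            print(value, "->", parse_recov_size(value), "bytes")
        except ValueError as err:
            print(value, "-> rejected:", err,
                  "| suggestion:", suggest_fix(value))
```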
newbie
Activity: 15
Merit: 2
I spent a few hours with python and was progressing slowly. I was not able to install Twisted because even pip has apparently stopped supporting older versions of python.
Note that twisted was only needed for the fancy "WebUI" for PyWallet that never really took off... and which jackjack has removed in the recent updates... it isn't actually needed for the base pywallet.py commandline tool.

You do still need the bsddb package though.

Thank you, this is helpful. I am already setting up a different computer with Win10 pro but will see if I can progress where I left off yesterday without Twisted.

cheers
HCP
legendary
Activity: 2086
Merit: 4361
I spent a few hours with python and was progressing slowly. I was not able to install Twisted because even pip has apparently stopped supporting older versions of python.
Note that twisted was only needed for the fancy "WebUI" for PyWallet that never really took off... and which jackjack has removed in the recent updates... it isn't actually needed for the base pywallet.py commandline tool.

You do still need the bsddb package though.
newbie
Activity: 15
Merit: 2
Thanks, I think I will try to use Windows-based tools for cloning the disk, but I appreciate the suggestion.
As for Proton, it is something quite interesting, especially because it is being developed by Valve - 99% of my games are in a Steam account.

Update:

While going through what I have done in 2017 I discovered that maybe I am not as stupid as I sound.

I did an image of the HD and ran WinHex on said image. I cannot recall exactly but believe the image was done using WinHex - I still have the image on a USB hard drive and plan on running pywallet there.

Separately I will proceed to do more clones of the original HD.

I spent a few hours with python and was progressing slowly. I was not able to install Twisted because even pip has apparently stopped supporting older versions of python. As I was using my private computer, which runs Windows 7 professional, I was using Python27 and was unable to further progress the preparation to run pywallet.
Any suggestions on how to proceed? Seems like booting some linux version on that computer I intend to use to run pywallet is my easiest way out.

Cheers
newbie
Activity: 15
Merit: 2
If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more?

Reading from the disk does not mess with its contents so you're alright with cloning it before sending it off to a recovery firm.

With the current BTC price at $47K, once-measly amounts of bitcoin are now worth fortunes especially given that you got a wallet from 2010. If the amount of bitcoin in the wallet exceeds the costs of a professional data recovery then do it, especially given that 5 or even just 1 BTC is worth tens of thousands of dollars today.

Thanks. I guess the question then becomes what should I ask them to look for specifically. At my current level of knowledge I am still far away from knowing how to answer that.

Side note: I remember that when I first started messing with hardware, HDs had a combination of pins that would allow a disk to be made read only - not sure if that was a particular thing or a general characteristic.

Cheers
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more?

Reading from the disk does not mess with its contents so you're alright with cloning it before sending it off to a recovery firm.

With the current BTC price at $47K, once-measly amounts of bitcoin are now worth fortunes especially given that you got a wallet from 2010. If the amount of bitcoin in the wallet exceeds the costs of a professional data recovery then do it, especially given that 5 or even just 1 BTC is worth tens of thousands of dollars today.
newbie
Activity: 15
Merit: 2
INFO "Filename: 49C7D454d01 Path: D:\?
Size: 30.6 KB (31,348)
State: Very poor
Creation time: 1/31/2010 19:59
Last modification time: 1/31/2010 19:59
Last access time: 1/31/2010 19:59
Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup"
6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5)
4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132"


Your wallet file has the first 6 of its 8 sectors overwritten by some Firefox file, and not Recuva, which amounts to the first 24KB of the 30.6KB gone from your hard disk. It is highly likely the Berkeley DB table that holds the private keys was at the beginning of the file and therefore overwritten. Unless you have clones from before the time you installed Firefox, your odds of recovery are low. I'm not sure if even a recovery service can help you here since the sector data was overwritten.

Thank you Sir!
I agree with it being overwritten with Firefox! Recuva is just the recovery software I was dumb enough to use without having cloned the HD beforehand. (don't judge too much installing Firefox... it was all the rage back then).
This certainly lowers the Chance of Success and increases a bit the frustration - it really seems that it is close. How I wish the private keys were at those last 6 KB!

If you were in my shoes, do you think considering professional data recovery service would be an option? I read somewhere that sometimes it is possible to infer underlying data after being overwritten (it sure beats my simple brain model of a hard drive where you have either a 0 or a 1 recorded in a magnetic plate). If going for that would you still Clone beforehand or just don't touch it any more?

Cheers



  • Can I use a partitioned External USB Drive or should I buy an HD to clone to?

The software supports both options (to a single file or another drive), but I would recommend the first option.

  • Would you recommend another program for a second clone?

If you're a Linux user, you could use the built-in tool called dd

Thank you Sir!

Straight to the point. I will look into linux DD (a decade or so ago I did play around with Linux but never used it day to day - I couldn't Game with it!!!)

Cheers



  • Would you recommend another program for a second clone?

If you're a Linux user, you could use the built-in tool called dd

dd is a very dangerous tool because a single mistype of a disk letter will overwrite the wrong disk and cause even more data to be lost. So I would not recommend it for newbies.

For example, you have an empty hard disk at /dev/sdc, your bad hard disk is at /dev/sdb and your operating system is at /dev/sda. Normally you'd type dd if=/dev/sdb of=/dev/sdc bs=4K, but if you are careless and are just pressing up and down arrow keys on the terminal to get this command you ran before, you might forget to change "sda" to "sdc" and it will overwrite your OS drive!

Thank you for the warning Sir!

If going this way I will make sure to test on something else before.

Cheers

[moderator's note: consecutive posts merged]
(@mod thank you and sorry!)
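The dd warning above is about the output side: one wrong device name and a disk is overwritten. An added example (not from any poster; the function names are assumptions) of the clone-to-a-single-file approach: the source is opened read-only, the image is created with exclusive-create so an existing file or device node can never be the target, and the copy is verified by SHA-256.

```python
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # bytes per read


def sha256_file(path):
    """Hash a file (or device node) by streaming it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_to_file(source, image_path):
    """Copy source into a NEW image file and return the verified SHA-256."""
    digest = hashlib.sha256()
    # "rb": the source is only ever read.
    with open(source, "rb") as src:
        # "xb" is exclusive-create: it raises FileExistsError when image_path
        # already exists, which includes every /dev/sdX node. A mistyped
        # target therefore fails instead of overwriting a disk.
        with open(image_path, "xb") as dst:
            for block in iter(lambda: src.read(CHUNK), b""):
                dst.write(block)
                digest.update(block)
            dst.flush()
            os.fsync(dst.fileno())
    # Mark the image read-only so later tools work on it without changing it.
    os.chmod(image_path, 0o444)
    # Re-read what landed on the destination and compare with what was read.
    if sha256_file(image_path) != digest.hexdigest():
        raise IOError("image does not match the data read from the source")
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for a disk, so the example runs without hardware.
    workdir = tempfile.mkdtemp()
    fake_disk = os.path.join(workdir, "fake_disk.bin")
    with open(fake_disk, "wb") as handle:
        handle.write(b"constructed sample data " * 4096)
    image = os.path.join(workdir, "clone.img")
    print("image sha256:", image_to_file(fake_disk, image))
    try:
        image_to_file(fake_disk, image)  # second run must refuse
    except FileExistsError:
        print("refused to overwrite existing target:", image)
```

It stops at the first read error, so a disk with unreadable sectors needs an imaging tool that can skip and retry them.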
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
  • Would you recommend another program for a second clone?

If you're a Linux user, you could use the built-in tool called dd

dd is a very dangerous tool because a single mistype of a disk letter will overwrite the wrong disk and cause even more data to be lost. So I would not recommend it for newbies.

For example, you have an empty hard disk at /dev/sdc, your bad hard disk is at /dev/sdb and your operating system is at /dev/sda. Normally you'd type dd if=/dev/sdb of=/dev/sdc bs=4K, but if you are careless and are just pressing up and down arrow keys on the terminal to get this command you ran before, you might forget to change "sda" to "sdc" and it will overwrite your OS drive!
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
INFO "Filename: 49C7D454d01 Path: D:\?
Size: 30.6 KB (31,348)
State: Very poor
Creation time: 1/31/2010 19:59
Last modification time: 1/31/2010 19:59
Last access time: 1/31/2010 19:59
Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup"
6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5)
4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132"


Your wallet file has the first 6 of its 8 sectors overwritten by some Firefox file, and not Recuva, which amounts to the first 24KB of the 30.6KB gone from your hard disk. It is highly likely the Berkeley DB table that holds the private keys was at the beginning of the file and therefore overwritten. Unless you have clones from before the time you installed Firefox, your odds of recovery are low. I'm not sure if even a recovery service can help you here since the sector data was overwritten.
newbie
Activity: 15
Merit: 2
Create a USB with Kali Linux (it comes prebundled with testdisk and other tools).

Start the Kali Linux live USB on the device and create a system image with testdisk of the hard disk the wallet existed in.

If you value any chance of recovering crypto (and there are loads of methods yet untested, such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947, that shows bitcoin-qt creates a crash log with the current state, I believe, of the event of crashing, and the file won't show up with normal scans).

Whatever it is you want to do, if you don't make a clone of this hard disk you will regret it. I have done this countless times.

The cloned file image of the disk can be used just as the hard drive without any of the weakness. Imagine loading it in an NVMe SSD and now you have 100x the read/write speed or more ;)
"5. Deliver it to the pros at Wallet Recovery Services (not sure if they accept forensic cases)" I hear this guy is a selective scammer, he shows up everywhere you look for wallet recovery but he can't do shit.

Thank you Sir! :)

I will make sure to take my time before cloning the disk to make sure I am not further messing it up. I understand the point on a faster medium such as NVMe.
Would you recommend I look into something else about cloning? Even if I have to read a few extra things, it's an investment of time I would be willing to make.

Regarding the Wallet Recovery Services, I believe this is related to a trusted member DaveF. I am obviously a few steps away from delivering this to anyone but would appreciate any further inputs here.
sr. member
Activity: 356
Merit: 268
Create a USB with Kali Linux (it comes prebundled with testdisk and other tools).

Start the Kali Linux live USB on the device and create a system image with testdisk of the hard disk the wallet existed in.

If you value any chance of recovering crypto (and there are loads of methods yet untested, such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15947, that shows bitcoin-qt creates a crash log with the current state, I believe, of the event of crashing, and the file won't show up with normal scans).

Whatever it is you want to do, if you don't make a clone of this hard disk you will regret it. I have done this countless times.

The cloned file image of the disk can be used just as the hard drive without any of the weakness. Imagine loading it in an NVMe SSD and now you have 100x the read/write speed or more ;)
"5. Deliver it to the pros at Wallet Recovery Services (not sure if they accept forensic cases)" I hear this guy is a selective scammer, he shows up everywhere you look for wallet recovery but he can't do shit.
newbie
Activity: 15
Merit: 2
I ran the bitcoin client for a couple of days in January 2010.
I am using Recuva to try and recover Wallet.dat.

Does this filename ring any bells?

INFO "Filename: 49C7D454d01 Path: D:\?
Size: 30.6 KB (31,348)
State: Very poor
Creation time: 1/31/2010 19:59
Last modification time: 1/31/2010 19:59
Last access time: 1/31/2010 19:59
Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup"
6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5)
4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132"

Cheers
You'll most likely need the full file to be able to get the coins/private keys out.
Is that the original file name or is it a name added by the recuva recovery software? It has to be wallet.dat in order for you to get anything. Also, the file is quite small and the signatures it leaves as a trace will be small (the wallet.dat file, not this specific one).

Thank you for your comment ~2,5 years ago! I am going to restart this treasure hunt...

I have spent a couple of hours going through the most recent threads about wallet.dat file recovery or extraction of private keys.
I will lay out my game plan and would appreciate all comments and suggestions.
I will reiterate my problem as I don't think I was clear enough initially:

Background
  • I believe I ran the Bitcoin client around January 2010 - I am pretty sure it was before July 2010 and I am certain I struggled with stability issues to keep it running over a few nights
  • In 2017 propped by one of the pumps in BTC price I grabbed my old hard drive to see if I could find the wallet files - nothing was found and I assume the drive was either formatted or the file overwritten
  • I came across the following thread: https://bitcointalksearch.org/topic/walletdat-recovery-recover-your-own-lost-bitcoins-22697 and unfortunately proceeded to run Recuva on the original hard drive without making one/various clones - big mistake, I understand
  • My original post shows what I found then to be the most promising results - and you clearly can understand how limited my knowledge of this matter is.
  • The HD was connected to my PC since 2017 but it was not used for booting nor accessed
  • I have been approached by a couple of persons via PM whom I have not seriously engaged with out of being afraid of a scam. At the same time, these approaches do provide some hope.

Summary
  • I am not sure if I was actually awarded any BTC when I ran the client
  • My wallet file was likely overwritten or deleted during a HD format
  • I put my Chances of Success at under 5% but with BTC approaching 50k I feel like I can dedicate a few days to this

Plan
1. Clone the old hard drive (it is currently disconnected from Desktop)
Planning to use: https://hddguru.com/software/HDD-Raw-Copy-Tool/ as I have seen it recommended around by trusted member ETFBitcoin
  • Can I use a partitioned External USB Drive or should I buy an HD to clone to?
  • Would you recommend another program for a second clone?
2. Run pywallet (ref. Thread https://bitcointalksearch.org/topic/i-need-help-finding-or-recovering-bitcoins-off-an-old-hard-drive-5161349, I understand jackjack is debugging so I will allow some time)
3. Try findwallet (ref. https://bitcointalksearch.org/topic/findwallet-bitcoin-core-wallet-finder-5071775)
4. Try Rstudio or other recovery software (ref. https://bitcointalksearch.org/topic/how-i-rescued-my-walletdat-2637884)
5. Deliver it to the pros at Wallet Recovery Services (not sure if they accept forensic cases)

Credits
https://bitcointalksearch.org/topic/read-trying-to-recover-bitcoin-read-this-5308461
https://bitcointalk.org/index.php?topic=4959742.msg44708601#msg44708601

Cheers!
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
I ran the bitcoin client for a couple of days in January 2010.
I am using Recuva to try and recover Wallet.dat.

Does this filename ring any bells?

INFO "Filename: 49C7D454d01 Path: D:\?
Size: 30.6 KB (31,348)
State: Very poor
Creation time: 1/31/2010 19:59
Last modification time: 1/31/2010 19:59
Last access time: 1/31/2010 19:59
Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup"
6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5)
4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132"

Cheers
You'll most likely need the full file to be able to get the coins/private keys out.
Is that the original file name or is it a name added by the recuva recovery software? It has to be wallet.dat in order for you to get anything. Also, the file is quite small and the signatures it leaves as a trace will be small (the wallet.dat file, not this specific one).
newbie
Activity: 15
Merit: 2
I ran the bitcoin client for a couple of days in January 2010.
I am using Recuva to try and recover Wallet.dat.

Does this filename ring any bells?

INFO "Filename: 49C7D454d01 Path: D:\?
Size: 30.6 KB (31,348)
State: Very poor
Creation time: 1/31/2010 19:59
Last modification time: 1/31/2010 19:59
Last access time: 1/31/2010 19:59
Comment: This file is overwritten with "D:\Programas\Mozilla Firefox\chrome\pippki.jar.moz-backup"
6 file cluster(s) overwritten (0, 1, 2, 3, 4, 5)
4 cluster(s) allocated at offset 6301398 4 cluster(s) allocated at offset 6305132"

Cheers