Bitcoin Recovery – wallet.dat

By | May 6, 2021

My Bitcoin wallet had little value back then ..

Disclaimer: This is a quick write up, and so it does not even touch my usual not so high standards.

In various forums and online communities there seems to be a significant influx of people trying to recover old Bitcoin wallets.

The story often goes something like: “I have this old hard drive that was formatted but contained a Bitcoin wallet”. Or sometimes people are more vague, like “I am trying to recover a .dat file” and similar, without revealing the nature of the file. Since the Bitcoins were worth very little back then, no attempt was made to recover the wallet at the time. It’s no surprise people are becoming more interested in recovering these files considering the current value of a Bitcoin.

Note that I know very little about Bitcoin; I just became interested in recovering the file after seeing the great lengths people go to in order to get it back. So I will concentrate on recovery of the wallet.dat file, since I do know something about data recovery. It is quite possible that the recovered wallet.dat is not in perfect condition; I cannot help you repair it, but I will point to sources that possibly can.

Recovering Bitcoin wallet.dat

We need to distinguish between several scenarios, all I have seen online:

  1. Hard drive containing the wallet.dat was put aside since the accident and no longer used
  2. Owner continued using the hard drive
  3. Hardware failure

Scenario 1

In scenario 1 the file should be recoverable using any decent file recovery software, as this is a very standard situation in which a good part of the file system metadata survived. After scanning the drive you should be able to recover or undelete the wallet.dat from the location where you left it.

I am not going further into this; you should be able to solve this using the instructions that came with the software. At the bottom of this post I’ll list software that I consider solid data recovery software.

The above is true as long as the drive the wallet.dat was deleted from is not an SSD!!

If you delete a wallet.dat from an SSD, the associated LBA blocks are probably trimmed within seconds, and ordinary file recovery software will only be able to recover zeros from these blocks. The SSD now considers them stale blocks, which will at some point actually be erased by the garbage collector. If the wallet represents significant value:

  • Disconnect the SSD from power. By doing so you prevent the garbage collector from erasing stale blocks.
  • Consult a data recovery lab, do not DIY: every minute the SSD is powered, there is less chance to recover the data! It depends on the drive model and firmware, but a lab may be able to access trimmed data using PC3000 software/hardware.

Scenario 2

As the drive continued to be used, there is a good chance the deleted or lost wallet.dat has been overwritten. Overwritten data cannot be recovered, that is a simple fact. But our dilemma is that we cannot tell for certain whether the file was overwritten or miraculously survived. What we do know is that it is very likely the file system metadata is lost after continued use of the drive. Our remaining option is then ‘raw data recovery’: to find the file we need to search the hard drive for information that can be found in the file itself.

So, what we have is a needle-haystack scenario.

Scenario 3

If the hardware failed, your best bet is to consult a data recovery specialist. Typical symptoms:

  • Hard drive no longer detected, clicking sounds
  • Connector broken off a USB flash drive
  • Drive freezing on access
  • etc.

All these situations require equipment, experience, or both. Do not fall for YouTube videos that explain how to unstick heads. Do not rush out and buy a cheap soldering iron to put a connector back in place when you have never soldered before.

Wallet.dat, the needle in the haystack

Raw file recovery is very much like looking for a needle in a haystack. We need something we can look for: something we expect to find specifically in the file type we’re looking for and that is reasonably unique, like a signature. If it’s too common we’ll end up with thousands of false positives.

I stumbled upon this: someone created several intact wallets and opened them in a hex editor. He saw this:

00 00 00 00 01 00 00 00 00 00 00 00 62 31 05 00 09 00 00 00 00 20 00 00 00 09 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 DA 40 08 00 00 00 29 00 A7 04 B9 12 00 00 00 00 00 00

00 00 00 00 01 00 00 00 00 00 00 00 62 31 05 00 09 00 00 00 00 20 00 00 00 09 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 D9 40 08 00 00 00 1D 00 BE 0B C7 29 00 00 00 00 00

00 00 00 00 01 00 00 00 00 00 00 00 62 31 05 00 09 00 00 00 00 20 00 00 00 09 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 D9 40 08 00 00 00 1E 00 29 54 36 19 00 00 00 00 00 00

So what they seem to have in common is 62 31 05 00 09

Now this is something that can be useful as a signature. I also found pieces of Bitcoin-related source code:

#define DB_BTREEVERSION 8 /* Current btree version. */
#define DB_BTREEOLDVER 6 /* Oldest btree version supported. */
#define DB_BTREEMAGIC 0x053162

There is part of our signature, in reversed byte order!

Then I remembered something. Unlike Windows, Linux does not look at a file’s extension to determine the file type; instead it looks for ‘magic bytes’ hidden inside the file itself to identify the file type. I wondered if and how Linux identified wallets and found that wallets are stored in the BerkeleyDB database format (I had never heard of it either). And this nice gentleman was kind enough to list the magic bytes Linux associates with this database format:

dat 0x0 0x00061561
dat 0x0 0x61150600
dat 0x0 0x00053162
dat 0x0 0x62310500
dat 0xc 0x00061561
dat 0xc 0x61150600
dat 0xc 0x00053162
dat 0xc 0x62310500
dat 0xc 0x00042253
dat 0xc 0x53220400
dat 0xc 0x00040988
dat 0xc 0x88090400

Note that the byte sequences are in reverse order. The value in front of each byte sequence is the offset of the magic byte sequence within the file.

As a Windows person I could now use for example HxD and start searching a hard drive for the signatures one by one, but that would become very labor intensive and time consuming. I can assure you that you will find many false positives when you, for example, search a drive for ’61 15 06 00′ (remember the reverse order). I do not own a wallet, and yet the signature is found within a second when I search my hard drive: a false positive.

And yes, you will get false positives, there is no way around that! But we can make our lives a tad easier.

We can use existing file recovery software and add our own custom signatures to detect possible wallet.dat files.
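To show why checking a signature only at the expected offset cuts down on false positives, here is an added example (my own illustration, not code from this post, from DMDE or from R-Studio) that scans a raw image for every BerkeleyDB magic value in the Linux list above, in both byte orders, but only at offset 0x0 or 0xC of each sector. The 512-byte sector size and the sample image are assumptions constructed for the demonstration; a real file starts on a cluster boundary, which is always a multiple of a sector, so sector alignment is the safe choice.

```python
import struct

# The four BerkeleyDB magic values from the Linux magic list above, as
# integers. The list spells each one out in both byte orders, which is the
# same as packing the integer little- or big-endian.
BDB_MAGICS = (0x00061561, 0x00053162, 0x00042253, 0x00040988)
# Offsets at which the magic list expects the value, relative to file start.
BDB_OFFSETS = (0x0, 0xC)
SECTOR = 512  # assumed sector size; files start on a sector boundary


def candidate_signatures():
    """Map every on-disk 4-byte pattern to (magic value, byte order)."""
    sigs = {}
    for magic in BDB_MAGICS:
        sigs[struct.pack("<I", magic)] = (magic, "little-endian")
        sigs[struct.pack(">I", magic)] = (magic, "big-endian")
    return sigs


def scan_image(data, sector=SECTOR):
    """Return [(sector_start, offset, magic, byte_order)] for every sector
    whose bytes at 0x0 or 0xC equal a BerkeleyDB magic. The same pattern
    anywhere else in the sector is ignored: that is the false-positive
    filter a plain hex-editor search lacks."""
    sigs = candidate_signatures()
    hits = []
    for start in range(0, len(data), sector):
        for off in BDB_OFFSETS:
            pattern = data[start + off:start + off + 4]
            if pattern in sigs:
                magic, order = sigs[pattern]
                hits.append((start, off, magic, order))
                break  # one report per sector is enough
    return hits


def build_sample_image():
    """Constructed test image (not real wallet data), three sectors:
    sector 0 starts with the header bytes from the hex dump above (hit),
    sector 1 holds the same pattern misaligned at +100 (must be skipped),
    sector 2 starts with a big-endian hash-database magic (hit)."""
    header = bytes.fromhex("000000000100000000000000" "62310500" "09000000")
    s0 = header.ljust(SECTOR, b"\x00")
    s1 = bytes(100) + b"\x62\x31\x05\x00" + bytes(SECTOR - 104)
    s2 = b"\x00\x06\x15\x61".ljust(SECTOR, b"\xff")
    return s0 + s1 + s2


if __name__ == "__main__":
    for start, off, magic, order in scan_image(build_sample_image()):
        print(f"sector byte {start}: magic 0x{magic:08X} ({order}) at +0x{off:X}")
```

For a real drive image, pass scan_image sector-aligned chunks (or an mmap of the image file) instead of reading the whole file into memory; every hit is still only a candidate that needs to be saved and examined.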

Bitcoin wallet.dat signatures for R-Studio file recovery software

Custom signatures for R-Studio (ZIP file for download below)

Option 1: R-Studio

R-Studio is the workhorse for many data recovery technicians doing logical data recovery; you can download it from the R-TT website. I created a custom signature file which you can download here. Unzip the XML file (to the desktop, for example).

  1. Run R-Studio.
  2. Click Tools menu
  3. Click Settings
  4. In Main TAB click … button to browse and select the XML file, OK that
  5. R-Studio will ask if you want to load the settings right now, click yes.

That’s it. R-Studio is now ready to hunt for Bitcoin wallet files.

Option 2: DMDE

Let DMDE do the heavy lifting for us. An added advantage is that DMDE only scans for the signatures at the correct offset (unlike HxD), so we should see fewer false positives.

You can use the free version, download it from www.dmde.com. Using the registered version is easier if we find wallets through different signatures; the license is only $20. You do not install DMDE, you simply extract the files from the ZIP file.

We can add our own custom signatures to DMDE and I have done so for all signatures that were identified in Linux. Download here. Unzip wallet.ini; we’ll use it to scan the hard drive.

  1. Now run DMDE
  2. Select drive presumably containing the wallet.dat
  3. Select either the physical drive or partition containing the wallet
  4. Click ‘Full Scan’
  5. Click ‘RAW: File Signatures’
  6. Click ‘Load’ and navigate to the wallet.ini file
  7. Under ‘Other’ you should now see 12 entries for wallets
  8. Click OK
  9. Click Scan

If all is well you should end up with various wallets in the RAW (Other > Wallet) results. Select them and save them. You have now recovered potential wallets! Many may in fact be false positives.

EDIT: wallet2 signature may be incorrect, I suggest you disable it, will fix it when I have the time.

Examining the ‘wallets’

I cannot help with this. What follows is info I found while Googling.

  • Install Python 2.7 and download pywallet to your c:\ drive.
  • Copy your corrupt wallet.dat file to c:\
  • Open a Command Prompt and type: C:\>pywallet.py --dumpwallet --datadir c:\ --wallet=wallet.dat --recover --recov_device=c:\wallet.dat --recov_size=416Gio --recov_outputdir=c:\
  • It should extract all the keys to a new wallet on c:\. Copy the new wallet.dat to the c:\users\USERNAME\Appdata\Roaming\Bitcoin folder
  • Rename it wallet.dat.
  • Start up Bitcoin-QT with the --rescan switch. It should take a while, but eventually it will start up and your coins are back.

I also found this video, which seems to do what we need:

I found the tool and source code here: https://github.com/prof7bit/wallet-key-tool/releases. The compiled exe was safe at the time I checked it:

https://www.virustotal.com/gui/url/ddbfa7eb30e5211971531669bd1585fc9192e7e42412b92ce812dfe87a76c477/detection.

GOOD LUCK!!

Recommended file recovery software:

[OS Support] {File System Support}

Try a demo version first!

R-Studio (www.r-tt.com). Used by many pros for logical data recovery. Moderately difficult to use. [Mac/Win/Lin]{FAT|NTFS|UFS|HFS|HFS+|APFS|EXT}

GetDataBack (www.runtime.org). For some issues and file systems the go-to tool for quite a few data recovery pros. Moderately difficult to use. [Win]{FAT|NTFS|HFS+|APFS|EXT}

ReclaiMe (www.reclaime.com). This is the end user version that’s based on the Pro version used by pros. Super easy to use. [Win]{FAT|NTFS|UFS|HFS|HFS+|APFS|EXT|BTRFS|XFS}

UFS Explorer (www.ufsexplorer.com). Go-to tool for many pros. Moderately difficult to use. [Win]{FAT|NTFS|UFS|HFS|HFS+|APFS|EXT|BTRFS|XFS}

DMDE (www.dmde.com). Another favorite for some pros. If you’re new to this, this tool can be quite overwhelming. Be warned that this tool can write to the patient drive. [Mac/Win/Lin]{FAT|NTFS|HFS|HFS+|APFS|EXT}

FileScavenger (www.quetek.com). Not mentioned very often but definitely worth it IMO. Quite simple to use in standard situations. [Win]{FAT|NTFS|UFS|HFS|HFS+|APFS|EXT|BTRFS|XFS}
