While this blog post covers my initial ‘research’, intention of this blog is to give an easier to digest guide into recovering or undeleting a Bitcoin wallet.dat file.
Note that if you delete files or lose files due to formatting on a SSD, they are beyond DIY Recovery!! In that case you increase chances of file recovery by a lab by immediately disconnecting the SSD from power!!
First of all you’ll need R-Studio for this, which you can download at this website. There are two recovery methods available to us, which I will explain. Note that R-Studio is a commercial tool, to actually save files you need to purchase a license.
Method 1: File system based recovery of a wallet.dat file
This is the easiest method and is useful if the file system is relatively intact. Situations in which you can expect this to be the case is when:
- You accidentally deleted a file
- Accidentally formatted a volume
- Or after you deleted a partition by accident
- Also RAW file systems are often reasonably intact
You may be tempted to use a free tool like Recuva, and by all means, try. But don’t assume if Recuva can not find the file, that it is not there! This short video demonstrates recovery of deleted files using Recuva vs. R-Studio:
If the file system is reasonably intact all you need to do in R-Studio is select the volume > Right Click > Show Files.
You’ll be presented with an Explorer like view in which you can simply browse to the original location of the lost or delete file, and select and recover it. If the file system is slightly more damaged, for example in case of a RAW file system you may have to scan the drive. In R-Studio, select the volume > Right Click > Scan.
Method 2: RAW recovery of the wallet.dat using R-Studio custom signatures
I see an influx in people wanting to examine old hard drives for Bitcoin wallets, and often at some point the wallet was lost or deleted while the drive stayed in use to some degree after this. Often attempts to recover the file have already been made using various file recovery tools, but without success.
There are two problems with lost or deleted files:
- At some point file system meta data is overwritten
- Worse, file data itself is overwritten
Or both. If option 2 then that’s the end of the adventure, however we will never know until we try finding the file. If option 1 we can not use method 1 as described above.
If option 1 is not available to us, we can fall back to a method called raw recovery (or sometimes carving or signature based recovery). The trick is to find some identifying byte patterns within the actual file data, often called magic bytes or a signature.
Say we examine 3 intact files and in all 3 we find a sequence of bytes: 62 31 05 00. If we now search the hard drive for this sequence it gives us a chance of finding the file. If we know the exact offset of the bytes within the file, we can reliably determine the start position of the file.
What we can not do is find the file name or the folder it was in. We can also not determine the file size or find different fragments in case the file was not contiguous (unfragmented).
I have a custom signature file for R-Studio. It contains 12 signatures that I found that can be used to identify a possible wallet.dat. We first need to import the file into R-Studio
Importing a custom wallet.dat signature file into R-Studio
Download the custom signatures here. Unzip to for example your desktop.
- Now run R-Studio.
- Click Tools menu item > then Settings.
- In Main TAB, under ‘User file types’ click … and select the wallet.xml file.
- Click ‘Yes’ if R-Studio asks if it should load the file immediately.
- In R-Studio, select the volume > Right Click > Scan.
- Make sure ‘Extra search for known file types’ is ticked.
- Click ‘Known file types’ and make sure that under ‘Other’ > ‘bitcoin wallets’ is checked.
- Select ‘Detailed scan’
- Click OK.
- When scan is finished pick RAW results, possible wallets are sorted under other > bitcoin wallets.
This is as far as I can help you.
What’s next, extracting keys..
You’ll (hopefully) end up with some, but not too many .dat files. Undoubtedly some will be false positives but hopefully at least one contains your wallet.dat data.
You’ll now have to research and try to find tools that can ‘repair’ a corrupt wallet.dat. Often repair consists of extracting and exporting various keys (don’t ask me I know very little about Bitcoins etc.).
What follows is info I found while Googling, it appears Googling for pywallet.py should give you plenty of follow up leads.
- Install Python 2.7 and download pywallet to your
c:\drive. - Copy your corrupt wallet.dat file to
c:\ - Open a Command Prompt and type:
C:\>pywallet.py --dumpwallet --datadir c:\ --wallet=wallet.dat --recover --recov_device=c:\wallet.dat --recov_size=416Gio --recov_outputdir=c:\ - It should extract all the keys to a new wallet on
c:\Copy the new wallet.dat to thec:\users\USERNAME\Appdata\Roaming\Bitcoinfolder - rename it wallet.dat.
- Start up Bitcoin-QT with the
--rescanswitch. It should take a while, but eventually it will start up and your coins are back.
I also found this video which also seems to do what we need, try feeding the recovered .dat files to this tool:
I found the tool and source code here: https://github.com/prof7bit/wallet-key-tool/releases. The compiled exe was safe at the time I checked it (May 7, 2021):
This the binary, I am hosting in case original for some reason is removed: Password for ZIP is 123.
If this guide ever helps you recovering your wallet it’d be awesome if you let me know. GOOD LUCK!!
NOTE: edited by webmaster!! If you ever see messages like these, IGNORE them!! IT’s SPAM AND IT’S FRAUD!! You will lost the money you pay them and you’ll get NOTHING in return!!
I’m here to express my sincere appreciation for the invaluable services provided by Wizard Web Recovery. With the lessons learned and their professional assistance, they have been able to navigate the world of cryptocurrency with greater confidence.
Wizard Web Recovery specializes in BTC recovery, leveraging their deep understanding of blockchain technology and the various methods employed by hackers. Through their advanced tools and techniques, they have consistently achieved a high success rate in tracing and recovering lost or stolen BTC.
Their expertise and dedication have not only restored our peace of mind but also enabled me to regain control over our digital assets. We are truly grateful for the support and guidance provided by the team at Wizard Web Recovery.
Should you require their services or wish to learn more about their approach, Wizard Web Recovery can be contacted using the following details:
– Phone: [xxxxxxxxxxx]
– Email: [xxxxxxxxxxxxxxxxxx(@)programmer.net]
I highly recommend their services and trust that you will find their expertise and professionalism. Thank you once again for your outstanding assistance, Wizard Web Recovery.