~ The Longer Version ~
A few weeks ago, a friend came to me with a problem. Way back in 2011, he had the great idea to reinstall Windows. Without thinking too much about it, he installed the new version of Windows and used the drive for a while. It was only later that he realized that the drive had actually contained a good quantity of bitcoins. Luckily, he realized there was a chance that the data containing the keys might one day be recoverable, so he immediately unplugged the drive and stored it away for safekeeping.
With the price approaching 1000 USD/BTC, he brought the drive to a local bitcoin meetup and asked around. One guy ran various professional forensics tools against the drive with no luck, and at the end of the night the drive ended up in my hands.
Discussions of forensic hygiene are out of scope for this particular blog entry, but needless to say, my first step was using dd to pull the raw data off the drive, giving me a 160 GB image file on my local filesystem to work with. Everything below runs against that image, never against the original drive.
Idea #1 BerkeleyDB recovery
I read up some more on the format of BerkeleyDB files (wallet.dat is a BerkeleyDB database), kept tweaking my magicrescue recipe files to support more and more versions of BerkeleyDB, and got nothing.
Idea #2 Find *Something*
At this point, I started digging around in the middle of my own wallet.dat files for anything that might be somewhat unique. The first few things I tried came up negative, and then I noticed the string name"1 (the word name, a double-quote character, then the digit 1), which was immediately followed by a bitcoin address in each of the wallet.dat files I had. I built a recipe for it, ran the scan, and got a single hit. I looked into the output file, and there it was: a bitcoin address. I looked the address up in blockexplorer, and there it was. An address with the exact number of coins my friend had guessed was on the drive, and no transactions since 2011.
!!YAY!!
My next thought was that I needed to carve the whole wallet.dat file out of the chunk of data I had found. After a bit of futzing around, I noticed that almost directly before the address was the header of a .NET assembly. That meant one thing: fragmentation. The wallet's blocks were no longer contiguous on disk, which was bad news for file-level carving.
Idea #3 Raw Key Extraction
The birth of KeyHunter
I figure not everyone wants to dink around with magicrescue, so I wrote up a tool called keyhunter to automatically rip through large chunks of raw data and spit out any private keys it finds as base58 wallet import format strings, ready to import into a fresh wallet. The code is here:
https://github.com/pierce403/keyhunter
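To make the two working ideas concrete, here is an added example (my own illustration, not keyhunter's code and not a magicrescue recipe) that scans a raw image for both artifacts described above. It assumes two things about the on-disk layout: that the name" marker is a wallet.dat "name" record in which the address is stored as a length-prefixed string (0x22, the length of a 34-character address, is the double-quote character), and that keys in an early wallet are stored as DER-encoded ECPrivateKey structures (RFC 5915), in which the bytes 02 01 01 04 20 (INTEGER 1, OCTET STRING of 32 bytes) immediately precede the 32-byte secret. Candidate addresses are accepted only when their Base58Check checksum holds, and candidate secrets only when they lie in the secp256k1 scalar range, which filters the false positives a raw byte search produces. The sample image is constructed inline; the secret 0x01 and the hash 00 01 .. 13 are made up for the demonstration. The image is scanned in overlapping chunks so it can be run against a 160 GB dd image without loading it into memory.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte becomes a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    return b58encode(data + double_sha256(data)[:4])


def b58check_decode(s: str):
    """(version byte, payload) if the 4-byte checksum matches, else None."""
    try:
        raw = b58decode(s)
    except ValueError:
        return None
    if len(raw) < 5 or double_sha256(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


# Idea #2: the "name" record.  Assumed layout: the string "name" followed by
# a length-prefixed address; 0x22 (34 decimal) prints as '"'.
ADDR_RE = re.compile(rb'name"([1-9A-HJ-NP-Za-km-z]{25,35})')


def find_addresses(image: bytes):
    """(offset, address) for every checksum-valid P2PKH address after a marker."""
    hits = []
    for m in ADDR_RE.finditer(image):
        run = m.group(1).decode("ascii")
        # The base58 run may swallow bytes of the next field, so try the
        # longest prefix first and keep the first one whose checksum holds.
        for end in range(len(run), 24, -1):
            dec = b58check_decode(run[:end])
            if dec and dec[0] == 0x00 and len(dec[1]) == 20:
                hits.append((m.start(1), run[:end]))
                break
    return hits


# Idea #3: raw keys.  Assumed layout (RFC 5915 ECPrivateKey): INTEGER 1,
# then an OCTET STRING of 32 bytes holding the secret scalar.
KEY_PREFIX = b"\x02\x01\x01\x04\x20"


def to_wif(secret: bytes, compressed: bool = False) -> str:
    """Wallet import format: version 0x80, secret, optional 0x01 flag."""
    return b58check_encode(b"\x80", secret + (b"\x01" if compressed else b""))


def find_private_keys(image: bytes):
    """(offset, WIF) for every 32-byte candidate inside the secp256k1 order."""
    hits, pos = [], image.find(KEY_PREFIX)
    while pos >= 0:
        secret = image[pos + 5:pos + 37]
        if len(secret) == 32 and 0 < int.from_bytes(secret, "big") < SECP256K1_N:
            hits.append((pos, to_wif(secret)))
        pos = image.find(KEY_PREFIX, pos + 1)
    return hits


def scan_chunks(chunks, overlap: int = 64):
    """Scan an image delivered chunk by chunk.  The overlap keeps a record that
    straddles a chunk boundary from being missed; absolute offsets de-duplicate
    the repeats that the overlap produces."""
    addrs, keys, base, tail = {}, {}, 0, b""
    for data in chunks:
        buf, start = tail + data, base - len(tail)
        addrs.update((start + off, a) for off, a in find_addresses(buf))
        keys.update((start + off, k) for off, k in find_private_keys(buf))
        tail, base = buf[-overlap:], base + len(data)
    return sorted(addrs.items()), sorted(keys.items())


def scan_file(path: str, chunk_size: int = 64 * 1024 * 1024):
    with open(path, "rb") as f:
        return scan_chunks(iter(lambda: f.read(chunk_size), b""))


# Constructed sample image (not real disk data): a name record, some junk,
# and a DER key for the made-up secret 0x01.
SAMPLE_SECRET = (1).to_bytes(32, "big")
SAMPLE_ADDR = b58check_encode(b"\x00", bytes(range(20)))
SAMPLE_IMAGE = (b"\x00" * 16 + b"\x04name\x22" + SAMPLE_ADDR.encode() + b"\x00\x07\xff"
                + b"\x30\x82\x01\x13" + KEY_PREFIX + SAMPLE_SECRET + b"\xa0\x81\xa5" * 8)

if __name__ == "__main__":
    import sys
    addrs, keys = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_chunks([SAMPLE_IMAGE])
    for off, a in addrs:
        print(f"{off:#x} address {a}")
    for off, k in keys:
        print(f"{off:#x} wif {k}")
```

Run it with the path to the dd image as the only argument, or with no arguments to scan the built-in sample. A 2011 wallet predates compressed public keys, so the uncompressed WIF (starting with 5) is the form to import; if an imported key does not produce the address you saw in the name record, try to_wif(secret, compressed=True) before concluding the key is a false positive.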
If it helps you find any of your lost and forgotten coins, I've set up a donation address here:
1YAyBtCwvZqNF9umZTUmfQ6vvLQRTG9qG
Good luck!
