Tuesday, December 17, 2013

Bitcoin Private Key Necromancy

tl;dr: https://github.com/pierce403/keyhunter

~ The Longer Version ~

A few weeks ago, a friend came to me with a problem. Way back in 2011, he had the great idea to reinstall Windows. Without thinking too much about it, he installed the new version of Windows, and used the drive for a while. It was only later that he realized that the drive actually contained a good quantity of bitcoins. Luckily, he realized there was a chance that the actual data containing the keys may one day be recoverable, and immediately unplugged it and stored it away for safe keeping.

With the price approaching 1000 USD/BTC, he brought the drive to a local bitcoin meetup and asked around. One guy ran various professional forensics tools against the drive with no luck, and at the end of the night, the drive ended up in my hands.

Discussions of forensic hygiene are out of scope for this particular blog entry, but needless to say, my first step was using dd to pull the raw data off the drive, giving me a 160 gig file on my local filesystem to work with.

Idea #1 BerkeleyDB recovery
So, of course, the original thought was "find and pull out the wallet.dat". My tool of choice for this sort of thing is magicrescue (http://www.itu.dk/people/jobr/magicrescue/). Magicrescue is typically used to recover images and documents from large blobs of data, for example, damaged filesystems. Unfortunately for me, there was no BerkeleyDB "recipe file", which is what magicrescue uses to reconstruct files. With a bit of poking around, I figured out how to write my own custom recipe files, and I was on my way. Using a hex editor, I checked out the first 16 bytes or so of a normal wallet.dat, and confirmed that it was the same across multiple wallet.dat files that I had lying around. I ran the magicrescue scan, and came up with no hits.

I read up some more on the format of BerkeleyDB files, kept tweaking my recipe files to support more and more versions of BerkeleyDB, and nothing.

Idea #2 Find *Something*
At this point, I started digging around in the middle of my wallet.dat files for anything that might be somewhat unique. The first few things I tried were coming up negative, and then I noticed the string name"1, which was immediately followed by a bitcoin address in the various wallet.dat files I had. I built the recipe, ran the scan, and got a single hit. I looked into the output file, and there it was, a bitcoin address. I looked the address up in blockexplorer, and there it was. An address with the exact number of coins my friend had guessed was on the drive, and no transactions since 2011.

!!YAY!!

My next thought was that I needed to carve the wallet.dat file out of this chunk of data I had found.  After a bit of futzing around, I noticed that almost directly above the address was a header for a .NET Assembly.  This meant one thing: fragmentation, which was bad news for me. 

Idea #3 Raw Key Extraction
Okay, it was time to finally figure out how to extract the keys directly. I found various tools for printing out private keys, but everything was outputting this strange 400 byte format, which didn't seem right. I read up a bit more about how private keys work in bitcoin, and read a ton of code and specs figuring out how they were supposed to be encoded, including the "Wallet Import Format". That led me to this nifty webapp: http://gobittest.appspot.com/PrivateKey

My big break came last night when I realized I could export one of my own empty private keys, and get the raw 32 byte hex from the website.  Once I knew that, I could dig around in the wallet.dat file.  I noticed that there were some interesting bytes that preceded the private key, and noticed that this preceding magic number was in front of all of the private keys in the wallet.  I quickly whipped up a magicrescue recipe, and before I knew it, I had 400 hits.  I wrote up some code to go through the files, translate the 32 byte data into base58 WIF keys, and threw them into a shellscript that ran "bitcoind importprivkey ...", and imported them into a local wallet that I had.  When that was done, I ran "bitcoind getbalance" and there they were :-D  I quickly moved the coins to a safer place, and let my friend know the good news.
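
The scan-and-convert step described above, as an added example (not keyhunter's code and not the author's script). The post does not state its magic number, so the marker here is an assumption: the DER prefix of an unencrypted EC private-key record. `scan`, `to_wif` and the sample buffer are names and data constructed for this sketch.

```python
import hashlib
import io

# Assumption (not stated in the post): DER prefix that precedes the raw key in
# an unencrypted EC private-key record: SEQUENCE, INTEGER 1, OCTET STRING(32).
MARKER = bytes.fromhex("308201130201010420")
KEY_LEN = 32
# Order of the secp256k1 group; a usable private key k satisfies 0 < k < N.
SECP256K1_N = int("FFFFFFFF" * 3 + "FFFFFFFE"
                  + "BAAEDCE6AF48A03B" + "BFD25E8CD0364141", 16)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and encode as base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1'.
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def to_wif(key: bytes) -> str:
    """Encode a raw 32-byte key as uncompressed mainnet WIF (version 0x80)."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a 32-byte private key")
    return base58check(b"\x80" + key)


def scan(stream, chunk_size=1 << 20):
    """Yield (offset, wif) for each marker followed by a valid 32-byte key.

    The image is read in chunks; the last len(MARKER)+KEY_LEN-1 bytes are
    carried over so a record that straddles a chunk boundary is not missed.
    """
    need = len(MARKER) + KEY_LEN
    tail = b""
    base = 0  # offset in the image of the first byte of `tail`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        pos = buf.find(MARKER)
        while pos != -1 and pos + need <= len(buf):
            key = buf[pos + len(MARKER):pos + need]
            # Drop marker hits whose payload cannot be a secp256k1 key.
            if 0 < int.from_bytes(key, "big") < SECP256K1_N:
                yield base + pos, to_wif(key)
            pos = buf.find(MARKER, pos + 1)
        keep = min(len(buf), need - 1)
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep


# Constructed sample "image": filler, one record holding the widely published
# WIF documentation test key, then a marker followed by an all-zero (invalid) key.
SAMPLE_KEY = bytes.fromhex(
    "0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D")
SAMPLE_IMAGE = (b"\x00" * 100 + MARKER + SAMPLE_KEY + b"\xff" * 50
                + MARKER + b"\x00" * KEY_LEN + b"junk")

if __name__ == "__main__":
    for offset, wif in scan(io.BytesIO(SAMPLE_IMAGE), chunk_size=64):
        print(f"offset {offset}: {wif}")
```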

The birth of KeyHunter
I figure not everyone wants to dink around with magicrescue, so I wrote up a tool called keyhunter to automatically rip through large chunks of data, and spit out the base58 Import Address. The code is here:

https://github.com/pierce403/keyhunter

If it helps you find any of your lost and forgotten coins, I've set up a donation address here:

1YAyBtCwvZqNF9umZTUmfQ6vvLQRTG9qG

Good luck!

98 comments:

  1. Had luck with this before.. Maybe there are some nuggets of wisdom in it:

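    #!/usr/bin/perl
    # Slurp the damaged wallet file as raw bytes.
    $_ = `cat CORRUPT_wallet.dat`;
    # Collect each distinct 65-byte value that follows the literal "keyA".
    while (/keyA(.{65})/sg) { $k{$1}++ }
    for my $k (keys(%k)) {
        # Print every run of 0xfd plus 216 bytes that is followed by that value.
        while (/(\xfd.{216}\Q$k\E)/sg) {
            print("PUBKEYHEX=", unpack("H*", $k), "\n");
            print("KEYPAIRHEX=", unpack("H*", $1), "\n\n");
        }
    }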

  2. Would this work for a namecoin wallet?

  3. What then was your total treasure recovery?

  4. Hi! I had some success using photorec: http://blog.cyplo.net/2012/04/01/bitcoin-wallet-recovery-photorec/ However, as pointed out in the comments, there might be a problem of sifting through false positives if the drive is large. Will try your tool and will definitely recommend that my commenters try it out too!

  6. I made an image using dd for windows (http://aeroquartet.com/movierepair/dd%20for%20windows). Scanned the resulting image file using keyhunter.py and found nothing. At least I got no message returned and the scan of the 147gig file was fairly fast. I know there's at least one wallet.dat file on the drive. I was trying to find an older wallet file that might have had coins in it. Anyways, I got no results. Not sure if it's a Windows-related issue or if I am doing something wrong. Any tips?

    Replies
    1. Hey Raja, did you ever figure this out? Was this a regular bitcoin-qt wallet? Do you have any idea what version of the client made the wallet? Do you know if it was encrypted? I don't think my tool will find encrypted wallets at the moment.

    2. My wallet was made from a client earlier than 0.3.2 I think and was unencrypted. I installed in the really early days and still don't understand how the wallet file got overwritten/lost. Anyways, keyhunter didn't work on windows at all. I switched to Linux and got keyhunter to work but didn't find any lost keys. :(

  7. Will this work with Android based wallets?

  11. Hi buddy. I keep getting no permission when I try your code on c:/. Any ideas? Thanks a lot.

  12. Hi buddy, could you help this newbie out? I am trying to recover my private keys. I have downloaded keyhunter but I don't know what to do next. PLEASE HELP ME OUT. SOME HELP WOULD BE REALLY APPRECIATED, BOSS.

  13. if anyone needs help with their lost keys and wallets. send me a note. In most cases I can extract your keys. I charge 20% of value for service.

  15. Guys, trying to run it from linux (kali x64) several times... with different commands and nothing happened. Can anybody do a screen or at least describe what must be at display, when keyhunter is working?

  74. Could you add a passphrase option for encrypted wallets? thanks.
