Try searching for the hex string "fd1701308201130201010420".
In old wallet files, a 32 byte sequence following the above string will be your private key.
Does this look right?
grep -i -a -B10 -A100 --binary --text --perl-regexp 'fd1701308201130201010420' /dev/sda1
Doing some research I just read a blog that says wallet encryption was not until version 0.4.0 on September 23, 2011?
If that is correct does that mean the wallet.dat before that date are plain text or still Berkerely DB? If it is in Berkerely DB would that mean I could retrieve the entire wallet including all keys by simply using db_dump.py on a found wallet.dat file?
thx
No, that doesn't seem correct.
I recommend dumping an image of the disk drive (you should keep a copy, NEVER do anything on the disk you're trying to recover the data from!)
Then you can use a hex editor such as Okteta to search for the hex string in the dump file.