I've been using X-ways Forensics since 2011, with a tool like this you would be able to search with regular expressions in the unallocated area of a harddrive.
https://www.x-ways.net/forensics/index-m.htmlMy approach would be to search for the header of possible deleted wallet.dat files with regex searches in unallocated area, swap files etc.
Regex searches in X-ways forensics for each header type:
2009-2012 wallet.dat file header:
\x00\x05\x31\x62\x00\x00\x00\x02Slight change to wallet.dat file in 2017:
\x00\x05\x31\x62\x00\x00\x00\x03With Bitcoin core 0.18.0 in 2019, the header changed once again:
\x00\x05\x31\x62\x00\00\x00\x03With Bitcoin core 0.21.0 in 2021 and onwards to today, the header changed completely:
\x53\x51\x4C\x69\x74\x65\x20\x66\x6F\x72\x6D\x61\x74\x20\x33\x00If you're not able to get a license for X-ways Forensics, you could take a look at Autopsy ->
https://www.autopsy.com/ or the Sleuth Kit ->
https://www.sleuthkit.org/I've never used any of these, but it seems both tools are free to use, and they may also be able to perform regex searches.
R-Studio is apparently the most advanced forensic search which the web provides at the moment (no idea if true or not).
The wallet would be from 2009 which means the following header would be applicable ?
\x00\x05\x31\x62\x00\x00\x00\x03I will first image the disk using the program. However, would this same header be applicable for the creation of "Known file type" in order to perform hex search
https://www.r-studio.com/creating-custom-file-type-r-studio.htmlTo be honest its a bit too advanced for me with all the commands I need to write and input.
Would X-Ways be a bit easier in this perspective and do you have any guidance on how to search for the file with the headers you have written. Where have you got the reference for the wallets from 2009 headers?