Post
Topic
Board Development & Technical Discussion
Re: Wallet.dat fragmented from OS reinstallation on HDD
by
Hristiyan99
on 04/03/2025, 12:50:52 UTC
X-ways Forensics is way more advanced than R-studio.
That being said, I've only used R-studio once some 5-6 years ago, when I tried it privately.

Maybe give the open source tool a chance, I think they are capable of doing what you need.
There might be a difference in the way each tool is using their regex syntax; the ones I've written in the last post would work for X-ways Forensics.

The hex values of the wallet.dat headers: I did have some older versions myself, and used them at first to verify.
I asked ChatGPT for every variant of the wallet.dat files from all versions, and it came up with the ones I did not already have myself.

EDIT:
Quote
The wallet would be from 2009 which means the following header would be applicable ?

\x00\x05\x31\x62\x00\x00\x00\x03

YES, \x is used by X-ways when doing regex searches with hex values, so maybe other tools just used the hex value; you will have to maybe do some test searches to verify that.


Image below is the search window in X-ways. In this search I've chosen to search in all objects in the volume (all logical + unallocated area).
Regular expression selected, and the regex search itself.

https://i.postimg.cc/G24FtYgx/regex-wallet.png


Quote
I will first image the disk using the program. However, would this same header be applicable for the creation of "Known file type" in order to perform hex search https://www.r-studio.com/creating-custom-file-type-r-studio.html

YES, it does seem like R-Studio uses the same hex syntax as X-Ways.
Try and follow the guide you linked to, and create a custom signature with the regex information I posted earlier.
The signature is the header; there is not any known signature for the file's end, so it needs to be empty, I would assume (this is very typical, not to have an ending signature).


When you mention the open source tool, do you refer to pywallet?

I will download X-ways today and try to source files this way.

I have downloaded Bitcoin Core and have created a wallet, which generated a wallet.dat file. Today I will manually recreate the following procedure:

1. Copy the Bitcoin data folder to external HDD drive
2. Quick Fragment the drive
3. Run X-ways and try searching for the file with the guidance given from you above with X-ways

[Note] I have done this while creating a Known file type, but I was not able to recover the file from the drive (it was an external USB drive). I guess I didn't write the XML (Known file type) correctly.

Is there any way I can send you the file I have created and see if it is correct?



Also, if you have further advice I would highly appreciate it!
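
The test search discussed in this post can also be run outside X-Ways or R-Studio, against a disk image. The script below is an added example, not part of the original post: it scans a raw image for the header bytes quoted above and carries bytes across chunk boundaries so a hit split between two reads is still found. The function names, the 512-byte sector size and the constructed test image are assumptions made for the example.

```python
import io
import sys

# Header bytes exactly as quoted in the post: \x00\x05\x31\x62\x00\x00\x00\x03
POST_SIGNATURE = bytes.fromhex("0005316200000003")
SECTOR = 512  # assumption: 512-byte sectors, used only for reporting


def find_signature(stream, signature=POST_SIGNATURE, chunk_size=1 << 20):
    """Yield the absolute offset of every occurrence of signature in stream."""
    if not signature:
        raise ValueError("signature must not be empty")
    keep = len(signature) - 1  # bytes carried over so boundary hits are seen
    tail, base = b"", 0        # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        pos = buf.find(signature)
        while pos != -1:
            yield base + pos
            pos = buf.find(signature, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)


def describe_hits(stream, signature=POST_SIGNATURE, chunk_size=1 << 20):
    """Return (offset, sector number, offset inside that sector) per hit."""
    return [(off, off // SECTOR, off % SECTOR)
            for off in find_signature(stream, signature, chunk_size)]


def build_test_image():
    """Constructed sample image: filler bytes with the signature planted twice."""
    img = bytearray(b"\xAA" * (3 * SECTOR))
    img[SECTOR:SECTOR + 8] = POST_SIGNATURE                    # start of sector 1
    img[2 * SECTOR + 100:2 * SECTOR + 108] = POST_SIGNATURE    # inside sector 2
    return bytes(img)


if __name__ == "__main__":
    # With a path argument, scan that image read-only; otherwise use the test image.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_test_image())
    with src:
        for off, sector, inside in describe_hits(src):
            print(f"hit at byte {off} (sector {sector}, +{inside})")
```

Passing a different byte string as `signature` makes it easy to repeat the test search with other header variants against an image of a drive holding a known wallet.dat.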