5

I need to recover a bitcoin wallet that I created about 8 years ago.

I was a kid, and I thought I would be super clever and zip or rar the wallet, then change the extension to an image file. I uploaded it to my website.

I have a backup of the website, it is about 30 gigs, it contains thousands of images. I can limit by file size as my zip/image file is most likely small. But because it hosts a ton of web pages there is thousands of tiny image files.

How can I recover this wallet?

Questions

  • Is it possible to search for file that say they are images but are not?
  • Is it possible to find all files that are compressed regardless of file type?
Vomit IT - Chunky Mess Style
  • 40,038
  • 27
  • 84
  • 117
marsh
  • 153
  • 4

1 Answers1

4

PowerShell: Verify if not an image file regardless of file extension

You can use the below PowerShell to spit the full file name for each file processed using the Bitmap Class of the System.Drawing Namespace which is not a valid image in red to the output.

The files that are not valid image types regardless of the file extensions will be the ones listed in red that you will want to check first to see if these are the files you changed years ago.

If the file is a valid image type regardless of its file extension, it will not be listed.

PowerShell

Add-Type -AssemblyName System.Drawing;
Get-ChildItem -Path "C:\SearchFolder" -File -Recurse -Filter "*.*"  | % { Process {
    If ( $_.Length -gt 0 ) {
        $fn = $_.FullName;
        $img = "";
        Try { $img = New-Object System.Drawing.Bitmap $_.FullName } Catch { Write-Host $fn -ForegroundColor Red };
        }
}};

Output Example

Note: These will be the files that are not valid images you should check first.

C:\SearchFolder\CentosScripts.zip.png
C:\SearchFolder\epel-release-latest-8.noarch.rpm
C:\SearchFolder\Test432\firmware.zip
C:\SearchFolder\Test432\Test\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
C:\SearchFolder\Test123\Test\irc_Silo2_Level.txt

Supporting Resources

Vomit IT - Chunky Mess Style
  • 40,038
  • 27
  • 84
  • 117
  • Amazing! Did not expect such a detailed and ready to use response thank you! Running it now, seems to be working so far. – marsh Feb 16 '21 at 04:31
  • Is there a way to remove 0 byte files? Its getting some false positives with empty files. – marsh Feb 16 '21 at 04:38
  • Amazing and very fast! Thank you, going to keep searching. Nothing obvious popping up yet. – marsh Feb 16 '21 at 04:47
  • @marsh: good luck. But beware: another way to hide something in a (valid!) image file is using some steganography.methods. You may have used that instead, and it will make it much more difficult to find the (valid) image file(s) hiding the encrypted wallet data. – Olivier Dulac Feb 17 '21 at 04:19