Case Study 2 — The Estate With Two Wallets

A man died suddenly, leaving a family that knew he had "bought a lot of Bitcoin years ago" and no idea how to reach it. Two wallets sat on his laptop. One the recovery firm opened in an afternoon, using the same command an examiner uses to crack a suspect's wallet under warrant — the only difference being a piece of paper that said the firm was authorized. The other is on the blockchain, visible to the satoshi, and gone forever. This is the mirror of Case Study 1: there, forensic tracing pulled money back from an offender; here, recovery pulls money back for an owner — and runs hard into the oldest limit in this book.

Background

The decedent was a methodical early adopter who told his family, more than once, that he held Bitcoin "for the grandkids" and that "it's all on the computer." After the funeral, the executor — his daughter, formally appointed by the probate court — found a five-year-old laptop and a desk drawer with a hardware wallet still in its box. She engaged a data-recovery firm that handles cryptocurrency. The firm's first act was not technical but legal: it confirmed the daughter's authority with the letters testamentary (the court's appointment of the executor) before touching anything, and papered the engagement so the authorization to access the wallets was unambiguous and on file.

Only then did the technical work begin, and it began the way every job in this book begins. The firm did not boot the laptop or open any wallet software. It imaged the drive with a write-blocker, hashed the image, and worked exclusively on a verified copy — because the original is irreplaceable and because operating a live wallet can broadcast state or let a watch-only adversary race you. Two wallet artifacts surfaced on the image, and they had opposite endings.

Recovery vs. Forensics. This engagement is the book's signature dual-lens at its starkest. The firm extracted the encrypted wallet.dat, hashed the working copy, ran bitcoin2john.py, and attacked it with hashcat -m 11300byte-for-byte the workflow an examiner runs against a suspect's wallet under a seizure warrant. The artifact is identical; the tooling is identical; the commands are identical. The only difference is authority: here, the verified consent of the rightful owner's estate; there, a court's order over its objection. That one fact — which piece of paper authorizes the crack — is the entire ethical and legal weight of this work.

Wallet one: the wallet.dat that opened

The first artifact was a legacy Bitcoin Core file at C:\Users\<user>\AppData\Roaming\Bitcoin\wallet.dat. Its header settled what it was, and a strings pass settled that it was locked:

# On a WORKING COPY from the verified image, under documented estate authority.
sha256sum ./work/wallet.dat >> provenance.txt      # hash the working copy first

file    ./work/wallet.dat
#   → Berkeley DB (Btree, version 9, native byte-order)   (magic 0x00053162)
strings ./work/wallet.dat | grep -E "mkey|ckey"
#   → mkey   ckey   ckey   ckey ...   ⇒ private keys are passphrase-encrypted

python3 bitcoin2john.py ./work/wallet.dat > wallet.hash      # → $bitcoin$...

Brute force was never the plan — the passphrase wraps an AES key, but the keyspace below it is human, not 256-bit, so the attack targets the passphrase, not the key. The firm built a targeted wordlist from the decedent's own artifacts on the same image: his password-manager export, browser-saved credentials, a photographed sticky note from his "old passwords" file, and the names, dates, and pet names that recur in any person's passwords. A rules-mangled run found it quickly:

hashcat -m 11300 -a 0 wallet.hash decedent_wordlist.txt -r rules/best64.rule
#   → recovered: a passphrase combining a grandchild's name and a memorable year

With the passphrase, the firm derived the wallet's addresses and confirmed the holdings on a public explorer (verified against the firm's own node): about 6.2 BTC across a handful of addresses, including change addresses the decedent had long forgotten. Clustering his own outputs with the common-input and change heuristics — the very math an examiner uses against a suspect — reconstructed a complete picture of the estate's on-chain assets for the probate accounting. The coins were swept to a new wallet the executor controlled, with every destination address verified character-by-character before broadcast, because a crypto transfer is irreversible and a typo sends the inheritance into the void.

Wallet two: the stash that stayed dark

The decedent's notes referred to a second holding — "the cold one, ~3 BTC" — and the desk drawer held a hardware wallet. This is where the case turned honest. The device was PIN-locked; the firm did not guess, because a wrong-PIN policy can wipe the device and destroy the one careful pass you get (theme two, the original is sacred, in its sharpest form). The keys could not be extracted from the secure element. Everything therefore depended on the 24-word recovery sheet — and it was nowhere. Not in the box, not in the safe, not photographed on any device, not in the notes, not in unallocated space on the laptop after a full carve for BIP39 word sequences.

The companion application told the firm exactly what it was losing. Ledger Live stored the account's xpub, from which the firm derived the addresses watch-only and confirmed on-chain that the cold wallet held about 3.0 BTC, untouched for years:

WATCH-ONLY (from xpub in Ledger Live) — the loss made visible
  derived addrs:  bc1q…  bc1q…  bc1q…   balance: ~3.0 BTC   last activity: 2,018 days ago
  private keys:   NOT on device-accessible storage
  recovery sheet: NOT FOUND (drawer, safe, photos, notes, carved unallocated — all negative)
  ⇒ funds are VISIBLE and PROVABLE, and PERMANENTLY INACCESSIBLE

Limitation. This is the oldest limit in the book applied to keys instead of platters: if the keys are gone, the coins are gone. A seed phrase that was never written where anyone can find it is as final as a securely-erased disk or a shredded platter. The firm could see the 3 BTC, prove it existed, and never spend it. There was no flaw to exploit, no passphrase to guess (a 24-word seed is 256 bits of entropy — uncrackable), and no one alive who held the words. "The available evidence is insufficient to access this wallet, and the funds cannot be recovered" was the only honest finding (theme five).

Ethics Note. Verifying the right to recover came before any attempt, and it is what separates this engagement from theft. The firm required the court's appointment of the executor, not merely a grieving relative's request, precisely because "the family asked us to" is not, by itself, authority to unlock someone's wealth. The same wallet, opened without that authority, would be a crime — the identical line that, in a forensic context, separates a warranted seizure from an unlawful access (Chapter 28 — Ethics).

The estate's accounting recorded both outcomes plainly: ~6.2 BTC recovered and distributed, ~3.0 BTC visible on-chain but permanently inaccessible for want of the recovery phrase. The family grieved the lost coins, but they were spared the worse fate of never knowing — and they took away the lesson the firm put in writing: a seed phrase is the wallet, and an inheritance in self-custody is only as recoverable as the words someone can find.

The analysis

  1. Authority is the only thing separating lawful recovery from theft — and from a seizure. The crack on wallet one used the same artifact, tooling, and command an examiner uses against a suspect. What made it lawful was the executor's court appointment, verified and documented before the first hash. Establish and paper authority first, always.

  2. The attack targets the passphrase, not the key. Nobody breaks a 256-bit key. A targeted wordlist built from the custodian's own artifacts — saved credentials, password manager, photographed notes, personal names and dates — beats generic brute force because human passphrases are guessable in a way cryptographic keys are not.

  3. The original is sacred, and a hardware wallet gives you one pass. Image first, work on the copy, never operate the live wallet, and never guess a hardware-wallet PIN that may wipe the device. The discipline that protects a suspect's evidence is the same discipline that protects an heir's inheritance.

  4. If the keys are gone, the coins are gone. A never-recorded seed phrase is unrecoverable in the same final sense as a destroyed platter. The watch-only xpub let the firm prove the 3 BTC existed and was real — turning "we couldn't find it" into a defensible, documented "this is permanently inaccessible," which is a finding, not a failure.

  5. Clustering serves restoration, too. The same common-input and change heuristics that attribute a suspect's addresses reconstructed the decedent's own scattered outputs and forgotten change addresses for the estate. The math is neutral; the purpose — attribution against someone, or restoration for someone — is set by who hired you and why.

Discussion questions

  1. State precisely what authority you would require before touching either wallet, and explain why "the family asked us to" is not sufficient on its own. What document established it here, and where would it live in your file?

  2. Brute-forcing the private key is impossible, yet the firm opened wallet one quickly. Explain what the attack actually targeted and why a wordlist built from the decedent's own artifacts outperformed a generic dictionary.

  3. ⭐ Wallet two is visible (3 BTC, watch-only via the xpub) but inaccessible forever. Write the finding you would deliver to the family — honest, kind, and not implying you failed — and connect it to the book's theme that some data is genuinely unrecoverable. Then write the same technical situation as it would appear in a forensic seizure report. What changes, and what stays identical?

  4. Compare this engagement's ethical hinge with a warranted seizure of a suspect's wallet. The tools are the same; identify the one fact that changes everything and describe exactly how you would document it in each context.

  5. Set this case against Case Study 1: one is recovery for a rightful owner, the other forensic tracing against an offender. State the single principle — and the single category of paper — that reconciles them, and explain why the underlying graph mathematics is indifferent to which one you are doing.