Filename: UTC--2017-12-15T05-23-06.593317100Z--cfebf89f6fcea755ebba061b25a0db398a592055
Path: C:\?
Size: 491 bytes (491)
State: Unrecoverable
Creation time: 12/15/2017 00:23
Comment: This file is overwritten with "C:\pagefile.sys"
1 file cluster(s) overwritten (0)
1 cluster(s) allocated at offset 7864679
It's as it says. The deleted file's one data cluster has been overwritten with another file, so is unrecoverable by any means.
Not really true, what does "overwritten (0)" mean?
After a day of trying I used Recuva's Scan Contents... and searched for {"address":
it said it was inside the 17GB pagefile that the new win10 installation is using, I had set it to that size as 6 graphics cards needs it
Recovered it (just copy and save really), used windows cmd FIND "<span style="background-color:transparent;color:rgb(53,60,65);font-size:14px;font-style:normal;font-variant:normal;font-weight:400;letter-spacing:normal;margin-bottom:0px;margin-left:0px;margin-right:0px;margin-top:0px;text-align:left;text-decoration:none;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;"><font color="#000000" face="Calibri" size="3">cfebf89f6fcea755ebba061b25a0db398a592055" K:pagefile.sys
As I could not look for strings that have " in them, maybe with escape char? so I could not look for </font></span><span style="float:none;background-color:transparent;color:rgb(53,60,65);font-family:Roboto, 'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:14px;font-style:normal;font-variant:normal;font-weight:400;letter-spacing:normal;text-align:left;text-decoration:none;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;">{"address": again.</span>
and bingo, ready to copy and paste back the whole ciphertext back in to Mist Ethereum wallet.
The dot in file name is what separates the name and type, so I recreated those for the file, just in case.
What's not quite true?
Overwritten (0) means that the cluster at offset 0 in the cluster list for this file (i.e. the first and only cluster) has been overwritten.
I assume that you have now recovered your data by another means.
But the text string was actually still there, unless some shadow text of it was in a second location, but I never copy/pasted/deleted that file.
Recuva's Scan Contents... found the file the text was in, in was the same file Recuva said had overwritten it, I recovered it by using windows FIND.
So here is a new recommended feature for Recuva: recover crypto currency accounts.
Scan that harddrive just for known beginning text of encrypted privatekey strings, don't care about if it's still a file.
Well, I'm glad you managed to recover your data, as far as I can tell you found it within the pagefile. That's a lucky find, I would say.
I'm now telling other people how to use Revuca to find keystore files, people (like I did) think password you use to set up Mist Wallet is your account,
but it's just used to hide the privatekey from plain view, without it the money is gone in the cloud forever, some people have lost $1000.
https://github.com/ethereum/mist/issues/3489