JesseBusman/FirefoxMetamaskWalletSeedRecovery

Recovering an already deleted wallet

Opened this issue · 2 comments

First of all, thanks for this script!
I wanted to describe my case, since it might help someone to recover their wallet in case they've already deleted the extension or replaced the wallet in it. Of course there is no guarantee that this will help.

Basically I am on Ubuntu with Firefox 124.0.1 and MetaMask 11.12.4, and have an NVMe SSD. I replaced the old wallet with the new one, since at that point I thought that I didn't need the old one, so I didn't even save the seed phrase. But then I understood that I actually need it.

According to the docs it might be possible to recover the old wallet, but in my case there was only the new wallet in the Firefox storage.
So basically I ran the file recovery tool called photorec (I've tried to run it only on Linux, but apparently it is available on Windows/Mac too), and it restored snappy files with my seed for me. Some important points:

  1. You need to create a photorec.sig file in the directory from which you will run photorec, with the following content:
snappy 0 0xff060000734e61507059

Basically we just define a new file extension which should start with this 0xff06...; snappy is just a name, and 0 is the offset from the start.
You can check if you've done it correctly by running

fidentify some_existing_snappy_file

It should print that the extension of the file is snappy. You can read the docs: https://www.cgsecurity.org/wiki/Add_your_own_extension_to_PhotoRec

  2. Then when running photorec you need to unselect all file types except custom and run it only on the free disk space.

  3. Most of the files are already damaged, so for some of them the size is incorrect, and photorec created some 50 GB snappy files for me, filling my disk space and breaking Ubuntu. But after I deleted some files everything worked again. So you have 2 options: write the recovery data to another, larger drive, or stop early, and if you are lucky, your recovery phrase will be somewhere in the beginning. For example, in my case my recovery phrase was in the first recovered folder (out of 5), and the file size was 144 MB, much larger than a regular MetaMask snappy file, which means it was broken, but the part with the seed phrase was in it.

  4. Then I ran this script on the restored data and it recovered my seed phrase. The only problem is that the script raised exceptions in some places, since the files are broken, so I had to add try/except. If you add exception handling (just continue to the next file if an exception arises) in all the places where broken files can be used, then it would work perfectly.

  5. I was recovering the seed phrase on the same day I deleted the old wallet. It might be important, since if a long time has passed, then it might be impossible for the files to survive. But Firefox creates thousands of these snappy files for a single MetaMask extension, so maybe it will be possible to restore them even after some time.

Also it might be possible to implement something similar to what photorec does, but without creating these 50 GB files, just scanning the memory for the snappy prefix. But I have no idea how to do that; it is probably not very easy to implement.
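The idea at the end of the post above (find the snappy prefix without carving whole files), sketched as an added example that is not part of the original issue or of this repository's script. It assumes a raw disk image file as input; the function names and the `MAX_CARVE` cap are hypothetical, and the chunk-type rules follow the snappy framing format, whose stream identifier is the same byte string as the photorec.sig signature.

```python
import mmap
import sys

# Stream identifier chunk of the snappy framing format; the same bytes as the
# photorec.sig signature in the post above (ff 06 00 00 + "sNaPpY").
MAGIC = bytes.fromhex("ff060000734e61507059")
MAX_CARVE = 16 * 1024 * 1024  # assumed upper bound per stream, tune as needed


def stream_length(buf, start, cap=MAX_CARVE):
    """Walk chunk headers from `start`; return the length of the intact part."""
    pos, end = start, min(len(buf), start + cap)
    while pos + 4 <= end:
        ctype = buf[pos]
        clen = int.from_bytes(buf[pos + 1:pos + 4], "little")
        if 0x02 <= ctype <= 0x7F:               # reserved, unskippable: not snappy
            break
        if ctype in (0x00, 0x01) and clen < 4:  # data chunk without its CRC
            break
        if ctype == 0xFF and buf[pos:pos + 10] != MAGIC:
            break
        if pos + 4 + clen > end:                # truncated chunk or corrupt length
            break
        pos += 4 + clen
    return pos - start


def find_streams(buf, cap=MAX_CARVE):
    """Return [(offset, length)] for every framed snappy stream found in buf."""
    hits, pos = [], buf.find(MAGIC)
    while pos != -1:
        length = stream_length(buf, pos, cap)
        hits.append((pos, length))
        pos = buf.find(MAGIC, pos + max(length, len(MAGIC)))
    return hits


def scan_image(path, cap=MAX_CARVE):
    """Scan a raw disk image file read-only, without loading it into RAM."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            return find_streams(m, cap)


if __name__ == "__main__" and len(sys.argv) == 2:
    for off, length in scan_image(sys.argv[1]):
        print(f"offset={off} length={length}")
```

Because the walk stops at the first malformed chunk header or at the cap, a corrupted length field yields a short hit instead of a multi-gigabyte file; each reported range can then be copied out and handed to the recovery script.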

Thanks for the comments and advice! Nice to hear that you managed to get your wallet back.

I will clean up the script a bit to not crash on broken files. Should have done that from the start of course, sorry about that.

I actually already started writing a wallet recovery tool in C/C++ for the deleted/damaged/unmountable file scenario.

The idea of making a PhotoRec extension is interesting. I might consider doing it later, but I don't like having that much overhead because someone looking for their crypto wallet probably only cares about getting their crypto wallet back ASAP with minimal fuss.

That's very cool, it will save a lot of wallets. You don't need this photorec overhead indeed. I just meant that it makes sense to implement a manual script that will scan the memory without restoring the files themselves. Exactly what you are planning to do! Good luck with it!