Format of mkey field in encrypted wallet.dat file

3

I am writing a C++ application to scour large files (typically disk images) for wallet.dat files, with the intention of recovering the private keys.

At the moment I am struggling with the data contained in the ‘mkey’ (Master Key) section of an encrypted wallet.dat file.

From Googling and poring over the source code for Bitcoin and various other utilities that do what I want to do (such as pywallet), I have deduced that the data layout of the mkey data is:

  • mkey - a size prefixed string denoting the start of the master key data.
  • nID - an integer whose purpose I have been unable to determine.
  • encrypted_key - a size prefixed buffer containing the encrypted master key.
  • salt - a size prefixed buffer containing the salt data used when encrypting the key.
  • derivation_method - an integer containing either 0 or 1 for the method used to encrypt the master key using the wallet password.
  • derivation_rounds - an integer containing the number of rounds used to encrypt the master key.
  • other_derivation_parameters

However, having examined my wallet.dat file with a hex editor (screenshot attached), I cannot seem to get the data it contains to correlate with the above.


Can someone point me in the right direction or tell me what I have missed?

Chris Morrison

Posted 2016-08-16T17:27:00.040

Reputation: 31

With which version Bitcoin Core and bdb was this file created? – Pieter Wuille 2016-08-18T13:44:12.907

0.12.1, the latest version. – Chris Morrison 2016-08-19T07:50:03.010

Berkeley DB was 4.8, the standard one used with Bitcoin. I am running a Windows binary that I downloaded from the Website. – Chris Morrison 2016-08-19T08:45:14.217

No answers
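
A bounds-checked parser for the fields listed in the question, as an added example that is not part of the original post and is not Bitcoin Core's code. It assumes Bitcoin Core's serialization conventions (CompactSize length prefixes, 32-bit little-endian integers) and that the Berkeley DB key item holds "mkey" plus nID while the value item holds the remaining fields; `Reader`, `parse_mkey`, the size caps and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct MasterKeyRecord {            // fields in the order the question lists them
    uint32_t id = 0;
    Bytes encrypted_key, salt;
    uint32_t derivation_method = 0, derivation_rounds = 0;
    Bytes other_params;
};

class Reader {                      // bounds-checked cursor over untrusted bytes
    const uint8_t* p_; size_t n_; bool ok_ = true;
public:
    explicit Reader(const Bytes& b) : p_(b.data()), n_(b.size()) {}
    bool ok() const { return ok_; }
    uint64_t le(size_t width) {     // little-endian integer of `width` bytes
        if (!ok_ || n_ < width) { ok_ = false; return 0; }
        uint64_t v = 0;
        for (size_t i = 0; i < width; ++i) v |= uint64_t(p_[i]) << (8 * i);
        p_ += width; n_ -= width;
        return v;
    }
    Bytes blob(size_t max_len) {    // CompactSize length prefix, then that many bytes
        uint64_t len = le(1);
        if (len >= 0xfd) len = le(len == 0xfd ? 2 : len == 0xfe ? 4 : 8);
        if (!ok_ || len > max_len || len > n_) { ok_ = false; return {}; }
        Bytes out(p_, p_ + len);
        p_ += len; n_ -= len;
        return out;
    }
};

// Assumption: the Berkeley DB key item holds "mkey" + nID, the value item the rest.
bool parse_mkey(const Bytes& key, const Bytes& value, MasterKeyRecord& out) {
    Reader k(key), v(value);
    MasterKeyRecord r;
    Bytes tag = k.blob(16);
    r.id = uint32_t(k.le(4));
    if (!k.ok() || tag != Bytes{'m', 'k', 'e', 'y'}) return false;
    r.encrypted_key = v.blob(256);  // caps are arbitrary sanity limits for carved data
    r.salt = v.blob(64);
    r.derivation_method = uint32_t(v.le(4));
    r.derivation_rounds = uint32_t(v.le(4));
    r.other_params = v.blob(256);
    if (!v.ok() || r.derivation_method > 1) return false;  // question: method is 0 or 1
    out = r;
    return true;
}

// Constructed sample (not from a real wallet): 4-byte key, 2-byte salt, 25000 rounds.
const Bytes kSampleKey = {4, 'm', 'k', 'e', 'y', 1, 0, 0, 0};
const Bytes kSampleValue = {4, 0xde, 0xad, 0xbe, 0xef, 2, 0xaa, 0xbb, 0, 0, 0, 0, 0xa8, 0x61, 0, 0, 0};
```

Because every length is checked against the remaining buffer before it is used, the parser can be pointed at arbitrary candidate offsets in a disk image and will reject truncated or implausible records instead of reading out of bounds.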