Recover deleted files from a bitlocker’ed drive or partition

This uses dislocker, testdisk and photorec

You **WILL** need the recovery key for the bitlocker drive, this cannot get around that, but the drive will be unharmed in the process.

It’s a multistep process. This was accomplished with MX Linux 19.2 (a Debian derivative), but any reasonably current distro should be fine.

I recommend making a Ventoy USB drive, copy the iso’s to it, boot up and select the OS/ISO to boot from.

Links: Ventoy, MX Linux, UltimateBootCD, Windows 10, Kaspersky Live CD, ESET Live CD. (You can put whatever you want into the root of a Ventoy USB drive; it scans and lets you select them on bootup. Very, very slick!)

Before anything else, use a live distro to clone the disk to your server, so you can always restore it back to ground zero (such as it is). Ultimate Boot CD is recommended for this; I used Clonezilla to clone the disk to my server.

Pre-requisites:

You’ll need to mount a server drive or external disk to recover to!

Boot via USB Ventoy, Choose Ultimate Boot CD, Choose Clonezilla

Prep
Open a terminal and run:
# like: sudo mount //HOST/SHARE mountpoint -o username=username,password=password
mkdir /mnt/server
sudo mount //192.168.0.253/backup /mnt/server -o username=brad,password=password
mkdir /mnt/decrypted-image
mkdir /mnt/decrypted-filesystem

# Use Clonezilla to back up the entire disk to your server

(Beyond the scope of this particular article, but there are may ways of doing it. Restoring can be difficult, so pay attention to how you backed it up.)

Recover deleted files from the free space on the disk
# Pre requisites (I switched to the MX Linux Distro for this part, again, using the Ventoy USB):
open a terminal
apt update
apt install dislocker testdisk mc   # photorec ships inside the testdisk package

# decrypt the partition and mount it as a loopback image (that's the way it works):
dislocker /dev/sda2 -p111111-222222-333333-444444-555555-666666 -- /mnt/decrypted-image
# NOTE: NO SPACE between -p and your BitLocker recovery key. You may have to try a different sdX letter, but it is usually sda.
mount -o loop /mnt/decrypted-image/dislocker.file /mnt/decrypted-filesystem
# (use mount -o loop,ro ... if you want the decrypted view read-only, so nothing touches the free space you are about to carve)

you should now be able to see your regular Windows files in /mnt/decrypted-filesystem
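As an added example (not from the original post), here is a small sh wrapper around the two commands above. It checks the recovery key's structure before handing it to dislocker, and mounts everything read-only so the free space you are about to carve cannot be written to. A real recovery key is 48 digits in 8 groups of 6 (the 6-group key above is an abbreviated placeholder), each group is a multiple of 11, and the group divided by 11 fits in 16 bits (so the group is below 720896); dislocker applies the same structural check. The device path and mount points are the ones used in this post, and the script assumes dislocker is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: validate a BitLocker recovery
# key, then expose the decrypted volume read-only for carving.

# Returns 0 when KEY has the shape of a BitLocker recovery key:
# 8 dash-separated groups of 6 digits, each a multiple of 11 and below 720896.
# Usage: bitlocker_key_looks_valid 111111-222222-...-110000
bitlocker_key_looks_valid() {
  key=$1
  groups=0
  old_ifs=$IFS
  IFS='-'
  for g in $key; do
    groups=$((groups + 1))
    case $g in
      [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
    # strip leading zeros so the shell does not read the group as octal
    n=$(printf '%s' "$g" | sed 's/^0*//')
    n=${n:-0}
    if [ $((n % 11)) -ne 0 ] || [ "$n" -ge 720896 ]; then
      IFS=$old_ifs
      return 1
    fi
  done
  IFS=$old_ifs
  [ "$groups" -eq 8 ]
}

# Decrypt DEVICE with KEY into the two mount points the post uses.
# dislocker -r and mount -o ro keep both layers read-only.
# Usage: mount_bitlocker_ro /dev/sda2 KEY   (needs root, like the post's commands)
mount_bitlocker_ro() {
  dev=$1
  key=$2
  if ! bitlocker_key_looks_valid "$key"; then
    echo "mount_bitlocker_ro: recovery key is malformed (expect 8 groups of 6 digits)" >&2
    return 1
  fi
  mkdir -p /mnt/decrypted-image /mnt/decrypted-filesystem
  # no space between -p and the key, exactly as in the post
  dislocker -r "$dev" -p"$key" -- /mnt/decrypted-image || return 1
  mount -o loop,ro /mnt/decrypted-image/dislocker.file /mnt/decrypted-filesystem
}
```

Run the check on its own first (`bitlocker_key_looks_valid "$KEY" && echo ok`); a key that fails it has been mistyped, and no amount of trying other sdX letters will help.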

testdisk has to be run with the disk as a parameter or it gets confused and you won’t be successful:

testdisk /mnt/decrypted-image/dislocker.file

Use testdisk to copy deleted files to /mnt/server/wherever:
Choose the Disk
Choose NONE as the partition type (I know, I know, just go with it)
Advanced
It should show NTFS
now Choose List
It should chug for a bit and then show your drive listing, if so, you’re good to proceed
Arrow right to Undelete
Press A to select all files
Press c to copy them
Select your destination (/mnt/server/wherever) and wait for it to copy

The recovered files are probably kinda underwhelming and disheartening, don’t freak out yet, go to the next phase of recovery below:

Recover LOTS MORE files! photorec is a lot better:

photorec /mnt/decrypted-image/dislocker.file

Then copy files to /mnt/server/wherever:
Choose the disk
Select the Partition (NTFS) Filesystem
choose Other FAT/NTFS/HFS+/ReiserFS
Choose free space or whole partition, your case may vary
Navigate to the directory you want to save files into
Press C when correct
WAIT. For a very long time. 500GB of spinning rust took about 36 hours over wifi; the wifi was not the bottleneck here, it takes a lot of overhead to reassemble the files.

Backup the regular files from disk:
copy the normal files out:
rsync -avx --progress /mnt/decrypted-filesystem /mnt/server/directory

You will want wired ethernet here, wifi chokes hard on sustained throughput (220MB/min vs. 1.5GB/min, do the math on how big your drive is and how long it will take)

Reset Windows password on Bitlocker drive

I was not able to reset the password using chntpw or ophcrack on a Windows 8 box, but it can be done with a Windows boot CD (from Ventoy even!)

This does come with a bunch of caveats though…

  1. You will have to decrypt the drive. This takes a long time, SSD is your friend here.
  2. By decrypting the drive, you WILL (probably) lose any chance of recovering anything from the free space on the disk because the freespace is encrypted too, and will be decrypted, but the leftover data will very likely not be there. In theory, the bitlocker is whole disk, so when it decrypts every block, you should be able to recover, but if you can’t, it’s too late!
  • Boot up to the Windows 10 installer screen
  • DON’T GO THROUGH THE SETUP, LEAVE IT ON THE STARTUP SCREEN
  • press Shift + F10
  • At that command prompt run:

cd d:\windows\system32
move utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
wpeutil reboot

Note: once it starts back up, you have about 1 minute to do the next step or the utility will get replaced and you’ll have to run the commands above again (ask me how I know).

At the login screen, click the Utility manager in the corner, you should get another command prompt within your normal system now.

Run: net user [ENTER]

to see the usernames

To reset a password, assuming your username is brad, run:

net user brad my_new_password

To set up a new admin user, ignoring any local users:

net user bob /add
net localgroup administrators bob /add

exit

You should now be able to log in using the credentials/password you set above. You may have to reboot once for it to take effect. If you added a new admin user, log in as that user, and you can use the manage local users utilities to reset any user passwords on the box.

Flatten out a directory

find /dir1 -mindepth 2 -type f -exec mv -i '{}' /dir1 ';'

This takes every file scattered throughout the subdirectories and moves it up into one big directory (-i prompts before overwriting a file that already has that name).

Sometimes you need this.

How to populate a ruby/erubis/erb template from a command line

Template test.erb:

# DESCRIPTORS
account      = "<%= account %>"
ownerorg     = "<%= org %>"
application  = "<%= application %>"
region       = "<%= region %>"
environment  = "<%= environment %>"
service      = "<%= service %>"
node_name_id = "<%= taxonomy %>"
version      = "<%= version %>"

# Populate with values:

erb key=value key=value template.erb >> output.file

erb account=12 org=23 application=34 region=45 environment=56 service=67 taxonomy=89 version=fred test.erb >> myfile.out

myfile.out now contains:

# DESCRIPTORS
account      = "12"
ownerorg     = "23"
application  = "34"
region       = "45"
environment  = "56"
service      = "67"
node_name_id = "89"
version      = "fred"

Cloud Engineer Resume

This may or may not sum up the resume’s we get nowadays:

Flobert Unpronouncable

“Computer engineer with a general-wide focus on cloud computing technologies; specifically, on virtualization, networking, storage, security, automation,

infrastructure as code, private and public cloud offerings. Directly and indirectly involved on the design, implementation, and support of virtual infrastructure

platforms for internal, external and virtual clients, aimed generally at different entities accounting for high-availability, disaster recovery, and scalability. Currently

working on a variety of internal/external/virtual learning and development initiatives by planning and supporting diverse training events for new and existing cloud

engineering practitioners on areas of interest like networking, security, cloud migration, virtualization, containerization, automation, and public cloud

platforms.”

  • buzzword

  • fragment

  • Place I worked at for a week in the 80’s

  • recipe for salsa

  • buzzword

  • incomplete senten

  • tuned carb on ’67 Impala

  • Atention to detial!

  • Punctuation( ,optional( @misused]}

  • Place I was fired from the day I started

  • Angular!

  • Buzzword buzzword

  • Something that happened within 30 feet of me and I’m claiming credit

  • 22 Years experience with AWS!

  • Windows 9 Experience

  • Buzzword buzzword buzzword buzzword

  • Lenox certiffied

Splitting big mp3’s into smaller pieces:

mp3splt -a -t 15.1 -o Saint\ Death\ -\ Mark\ Dawson-@n -d Saint\ Death\ -\ Mark\ Dawson Saint\ Death\ -\ Mark\ Dawson.mp3

mp3splt -a -t 5.10 -o Lesson_01-@n -d Lesson_01 Lesson_01.mp3

The -a tells mp3splt to auto-adjust the split point with silence detection.

The -t 5.10 tells it to make the files 5 minutes and 10 seconds long since the file is a little over 30 minutes long. (This length may vary a bit due to the -a option).

The -o Lesson_01-@n tells it to name the files as Lesson_01 followed by a track number.

The -d Lesson_01 tells it to put the files in a directory called Lesson_01.

The last argument is the input file (.mp3).

So: mp3splt -a -t 5.10 -o outputfilename-@n -d OutputDirectory InputFilename.mp3

Plot lines no longer allowed:

  • Car won’t start
  • “You don’t understand!”
  • Just play along.
  • “Hide your wrongdoing, no one will ever find out, just keep spinning bigger and bigger lies!” Said every Disney live action kids show ever.
  • Stupid adults
  • Are we done here?/Can I go now?/Can I go home? (just admit that you’re guilty right now)
  • Cops/Military/Doctors that don’t listen to anything ever ever ever
  • Exploding cars/every car accident = fireball of doom
  • Showering at midnight at abandoned campground/mental facility/dorm, you know, like ya do.
  • Maniacal laughing. Constantly. For No. Reason. At. All. Somebody just shoot the fucker.
  • Girls that can’t wink should not try.
  • No one blows kisses, do not try.
  • No eating apples on screen, please. It’s not medieval, and it’s not fun to listen to.
  • Close-miking of anyone eating anything. Do not.
  • “No, no, really, it’s nothing…” from people that should damn well be reporting this shit asap.
  • Professional __________ that know shit about ___________
  • Outright dismissal of clear evidence, and just moving on like no one is going to notice.
  • Stupid dads that can’t change a diaper or wipe a nose or anything beyond grunt
  • Stupid dads that can’t fix anything ever
  • Water does not shoot straight up from a drain. Ever.
  • Don’t check if he’s dead, just assume everything goes as planned.
  • Super-Ultra eyeballs that can see a bulge in a pocket from across town, or spot someone in a crowd from 5 blocks away
  • Super-Ultra hearing so that one guy on the opposite end of a crowded stadium can speak normally, yet address thousands of people. In 1200 B.C.
  • “Look! There he is!” 300 yards away in a crowd. Seriously?
  • Snipers with handguns shooting things miles away
  • Snipers shooting with the barrel hanging out the window
  • Anyone with a handgun hitting anything beyond 50 feet while running
  • Security footage with obvious moves/pans/scans/zooms
  • Asking questions and getting no answers at all or utterly random responses like everyone is crazy
  • Zoom! Enhance!!
  • Ook Ook! Pretty nurse!! Grunt. Grunt. No answer question. Zog rather die. Ok, stepped on nail. With dick. Light bulb in ass cuz I fell on it.
  • For the love of God, WATCH THE ROAD!!! Especially through the intersection with the trucks!
  • Doctors being risky and edgy and almost losing their license every single day
  • Next of kin being in the room during surgery micro-managing the surgeon

bash tip: collapse or parse a big text doc into individual sorted words from columns

Start with list.txt like:

server7858   server7858   server7858   server7858   server7861   server7860   server8310   server8310   server7863   server8311

server7859   server7859   server7859   server7859   server8781   server8676   server8677   server8677   server8679   server8782

Which has duplicates and long lines and crap. Run this:

rm -f list2.txt list3.txt

for word in `cat list.txt`; do echo $word ; done |sort |uniq >> list2.txt

sed -ibak -e 's/ //g' list2.txt

cat list2.txt |sort|uniq > list3.txt

vi list3.txt

ta da!

if you need word counts and such, pipe it through wc before running uniq
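The same collapse can be done in one pipeline with tr and sort, which also avoids the temporary files and the whitespace-stripping pass. This is an added example, not part of the original post; the sample list.txt is constructed inline to match the two lines shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: collapse a whitespace-separated,
# multi-column file into one sorted, de-duplicated word per line.

# Constructed sample input in the shape of the post's list.txt.
# Usage: make_sample_list /path/to/list.txt
make_sample_list() {
  cat > "$1" <<'EOF'
server7858   server7858   server7858   server7858   server7861   server7860   server8310   server8310   server7863   server8311

server7859   server7859   server7859   server7859   server8781   server8676   server8677   server8677   server8679   server8782
EOF
}

# tr -s turns every run of whitespace (spaces, tabs, newlines) into a single
# newline, so each word lands on its own line; sed drops any empty line left
# by leading whitespace; sort -u sorts and removes duplicates in one pass.
# Usage: collapse_words list.txt > list3.txt
collapse_words() {
  tr -s '[:space:]' '\n' < "$1" | sed '/^$/d' | sort -u
}

# Same split, but with an occurrence count per word (uniq -c needs sorted input).
# Usage: count_words list.txt
count_words() {
  tr -s '[:space:]' '\n' < "$1" | sed '/^$/d' | sort | uniq -c
}
```

`sort -u` replaces the `sort | uniq` pair, and `uniq -c` is the usual way to get per-word counts rather than piping through wc.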

If you need to collapse multi line (multi-line multiline) data like this:

fldcvisla8524:

packages.MQSeriesServer.installdate: 1439579830

fldcvfsla13746:

packages.MQSeriesServer.installdate: 1486575523

Into:


Add user and password to NGINX proxy

Go to:

http://aspirine.org/htpasswd_en.html

In the left box (#1) enter a username and password that you want to use like:

willb179   MonkeyBiscuits123

In the right box (#2) click Generate htpasswd content

It will generate a line like this:

willb179:$apr1$l9.OI9au$uZaO8fsnfhrNHI7V.Tr52.

Send this hashed line via Slack or email (the “willb179:$apr1$l9.OI9au$uZaO8fsnfhrNHI7V.Tr52.” part).

Remember the password you used!

The site generates the hashes for you, so users can submit their own hashed passwords without handing you the plaintext.

vi /etc/nginx/htpasswd

service nginx restart

**** MAKE SURE THE USER ISN’T ALREADY IN THERE!! If you have duplicates, you will get a constant string of 401 Unauthorized because it picks the FIRST one in the list and you’ll pull your hair out.

NGINX Config for password protected reverse proxy:

proxy.conf:

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 50m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

nginx.conf.erb:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            auth_basic "Restricted";                    # For Basic Auth
            auth_basic_user_file /etc/nginx/htpasswd;   # For Basic Auth
            include conf.d/proxy.conf;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}

Local:

openssl passwd -apr1

Enter the password you want twice when prompted; it prints the apr1 hash of it.

Add a line of the form:

username:$apr1$salt$hash
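Putting the local openssl method and the duplicate-user gotcha from above together, here is a small sh helper for maintaining the htpasswd file. It is an added example, not part of the original post or any nginx tooling: the function names are mine, it assumes openssl is on the PATH, and the sample user and password are the constructed ones from this post. The password is fed to openssl over stdin rather than on the command line so it does not show up in the process list or shell history.

```shell
#!/bin/sh
# Added example, not from the original post: manage an nginx htpasswd file with
# openssl, refusing duplicate usernames (nginx only ever matches the first line
# for a user, so a second entry just produces endless 401s).

# Append "user:$apr1$salt$hash" to FILE, unless USER is already present.
# Usage: htpasswd_add /etc/nginx/htpasswd willb179 MonkeyBiscuits123
htpasswd_add() {
  file=$1
  user=$2
  pass=$3
  if grep -q "^${user}:" "$file" 2>/dev/null; then
    echo "htpasswd_add: '$user' is already in $file; edit that line instead of adding another" >&2
    return 1
  fi
  # openssl picks a random 8-character salt; -stdin keeps the password off argv
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
  printf '%s:%s\n' "$user" "$hash" >> "$file"
}

# Recompute the apr1 hash with the salt stored in FILE and compare.
# Returns 0 when PASSWORD matches USER's entry.
# Usage: htpasswd_verify /etc/nginx/htpasswd willb179 MonkeyBiscuits123
htpasswd_verify() {
  file=$1
  user=$2
  pass=$3
  stored=$(grep "^${user}:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  # stored form is $apr1$SALT$HASH, so the salt is the third $-separated field
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  candidate=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
  [ "$candidate" = "$stored" ]
}

# Print any username that appears more than once in FILE (the 401 trap).
# Usage: htpasswd_duplicates /etc/nginx/htpasswd
htpasswd_duplicates() {
  cut -d: -f1 "$1" | sort | uniq -d
}
```

Run `htpasswd_duplicates /etc/nginx/htpasswd` before restarting nginx; if it prints anything, that is the name causing the constant 401s.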

Chef:

nginx.rb

include_recipe 'yum-epel::default'

package 'nginx'

['htpasswd'].each do |f|
  cookbook_file "/etc/nginx/#{f}" do
    source f
    owner 'nginx'
    group 'nginx'
    mode '0644'
  end
end

cookbook_file '/etc/nginx/conf.d/proxy.conf' do
  source 'proxy.conf'
  owner 'nginx'
  group 'nginx'
  mode '0644'
end

# Use nginx.conf template
template 'nginx.conf' do
  path '/etc/nginx/nginx.conf'
  source 'nginx.conf.erb'
  mode '0644'
  owner 'nginx'
  group 'nginx'
end

service 'nginx' do
  action [:enable, :start]
end

require 'mixlib/shellout'

# getenforce prints the state followed by a newline; strip it, or the string
# comparison below never matches. If the binary is missing, SELinux is not
# installed and there is nothing to do.
begin
  selinuxstatus = Mixlib::ShellOut.new('getenforce')
  selinuxstatus.run_command
  selinuxstatus.error!
  selinuxstate = selinuxstatus.stdout.strip
rescue Errno::ENOENT
  selinuxstate = 'Disabled'
end

Chef::Log.info("SELinux status is: #{selinuxstate}")

# SELinux possible states are: Enforcing, Permissive, Disabled.
# We only need the boolean when Enforcing or Permissive;
# when disabled or not installed we don't need to do anything else.
if %w[Enforcing Permissive].include?(selinuxstate)
  execute 'Allow nginx to proxy to connect to nifi' do
    command 'setsebool -P httpd_can_network_connect 1'
    action :run
  end
end

htpasswd:

cloudse:$apr1$5CtzHM1B$mC51/7dwYEFgwWs91/cjz/
brad:$apr1$/1R/RT5j$Lf5/RqKRojHct0p20.zLu.

proxy.conf and nginx.conf.erb: the same two files listed above under “NGINX Config for password protected reverse proxy”.


Run ssh commands remotely for one or many or a list of servers

single:

ssh -o "StrictHostKeyChecking no" -t ${server} 'sudo sed -ibak -e "s#https://oldchef.server.com/#https://newchef.server.com/#g" /etc/chef/client.rb'

many:

for server in server001 server002 server007; do echo ${server}; ssh -o "StrictHostKeyChecking no" -t ${server} 'sudo sed -ibak -e "s#https://oldchef.server.com/#https://newchef.server.com/#g" /etc/chef/client.rb'; done

list:


Bash case switches

# Bail out (with a failure code) if the job option came through empty.
if [[ -z "${TAG_VALUE}" ]]; then
  echo "TAG_VALUE was blank, exiting!"
  exit 1
fi

# @option.Command@ is a job-option placeholder that the job runner (Rundeck
# syntax) substitutes before the script runs; in a plain script use "$1".
case "@option.Command@" in
  start)
    echo 'I am the first box'
    ;;
  stop)
    echo 'I am the second box'
    ;;
  restart)
    echo 'I am the third box'
    ;;
  status)
    echo 'I am the fourth box'
    ;;
  5)
    echo 'I am the fifth box'
    ;;
  *)
    echo 'I am another box higher than 5'
    ;;
esac