Diary of a computer geek

My Dad came to me asking me if I could crack a password for a word document he was trying to edit. He had created a form template and needed to edit it but could not remember the password he used. If all you have is a password set to disable editing of a word document it is pretty easy to remove it.

1. Open the file and save as html file
2. Open the html file in notepad or similar text editor
3. Look for and delete two lines <w:DocumentProtection>Forms</w:DocumentProtection> and <w:UnprotectPassword>B6339E98</w:UnprotectPassword>
   
   The UnprotectPassword will be a random combination of letters and numbers, depending on what the password to the document is.
4. Save the file.
5. Now you can open it in word, you may see an error. But the file will open and you can now edit it. So now re-save it as whatever file extension you want and you are good to go.

Doing this messed up the page size settings of the document, but that is easy to fix. It saved my Dad from having to recreate the document from scratch.

This is using Ghost Solution Suite 2.5, which is ghost 11.5, to image a hard drive that is encrypted by PGP encryption. But there is a good chance these same steps will work with other encryption software.

If you want to bypass all my troubleshooting that it took for me to get this to work then click here to go straight to the solution.

July 5, 2011

This adventure began late last week. I need to figure out how to image our encrypted hard drives in a manner that keeps the encryption intact. I’m not going to wait hours for a drive to decrypt just so I can image it and then have it spend another few hours, or however long, to re-encrypt it. The plan is to get this to work so that I can pull an image of each of our laptops every time we have huge software changes. I’m not sure what’s going to qualify as large enough changes to make me go through this, but I’ll figure it out when I get there. After I get this process to work properly I’ll just use the ghost client on the machines to back up the user files every 2 weeks or so.

Well last week I started my experiment with ghosting one of our unused encrypted laptops. It took me forever to realize that I can’t use the windows client to pull or push an image because ghost doesn’t like that I have to enter the password before the computer will finish booting up. Even though I was standing at the laptop when the client forced a reboot and typed the password in right when it prompted for it, it wouldn’t go into the WindowsPE environment. I thought I was being too slow at first, but that wasn’t the case.

I created a boot disk with the right NIC drivers on it for these laptops and had it boot to the CD. I finally got it imaging and then noticed it was splitting the image into the default 2GB chunks. With these laptops being 500GBs, that just isn’t going to work. I kept thinking of spanning, not splitting, so it then took me awhile to find the correct switch to add to the settings /facepalm. I finally got it to pull the image, it took 4 or 5 hours to do it and the next day I turned around and pushed the image back out to it – I’m using the ghostcast server on one of my servers since I don’t have a large enough external hard drive for a 500GB image and I don’t feel like buying one right now.

I came in this morning and rebooted the machine to see if the image worked. Well it prompted me for my encryption password but then it won’t boot into windows so I need to run the repair command. But I can’t do that until I decrypt the drive because the repair boot disk won’t see the hard drive until I do. So now I get to yank the hard drive out and hook it up to another laptop in order to decrypt it, that will take 12-24 hrs.

But, there is one more thing I will try before I become stumped. I used the split=0 switch, but not the switch to force a sector-by-sector copy (-ia). I thought I read in the documentation or in their forum that it would detect whether it needed to be sector-by-sector, but I don’t know how to find out and it didn’t work. The last time I had to decrypt a drive by hooking it up to another laptop as an external it took at least 20 hrs to finish. I’ll start that process shortly and try to image it again tomorrow.

If anybody has any advice please feel free to share it.

To be continued….

Continued:

Well I tried imaging it again after waiting 20 hrs for it to decrypt, then 20 more hours for it to encrypt itself again. The image failed. I tried using both the -split=0 and -ia switches and did see an error where it was saying something about -split=0 not being used properly or whatever. So now I have to decrypt it again (20 hrs), run the fixboot command, and let it encrypt itself again (20 hrs). Then I will try imaging one more time only using the -ia switch for sector-by-sector copy. I will report back once this has been attempted. I will figure this out, damn it.

October 11, 2011

So 3 months have past since I last spent much time trying to figure this out. I’m too stubborn to admit defeat and let something like this go without exhausting all resources first. I just knew there had to be a way to get it to work. I came across a KB article on Symantec’s website that sounded like exactly what I needed to do. Why this was never mentioned in any forum posts about PGP (or encryption in general) and Symantec Ghost (that I found anyway) is beyond me. I only ever saw mention of sector-by-sector copying and if you read my original post, then you know how well that worked out. I just realized the new article that  I found also refers to the -IR switch, which is a raw disk image, as sector-by-sector. What the hell? Let’s be a little more confusing please /sarcasm.

Solution:

1. Use a ghost boot CD or usb drive to get into the WindowsPE environment.
2. After it boots up and pops the Ghost GUI up, close that so you’re at the black command prompt.
3. From here I had to go back a couple directories by typing cd.. to find the directory the ghost executable lives in. I think it’s Ghost32.exe.
4. The switches you need to use are -IR, -FRO, and -SPLIT=0. So type ghost32.exe -IR -FRO -SPLIT=0 and hit enter. Now go through the normal steps to select the disk to image and the place to save it.

You are going to need a removable hard drive or the ability to ghostcast from a server that has enough space for the image to be the entire size of the hard disk, even if the disk only has 50GB of information on it. Since the image is a raw disk image (the -IR switch) it is imaging the entire disk. You can use the -SPLIT switch to chop the image into smaller bits, but that doesn’t make the image any easier to manage with hard disks being so large these days. Unless you need to chop the image into files that will fit on DVDs or Blu-Rays, I don’t see that being useful. Or maybe you have small usb hard drives to split the image onto, I suppose that’s helpful.

I pulled an image and turned around and pushed it back out and it worked perfectly. I rebooted the laptop this afternoon and it was like nothing happened – encryption and everything is intact. It looks like, based off the switch descriptions linked below, that the only difference between raw disk image and sector-by-sector is that the raw disk image ignores the partition table. Funny how the KB article still refers to it as sector-by-sector, yet their own switch description page does not.

Sources:

1. Ghost and PGP – Norton Community
2. Symantec KB Article TECH104163
3. Switches: Alphabetical list of switches

I was given the task of trying to figure out how to boot a spanned DD image file as a virtual machine in the software of my choice.  It was an old image of a Windows 2000 machine that was spanned in 650MB blocks, a total of 10 files.  I originally tried converting each segment into the VirtualBox VDI file just to see if I could get something usable, but that wasn’t successful. I looked online for 40-45 minutes trying to figure out how to merge all the segments into one file.  I had no luck at all with that, but I did get another idea because of a previous assignment in this class (computer forensics).

What I ended up doing was mounting the spanned image on my machine as another “disk” on my computer.  I then used ProDiscover Basic to capture an image of the “disk” – essentially capturing an image of an image. I then used Virtualbox’s command line tool to convert the new DD image file into their virtual hard drive file, a VDI.

Software used: Mount Image Pro, ProDiscover Basic, and VirtualBox.  Mount Image Pro is only a trial version, but it will work perfectly for this.  This is meant for students of my class who already have access to a demo version of ProDiscover Basic. There may be free alternatives out there that can do the same thing and can probably be swapped out easily for those steps.

Here are my steps, with lovely screenshots.

Open Mount Image Pro, click the mount button, click on add image. Browse to where your image is located and select the first file in the span and click open.

After you click on the Mount Disk button a window will pop up where you can select some options. The only way I got this to work was telling it to mount as physical and logical. I left the other 3 options as default.

After it has mounted you may see in the window that there are multiple partitions.You’ll want to pay attention to the As column and in this case, the one called PHYSICALDRIVE2 in my example.

Now open ProDiscover Basic, cancel the prompt to start a new case if that comes up, go to the action menu and click on capture image.  In this box you’ll want to select PHYSICALDRIVE2 as the source drive, choose the destination to save the file, and most importantly, choose the UNIX style DD format.  Click OK and walk away for a few minutes while it captures the image.

After the image has been captured the next step is to use the VirtualBox command line tool to convert it into a VDI file.  I find this to be easiest if you move or copy the DD file into your VirtualBox program files directory (C:\Program Files\Oracle\VirtualBox is the default path).  If you don’t put the file in that directory you’ll have to type out the entire path so the tool knows what file to convert.

Open a command prompt. Change the directory so you are in your VirtualBox installation directory by typing:

cd c:\program files\oracle\virtualbox

Now comes the command to convert the file into VDI format.

vboxmanage convertfromraw filename.dd newfilename.vdi

Hit enter and let it do its thing.  Once it returns a blank line it’s done.

Now you can cut and paste the DD and the VDI files into whatever directory you want.  Open VirtualBox and go through the prompts to create a new machine like you would any other time. Instead of having VirtualBox create a new disk you’ll just tell it to use an existing disk and choose the VDI file.