Recover Deleted Files With Scalpel

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.
This article explain how to use scalpel to recover deleted files.
on a debian or ubuntu install scalpel.
$ sudo aptitude install scalpel
In the config file scalpel.conf you have to define some file types that scalpel will search, in our example we will check for pdf files, so we uncomment these lines:
$ sudo vi /etc/scalpel/scalpel.conf
pdf y 5000000 %PDF %EOF\x0d REVERSE
pdf y 5000000 %PDF %EOF\x0a REVERSE
First of all make sure that the output directory does not exist, so to recover data from the sda1 partition, we can use scalpel as following:
$ sudo scalpel /dev/sda1 -o output
And the result is stored into the output directory with a full audit file.


Author: Ali MEZGANI

My name is MEZGANI Ali. I was born back in 1978 in Rabat Morocco. My interests are Debian Linux , programming , science and music.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s