Recover Deleted Files With Scalpel

Scalpel is a fast file carver: it reads a database of header and footer definitions and extracts every matching byte range from a disk image or a raw device file. Because it works on raw bytes rather than filesystem metadata, it is filesystem-independent and will carve files from FATx, NTFS, ext2/3 or unpartitioned space, which makes it useful for both digital forensics and plain file recovery.
This article explains how to use scalpel to recover deleted files.
On Debian or Ubuntu, install scalpel:
$ sudo aptitude install scalpel
In the config file scalpel.conf you have to enable the file types scalpel should search for; every rule is commented out by default. Each line gives the extension, whether the header/footer match is case-sensitive (y), the maximum carve size in bytes, the header, the footer, and optionally REVERSE, which tells scalpel to search backwards from the maximum carve size for the last footer rather than stopping at the first one (PDFs saved with incremental updates contain several %%EOF markers, so this matters). In our example we will check for PDF files, so we uncomment these two lines, which differ only in the line ending after the footer:
$ sudo vi /etc/scalpel/scalpel.conf
[…]
pdf y 5000000 %PDF %EOF\x0d REVERSE
pdf y 5000000 %PDF %EOF\x0a REVERSE
[…]
First of all make sure that the output directory does not exist (scalpel refuses to run into a directory that already contains files) and that it lives on a different disk than the one you are recovering from, otherwise the carved output can overwrite the very blocks you are trying to recover. When possible carve from a dd image of the partition rather than the live device. To recover data from the sda1 partition, we can use scalpel as follows:
$ sudo scalpel /dev/sda1 -o output
The carved files are written to the output directory, grouped in per-type subdirectories, together with an audit.txt that lists each carved file with the byte offset it was found at, its length and whether it was chopped at the maximum carve size.
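To make the config line above concrete, here is a small header/footer carver written for this article (it is not scalpel's code) that implements the same rule: find `%PDF`, look for `%EOF` plus a line ending within the maximum carve size, and with REVERSE take the last footer in the window instead of the first. The `carve_without_footer` flag is my approximation of scalpel's `-b` option, which carves the maximum size when no footer is found; the disk image is constructed inline and contains one PDF with two `%%EOF` markers and one whose footer has been overwritten.

```python
"""Minimal scalpel-style carver for the PDF rules in scalpel.conf.

Added example for this article; not scalpel's own implementation.
"""

# (extension, header, footer, max carve size in bytes, reverse) as in the
# two uncommented scalpel.conf lines.
PDF_RULES = [
    ("pdf", b"%PDF", b"%EOF\x0d", 5_000_000, True),
    ("pdf", b"%PDF", b"%EOF\x0a", 5_000_000, True),
]


def carve(image, header, footer, max_size, reverse=False, carve_without_footer=False):
    """Return a list of carved files found in `image` for one header/footer rule.

    reverse=True (scalpel's REVERSE keyword) selects the *last* footer inside the
    max_size window, so a PDF with appended incremental updates is carved whole.
    carve_without_footer mirrors scalpel's -b switch (assumption: emits max_size
    bytes and flags the result as chopped when no footer is found).
    """
    hits = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        window = image[start:start + max_size]
        if reverse:
            end = window.rfind(footer)
        else:
            end = window.find(footer, len(header))
        if end != -1:
            length = end + len(footer)
            hits.append({"offset": start, "length": length,
                         "data": window[:length], "chopped": False})
        elif carve_without_footer:
            hits.append({"offset": start, "length": len(window),
                         "data": window, "chopped": True})
        # Keep scanning right after this header so nested/overlapping headers are seen.
        pos = start + len(header)
    return hits


def run_rules(image, rules, carve_without_footer=False):
    """Apply every rule and build audit lines like scalpel's audit.txt."""
    carved, audit = [], []
    for rule_no, (ext, header, footer, max_size, reverse) in enumerate(rules):
        for n, hit in enumerate(carve(image, header, footer, max_size,
                                      reverse, carve_without_footer)):
            name = f"{ext}-{rule_no}-0/{n:08d}.{ext}"
            carved.append((name, hit["data"]))
            audit.append(f"{name}\t{hit['offset']}\t{'YES' if hit['chopped'] else 'NO'}"
                         f"\t{hit['length']}")
    return carved, audit


def build_sample_image():
    """Constructed image: junk, a PDF with two %%EOF markers (incremental update),
    junk, a PDF whose footer was overwritten, junk."""
    pdf_with_update = (b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
                       b"2 0 obj<<>>endobj\n%%EOF\n")
    pdf_truncated = b"%PDF-1.7\n3 0 obj<<>>endobj\n"
    junk = b"\x00" * 512
    return junk + pdf_with_update + junk + pdf_truncated + junk


if __name__ == "__main__":
    img = build_sample_image()
    files, audit_lines = run_rules(img, PDF_RULES)
    print("File\tStart\tChop\tLength")
    print("\n".join(audit_lines))
    for name, data in files:
        print(name, data)
```

Run it and compare the REVERSE result (the 57-byte PDF including both `%%EOF` markers) with `reverse=False`, which stops at the first footer and returns only the first 33 bytes; that is exactly the truncation the REVERSE keyword exists to avoid. The partially overwritten PDF is only reported when `carve_without_footer=True`, and then with the chop flag set, which is the behaviour to expect from scalpel's `-b`.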
