Recover Deleted Files With Scalpel

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by falko (Contact Author) (Forums) on Tue, 2009-03-24 11:49. :: Linux

Recover Deleted Files With Scalpel

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/03/2009

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. This short article shows how you can use Scalpel to recover deleted files.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

Please note that there's no guarantee that Scalpel will succeed in recovering your files, but at least there's a chance.

 

2 Installing Scalpel

On Debian and Ubuntu, Scalpel can be installed as follows:

apt-get install scalpel

 

3 Using Scalpel

Take a look at

man scalpel

to learn how to use Scalpel.

Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted PDF files, so I uncomment the following lines:

vi /etc/scalpel/scalpel.conf

[...]
        pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
        pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
[...]

Scalpel can be used as follows to try to recover the files:

scalpel /dev/sda1 -o output

-o defines the directory where Scalpel will place the recovered files - in this case the directory is named output and is a subdirectory of the directory where we are running the scalpel command from; the directory must not exist because otherwise scalpel will refuse to start.

(If you don't know what partition to search, take a look at

mount

server1:~# mount
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
nfsd on /proc/fs/nfsd type nfsd (rw)
server1:~#

)

After Scalpel has finished, you will find a folder called output in the directory from where you called Scalpel:

ls -la

server1:~# ls -la
total 36
drwxr-xr-x  5 root root 4096 2009-03-12 17:53 .
drwxr-xr-x 21 root root 4096 2009-02-16 13:10 ..
drwx------  2 root root 4096 2009-02-16 13:15 .aptitude
-rw-------  1 root root  377 2009-02-16 13:32 .bash_history
-rw-r--r--  1 root root  412 2004-12-15 23:53 .bashrc
drwxr-xr-x  2 root root 4096 2009-02-16 13:17 .debtags
drwxr-xr--  3 root root 4096 2009-03-12 17:53 output
-rw-r--r--  1 root root  140 2007-11-19 18:57 .profile
-rw-------  1 root root 3480 2009-03-12 17:06 .viminfo
server1:~#

ls -l output

server1:~# ls -l output
total 8
-rw-r--r-- 1 root root  386 2009-03-12 19:10 audit.txt
drwxr-xr-x 2 root root 4096 2009-03-12 19:10 pdf-0-0
server1:~#

The audit.txt contains a summary of what Scalpel has done:

cat output/audit.txt

server1:~# cat output/audit.txt

Scalpel version 1.60 audit file
Started at Thu Mar 12 19:01:50 2009
Command line:
scalpel /dev/sda1 -o output

Output directory: /root/output
Configuration file: /etc/scalpel/scalpel.conf

Opening target "/dev/sda1"

The following files were carved:
File              Start                 Chop            Length          Extracted From
00000000.pdf   5712642048               NO           437138             sda1


Completed at Thu Mar 12 19:10:33 2009
server1:~#

And the pdf-0-0/ subdirectory contains the jpg files that Scalpel has recovered:

ls -l output/pdf-0-0/

server1:~# ls -l output/pdf-0-0/
total 432
-rw-r--r-- 1 root root 437138 2009-03-12 19:10 00000000.pdf
server1:~#

Before you run Scalpel the next time from the same directory, you must either delete/rename the current output/ directory (because Scalpel will not start if the output directory is already existing) or use specify another output directory.

 

4 Links


Copyright © 2009 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
scalpel conf
Submitted by wilfrieds (not registered) on Fri, 2009-07-24 19:37.

Am a bit confused by all the hex.

Say I want to recover JPG files that are all in subdirectories on the disk, can I just write a line in the conf file saying :

         jpg       y        200000000       %JPG

 Will this find all jpg files in all subdirs or only the jpg files that end in JPG (capitals)

reply | view as pdf view as pdf
necessary to mount partition
Submitted by Jacek Mendinka (not registered) on Thu, 2009-03-26 13:31.

Hi, is it necessary to mount the partition to be scanned?

reply | view as pdf view as pdf
Re: necessary to mount partition
Submitted by Anonymous (not registered) on Fri, 2009-04-24 19:18.
shouldn't be needed, no.
reply | view as pdf view as pdf
Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com

Red Hat Virtual Experience - a free virtual event. Dec. 9th