Recover Deleted Files With Scalpel

Version 1.0
Author: Falko Timme

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. This short article shows how you can use Scalpel to recover deleted files.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

Please note that there's no guarantee that Scalpel will succeed in recovering your files, but at least there's a chance.


2 Installing Scalpel

On Debian and Ubuntu, Scalpel can be installed as follows:

apt-get install scalpel


3 Using Scalpel

Take a look at

man scalpel

to learn how to use Scalpel.

Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted PDF files, so I uncomment the following lines:

vi /etc/scalpel/scalpel.conf

        pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
        pdf     y       5000000 %PDF  %EOF\x0a  REVERSE

Scalpel can be used as follows to try to recover the files:

scalpel /dev/sda1 -o output

-o defines the directory where Scalpel will place the recovered files. In this case the directory is named output and is a subdirectory of the directory from which we run the scalpel command; it must not exist yet, because otherwise scalpel will refuse to start.
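To make the meaning of the columns in those two pdf lines concrete (header, footer, maximum carve size and the REVERSE keyword), here is an added illustration that is not Scalpel's own code: a minimal Python carver that parses the lines above and runs them over a constructed image containing a PDF with one incremental update (so two %%EOF markers). It handles only the conf syntax shown on this page and also honours the case-sensitivity column, which the text does not discuss.

```python
import re

# Constructed scalpel.conf excerpt: the two pdf lines uncommented above.
# Columns: extension, case-sensitive (y/n), max carve size, header, [footer], [REVERSE]
CONF = r"""
    pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
    pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
"""

def unescape(token):
    """Turn scalpel's \\xNN escapes (e.g. %EOF\\x0a) into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token.encode())

def parse_conf(text):
    """Parse the uncommented scalpel.conf lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ext, case_sensitive, max_size = parts[0], parts[1] == "y", int(parts[2])
        footer = unescape(parts[4]) if len(parts) > 4 else b""
        reverse = len(parts) > 5 and parts[5] == "REVERSE"
        rules.append((ext, case_sensitive, max_size, unescape(parts[3]), footer, reverse))
    return rules

def carve(image, rules):
    """Return records shaped like audit.txt's table: file, start, chop, length (+ data)."""
    records = []
    for ext, case_sensitive, max_size, header, footer, reverse in rules:
        hay, hdr, ftr = ((image, header, footer) if case_sensitive
                         else (image.lower(), header.lower(), footer.lower()))
        pos = hay.find(hdr)
        while pos != -1:
            window = hay[pos:pos + max_size]
            # REVERSE takes the *last* footer in the window, so a PDF with incremental updates is carved whole
            idx = -1 if not ftr else (window.rfind(ftr) if reverse else window.find(ftr))
            chop = idx == -1  # no footer within max size: carve max_size bytes, Chop = YES
            length = len(window) if chop else idx + len(ftr)
            records.append({"file": f"{len(records):08d}.{ext}", "start": pos, "chop": chop,
                            "length": length, "data": image[pos:pos + length]})
            pos = hay.find(hdr, pos + 1)
    return records

# Constructed image: zero filler, one PDF with an incremental update (two %%EOF), filler.
PDF = (b"%PDF-1.4\n1 0 obj<<>>endobj\nstartxref\n9\n%%EOF\n"
       b"2 0 obj<<>>endobj\nstartxref\n50\n%%EOF\n")
IMAGE = b"\x00" * 512 + PDF + b"\x00" * 512
```

Running carve(IMAGE, parse_conf(CONF)) yields one chopped file from the \x0d line (no CR footer exists in the image) and one complete PDF from the \x0a line; without REVERSE the second carve would stop at the first %%EOF.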

If you don't know which partition to search, take a look at the output of

mount

server1:~# mount
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
nfsd on /proc/fs/nfsd type nfsd (rw)


After Scalpel has finished, you will find a folder called output in the directory from where you called Scalpel:

ls -la

server1:~# ls -la
total 36
drwxr-xr-x  5 root root 4096 2009-03-12 17:53 .
drwxr-xr-x 21 root root 4096 2009-02-16 13:10 ..
drwx------  2 root root 4096 2009-02-16 13:15 .aptitude
-rw-------  1 root root  377 2009-02-16 13:32 .bash_history
-rw-r--r--  1 root root  412 2004-12-15 23:53 .bashrc
drwxr-xr-x  2 root root 4096 2009-02-16 13:17 .debtags
drwxr-xr--  3 root root 4096 2009-03-12 17:53 output
-rw-r--r--  1 root root  140 2007-11-19 18:57 .profile
-rw-------  1 root root 3480 2009-03-12 17:06 .viminfo

ls -l output

server1:~# ls -l output
total 8
-rw-r--r-- 1 root root  386 2009-03-12 19:10 audit.txt
drwxr-xr-x 2 root root 4096 2009-03-12 19:10 pdf-0-0

The audit.txt contains a summary of what Scalpel has done:

cat output/audit.txt

server1:~# cat output/audit.txt

Scalpel version 1.60 audit file
Started at Thu Mar 12 19:01:50 2009
Command line:
scalpel /dev/sda1 -o output

Output directory: /root/output
Configuration file: /etc/scalpel/scalpel.conf

Opening target "/dev/sda1"

The following files were carved:
File              Start                 Chop            Length          Extracted From
00000000.pdf   5712642048               NO           437138             sda1

Completed at Thu Mar 12 19:10:33 2009

And the pdf-0-0/ subdirectory contains the PDF files that Scalpel has recovered:

ls -l output/pdf-0-0/

server1:~# ls -l output/pdf-0-0/
total 432
-rw-r--r-- 1 root root 437138 2009-03-12 19:10 00000000.pdf

Before you run Scalpel the next time from the same directory, you must either delete/rename the current output/ directory (because Scalpel will not start if the output directory already exists) or specify another output directory.



From: Anonymous

shouldn't be needed, no.

From: Jacek Mendinka

Hi, is it necessary to mount the partition to be scanned?

From: wilfrieds

I am a bit confused by all the hex.

Say I want to recover JPG files that are all in subdirectories on the disk, can I just write a line in the conf file saying:

        jpg       y        200000000       %JPG

Will this find all jpg files in all subdirs or only the jpg files that end in JPG (capitals)?

From: Anonymous

Under Windows a jpg file must end in .jpg, or else Windows won't know what programme to use to open it. In Linux however the terminations are optional. Linux identifies filetype by looking at the first few characters contained within the file. If you look at the contents of a bmp file the first 2 characters are BM, but with other file types which are stored in binary format, such as zip files the signature may contain non-printable characters - hence the hexadecimal signatures in scalpel.conf.


From: Comrad

Why is the output I get

/media/johnwalker/58bc0754-1b7f-4875-a90e-4983f06bc78a/: 100.0% |*******************|    4.0 KB    00:00 ETAProcessing of image file complete. Cleaning up...
Scalpel is done, files carved = 0, elapsed = 0 seconds.

even though the mounted volume is 54 GB? And the program finishes its work in a second. What am I doing wrong?

From: Anonymous

You need to run it against '/dev/[device]', not '/media/[device]'. Like it says, run 'mount' and you'll see which one it is in the list.

From: Netroware

The link to scalpel seems to have died... anyone have a mirror of it?

Scalpel has been integrated into Sleuthkit, the git repository can be found here:

Scalpel has been incorporated in Sleuthkit, so where the above tutorial says to install scalpel using:

apt-get install scalpel

instead run:

apt-get install sleuthkit

which will install scalpel as well as a number of other useful tools, see: