Recover Deleted Files With Scalpel

Version 1.0
Author: Falko Timme

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. This short article shows how you can use Scalpel to recover deleted files.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

Please note that there's no guarantee that Scalpel will succeed in recovering your files, but at least there's a chance.

2 Installing Scalpel

On Debian and Ubuntu, Scalpel can be installed as follows:

apt-get install scalpel

3 Using Scalpel

Take a look at

man scalpel

to learn how to use Scalpel.

Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted PDF files, so I uncomment the following lines:

vi /etc/scalpel/scalpel.conf

[...]
        pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
        pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
[...]

Scalpel can be used as follows to try to recover the files:

scalpel /dev/sda1 -o output

-o defines the directory where Scalpel will place the recovered files - in this case the directory is named output and is a subdirectory of the directory where we are running the scalpel command from; the directory must not exist because otherwise scalpel will refuse to start.

(If you don't know what partition to search, take a look at

mount

server1:~# mount
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
nfsd on /proc/fs/nfsd type nfsd (rw)
server1:~#

)

After Scalpel has finished, you will find a folder called output in the directory from where you called Scalpel:

ls -la

server1:~# ls -la
total 36
drwxr-xr-x  5 root root 4096 2009-03-12 17:53 .
drwxr-xr-x 21 root root 4096 2009-02-16 13:10 ..
drwx------  2 root root 4096 2009-02-16 13:15 .aptitude
-rw-------  1 root root  377 2009-02-16 13:32 .bash_history
-rw-r--r--  1 root root  412 2004-12-15 23:53 .bashrc
drwxr-xr-x  2 root root 4096 2009-02-16 13:17 .debtags
drwxr-xr--  3 root root 4096 2009-03-12 17:53 output
-rw-r--r--  1 root root  140 2007-11-19 18:57 .profile
-rw-------  1 root root 3480 2009-03-12 17:06 .viminfo
server1:~#

ls -l output

server1:~# ls -l output
total 8
-rw-r--r-- 1 root root 386 2009-03-12 19:10 audit.txt
drwxr-xr-x 2 root root 4096 2009-03-12 19:10 pdf-0-0
server1:~#

The audit.txt contains a summary of what Scalpel has done:

cat output/audit.txt

server1:~# cat output/audit.txt

Scalpel version 1.60 audit file
Started at Thu Mar 12 19:01:50 2009
Command line:
scalpel /dev/sda1 -o output

Output directory: /root/output
Configuration file: /etc/scalpel/scalpel.conf

Opening target "/dev/sda1"

The following files were carved:
File Start Chop Length Extracted From
00000000.pdf 5712642048 NO 437138 sda1

Completed at Thu Mar 12 19:10:33 2009
server1:~#

And the pdf-0-0/ subdirectory contains the jpg files that Scalpel has recovered:

ls -l output/pdf-0-0/

server1:~# ls -l output/pdf-0-0/
total 432
-rw-r--r-- 1 root root 437138 2009-03-12 19:10 00000000.pdf
server1:~#

Before you run Scalpel the next time from the same directory, you must either delete/rename the current output/ directory (because Scalpel will not start if the output directory is already existing) or use specify another output directory.

4 Links

Scalpel: http://www.digitalforensicssolutions.com/Scalpel/

view as pdf | print

Share this page:

15 Comment(s)

Add comment

Comments

By: Anonymous

shouldn't be needed, no.

By: Jacek Mendinka

Hi, is it necessary to mount the partition to be scanned?

By: wilfrieds

Am a bit confused by all the hex.

Say I want to recover JPG files that are all in subdirectories on the disk, can I just write a line in the conf file saying :

jpg y 200000000 %JPG

Will this find all jpg files in all subdirs or only the jpg files that end in JPG (capitals)

By: Anonymous

Nope!

Under Windows a jpg file must end in .jpg, or else Windows won't know what programme to use to open it. In Linux however the terminations are optional. Linux identifies filetype by looking at the first few characters contained within the file. If you look at the contents of a bmp file the first 2 characters are BM, but with other file types which are stored in binary format, such as zip files the signature may contain non-printable characters - hence the hexadecimal signatures in scalpel.conf.

By: Comrad

Why the output I get is

/media/johnwalker/58bc0754-1b7f-4875-a90e-4983f06bc78a/: 100.0% |*******************| 4.0 KB 00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 0, elapsed = 0 seconds.

even though mounted volume is 54 GB? And program finishes work in a second. What I am doing wrong?

By: Anonymous

You need to run it against '/dev/[device]', not '/media/[device]'. Like it says, run 'mount' and you'll see which one it is in the list.

By: Netroware

The link to scalpel seems to have died... anyone have a mirror of it?

By:

Scalpel has been integrated into Sleuthkit, the git repository can be found here: https://github.com/sleuthkit/scalpel

Cheers
LGM

By:

Scalpel has been incorporated in Sleuthkit, so where the above tutorial says to install scalpel using:

apt-get install scalpel

instead run:

apt-get install sleuthkit

which will install scalpel as well as a number of other useful tools, see: https://github.com/sleuthkit

By: Gowri

Is it possible to detect specific file name, Please tell me how to recover my file. myfilename.Keystore is my file name can you tell me how to recover it.

By: jayalakshmi

Unable to recover files from scalpel in centos 6.0 while trying to recover .odt files after editing the scalpel.conf file.

Receiving errors as follows

ERROR: Couldn't open configuration file:

scalpel.conf -- No such file or directory

Scalpel was unable to read a needed file and will abort.

By: anonymous

$ scalpel /dev/sdb1 -o output

Scalpel version 2.1

Written by Golden G. Richard III and Lodovico Marziale.

ERROR: Couldn't open configuration file:

scalpel.conf -- No such file or directory

Scalpel was unable to read a needed file and will abort.

Unexpected error while reading search spec file.

By: anony

quote:

ERROR: Couldn't open configuration file:

scalpel.conf -- No such file or directory

Scalpel was unable to read a needed file and will abort.

You must specify a configuration file with the -c option.

Copy the file "/etc/scalpel/scalpel.conf"

somewhere... example: "/root/.config/scalpel/scalpel_002.conf"

and change its content as you like.

Then give...

scalpel -c /WHERE/THE/NEW/CONF/FILE/IS THE-REST-OF-THE-COMMAND

example...

scalpel -c /root/.config/scalpel/scalpel_002.conf -o /mnt/hd/files/scalpel-output /mnt/hd/iso/some-disk.iso

By: mainmeat

is this able to recover .xls files?

I have tried to change the conf file but I think my hex headers are still wrong?

Anyone have any luck with .xls?

cheers

By: Benjamin Hampe

How do i use this to search for *.h/*.hpp/*.c/*.cpp files? I saw *.txt but with PGP? Or UTF-8 encoded text-files?

Log in or Sign up

On this page