Scalpel

Description

Scalpel is an open source data carving tool.

Usage

Syntax

scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>]
[-n] [-o <outputdir>] [-O] [-p] [-q <clustersize>] [-r]
[-v] [-V] <imgfile> [<imgfile>] ...

Options

-b  Carve files even if defined footers aren't discovered within
    maximum carve size for file type [foremost 0.69 compat mode].
-c  Choose configuration file.
-d  Generate header/footer database; will bypass certain optimizations
    and discover all footers, so performance suffers.  Doesn't affect
    the set of files carved.  **EXPERIMENTAL**
-e  Do nested header/footer matching, to deal with structured files that may
    contain embedded files of the same type.  Applicable only to
    FORWARD / NEXT patterns.
-h  Print this help message and exit.
-i  Read names of disk images from specified file.  Note that minimal parsing of
    the pathnames is performed and they should be formatted to be compliant C
    strings; e.g., under Windows, backslashes must be properly quoted, etc.
-n  Don't add extensions to extracted files.
-o  Set output directory for carved files.
-O  Don't organize carved files by type. Default is to organize carved files
    into subdirectories.
-p  Perform image file preview; audit log indicates which files
    would have been carved, but no files are actually carved.  Useful for
    indexing file or data fragment locations or supporting in-place file
    carving.
-q  Carve only when header is cluster-aligned.
-r  Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-V  Print copyright information and exit.
-v  Verbose mode.

Example

Edit the conf file to recover what you want to . 

cyborg@cyborg:~$ sudo gedit /etc/scalpel/scalpel.conf

scalpel_conf Scalpel

Here we want to recover jpeg files, to do this , remove the hashtag # from the line .

Start Scalpel

cyborg@cyborg:~$ sudo scalpel -c /etc/scalpel/scalpel.conf -o recovered_files /dev/sdb1
Scalpel version 2.0
Written by Golden G. Richard III and Lodovico Marziale.
Multi-core CPU threading model enabled.
Initializing thread group data structures.
Creating threads...
Thread creation completed.

Opening target "/dev/sdb1"

Image file pass 1/2.
/dev/sdb1:   4.5% |*                                    |  680.0 MB    09:35 ETA
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?