x32x01
  • by x32x01 ||
Scalpel was created with as an improvement of Foremost 0.69. We have talked about Foremost earlier. It is a data recovering tool. Foremost's earlier versions have some issue when it get some CPU heavy jobs. Scalpel bypasses it. Foremost can recover permanently deleted data easily like Foremost.

Scalpel comes pre-installed with Kali Linux. It is one of the best forensics tool comes packaged with Kali Linux.
Scalpel - Recover Permanently Deleted Files
In foremost we need to specify the file types we want to recover on each time we use it. But in scalpel we can modify the scalpel configuration file to specify it which type of files we want to recover.

Configuring Scalpel on Kali Linux
The configuration file is located on /etc/scalpel/scalpel.conf , We can open this by using following command:
Code:
sudo mousepad /etc/scalpel/scalpel.conf

The screenshot of the command is following:
scalpel configuration.jpg
Here we can see the configuration file of scalpel. We can scroll down and we can see there are lots of file types.
files in scaplpel configuration.png
In the configuration file we can see that every line is started from '#'. # is used to inactive, this is used for comment if we remove the # it will be uncommented. We need to un-# (removing those #) those file types if we need to recover these type of files. That means we need to have a clear idea which type of files we are looking for. If we don't know any specific file types then we can un-# all the file types.

For an example we are going to remove hashes from gif and jpg files and in this tutorial we are going to recover some gif and jpg images.

So we removed those hashes (#) and save the file, as shown in the following screenshot:
scalpel configuration saved.png
Just saved (Ctrl+S) and closed it. Now we are ready to rock.

Using Scalpel to Recover Files on Kali Linux
First we check for help options of scalpel to know more about it. We just need to apply following command to see the help of scalpel:
Code:
scalpel -h

The following screenshot shows the output of the above command:
Scalpel help menu.jpg
We need to read the lines they are very easy to understand.

We have just run format of a USB drive on our Windows system and it contains lots of gif and jpg images on it. After formatting it got blank. Now we try to recover those images.

We strongly warn to not use this on directly on a disk. First we need to make a bit to bit clone a disk then we can use these kind of recovery tools on the cloned disk images. This is the way to save the real evidence.

We can use Guymager tool to clone an entire disk. Guymager is really very helpful. Here we have a cloned that USB drive in dd file format named KaliLinuxIn.dd (in our Desktop).
desktop.png
Here we run Scalpel to recover GIF and JPG images by using following command:
Code:
scalpel -o recovered/ KaliLinuxIn.dd
scalpel recovery of files.png
On the above screenshot we can see that the recovery process is completed. By using the -o flag we specified the output folder. So in our desktop a new folder is created named "recovered".

We can see the output folder named "recovered" on our desktop.
output folder on desktop.png
Now we can go inside the folder and check for our recovered files. In this article for an example we just recovered only images files.
recovered images.png
In the output directory we also got a audit.txt file that stores the information of the recovered files.

This is how we can recover deleted files on Linux using scalpel.

While Foremost and Scalpel both can recover files from a storage but Scalpel returned more files than Foremost and Scalpel is very fast. Foremost also have some advantages that Foremost got more accuracy then Scalpel.

Unfortunately, the filenames returned by both tools are not the original filenames and in some instances, there may be duplicates of recovered files as many files may be fragmented and appear to be separate files.

Try both of these tools and please comment down which tool is more useful. We are curious know. Please tell us in the comment section.

Love our super easy articles ? Don't wanna miss new articles? follow our Subscription for free to get updates on E-mail. We also post articles on GitHub and Twitter. Make sure to follow us there.
For anything problem please let us know in the comment section. We always be there to help everyone. We read each and every comment and we always reply.
 

Similar Threads

x32x01
Replies
0
Views
36
x32x01
x32x01
x32x01
Replies
0
Views
28
x32x01
x32x01
x32x01
Replies
0
Views
111
x32x01
x32x01
x32x01
Replies
0
Views
108
x32x01
x32x01
x32x01
Replies
0
Views
386
x32x01
x32x01
TAGs: Tags
recover permanently deleted files

Register & Login Faster

Forgot your password?

Latest Resources

Forum Statistics

Threads
517
Messages
518
Members
44
Latest Member
Zodiac
Back
Top