NAME
scalpel - Recover files using a header/footer database
SYNOPSIS
scalpel [-b] [-c <file>] [-d] [-h] [-i <file>] [-m <blocksize>] [-n] [-o <dir>] [-O] [-p] [-r] [-s <num>] [-t] [-u] [-V] [-v] [FILES]...
DESCRIPTION
Recover files from a disk image or raw block device based on headers and footers
specified by the user.
- -b
- Carve files even if defined footers aren't discovered within maximum carve
size for file type [foremost 0.69 compat mode]
- -c file
- Chooses which configuration file to use. If this option is omitted, then
"scalpel.conf" in the current directory is used. The format for
the configuration file is described in the default configuration file
"scalpel.conf". See the CONFIGURATION FILE section below
for more information.
- -d
- Generate header/footer database; will bypass certain optimizations and
discover all footers, so performance suffers. Doesn't affect the set of
files carved. **EXPERIMENTAL**
- -m
- Generate/update carve coverage blockmap file. The first 32bit unsigned int
in the file identifies the block size. Thereafter each 32bit unsigned int
entry in the blockmap file corresponds to one block in the image file.
Each entry counts how many carved files contain this block. Requires more
memory and disk. **EXPERIMENTAL**
- -h
- Show a help screen and exit.
- -i file
- file is used as a list of input files to examine. Each line in the
specified file should contain a single filename.
- -o directory
- Recovered files are written to the directory directory. Scalpel
requires that this directory be either empty or not exist. The directory
will be created if necessary.
- -O
- Don't organize carved files by type. Default is to organize carved files
into subdirectories to make previewing of large numbers of carved files
easier.
- -p
- Perform image file preview; audit log indicates which files would have
been carved, but no files are actually carved.
- -q clustersize
- Carve only when header is cluster-aligned.
- -r
- Find only first of overlapping headers/footers [foremost 0.69 compat mode]
- -s number
- Skips number bytes in each input file before beginning the search
for file headers and footers.
- -t
- Set directory for coverage blockmap. **EXPERIMENTAL**
- -u
- Use carve coverage blockmap when carving. Carve only sections of the image
whose entries in the blockmap are 0. These areas are treated as contiguous
regions. **EXPERIMENTAL**
- -V
- Show copyright information and exit.
- -v
- Enables verbose mode. This causes copious amounts of debugging information
to be output.
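
The blockmap layout described under -m, and the zero-count regions that -u restricts carving to, can be inspected with a short script. This is an added example, not part of Scalpel or its documentation; it assumes little-endian byte order (the page does not state one), and the function names and sample data are constructed for illustration.

```python
import struct

def parse_blockmap(data, byteorder="<"):
    """Return (block_size, counts) from raw blockmap bytes.

    Layout per the -m description: one 32-bit unsigned block size, then one
    32-bit unsigned counter per image block. Byte order is an assumption.
    """
    if len(data) < 4 or len(data) % 4:
        raise ValueError("blockmap must be a non-empty multiple of 4 bytes")
    words = struct.unpack(f"{byteorder}{len(data) // 4}I", data)
    block_size, counts = words[0], list(words[1:])
    if block_size == 0:
        raise ValueError("block size of 0 is not valid")
    return block_size, counts

def uncarved_regions(block_size, counts):
    """Byte ranges (start, end_exclusive) whose entries are all 0, merged
    into contiguous regions as the -u description states."""
    regions, start = [], None
    for i, count in enumerate(counts):
        if count == 0 and start is None:
            start = i
        elif count != 0 and start is not None:
            regions.append((start * block_size, i * block_size))
            start = None
    if start is not None:
        regions.append((start * block_size, len(counts) * block_size))
    return regions

def overlapping_blocks(counts):
    """Indexes of blocks contained in more than one carved file."""
    return [i for i, count in enumerate(counts) if count > 1]

# Constructed sample: block size 512 followed by eight per-block counters.
SAMPLE = struct.pack("<9I", 512, 0, 0, 1, 1, 2, 0, 1, 0)

if __name__ == "__main__":
    size, counts = parse_blockmap(SAMPLE)
    print("block size:", size, "blocks:", len(counts))
    for begin, end in uncarved_regions(size, counts):
        print(f"uncarved: bytes {begin}-{end - 1}")
    print("blocks in more than one carved file:", overlapping_blocks(counts))
```

Blocks with a count above 1 belong to more than one carved file, which is worth checking before treating the overlapping carves as independent evidence.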
CONFIGURATION FILE
The configuration file is used to control the types of files Scalpel will
attempt to carve. A sample configuration file, "scalpel.conf", is
included with this distribution. For each file type, the configuration file
describes the file's extension, whether the header and footer are case
sensitive, the maximum file size, and the header and footer for the file. The
footer field is optional, but the header, size, case sensitivity, and
extension fields are required.
Important note: The default configuration file has all supported file patterns
commented out--you must edit this before running Scalpel.
Any line in the configuration file that begins with a pound sign is considered a
comment and ignored.
Headers and footers are decoded before use. To specify a value in hexadecimal
use \x[0-f][0-f], and for octal use \[1-9][1-9][1-9]. Spaces can be
represented by \s. Example: "\x4F\123\I\sCCI" decodes to "OSI
CCI".
To match any single character (aka a wildcard) use a '?'. If you need to search
for the '?' character, you will need to change the 'wildcard' line *and* every
occurrence of the old wildcard character in the configuration file, including
those appearing in hex and octal values. '?' is equal to \x3f and \063.
AUTHORS
Written by Golden G. Richard III. The first version of Scalpel was based on
foremost 0.69, which was written by Special Agent Kris Kendall and Special
Agent Jesse Kornblum of the United States Air Force Office of Special
Investigations.
BUGS AND LIMITATIONS
It is currently not possible to carve physical block devices directly using the
Windows version of Scalpel. This is a limitation that will be removed in a
future release of Scalpel.
REPORTING BUGS
When submitting a bug report, please include a description of the problem, how
you found it, and your contact information.
Send bug reports to:
golden@digitalforensicssolutions.com
COPYRIGHT
This is free software. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
More information on Scalpel appears in the README file, distributed with the
Scalpel source code.