Scalpel is an open source application, based on Foremost, developed to recover deleted information. Scalpel is significantly faster and more efficient: it reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file-system-independent and can recover files from FATx, NTFS, ext2/3/4, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
Scalpel is a standalone tool that is independent of the file system. It is available on Linux and Mac OS, and can also be used on Windows, although there it is necessary to compile it.
How to install the Scalpel recovery tool on Ubuntu 12.04/12.10/13.04/13.10 and Mint 13/14/15
To install Scalpel, open a terminal and enter the following command:
# sudo apt-get install scalpel
Installing Scalpel in CentOS 5.x/6.x and Fedora 15/16/17/18/19
To install the Scalpel recovery tool on CentOS or Fedora Linux, you first need to enable the EPEL repository and then type the following command:
# yum install scalpel
How to use the Scalpel recovery tool
Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted jpg files, so I uncomment the following lines:
# GIF and JPG files (very common)
gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
Go to the terminal and type the following command. ‘/dev/sda6’ is the device from which the file was deleted.
# sudo scalpel /dev/sda6 -o /home/rasho/Desktop/output/