Recover deleted files and folders using Scalpel (a filesystem recovery tool) on Linux


Scalpel is based on Foremost, an open source application developed to recover deleted information. Scalpel is significantly faster and more efficient: it reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file-system-independent and can recover files from FATx, NTFS, ext2/3/4, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
Scalpel is a standalone tool. It is available on Linux and Mac OS, and can also be used on Windows, although there it is necessary to compile it.

How to install scalpel recovery tool on Ubuntu 12.04/12.10/13.04/13.10 and Mint 13/14/15

To install Scalpel, open a terminal and enter the following command:

# sudo apt-get install scalpel

[Image: Scalpel installation on Ubuntu and Linux Mint]

Installing Scalpel in CentOS 5.x/6.x and Fedora 15/16/17/18/19

To install the Scalpel recovery tool on CentOS or Fedora Linux, first enable the EPEL repository and then type the following command:

# yum install scalpel

How to use scalpel recovery tool

Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted jpg files, so I uncomment the following lines:

# GIF and JPG files (very common)
        gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
        jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9

[Image: Scalpel config file]

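Go to the terminal and run the following command. ‘/dev/sda6’ is the device from which the files were deleted, and -o sets the directory where recovered files are written. Write the output to a different partition than the one being scanned, so that recovered files do not overwrite the deleted data.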

# sudo scalpel /dev/sda6 -o /home/rasho/Desktop/output/

Sample output:

[Image: sample Scalpel output]

See also: Photorec recovery deleted files on RHEL/CentOS/Fedora and Ubuntu/Mint Linux

 
