Recovering Deleted Files with Scalpel
Scalpel File Carver
By Falko Benthin
The Scalpel file carver helps users restore what they thought were lost
files.
You just need to delete the pesky backup files for the project, and then
you're off for home. However, rm *~ can quickly be mistyped as rm * ~,
which deletes all the files in the current directory. But perhaps all is not
lost: Deleted data usually is not dumped directly into a black hole. The
operating system typically only deletes the metadata, such as file name,
owner, and location. The user data is kept on the storage medium until it
is overwritten.
Linux has a number of file carvers, which are programs designed for
restoring such data. These tools analyze a disk for byte patterns that
match the file headers and footers and interpret everything between the
two as belonging to the file. This approach works as long as the header
and footer are clear, the file is not fragmented, and the file was not
encrypted.
When a footer is missing or not recognized, the carver just writes
everything to the recovery file until it encounters the next header.
Therefore, besides fragmented files and those with poorly discernible
ends, those that contain other files such as text documents with
embedded graphics also cause problems. If you use a file carver, you
should not expect miracles but just hope for the best.
File Scalpel
The Scalpel file carver can detect many different file types. It does not
matter which filesystem the disk has been formatted with: Scalpel uses a
database with headers and footers for various file types to trace files.
Recovering Deleted Files with Scalpel Linux Magazine http://www.linux-magazine.com/Online/Features/R...
1 de 5 11-08-2014 11:16
Many distributions have older versions of Scalpel in their repositories that
do the job well but lack the full functionality of the current version
2.0, such as regular expressions for headers and footers, multithreading,
asynchronous input and output, or GPU-accelerated file carving (if
NVidia's CUDA SDK is installed). If you want to use these features, you
must build Scalpel from the source code (see the Installation box).
In former times, file carvers scanned disks for header and footer patterns
and wrote all the results to a new medium, which required plenty of
storage. Scalpel, however, just checks a disk twice to put together all the
necessary information.
The first time you run Scalpel, it looks for headers and stores its findings
in a database; then, it identifies the footers. In doing so, Scalpel relies
on the fact that a header is always followed by a footer, which nicely
accelerates the search. Now you have an index with the positions of the
headers and footers, which forms the basis for the second run. This time,
Scalpel matches the headers and footers and writes the files it found
directly to a new location from memory, without having to access the disk
again.
Before Scalpel embarks on a search for lost data, it reads the
scalpel.conf configuration file, which can contain the minimum and
maximum sizes of the files, including headers and footers, in addition to
the file types to search for. Specifying a file type whose footer is
missing results in bloated output files. Before you start carving, you
should therefore make some individual settings that restrict the search
from the outset to a minimum number of file types and sizes.
Saving the Sandman
Next, I'll give some examples of rescue operations. Scenario 1 involves a
household without TV and with at least one young child. The father has
accidentally deleted the child's favorite Sandmann episodes, which
were recorded from the ARD Mediathek over several days. Deprived of the
show, the child expresses disappointment in the usual loud and
unmistakable way.
The scalpel.conf file does not have an entry for the MP4 format, but the
existing, long-since viewed files show an encouraging consistency in
terms of the headers (Figure 1).
Figure 1: If Scalpel does not know the headers and footers for a file type, you
can create them manually in scalpel.conf.
Dad now feeds the data to scalpel.conf. The first item in the new entry
(Figure 2) is the file extension that should receive potential matches.
Figure 2: You can add custom headers and footers to scalpel.conf. Minimum
and maximum file sizes can act as additional criteria.
The y indicates whether Scalpel distinguishes between uppercase and
lowercase in the header and footer. This is followed by the minimum and
maximum file sizes; the MP4s usually occupy between 30 and 70MB.
Finally, the header is given. A footer cannot be specified, because it
always turns out differently.
Then, dad starts the rescue operation at the command line with:
$ scalpel -c scalpel.conf -o sandmann_recovered /dev/sdd1
During this operation, Scalpel really does scratch six files back off the
disk. Because of the lack of footer information, they are all exactly
70,000,000 bytes long and contain a lost Sandmann sequence with a
more or less large chunk of junk data at the end (Figure 3). Cheers for
dad!
Figure 3: Success! Six files are restored. Because an unambiguous footer was
missing, Scalpel played it safe and used the max file size.
Save my LaTeX
Scenario 2: The USB stick with your humanities term paper in TeX has
died because of a physical defect in the boot sector. However, you took
the business of writing this paper seriously and tagged each file at the
beginning and end with %filename.tex and %filename.tex End. This
practice hugely increases your chances of seeing the contents again.
The recovery procedure is similar to that described above. In
scalpel.conf, you can comment out all the lines except the one that
describes the headers and footers of your well-documented paper:
tex y 300:50000 /%.{1,20}\.tex/ /%.{1,20}\.tex\sEnd/
This regular expression tells Scalpel to search for data fragments that
start with %.{1,20}\.tex and end with %.{1,20}\.tex\sEnd. The term .{1,20}
stands for at least 1 and a maximum of 20 arbitrary characters, the
escaped dot \. that follows matches the literal period before the tex
suffix, and the \s in the footer means a whitespace character such as a
space. Although regular expressions support the quantifiers *, +, ?, and
expressions like [:alnum:], experience shows that Scalpel cannot do much
with them.
Next, copy the contents of the broken USB stick to the stick.dd.img file
with dd, and then run the following command:
$ scalpel -c scalpel.conf -o lost_texfiles stick.dd.img
In this test, Scalpel needed just four seconds to scan a 2GB image file
and restore all the TeX files.
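To make the two-pass header/footer scheme and the footerless-file behaviour concrete, here is an added example in Python (not Scalpel's own code): it parses scalpel.conf-style entries such as the tex line above and carves a constructed image in memory. It assumes min:max sizes and slash-delimited regex patterns as shown on this page, and does not handle Scalpel's \x hex escapes.

```python
import re

# Added example, not Scalpel's own code: a minimal scalpel.conf-style carver
# ("ext case min:max header [footer]"). Slash-wrapped patterns are regexes, as
# in the tex entry on this page; other tokens are literal bytes (no \x escapes).
def to_regex(token, case_sensitive):
    is_regex = len(token) > 1 and token.startswith("/") and token.endswith("/")
    pattern = token[1:-1].encode() if is_regex else re.escape(token.encode())
    return re.compile(pattern, re.DOTALL | (0 if case_sensitive == "y" else re.IGNORECASE))

def parse_conf(text):
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        lo, hi = (int(x) for x in f[2].split(":")) if ":" in f[2] else (0, int(f[2]))
        footer = to_regex(f[4], f[1]) if len(f) > 4 else None
        entries.append((f[0], lo, hi, to_regex(f[3], f[1]), footer))
    return entries

def carve(image, entries):
    """Pass 1 indexes headers; pass 2 pairs each with a footer within max size.
    A header without a footer is cut at max size (the page's 70,000,000-byte MP4s)."""
    carved = []
    for ext, lo, hi, header, footer in entries:
        covered_until = -1
        for m in header.finditer(image):
            start = m.start()
            if start < covered_until:  # inside an earlier carve, e.g. the header regex hitting a footer
                continue
            end = min(start + hi, len(image))
            if footer is not None:
                f = footer.search(image, m.end(), start + hi)  # footer must follow the header
                if f:
                    end = f.end()
            if end - start >= lo:
                carved.append((ext, start, image[start:end]))
                covered_until = end
    return carved

# Constructed sample: one complete TeX file, junk, then a file whose footer
# was never written (as on a truncated or damaged stick).
CONF = "# ext case min:max header footer\ntex y 20:200 /%.{1,20}\\.tex/ /%.{1,20}\\.tex\\sEnd/\n"
IMAGE = (b"\x00" * 16 + b"%paper.tex\n\\documentclass{article}\nHello\n%paper.tex End\n"
         + b"\xff" * 32 + b"%notes.tex\n\\section{Lost}\nfooter never written" + b"\x00" * 400)

def demo():
    return carve(IMAGE, parse_conf(CONF))
```

Running demo() yields the complete paper cut exactly at its footer and the footerless notes file padded out to the 200-byte maximum, which is the same bloat the MP4 scenario shows.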
Conclusions
Scalpel cannot replace a backup, but it can come to the rescue in many
cases. Do not expect miracles, however; fragmented files or physical
storage faults make it difficult to detect file ends and push Scalpel to its
limits. In this case, the rescued files will often prove to be useless.