NAME

       scalpel - Recover files using a header/footer database

SYNOPSIS

       scalpel  [-b]  [-c  <file>] [-d] [-h] [-i <file>] [-m <blocksize>] [-n]
       [-o <dir>] [-O] [-p] [-r] [-s <num>] [-t] [-u] [-V] [-v] [FILES]...

DESCRIPTION

       Recover files from a disk image or raw block device  based  on  headers
       and footers specified by the user.

       -b     Carve  files  even  if  defined footers aren’t discovered within
              maximum carve size for file type [foremost 0.69 compat mode]

       -c file
              Chooses which configuration file  to  use.  If  this  option  is
              omitted,  then  "scalpel.conf" in the current directory is used.
              The format for  the  configuration  file  is  described  in  the
              default    configuration    file    "scalpel.conf".    See   the
              CONFIGURATION FILE section below for more information.

       -d     Generate   header/footer   database;   will    bypass    certain
              optimizations  and discover all footers, so performance suffers.
              Doesn’t affect the set of files carved.  **EXPERIMENTAL**

       -m blocksize
              Generate/update carve coverage blockmap file.  The first 32-bit
              unsigned int in the file identifies the block size. Thereafter,
              each 32-bit unsigned int entry in the blockmap file corresponds
              to one block in the image file.  Each entry counts how many
              carved files contain this block. Requires more memory and disk.
              **EXPERIMENTAL**

       -h     Show a help screen and exit.

       -i file
              file  is  used as a list of input files to examine. Each line in
              the specified file should contain a single filename.

       -o directory
              Recovered  files  are  written  to  the   directory   directory.
              Scalpel  requires  that  this  directory  be either empty or not
              exist.  The directory will be created if necessary.

       -O     Don’t organize carved files by  type.  Default  is  to  organize
              carved  files  into  subdirectories  to make previewing of large
              numbers of carved files easier.

       -p     Perform image file preview;  audit  log  indicates  which  files
              would have been carved, but no files are actually carved.

       -q clustersize
              Carve only when header is cluster-aligned.

       -r     Find  only  first  of overlapping headers/footers [foremost 0.69
              compat mode]

       -s number
              Skips number bytes in  each  input  file  before  beginning  the
              search for file headers and footers.

       -t     Set directory for coverage blockmap.  **EXPERIMENTAL**

       -u     Use  carve  coverage blockmap when carving.  Carve only sections
              of the image whose entries in the blockmap are 0.   These  areas
              are treated as contiguous regions.  **EXPERIMENTAL**

       -V     Show copyright information and exit.

       -v     Enables  verbose  mode. This causes copious amounts of debugging
              information to be output.
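
       The blockmap layout described under -m, and the zero-entry regions
       that -u carves, shown as an added example that is not part of Scalpel
       or of this manual page. The function names are hypothetical, and the
       byte order is not stated on this page: little-endian is assumed.

```python
import struct

def read_blockmap(raw, byteorder="<"):
    """Split a blockmap into (block_size, [per-block carve counts]).

    byteorder "<" (little-endian) is an assumption; the page does not say.
    """
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blockmap must be a whole number of 32-bit words")
    words = struct.unpack(f"{byteorder}{len(raw) // 4}I", raw)
    if words[0] == 0:
        raise ValueError("block size of 0")
    return words[0], list(words[1:])

def uncarved_regions(block_size, counts):
    """Byte ranges (start, end-exclusive) of contiguous blocks whose entry is 0."""
    regions, start = [], None
    for i, count in enumerate(counts + [1]):   # sentinel closes a trailing run
        if count == 0 and start is None:
            start = i
        elif count != 0 and start is not None:
            regions.append((start * block_size, i * block_size))
            start = None
    return regions

def shared_blocks(counts):
    """Indices of blocks that more than one carved file contains."""
    return [i for i, count in enumerate(counts) if count > 1]

# Constructed sample: 512-byte blocks, eight blocks of image.
SAMPLE_BLOCKMAP = struct.pack("<9I", 512, 1, 1, 0, 0, 2, 0, 1, 0)

if __name__ == "__main__":
    size, counts = read_blockmap(SAMPLE_BLOCKMAP)
    print("block size:", size)
    print("uncarved byte ranges:", uncarved_regions(size, counts))
    print("blocks in more than one carved file:", shared_blocks(counts))
```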

CONFIGURATION FILE

       The configuration file is used to control the types  of  files  Scalpel
       will attempt to carve.  A sample configuration file, "scalpel.conf", is
       included with this distribution. For each file type, the  configuration
       file  describes the file’s extension, whether the header and footer are
       case sensitive, the maximum file size, and the header  and  footer  for
       the  file.  The  footer  field  is optional, but the header, size, case
       sensitivity, and extension fields are required.

       Important note: The default configuration file has all supported file
       patterns commented out--you must edit this before running Scalpel.

       Any line in the configuration file that begins with  a  pound  sign  is
       considered a comment and ignored.

       Headers  and  footers  are  decoded  before  use. To specify a value in
       hexadecimal use  \x[0-f][0-f],  and  for  octal  use  \[1-9][1-9][1-9].
       Spaces  can be represented by \s. Example: "\x4F\123\I\sCCI" decodes to
       "OSI CCI".

       To match any single character (aka a wildcard) use a ’?’. If  you  need
       to search for the ’?’ character, you will need to change the ’wildcard’
       line *and* every occurrence  of  the  old  wildcard  character  in  the
       configuration  file, including those appearing in hex and octal values.
       ’?’ is equal to \x3f and \063.

AUTHORS

       Written by Golden G. Richard III.  The first  version  of  Scalpel  was
       based on foremost 0.69, which was written by Special Agent Kris Kendall
       and Special Agent Jesse Kornblum of the United States Air Force  Office
       of Special Investigations.

BUGS AND LIMITATIONS

       It  is  currently not possible to carve physical block devices directly
       using the Windows version of Scalpel.  This is a limitation  that  will
       be removed in a future release of Scalpel.

REPORTING BUGS

       When  submitting  a  bug  report,  please  include a description of the
       problem, how you found it, and your contact information.

       Send bug reports to:
       golden@digitalforensicssolutions.com

COPYRIGHT

       This  is  free  software.   There  is  NO  warranty;   not   even   for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

       More  information  on  Scalpel  appears in the README file, distributed
       with the Scalpel source code.