Scalpel was created with as an improvement of Foremost 0.69. We have talked about Foremost earlier. It is a data recovering tool. Foremost's earlier versions have some issue when it get some CPU heavy jobs. Scalpel bypasses it. Foremost can recover permanently deleted data easily like Foremost.
Scalpel comes pre-installed with Kali Linux. It is one of the best forensics tool comes packaged with Kali Linux.
In foremost we need to specify the file types we want to recover on each time we use it. But in scalpel we can modify the scalpel configuration file to specify it which type of files we want to recover.
Configuring Scalpel on Kali Linux
The configuration file is located on /etc/scalpel/scalpel.conf , We can open this by using following command:
The screenshot of the command is following:
Here we can see the configuration file of scalpel. We can scroll down and we can see there are lots of file types.
In the configuration file we can see that every line is started from '#'. # is used to inactive, this is used for comment if we remove the # it will be uncommented. We need to un-# (removing those #) those file types if we need to recover these type of files. That means we need to have a clear idea which type of files we are looking for. If we don't know any specific file types then we can un-# all the file types.
For an example we are going to remove hashes from gif and jpg files and in this tutorial we are going to recover some gif and jpg images.
So we removed those hashes (#) and save the file, as shown in the following screenshot:
Just saved (Ctrl+S) and closed it. Now we are ready to rock.Using Scalpel to Recover Files on Kali Linux
First we check for help options of scalpel to know more about it. We just need to apply following command to see the help of scalpel:The following screenshot shows the output of the above command:
We need to read the lines they are very easy to understand.
We have just run format of a USB drive on our Windows system and it contains lots of gif and jpg images on it. After formatting it got blank. Now we try to recover those images.
We strongly warn to not use this on directly on a disk. First we need to make a bit to bit clone a disk then we can use these kind of recovery tools on the cloned disk images. This is the way to save the real evidence.
We can use Guymager tool to clone an entire disk. Guymager is really very helpful. Here we have a cloned that USB drive in dd file format named KaliLinuxIn.dd (in our Desktop).
Here we run Scalpel to recover GIF and JPG images by using following command:
On the above screenshot we can see that the recovery process is completed. By using the -o flag we specified the output folder. So in our desktop a new folder is created named "recovered".We can see the output folder named "recovered" on our desktop.
Now we can go inside the folder and check for our recovered files. In this article for an example we just recovered only images files.
In the output directory we also got a audit.txt file that stores the information of the recovered files.
This is how we can recover deleted files on Linux using scalpel.
While Foremost and Scalpel both can recover files from a storage but Scalpel returned more files than Foremost and Scalpel is very fast. Foremost also have some advantages that Foremost got more accuracy then Scalpel.
Unfortunately, the filenames returned by both tools are not the original filenames and in some instances, there may be duplicates of recovered files as many files may be fragmented and appear to be separate files.
Try both of these tools and please comment down which tool is more useful. We are curious know. Please tell us in the comment section.
Love our super easy articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.