Sunday, March 29, 2009

Scalpel - Recover lost file

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.
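How header/footer carving works in principle, as an added Python example that is not Scalpel's code and not part of the original post. The rules, the `carve` function and the sample image are all constructed for illustration.

```python
# Added illustration of header/footer carving; not Scalpel's source code.
from typing import NamedTuple


class Rule(NamedTuple):
    ext: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for the footer after this many bytes


# Constructed rules using the well-known JPEG and PDF start/end markers.
RULES = [
    Rule("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    Rule("pdf", b"%PDF-", b"%%EOF", 1 << 20),
]

# Constructed sample "partition": zero padding, one JPEG-like blob, one
# PDF-like blob, and a JPEG header whose footer was never written.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-pixels" + b"\xff\xd9"
PDF = b"%PDF-1.4\nconstructed body\n%%EOF"
SAMPLE = b"\x00" * 512 + JPEG + b"\x00" * 100 + PDF + b"\x00" * 50 + b"\xff\xd8\xff\xe0cut"


def carve(image: bytes, rules=RULES):
    """Return sorted (offset, ext, data) for each header..footer match."""
    found = []
    for rule in rules:
        pos = 0
        while (start := image.find(rule.header, pos)) != -1:
            limit = min(len(image), start + rule.max_size)
            end = image.find(rule.footer, start + len(rule.header), limit)
            if end == -1:
                pos = start + 1  # header with no footer in range: skip it
                continue
            end += len(rule.footer)
            found.append((start, rule.ext, image[start:end]))
            pos = end
    return sorted(found)


if __name__ == "__main__":
    for offset, ext, data in carve(SAMPLE):
        print(f"{offset:08d}.{ext}: {len(data)} bytes")
```

Because matching is done on raw bytes, no filesystem metadata is consulted, which is why the same approach works on any partition type.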

Step 1: Install scalpel
# yum install scalpel

Step 2: Select the file types you wish to recover by uncommenting their definitions in the configuration file.
# vim /etc/scalpel.conf

Step 3: Recover the file
# scalpel /dev/mapper/VolGroup00-LogVol00 -o output

  1. Make sure a directory named output does not already exist, or Scalpel will not work.
  2. Scalpel searches by partition, not by directory, so do not specify a directory. It simply will not work.
  3. To find out which partitions you have, type # mount

Article: For more information, see Recover Deleted Files With Scalpel by HowToForge