Scalpel
Scalpel is a high-performance file carving tool that recovers deleted files from raw data using configurable file type signatures.
Installation
Linux/Ubuntu
sudo apt install scalpel
From Source
git clone https://github.com/sleuthkit/scalpel
cd scalpel
./configure && make && sudo make install
Basic Commands
| Command | Description |
|---|---|
| scalpel -o output device.img | Carve files from image |
| scalpel -c scalpel.conf -o output device.img | Use custom config |
| scalpel -p -o output device.img | Preview mode: log what would be carved without writing files |
| scalpel -h | Display help |
| scalpel -V | Show version |
Configuration File Patterns
# /etc/scalpel/scalpel.conf format: one rule per line, whitespace-separated
# extension  case_sensitive  max_size_bytes  header  footer
# Signature bytes are written as \xNN escapes; the max sizes below are example values
jpg  y  200000000  \xff\xd8\xff\xe0                  \xff\xd9
png  y  20000000   \x89\x50\x4e\x47\x0d\x0a\x1a\x0a  \x49\x45\x4e\x44\xae\x42\x60\x82
pdf  y  5000000    \x25\x50\x44\x46                  \x25\x25\x45\x4f\x46
zip  y  10000000   \x50\x4b\x03\x04                  \x50\x4b\x05\x06
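How the header, footer and maximum-length fields in the patterns above drive a carve, shown as an added example: this is a simplified model written for this page, not Scalpel's own code. The rule sizes and the sample image are constructed for the demonstration, and the function names are hypothetical.

```python
import hashlib

# Rules reuse the page's signatures: (extension, header, footer, max carve size).
# The max sizes are assumed values, kept small for this demo.
RULES = [
    ("jpg", bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD9"), 64),
    ("png", bytes.fromhex("89504E470D0A1A0A"), bytes.fromhex("49454E44AE426082"), 64),
]

def carve(image: bytes, rules=RULES):
    """Return (extension, offset, data) for every header that has a matching
    footer within the rule's max size. Headers with no footer in range are
    skipped, so an overwritten tail does not produce a bogus file."""
    hits = []
    for ext, header, footer, maxlen in rules:
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + maxlen]          # never read past max size
            end = window.find(footer, len(header))    # first footer after header
            if end != -1:
                hits.append((ext, pos, window[:end + len(footer)]))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def build_sample_image() -> bytes:
    """Constructed test data, not a real disk image."""
    jpg = bytes.fromhex("FFD8FFE0") + b"JFIF-payload" + bytes.fromhex("FFD9")
    png = (bytes.fromhex("89504E470D0A1A0A") + b"IHDR..."
           + bytes.fromhex("49454E44AE426082"))
    orphan = bytes.fromhex("FFD8FFE0") + b"\x00" * 100  # header, footer lost
    return b"\x00" * 16 + jpg + b"\xAA" * 8 + png + b"\x00" * 4 + orphan

if __name__ == "__main__":
    # Name each hit by offset and record a hash so carved data can be
    # verified later.
    for ext, offset, data in carve(build_sample_image()):
        digest = hashlib.sha256(data).hexdigest()
        print(f"{offset:08d}.{ext}  {len(data):4d} bytes  sha256={digest[:16]}")
```

The third JPEG header in the sample has no footer within range, so only two objects are carved.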
Carving Operations
# Standard carving with default config
scalpel -o carved_files disk.img
# Use custom configuration
scalpel -c custom.conf -o output disk.img
# Carve specific file types
# Edit scalpel.conf to enable only needed types
# Verbose output with progress
scalpel -vv -o output disk.img
# Search all file types (slow)
# Enable every rule in scalpel.conf, then run a normal carve
scalpel -o output disk.img