Magicrescue

Magicrescue is a forensic tool for recovering deleted files from storage media by scanning for file signatures (magic bytes). It works on raw disk images, individual files, or mounted filesystems, locating recoverable data without relying on filesystem structures: each file type is recognised by its signature and carved out of unallocated space. It is an essential tool for digital forensics, incident response, and data recovery after accidental deletion or malicious activity.

```bash
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install magicrescue
magicrescue --version  # Verify installation

# RHEL/CentOS
sudo yum install magicrescue
# Or on newer systems
sudo dnf install magicrescue

# macOS (Homebrew)
brew install magicrescue
magicrescue --version

# Download and compile
git clone https://github.com/jbj/magicrescue.git
cd magicrescue
./configure
make
sudo make install

# Windows (WSL)
wsl bash -c 'sudo apt-get install magicrescue'
```
```bash
magicrescue [options] [-d <directory>] [-f <filter>] <input_file|device>
```

| Option | Description |
|---|---|
| `-d <directory>` | Output directory for recovered files |
| `-f <filter>` | File type filter (jpeg, gif, png, zip, etc.) |
| `-r` | Search recursively through files |
| `-b <blocksize>` | Block size for filesystem analysis (default 4096) |
| `-o <offset>` | Start searching at byte offset |
| `-n` | Don't write files, just report findings |
| `-v` | Verbose output |
| `-V` | Very verbose (debug information) |
```bash
# Image formats
magicrescue -f jpeg /dev/sda1
magicrescue -f gif /dev/sda1
magicrescue -f png /dev/sda1
magicrescue -f bmp /dev/sda1

# Archive formats
magicrescue -f zip /dev/sda1
magicrescue -f gzip /dev/sda1
magicrescue -f rar /dev/sda1
magicrescue -f 7z /dev/sda1

# Document formats
magicrescue -f pdf /dev/sda1
magicrescue -f msoffice /dev/sda1

# Video formats
magicrescue -f mpeg /dev/sda1
magicrescue -f avi /dev/sda1

# View all supported file types
magicrescue --help-filters

# List with descriptions
magicrescue -h | grep -A 50 "filters"
```
```bash
# Recover all files from forensic image
magicrescue -d /tmp/recovered /evidence/disk_image.dd

# Recovery with progress
magicrescue -d /tmp/recovered -v /evidence/disk_image.dd

# Recover only JPEG images
magicrescue -d /tmp/recovered_images -f jpeg /evidence/disk_image.dd

# Recover PDFs
magicrescue -d /tmp/recovered_docs -f pdf /evidence/disk_image.dd

# Recover multiple types
magicrescue -d /tmp/recovered -f jpeg -f png -f gif /evidence/disk_image.dd

# Create forensic image first
sudo dd if=/dev/sda1 of=/evidence/partition.dd bs=4M

# Then recover from image
magicrescue -d /tmp/recovered /evidence/partition.dd

# Direct recovery from mounted filesystem
sudo magicrescue -d /tmp/recovered -r /mnt/evidence/mount_point

# With filter
sudo magicrescue -d /tmp/recovered -f jpeg -r /mnt/evidence/mount_point

# Start recovery from specific byte offset
magicrescue -o 1048576 -d /tmp/recovered /evidence/disk_image.dd

# Skip first 10GB, recover remainder
magicrescue -o 10737418240 -d /tmp/recovered /evidence/disk_image.dd

# Recover segment of disk
magicrescue -o 1000000000 -d /tmp/recovered -n /evidence/disk_image.dd  # dry-run first
```
```bash
# Organize by file type in subdirectories
# Create custom output structure
mkdir -p /tmp/recovered/{images,documents,archives,video}

# Recover images to subdirectory
magicrescue -d /tmp/recovered/images -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/recovered/images -f png /evidence/disk_image.dd

# Recover documents
magicrescue -d /tmp/recovered/documents -f pdf /evidence/disk_image.dd
magicrescue -d /tmp/recovered/documents -f msoffice /evidence/disk_image.dd

# Stage 1: Identify what's recoverable (dry-run)
magicrescue -d /tmp/test_recovery -n -v /evidence/disk_image.dd > recovery_report.txt

# Stage 2: Selective recovery based on findings
magicrescue -d /tmp/final_recovery -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/final_recovery -f gif /evidence/disk_image.dd
magicrescue -d /tmp/final_recovery -f png /evidence/disk_image.dd
```
```bash
# Recover all image formats
magicrescue -d /tmp/images -f jpeg /evidence/phone.dd
magicrescue -d /tmp/images -f png /evidence/phone.dd
magicrescue -d /tmp/images -f gif /evidence/phone.dd

# Recover video files
magicrescue -d /tmp/videos -f mpeg /evidence/phone.dd
magicrescue -d /tmp/videos -f avi /evidence/phone.dd

# Recover thumbnails/cache
magicrescue -d /tmp/thumbnails -f bmp /evidence/phone.dd

# Recover Office documents
magicrescue -d /tmp/recovered_docs -f msoffice /evidence/user_drive.dd

# Recover PDFs (potentially modified or malicious)
magicrescue -d /tmp/recovered_docs -f pdf /evidence/user_drive.dd

# Recover archives (may contain hidden data)
magicrescue -d /tmp/recovered_docs -f zip /evidence/user_drive.dd
magicrescue -d /tmp/recovered_docs -f gzip /evidence/user_drive.dd

# Recover executable files (if available)
magicrescue -d /tmp/malware -f elf /evidence/infected_drive.dd

# Recover potentially obfuscated archives
magicrescue -d /tmp/malware -f zip /evidence/infected_drive.dd
magicrescue -d /tmp/malware -f gzip /evidence/infected_drive.dd

# Recover temporary cache/hidden files
magicrescue -d /tmp/malware -f pdf /evidence/infected_drive.dd

# Recover cached images from browser
magicrescue -d /tmp/cache_images -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/cache_images -f gif /evidence/disk_image.dd
magicrescue -d /tmp/cache_images -f png /evidence/disk_image.dd

# Recover archived web content
magicrescue -d /tmp/web_archives -f zip /evidence/disk_image.dd
```
```bash
# Background processing with nice
nice -n 15 magicrescue -d /tmp/recovered /evidence/large_image.dd &

# Monitor progress
watch -n 5 'ls /tmp/recovered | wc -l'

# Process with output redirection
magicrescue -d /tmp/recovered /evidence/disk_image.dd > recovery.log 2>&1 &

# Job 1 (background): recover images
magicrescue -d /tmp/recovered/images -f jpeg /evidence/disk_image.dd &

# Job 2 (background): recover documents (different file types)
magicrescue -d /tmp/recovered/docs -f pdf /evidence/disk_image.dd &

# Wait for both background jobs to complete (run from the same shell that started them)
wait

# Process with reduced resource usage
ionice -c3 magicrescue -d /tmp/recovered /evidence/disk_image.dd

# Combined with nice for balanced recovery
nice -n 10 ionice -c3 magicrescue -d /tmp/recovered /evidence/disk_image.dd
```
```bash
# View recovered files by type
ls -lah /tmp/recovered/ | head -20

# Count recovered files
find /tmp/recovered -type f | wc -l

# List largest recovered files
find /tmp/recovered -type f -exec ls -lh {} \; | sort -k5 -h | tail -20

# Check file integrity with magic number verification
file /tmp/recovered/*

# Calculate checksums for integrity verification
sha256sum /tmp/recovered/* > recovery_checksums.txt

# Verify all recovered files have correct magic bytes (quote paths: carved names may contain spaces)
for file in /tmp/recovered/*; do
  echo "File: $file - $(file "$file")"
done
```
```bash
# Document recovery session
cat > recovery_report.txt << EOF
Recovery Date: $(date)
Source Image: /evidence/disk_image.dd
Recovery Tool: magicrescue $(magicrescue --version)
Output Directory: /tmp/recovered
Total Files Recovered: $(find /tmp/recovered -type f | wc -l)
EOF

# Add file listing
echo "=== Recovered Files ===" >> recovery_report.txt
find /tmp/recovered -type f -exec ls -lh {} \; >> recovery_report.txt

# Add checksums
echo "=== File Checksums ===" >> recovery_report.txt
find /tmp/recovered -type f -exec sha256sum {} \; >> recovery_report.txt
```
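The verification and report blocks above check each carved file with `file` and hash it separately. The script below, added here as an example and not part of the original page or the magicrescue project, folds both steps into one function: it compares the leading bytes of every file in a recovery directory with the known signature of the requested type, writes an OK/BAD line with a SHA-256 per file to a report, and prints the number of mismatches. It assumes only a directory of carved files plus GNU `sha256sum` and `head -c`; `verify_carved` and `expected_magic` are names chosen for this example.

```bash
#!/bin/sh
# Added example (not from the original page): verify that every file carved
# into a recovery directory really starts with the magic bytes of the requested
# type, and write a per-file SHA-256 report. Signatures are the well-known
# leading bytes of each format, as lowercase hex.

# expected_magic TYPE -> prints the leading-byte signature (hex) for a type name.
expected_magic() {
  case "$1" in
    jpeg) echo "ffd8ff" ;;
    png)  echo "89504e470d0a1a0a" ;;
    gif)  echo "474946383" ;;         # "GIF8", followed by "7a" or "9a"
    pdf)  echo "25504446" ;;          # "%PDF"
    zip)  echo "504b0304" ;;          # "PK\003\004"
    gzip) echo "1f8b" ;;
    *)    return 1 ;;
  esac
}

# head_hex FILE N -> prints the first N bytes of FILE as lowercase hex.
head_hex() {
  head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# verify_carved DIR TYPE REPORT
# Writes "OK|BAD sha256 path" for each file in DIR to REPORT, prints the
# number of files whose leading bytes do not match TYPE, and exits non-zero
# if there was any mismatch.
verify_carved() {
  dir=$1; type=$2; report=$3
  magic=$(expected_magic "$type") || { echo "unknown type: $type" >&2; return 2; }
  nbytes=$(( (${#magic} + 1) / 2 ))    # round up for odd-length signatures (gif)
  bad=0
  {
    echo "# $type verification of $dir, $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      case "$(head_hex "$f" "$nbytes")" in
        "$magic"*) status=OK ;;
        *)         status=BAD; bad=$((bad + 1)) ;;
      esac
      echo "$status $(sha256sum "$f" | cut -d' ' -f1) $f"
    done
  } > "$report"
  echo "$bad"
  [ "$bad" -eq 0 ]
}
```

The report lines can be appended to the chain-of-custody log shown later on this page. Note that the magicrescue man page selects file types with `-r RECIPE` (recipe files shipped with the tool) rather than a separate filter flag, so confirm the option syntax against the installed version before scripting around it.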
```bash
# Create image of USB drive
sudo dd if=/dev/sdb of=/evidence/usb_drive.dd bs=4M

# Recover from USB image
magicrescue -d /tmp/usb_recovered /evidence/usb_drive.dd

# Recover specific types
magicrescue -d /tmp/usb_images -f jpeg /evidence/usb_drive.dd
magicrescue -d /tmp/usb_docs -f pdf /evidence/usb_drive.dd

# Create partition image
sudo dd if=/dev/sda1 of=/evidence/partition.dd bs=4M

# Recover from partition
magicrescue -d /tmp/partition_recovered /evidence/partition.dd

# Recover with verbose output for analysis
magicrescue -d /tmp/partition_recovered -v /evidence/partition.dd > analysis.log

# Image with error handling (skip unreadable sectors, pad them to keep offsets aligned)
sudo dd if=/dev/sdc of=/evidence/damaged.dd bs=1M conv=noerror,sync

# Recover despite damage
magicrescue -d /tmp/recovered -n /evidence/damaged.dd  # Check what's recoverable

# Selective recovery of important data
magicrescue -d /tmp/recovered -f jpeg /evidence/damaged.dd
magicrescue -d /tmp/recovered -f pdf /evidence/damaged.dd
```
```bash
# Create integrity-protected recovery log
{
  echo "Recovery Session: $(date)"
  echo "Operator: $USER"
  echo "Source: /evidence/disk_image.dd"
  echo "Hash: $(md5sum /evidence/disk_image.dd)"
  echo "---"
  magicrescue -d /tmp/recovered -v /evidence/disk_image.dd
} | tee recovery_chain_of_custody.log

# Sign for legal admissibility
gpg --sign recovery_chain_of_custody.log

# magicrescue - signature-based carving
magicrescue -d /tmp/recovery_magic /evidence/disk_image.dd

# Compare with other tools (like scalpel)
scalpel -c /etc/scalpel/scalpel.conf -o /tmp/recovery_scalpel /evidence/disk_image.dd

# Correlate findings by content hash (the two tools name their output files differently,
# so comparing paths would always differ)
diff <(find /tmp/recovery_magic -type f -exec sha256sum {} + | cut -d' ' -f1 | sort) \
     <(find /tmp/recovery_scalpel -type f -exec sha256sum {} + | cut -d' ' -f1 | sort)
```
| Issue | Solution |
|---|---|
| "Permission denied" | Use sudo for device access: `sudo magicrescue -d /tmp/recovered /dev/sda1` |
| Slow recovery | Use background processing; may take hours on large disks |
| Low disk space | Monitor output directory: `watch -n 5 'du -sh /tmp/recovered'` |
| Corrupt image | Try with offset; image may have sectors with errors |
| No files recovered | Verify filter type; ensure file type exists on disk |
```bash
# Check version
magicrescue --version

# List available filters
magicrescue --help | grep -i filter

# Test on small filesystem
magicrescue -d /tmp/test -f jpeg /dev/null  # Should complete quickly
```
1. Preserve source: Create forensic image before analysis
2. Verify image integrity: Calculate and record hash values
3. Selective recovery: Use filters to focus on relevant data
4. Document process: Log all recovery steps and parameters
5. Chain of custody: Maintain audit trail of recovery activities
6. Verify results: Validate recovered files with file command
```bash
# Backup original image
cp /evidence/disk_image.dd /evidence/disk_image_backup.dd
md5sum /evidence/disk_image_backup.dd > image_hash.txt

# Preserve recovery environment
echo "Recovery completed: $(date)" > recovery_metadata.txt
echo "Files recovered: $(find /tmp/recovered -type f | wc -l)" >> recovery_metadata.txt
```
- Scalpel: Alternative file carving tool with more file types
- Foremost: File recovery tool using magic bytes
- Photorec: Comprehensive data recovery utility
- Autopsy: GUI frontend for forensic analysis
- SANS Investigative Forensic Toolkit (SIFT): Complete forensic environment
- The Sleuth Kit: Comprehensive forensic analysis framework