
Magicrescue

Overview

Magicrescue is a forensic tool designed for recovering deleted files from storage media by searching for file signatures and magic bytes. It works on raw disk images, individual files, or mounted filesystems to locate recoverable data without relying on filesystem structures. The tool uses pattern matching to identify file types and carve them from unallocated space. It is used in digital forensics, incident response, and data recovery after accidental deletion or malicious activity.
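The signature-based carving described above, reduced to a few POSIX shell functions (an added example, not code from magicrescue): it hex-dumps a constructed sample image, locates the JPEG and PNG signatures by byte offset, and carves the JPEG from its SOI marker to the next EOI marker. Function names and the sample bytes are made up for the demonstration.

```shell
# Constructed sample "disk image": filler bytes around a tiny JPEG
# (SOI ff d8 ff e0 ... EOI ff d9) followed by a PNG signature.
make_sample_image() {
  printf 'junkjunk\377\330\377\340JFIF-body\377\331morejunk\211PNG\r\n\032\nPNGBODY' > "$1"
}

# Print the 0-based byte offsets where a hex signature (e.g. ffd8ff) starts.
# The file is hex-dumped once; matches at half-byte positions are ignored.
find_offsets() {
  od -An -v -tx1 "$1" | tr -d ' \n' | awk -v sig="$2" '{
    pos = 1
    while ((i = index(substr($0, pos), sig)) > 0) {
      hit = pos + i - 1                              # 1-based char index
      if ((hit - 1) % 2 == 0) print (hit - 1) / 2     # whole-byte hits only
      pos = hit + 1
    }
  }'
}

# Carve one JPEG: from the SOI at offset $2 up to and including the first
# EOI marker (ff d9) found after it. Fails if no EOI follows.
carve_jpeg() {
  eoi=$(find_offsets "$1" ffd9 | awk -v s="$2" '$1 > s { print $1; exit }')
  [ -n "$eoi" ] || return 1
  dd if="$1" of="$3" bs=1 skip="$2" count=$((eoi + 2 - $2)) 2>/dev/null
}

# Hex of the first N bytes of a file, used to check the carved result.
head_hex() {
  dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Stand-alone run: build the sample, report signature offsets, carve the JPEG.
run_demo() {
  dir=${TMPDIR:-/tmp}/carve_demo.$$
  mkdir -p "$dir"
  make_sample_image "$dir/sample.dd"
  echo "jpeg at: $(find_offsets "$dir/sample.dd" ffd8ff)"
  echo "png  at: $(find_offsets "$dir/sample.dd" 89504e470d0a1a0a)"
  carve_jpeg "$dir/sample.dd" 8 "$dir/00000008.jpg"
  echo "carved jpeg starts with: $(head_hex "$dir/00000008.jpg" 3)"
  rm -rf "$dir"
}

run_demo
```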

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install magicrescue
magicrescue --version  # Verify installation

Linux (RHEL/CentOS/Fedora)

sudo yum install magicrescue
# Or on newer systems
sudo dnf install magicrescue

macOS

brew install magicrescue
magicrescue --version

Build from Source

# Download and compile
git clone https://github.com/jbj/magicrescue.git
cd magicrescue
./configure
make
sudo make install

Windows (WSL2)

wsl bash -c 'sudo apt-get install magicrescue'

Command Syntax

Basic Structure

magicrescue [options] [-d <directory>] [-f <filter>] <input_file|device>

Core Options

Option            Description
-d <directory>    Output directory for recovered files
-f <filter>       File type filter (jpeg, gif, png, zip, etc.)
-r                Search recursively through files
-b <blocksize>    Block size for filesystem analysis (default 4096)
-o <offset>       Start searching at byte offset
-n                Don't write files, just report findings
-v                Verbose output
-V                Very verbose (debug information)

File Type Filters

Supported File Formats

# Image formats
magicrescue -f jpeg /dev/sda1
magicrescue -f gif /dev/sda1
magicrescue -f png /dev/sda1
magicrescue -f bmp /dev/sda1

# Archive formats
magicrescue -f zip /dev/sda1
magicrescue -f gzip /dev/sda1
magicrescue -f rar /dev/sda1
magicrescue -f 7z /dev/sda1

# Document formats
magicrescue -f pdf /dev/sda1
magicrescue -f msoffice /dev/sda1

# Video formats
magicrescue -f mpeg /dev/sda1
magicrescue -f avi /dev/sda1

List Available Filters

# View all supported file types
magicrescue --help-filters

# List with descriptions
magicrescue -h | grep -A 50 "filters"

Basic File Recovery

Recover from Disk Image

# Recover all files from forensic image
magicrescue -d /tmp/recovered /evidence/disk_image.dd

# Recovery with progress
magicrescue -d /tmp/recovered -v /evidence/disk_image.dd

Recover Specific File Types

# Recover only JPEG images
magicrescue -d /tmp/recovered_images -f jpeg /evidence/disk_image.dd

# Recover PDFs
magicrescue -d /tmp/recovered_docs -f pdf /evidence/disk_image.dd

# Recover multiple types
magicrescue -d /tmp/recovered -f jpeg -f png -f gif /evidence/disk_image.dd

Recover from Live Filesystem

# Create forensic image first
sudo dd if=/dev/sda1 of=/evidence/partition.dd bs=4M

# Then recover from image
magicrescue -d /tmp/recovered /evidence/partition.dd

Recover from Mounted Partition

# Direct recovery from mounted filesystem
sudo magicrescue -d /tmp/recovered -r /mnt/evidence/mount_point

# With filter
sudo magicrescue -d /tmp/recovered -f jpeg -r /mnt/evidence/mount_point

Advanced Recovery Techniques

Targeted Recovery with Offset

# Start recovery from specific byte offset
magicrescue -o 1048576 -d /tmp/recovered /evidence/disk_image.dd

# Skip first 10GB, recover remainder
magicrescue -o 10737418240 -d /tmp/recovered /evidence/disk_image.dd

# Recover segment of disk
magicrescue -o 1000000000 -d /tmp/recovered -n /evidence/disk_image.dd  # dry-run first

Selective Directory Output

# Organize by file type in subdirectories
# Create custom output structure
mkdir -p /tmp/recovered/{images,documents,archives,video}

# Recover images to subdirectory
magicrescue -d /tmp/recovered/images -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/recovered/images -f png /evidence/disk_image.dd

# Recover documents
magicrescue -d /tmp/recovered/documents -f pdf /evidence/disk_image.dd
magicrescue -d /tmp/recovered/documents -f msoffice /evidence/disk_image.dd

Multi-Stage Recovery

# Stage 1: Identify what's recoverable (dry-run)
magicrescue -d /tmp/test_recovery -n -v /evidence/disk_image.dd > recovery_report.txt

# Stage 2: Selective recovery based on findings
magicrescue -d /tmp/final_recovery -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/final_recovery -f gif /evidence/disk_image.dd
magicrescue -d /tmp/final_recovery -f png /evidence/disk_image.dd

Forensic Investigation Workflows

Photo and Media Recovery

# Recover all image formats
magicrescue -d /tmp/images -f jpeg /evidence/phone.dd
magicrescue -d /tmp/images -f png /evidence/phone.dd
magicrescue -d /tmp/images -f gif /evidence/phone.dd

# Recover video files
magicrescue -d /tmp/videos -f mpeg /evidence/phone.dd
magicrescue -d /tmp/videos -f avi /evidence/phone.dd

# Recover thumbnails/cache
magicrescue -d /tmp/thumbnails -f bmp /evidence/phone.dd

Document Recovery Investigation

# Recover Office documents
magicrescue -d /tmp/recovered_docs -f msoffice /evidence/user_drive.dd

# Recover PDFs (potentially modified or malicious)
magicrescue -d /tmp/recovered_docs -f pdf /evidence/user_drive.dd

# Recover archives (may contain hidden data)
magicrescue -d /tmp/recovered_docs -f zip /evidence/user_drive.dd
magicrescue -d /tmp/recovered_docs -f gzip /evidence/user_drive.dd

Malware Investigation

# Recover executable files (if available)
magicrescue -d /tmp/malware -f elf /evidence/infected_drive.dd

# Recover potentially obfuscated archives
magicrescue -d /tmp/malware -f zip /evidence/infected_drive.dd
magicrescue -d /tmp/malware -f gzip /evidence/infected_drive.dd

# Recover temporary cache/hidden files
magicrescue -d /tmp/malware -f pdf /evidence/infected_drive.dd

Deleted Web Activity Recovery

# Recover cached images from browser
magicrescue -d /tmp/cache_images -f jpeg /evidence/disk_image.dd
magicrescue -d /tmp/cache_images -f gif /evidence/disk_image.dd
magicrescue -d /tmp/cache_images -f png /evidence/disk_image.dd

# Recover archived web content
magicrescue -d /tmp/web_archives -f zip /evidence/disk_image.dd

Performance Optimization

Large Disk Image Processing

# Background processing with nice
nice -n 15 magicrescue -d /tmp/recovered /evidence/large_image.dd &

# Monitor progress
watch -n 5 'ls /tmp/recovered | wc -l'

# Process with output redirection
magicrescue -d /tmp/recovered /evidence/disk_image.dd > recovery.log 2>&1 &

Parallel Recovery of Multiple Types

# Background job 1: Recover images
magicrescue -d /tmp/recovered/images -f jpeg /evidence/disk_image.dd &

# Background job 2: Recover documents (different file types)
magicrescue -d /tmp/recovered/docs -f pdf /evidence/disk_image.dd &

# Wait for both background jobs of this shell to complete
wait

Memory-Efficient Processing

# Process with reduced resource usage
ionice -c3 magicrescue -d /tmp/recovered /evidence/disk_image.dd

# Combined with nice for balanced recovery
nice -n 10 ionice -c3 magicrescue -d /tmp/recovered /evidence/disk_image.dd

Output and Verification

Recovered File Organization

# View recovered files by type
ls -lah /tmp/recovered/ | head -20

# Count recovered files
find /tmp/recovered -type f | wc -l

# List largest recovered files
find /tmp/recovered -type f -exec ls -lh {} \; | sort -k5 -h | tail -20

Verify Recovered Files

# Check file integrity with magic number verification
file /tmp/recovered/*

# Calculate checksums for integrity verification
sha256sum /tmp/recovered/* > recovery_checksums.txt

# Verify all recovered files have correct magic bytes
# (paths are quoted so names containing spaces are handled)
for file in /tmp/recovered/*; do
  echo "File: $file - $(file "$file")"
done
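A stricter version of that loop, as an added example that is not part of magicrescue: instead of reading `file` output by eye, it compares each recovered file's leading bytes with the signature the filter was supposed to match and counts the files that fail. The filter-to-signature table and the function names are constructed for the demo; magicrescue's own recipes are richer than this table.

```shell
# Expected leading bytes (hex) for the filter names used on this page.
# Constructed lookup for the demo, not magicrescue's recipe set.
expected_magic() {
  case "$1" in
    jpeg) echo ffd8ff ;;
    png)  echo 89504e470d0a1a0a ;;
    gif)  echo 474946 ;;
    pdf)  echo 25504446 ;;
    zip)  echo 504b0304 ;;
    gzip) echo 1f8b ;;
    *)    return 1 ;;
  esac
}

# Hex of the first N bytes of a file.
head_hex() {
  dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Check every regular file in directory $1 against the signature of filter $2.
# Prints one "OK  <file>" or "BAD <file>" line per file.
verify_carved_dir() {
  sig=$(expected_magic "$2") || { echo "unknown filter: $2" >&2; return 2; }
  nbytes=$(( ${#sig} / 2 ))
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(head_hex "$f" "$nbytes")" = "$sig" ]; then
      echo "OK  $f"
    else
      echo "BAD $f"
    fi
  done
}

# Number of recovered files whose leading bytes do not match the filter.
bad_carve_count() {
  verify_carved_dir "$1" "$2" | awk '/^BAD/ { n++ } END { print n + 0 }'
}

# Example use on the output directories from this page:
#   verify_carved_dir /tmp/recovered_images jpeg | tee verify_jpeg.txt
#   echo "mismatches: $(bad_carve_count /tmp/recovered_images jpeg)"
```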

Create Recovery Report

# Document recovery session
cat > recovery_report.txt << EOF
Recovery Date: $(date)
Source Image: /evidence/disk_image.dd
Recovery Tool: magicrescue $(magicrescue --version)
Output Directory: /tmp/recovered
Total Files Recovered: $(find /tmp/recovered -type f | wc -l)
EOF

# Add file listing
echo "=== Recovered Files ===" >> recovery_report.txt
find /tmp/recovered -type f -exec ls -lh {} \; >> recovery_report.txt

# Add checksums
echo "=== File Checksums ===" >> recovery_report.txt
find /tmp/recovered -type f -exec sha256sum {} \; >> recovery_report.txt

Common Scenarios

USB Drive Forensics

# Create image of USB drive
sudo dd if=/dev/sdb of=/evidence/usb_drive.dd bs=4M

# Recover from USB image
magicrescue -d /tmp/usb_recovered /evidence/usb_drive.dd

# Recover specific types
magicrescue -d /tmp/usb_images -f jpeg /evidence/usb_drive.dd
magicrescue -d /tmp/usb_docs -f pdf /evidence/usb_drive.dd

Hard Drive Analysis

# Create partition image
sudo dd if=/dev/sda1 of=/evidence/partition.dd bs=4M

# Recover from partition
magicrescue -d /tmp/partition_recovered /evidence/partition.dd

# Recover with verbose output for analysis
magicrescue -d /tmp/partition_recovered -v /evidence/partition.dd > analysis.log

Damaged Media Recovery

# Image with error handling
sudo dd if=/dev/sdc of=/evidence/damaged.dd bs=1M conv=noerror,sync

# Recover despite damage
magicrescue -d /tmp/recovered -n /evidence/damaged.dd  # Check what's recoverable

# Selective recovery of important data
magicrescue -d /tmp/recovered -f jpeg /evidence/damaged.dd
magicrescue -d /tmp/recovered -f pdf /evidence/damaged.dd

Integration with Forensic Workflows

Chain of Custody

# Create integrity-protected recovery log
{
  echo "Recovery Session: $(date)"
  echo "Operator: $USER"
  echo "Source: /evidence/disk_image.dd"
  echo "Hash: $(md5sum /evidence/disk_image.dd)"
  echo "---"
  magicrescue -d /tmp/recovered -v /evidence/disk_image.dd
} | tee recovery_chain_of_custody.log

# Sign for legal admissibility
gpg --sign recovery_chain_of_custody.log

Comparison with Other Carving Tools

# magicrescue - signature-based carving
magicrescue -d /tmp/recovery_magic /evidence/disk_image.dd

# Compare with other tools (like scalpel)
scalpel -c /etc/scalpel/scalpel.conf -o /tmp/recovery_scalpel /evidence/disk_image.dd

# Correlate findings
diff <(find /tmp/recovery_magic -type f | sort) \
     <(find /tmp/recovery_scalpel -type f | sort)

Troubleshooting

Common Issues and Solutions

Issue                 Solution
"Permission denied"   Use sudo for device access: sudo magicrescue -d /tmp/recovered /dev/sda1
Slow recovery         Use background processing; may take hours on large disks
Low disk space        Monitor output directory: watch -n 5 'du -sh /tmp/recovered'
Corrupt image         Try with offset; image may have sectors with errors
No files recovered    Verify filter type; ensure file type exists on disk

Verify Installation

# Check version
magicrescue --version

# List available filters
magicrescue --help | grep -i filter

# Test on small filesystem
magicrescue -d /tmp/test -f jpeg /dev/null  # Should complete quickly

Best Practices

Forensic Recovery Standards

  1. Preserve source: Create forensic image before analysis
  2. Verify image integrity: Calculate and record hash values
  3. Selective recovery: Use filters to focus on relevant data
  4. Document process: Log all recovery steps and parameters
  5. Chain of custody: Maintain audit trail of recovery activities
  6. Verify results: Validate recovered files with file command

Data Preservation

# Backup original image
cp /evidence/disk_image.dd /evidence/disk_image_backup.dd
md5sum /evidence/disk_image_backup.dd > image_hash.txt

# Preserve recovery environment
echo "Recovery completed: $(date)" > recovery_metadata.txt
echo "Files recovered: $(find /tmp/recovered -type f | wc -l)" >> recovery_metadata.txt

See Also

  • Scalpel: Alternative file carving tool with more file types
  • Foremost: File recovery tool using magic bytes
  • Photorec: Comprehensive data recovery utility
  • Autopsy: GUI frontend for forensic analysis
  • SANS Investigative Forensic Toolkit (SIFT): Complete forensic environment
  • The Sleuth Kit: Comprehensive forensic analysis framework