Computer Help and Support

w0nderer

(1,937 posts)

8. A little

Thu Aug 20, 2015, 02:06 PM

Aug 2015

I've used scalpel a little (still do)

Unless you are looking for a File Format (ff) not in the conf file already
forget about the footer

http://www.linux-magazine.com/Online/Features/Recovering-Deleted-Files-with-Scalpel
has an ok intro into how to add file formats

Scalpel is now (i believe) a part of "the sleuth kit" (tsk) http://forensicswiki.org/wiki/The_Sleuth_Kit
http://www.sleuthkit.org/

which can use autopsy
http://www.sleuthkit.org/autopsy/desc.php

-----------------------
now...____FROM MY UNDERSTANDING____ (didn't verify this with src code) YMMV maintain backups
the footer controls the end of the filecarving
ie....header is the intro part of a file and footer the end

hit header for mp3
start copy to recovered mp3
hit footer for mp3...stop copy

as the one page above shows on how to do headers...you can also do footers (hexdump em) find a pattern, put it in
----
something better?
any tool is as good as the user, scalpel is pretty good, especially with tsk and autopsy

for windows winhex (with the expensive forensic licence) is good, so is encasa

for linux
google filecarving or forensic distribution (depending on purpose)
if you need to snag out an area between inode ranges ifile and ffile from tsk can help

at this point i'm assuming you have copied the area or are mounting it ReadOnly
if this still is a live file system...depending on circumstances you could be way out of luck

hope this helps

Cannot edit, recommend, or reply in locked discussions

Edit history

Please sign in to view edit histories.

Recommendations

0 members have recommended this reply (displayed in chronological order):

23 replies

= new reply since forum marked as read

Highlight:

Anyone here ever use Scalpel to recover deleted files ? [View all] eppur_se_muova Aug 2015 OP

Nope - never heard of it left-of-center2012 Aug 2015 #1

That's kind of how I found out about scalpel ... eppur_se_muova Aug 2015 #2

You're on Linux? gvstn Aug 2015 #3

I've been searching the Web already ... eppur_se_muova Aug 2015 #4

Your problem is exactly like mine--complete destruction of the file table. gvstn Aug 2015 #5

TestDisk/PhotoRec is what got me the 850K (or so) nameless files. eppur_se_muova Aug 2015 #6

Good Luck. gvstn Aug 2015 #7

A little w0nderer Aug 2015 #8

Thanks, looks like some useful info in that article. eppur_se_muova Aug 2015 #9

:-) slackware based w0nderer Aug 2015 #10

Well, "compile from source" drives me nuts. eppur_se_muova Sep 2015 #11

compile from source shouldn't be done WHEN you have to rescue w0nderer Sep 2015 #12

Yeah, I'm aware of the situation in that last sentence. Not average user stuff. eppur_se_muova Sep 2015 #13

is this a linux box or a mac os x box? w0nderer Sep 2015 #14

Autopsy is now supported by CAINE -- interface is fairly easy. eppur_se_muova Nov 2017 #20

Do you know generally about the file format a2liberal Sep 2015 #15

Thanks, that's how I seem to have found some of my files ... eppur_se_muova Sep 2015 #16

Awesome! a2liberal Sep 2015 #17

Spam deleted by MIR Team Bernadest Jan 2017 #18

data recovery tools for iPhone Vamksery Feb 2018 #22

welc gopiscrap Feb 2018 #23

No clue from me, but have you tried Ars Technica forums? They have helped me a lot. fleabiscuit Jan 2017 #19

Spam deleted by MIR Team wbcrogdin Dec 2017 #21