How to recover deleted files with Scalpel (Ubuntu)


This time I'll share a little about recovering deleted files. Sometimes we delete a file by mistake, or delete it on purpose and only later realize we still need the data. Data recovery software is also used in digital forensics to dig up information about data that was erased or sat on a partition that was later formatted. There are lots of good links pointing to tools and methods for recovering deleted or formatted files; one very useful one is the Forensics Wiki (http://www.forensicswiki.org/wiki/Main_Page).

This time I will discuss the Scalpel data recovery software. Some sources even call Scalpel one of the best data recovery tools. Scalpel runs on Linux, Windows and MacOS. Because Scalpel is a file carver, it does not depend on file system metadata: it scans the raw bytes for the known headers and footers of each file type, so it can carve from FATx, NTFS, Ext2, Ext3 and HFS+ partitions as well as from raw images. So let's do a quick demonstration of how to install Scalpel, configure it and recover some files.

NOTE: In the following scenario I am using Ubuntu Linux 10.04 and will try to recover data from my flash disk at /dev/sdb1. All commands below are executed in the shell/terminal. Carving reads the raw device, so the partition does not need to be mounted; if it is mounted, unmount it first so nothing keeps writing to it and overwriting the deleted data you want back.

1. Install Scalpel from repository

$ sudo apt-get install scalpel 
2. Once Scalpel is installed, edit its configuration in /etc/scalpel/scalpel.conf.
$ sudo nano /etc/scalpel/scalpel.conf 
By default every file-type line in the configuration is commented out with #, so nothing would be carved until we enable some. scalpel.conf contains one line per file type that Scalpel knows how to recover, for example gpg, doc, avi, jpg, pdf, zip. Remove the # from the beginning of the lines for the types you actually need and leave the rest commented: every enabled type adds search time, and types with very short headers (the two-byte pgp and rpm signatures, for instance) match all over the disk and produce tens of thousands of junk files, as the run below shows. If you prefer to leave the system file untouched, put the enabled lines in your own file and pass it with the -c option instead.
3. After that, run Scalpel (as root).
# scalpel /dev/sdb1 -o /home/digit/RECOVERY/ 
=> /dev/sdb1 is the device from which the files were deleted. Instead of a device the target can also be a raw image of it (for example one made with dd); for forensic work that is the better choice: image the device once, record the image's hash, and carve from the image.
=> /home/digit/RECOVERY is the directory that will receive the files recovered from /dev/sdb1. It must be empty or not exist yet, because Scalpel refuses to mix the results of several runs in one directory, and it must be on a different disk than the one being carved, otherwise the recovered files would overwrite the very data you are trying to get back. Scalpel also writes an audit.txt there listing every carved file with the offset it was taken from.

Below is the output of Scalpel while recovering my files from /dev/sdb1 (my flash drive):
# scalpel /dev/sdb1 -o /home/digit/RECOVERY/ 

Scalpel version 1.60 
Written by Golden G. Richard III, based on Foremost 0.69. 

Opening target "/dev/sdb1" 

Image file pass 1/2.
/dev/sdb1: 100.0% |*************************************|    3.7 GB    00:00 ETA
Allocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built.  Workload:
art with header "\x4a\x47\x04\x0e" and footer "\xcf\xc7\xcb" --> 0 files
art with header "\x4a\x47\x03\x0e" and footer "\xd0\xcb\x00\x00" --> 0 files
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 3 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 52 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 814 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 216 files
bmp with header "\x42\x4d\x3f\x3f\x00\x00\x00" and footer "" --> 6 files
tif with header "\x49\x49\x2a\x00" and footer "" --> 505 files
tif with header "\x4d\x4d\x00\x2a" and footer "" --> 127 files
avi with header "\x52\x49\x46\x46\x3f\x3f\x3f\x3f\x41\x56\x49" and footer "" --> 3 files
mov with header "\x3f\x3f\x3f\x3f\x6d\x6f\x6f\x76" and footer "" --> 2 files
mov with header "\x3f\x3f\x3f\x3f\x6d\x64\x61\x74" and footer "" --> 5 files
mpg with header "\x00\x00\x01\xba" and footer "\x00\x00\x01\xb9" --> 141 files
mpg with header "\x00\x00\x01\xb3" and footer "\x00\x00\x01\xb7" --> 18 files
fws with header "\x46\x57\x53" and footer "" --> 86 files
doc with header "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00" and footer "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00" --> 166 files
doc with header "\xd0\xcf\x11\xe0\xa1\xb1" and footer "" --> 166 files
pst with header "\x21\x42\x4e\xa5\x6f\xb5\xa6" and footer "" --> 0 files
ost with header "\x21\x42\x44\x4e" and footer "" --> 0 files
dbx with header "\xcf\xad\x12\xfe\xc5\xfd\x74\x6f" and footer "" --> 0 files
idx with header "\x4a\x4d\x46\x39" and footer "" --> 0 files
htm with header "\x3c\x68\x74\x6d\x6c" and footer "\x3c\x2f\x68\x74\x6d\x6c\x3e" --> 3 files
pdf with header "\x25\x50\x44\x46" and footer "\x25\x45\x4f\x46\x0d" --> 146 files
pdf with header "\x25\x50\x44\x46" and footer "\x25\x45\x4f\x46\x0a" --> 30 files
mail with header "\x41\x4f\x4c\x56\x4d" and footer "" --> 0 files
pgd with header "\x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01" and footer "" --> 0 files
pgp with header "\x99\x00" and footer "" --> 65161 files
pgp with header "\x95\x01" and footer "" --> 31799 files
pgp with header "\x95\x00" and footer "" --> 53117 files
pgp with header "\xa6\x00" and footer "" --> 33084 files
txt with header "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x47\x50" and footer "" --> 0 files
rpm with header "\xed\xab" and footer "" --> 28898 files
wav with header "\x52\x49\x46\x46\x3f\x3f\x3f\x3f\x57\x41\x56\x45" and footer "" --> 0 files
dat with header "\x72\x65\x67\x66" and footer "" --> 4 files
dat with header "\x43\x52\x45\x47" and footer "" --> 0 files
zip with header "\x50\x4b\x03\x04" and footer "\x3c\xac" --> 22573 files
java with header "\xca\xfe\xba\xbe" and footer "" --> 187 files
Carving files from image.
Image file pass 2/2.
/dev/sdb1:   2.6% |                                     |  100.0 MB  2:31:56 ETA
Pass 1 only scans for headers and footers; pass 2 is where the files are actually written out, so it takes far longer (the ETA above says over two hours for this 3.7 GB stick, and the capture was cut short there). The carved files land in per-type subdirectories of /home/digit/RECOVERY, named by a counter rather than by their original names, since carving knows nothing about the file system; audit.txt tells you the offset each one came from, and you identify them by content.
Tadaaa ..... Successful. :) Good luck, and I hope this is useful. :)
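
To make the Workload listing concrete, here is a toy carver written for this post (an added example, not Scalpel's source code) that parses a few lines in scalpel.conf's line format and carves them out of a constructed raw image. The configuration excerpt, the sample image and the noise generator are all made up for the demonstration, and the max-carve sizes are far smaller than the real file's. It shows what a header hit, a footer match and the max-carve-size window mean, why a type with no footer over-carves, why a JPEG whose tail was overwritten is silently dropped unless you carve without footers (Scalpel's -b option), and why the two-byte pgp signature racks up tens of thousands of hits on a 3.7 GB drive: a 2-byte pattern matches about once per 64 KiB of arbitrary data.

```python
"""Toy Scalpel-style header/footer carver (added example; not Scalpel's own code)."""
import hashlib
import re

# Constructed excerpt in the line format of /etc/scalpel/scalpel.conf:
#   extension  case-sensitive(y/n)  max-carve-size  header  [footer]
# \xNN is a byte, '?' the wildcard byte (printed as \x3f in Scalpel's Workload listing).
# Sizes are kept small so the sample image stays tiny; the real file uses megabytes.
CONF = r"""
# ext  case  size     header                    footer
jpg    y     200000   \xff\xd8\xff\xe0\x00\x10  \xff\xd9
pdf    y     50000    %PDF                      %EOF\x0d
bmp    y     2100     \x42\x4d??\x00\x00\x00
pgp    y     100000   \x99\x00
"""

def pattern_to_regex(token, wildcard="?"):
    """One scalpel.conf pattern -> bytes regex (\\xNN -> that byte, '?' -> any byte)."""
    out, i = [], 0
    while i < len(token):
        if token.startswith("\\x", i) and i + 4 <= len(token):
            out.append(re.escape(bytes([int(token[i + 2:i + 4], 16)])))
            i += 4
        else:
            out.append(b"." if token[i] == wildcard else re.escape(token[i].encode("latin-1")))
            i += 1
    return b"".join(out)

def parse_conf(text):
    """[(ext, max_size, header_re, footer_re|None)] for uncommented lines (REVERSE/NEXT ignored)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):      # commented-out types are inactive
            continue
        ext, case, size, header = fields[:4]
        footer = fields[4] if len(fields) > 4 else None
        flags = re.DOTALL | (0 if case == "y" else re.IGNORECASE)
        rules.append((ext, int(size), re.compile(pattern_to_regex(header), flags),
                      re.compile(pattern_to_regex(footer), flags) if footer else None))
    return rules

def carve(image, rules, carve_without_footer=False):
    """(ext, offset, bytes) triples, carved the way Scalpel's default run does.

    A header hit opens a window of max_size bytes. With a footer the file runs from
    the header to the first footer in that window; no footer in the window means the
    hit is dropped unless carve_without_footer is set (Scalpel's -b). Footer-less
    types always get the whole window, so they over-carve.
    """
    carved = []
    for ext, max_size, header_re, footer_re in rules:
        for hit in header_re.finditer(image):
            start = hit.start()
            window = image[start:start + max_size]
            end = start + len(window)
            if footer_re is not None:
                ft = footer_re.search(window, hit.end() - start)
                if ft:
                    end = start + ft.end()
                elif not carve_without_footer:
                    continue
            carved.append((ext, start, image[start:end]))
    return carved

def summarize(carved):
    """Per-extension counts, like the '--> N files' column of the Workload listing."""
    counts = {}
    for ext, _, _ in carved:
        counts[ext] = counts.get(ext, 0) + 1
    return counts

def build_sample_image():
    """Constructed raw partition: inert filler around a deleted JPEG, a PDF,
    a JPEG whose tail was overwritten (so no footer) and a BMP."""
    filler = bytes(range(256)) * 16   # 4 KiB; byte b is always followed by b+1, so no rule matches it
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 300 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\r"
    cut_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"B" * 100
    bmp = b"BM" + (2014).to_bytes(4, "little") + bytes(4) + (14).to_bytes(4, "little") + b"C" * 2000
    return filler + jpeg + filler + pdf + filler + cut_jpeg + filler + bmp + filler

def noise(n_bytes):
    """Deterministic pseudo-random bytes (SHA-256 counter stream) standing in for
    the compressed or encrypted sectors that fill most real disks."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range((n_bytes + 31) // 32))[:n_bytes]

def header_hits(rule, data):
    """How often the rule's header alone occurs in data; this is what drives Scalpel's counts."""
    return sum(1 for _ in rule[2].finditer(data))

if __name__ == "__main__":
    rules = parse_conf(CONF)
    image = build_sample_image()
    for ext, offset, data in carve(image, rules):
        print(f"{ext}: offset {offset}, {len(data)} bytes")
    print("with -b:", summarize(carve(image, rules, carve_without_footer=True)))
    pgp_rule = next(r for r in rules if r[0] == "pgp")
    # A two-byte header matches about once per 64 KiB of random data, ~16 times per MiB.
    print("pgp header hits in 1 MiB of noise:", header_hits(pgp_rule, noise(1 << 20)))
```

The same arithmetic explains the run above: 3.7 GB divided by 64 KiB is roughly 56,000, the order of magnitude of the 65161 pgp "files" Scalpel announced, and those are random sectors rather than keys. Enable only the types you need, and when a type has a short header or no footer, check the carved output with file(1) or against a hash list before trusting it.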

By: Digit Oktavianto