Swarfendor437
Sat Sep 21, 2013 9:29:34 pm
This is NOT a replacement for BACKUP, BACKUP, BACKUP! It could save your Bacon ... or it could serve it with a dash of nothing! Scalpel 2.0:
The first time you run Scalpel, it looks for headers and stores its findings in a database; then it identifies the footers. In doing so, Scalpel always takes into account that a header is always followed by a footer, which nicely accelerates the search. Now you have an index with the positions of the headers and footers, which forms the basis for the second run. This time, Scalpel matches the headers and footers and writes the files it found directly to a new location from memory without having to access the disk again.
Before Scalpel embarks on a search for lost data, it reads the scalpel.conf configuration file, which can contain the minimum and maximum sizes of the files, including headers and footers, in addition to file types to search for. Specifying the file type results in file bloat if the footer is missing. Before you start carving, you should make some individual settings that restrict the search to a minimum number of file types and sizes from the outset.
Saving the Sandman
Example of a bailout.
The scenario involves a household without TV with at least one young child. The father has accidentally deleted the child's favourite "Sandmann" episodes, which were recorded from ARD Mediathek over several days. Deprived of the show, the child expresses disappointment in the usual loud and unmistakable way.
The scalpel.conf file does not have an entry for the MP4 format, but the existing - long-since viewed - files show an encouraging consistency in terms of headers (Figure 1).
Figure 1: If Scalpel does not know the headers and footers for a file type, you can create them manually in scalpel.conf.
Dad now feeds the data to scalpel.conf. The first item in the new entry (Figure 2) is the file extension that should receive potential matches. The "y" indicates whether Scalpel distinguishes between uppercase and lowercase in the header and footer. This is followed by the minimum and maximum file sizes - the MP4s usually occupy between 30 and 70MB. Finally, the header is given. A footer cannot be specified, because it always turns out differently.
Then, dad starts the rescue operation at the command line with:
- Code:
$ scalpel -c scalpel.conf -o sandmann_recovered /dev/sdd1
Figure 2: You can add custom headers and footers to scalpel.conf. Minimum and maximum file sizes can act as additional criteria.
During this operation, Scalpel really does scratch six files back off the disk. Because of the lack of footer information, they are all exactly 70,000,000 bytes long and contain a lost "Sandmann" sequence - with a more or less large chunk of junk data at the end (Figure 3). Cheers for dad!
Figure 3: Success! Six files are restored. Because an unambiguous footer was missing, Scalpel played it safe and used the max file size.
Conclusion.
Scalpel cannot replace a backup, but it can come to the rescue in many cases. Do not expect miracles, however; fragmented files or physical storage faults make it difficult to detect file ends and push Scalpel to its limits. In this case the "rescued" files will often prove to be useless.
Footnote: Check out this web page for information (interesting that a major Linux Magazine gave download links to a page that no longer exists! Hence the
- Code:
sudo apt-get install scalpel
http://www.linuxforu.com/2011/09/recove ... -in-linux/
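As an added illustration (not from the article and not Scalpel's own code), here is a small Python carver that models the two-pass process and the scalpel.conf entry layout the article describes: header index first, then cutting files out of an in-memory image, falling back to the max size when no footer is found. The field order, the sample entries and the disk image are constructed assumptions.

```python
import re

# Constructed scalpel.conf-style entries (assumed field order, as the article describes
# it): extension, case-sensitive flag, min size, max size, header, optional footer.
CONF = """
mp4  y  16  64  \\x00\\x00\\x00\\x18ftyp
jpg  y   4  64  \\xff\\xd8\\xff  \\xff\\xd9
"""

def unescape(field):
    """Turn scalpel's \\xNN escapes into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode())

def parse_conf(text):
    """One dict per entry; the MP4 entry above has no footer, like Dad's."""
    rules = []
    for t in (l.split() for l in text.splitlines() if l.strip()):
        rules.append({"ext": t[0], "case": t[1] == "y", "min": int(t[2]),
                      "max": int(t[3]), "header": unescape(t[4]),
                      "footer": unescape(t[5]) if len(t) > 5 else None})
    return rules

def positions(data, pattern, case_sensitive):
    """Pass 1: index every (possibly overlapping) offset where pattern starts."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.start() for m in re.finditer(b"(?=" + re.escape(pattern) + b")", data, flags)]

def carve(image, rule):
    """Pass 2: one file per indexed header. With no footer configured, or none inside
    max size, emit exactly max bytes (hence six Sandmann files of 70,000,000 bytes)."""
    heads = positions(image, rule["header"], rule["case"])
    feet = positions(image, rule["footer"], rule["case"]) if rule["footer"] else []
    files = []
    for h in heads:
        end = h + rule["max"]
        for f in feet:
            if h < f and f + len(rule["footer"]) <= h + rule["max"]:
                end = f + len(rule["footer"])
                break
        if len(image[h:end]) >= rule["min"]:
            files.append(image[h:end])
    return files

# Constructed disk image: junk, an MP4 whose end is never marked, junk, a short MP4,
# then a tiny JPEG-like blob that does carry its footer.
IMAGE = (b"JUNKJUNK" + b"\x00\x00\x00\x18ftyp" + b"A" * 30 + b"JUNK" * 10
         + b"\x00\x00\x00\x18ftyp" + b"B" * 12 + b"\xff\xd8\xff" + b"C" * 5 + b"\xff\xd9")

def demo():
    return {r["ext"]: carve(IMAGE, r) for r in parse_conf(CONF)}
```

The first carved MP4 comes out at exactly the max size with a junk tail, which is the same "play it safe" behaviour Figure 3 shows.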