# - - #
# - 1 - #
# - Install scalpel - #
sudo apt-get install scalpel;
# - - #
# - Scalpel's Manual - #
https://sourceforge.net/p/scalpel/wiki/Manual/
# - Video - #
https://www.youtube.com/watch?v=5Z9JsBazOdw
http://theevilbit.blogspot.com/2013/01/backtrack-forensics-scalpel.html
# - - #
Scalpel, and other carvers like it, work by searching every byte on your drive for headers and footers that identify a contiguous run of bytes as belonging to a specific kind of file. The configuration file '/etc/scalpel/scalpel.conf' holds this information and can be edited to search for nearly anything. Scalpel can analyze some example files for you and generate the header/footer information, but I opted for the manual approach. All I did was open a few different files in vim, decide what was common to all of them at the beginning and end of the file, and come up with these configuration lines to be added to 'scalpel.conf'. Notice that I've made the maximum sizes for Open Office odt's and Thunderbird files rather large (20MB and 100MB), which suited my case. Make sure you set these to reasonable numbers for your own files, or your recovery location will fill up and the carving process will crash. This is quite easy to do when carving a large drive which has led a long and varied life.
# - - #
# - 2 - #
# - Code - #
# - - #
#---------------------------------------------------------------------
# - - #
# - sudo gedit /etc/scalpel/scalpel.conf - #
# - sudo vim /etc/scalpel/scalpel.conf - #
# - - #
#
# Added to end of /etc/scalpel/scalpel.conf
#
#---------------------------------------------------------------------
# OPENOFFICE FILES
#---------------------------------------------------------------------
odt y 20000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.textPK META-INF/manifest.xmlPK????????????????????
ods y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.spreadsheetPK META-INF/manifest.xmlPK????????????????????
odp y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.presentationPK META-INF/manifest.xmlPK????????????????????
# odg y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.graphicsPK META-INF/manifest.xmlPK????????????????????
# odc y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.chartPK META-INF/manifest.xmlPK????????????????????
# odf y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.formulaPK META-INF/manifest.xmlPK????????????????????
# odi y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.imagePK META-INF/manifest.xmlPK????????????????????
# odm y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.text-masterPK META-INF/manifest.xmlPK????????????????????
# sxw y 10000000 PK????????????????????????????mimetypeapplication/vnd.sun.xml.writerPK META-INF/manifest.xmlPK????????????????????
#---------------------------------------------------------------------
# THUNDERBIRD FILES
#---------------------------------------------------------------------
# msf y 10000000 //\s?<\s<(a=c)>\s//\s(f=iso-8859-1) //\s?<\s<(a=c)>\s//\s(f=iso-8859-1) NEXT
# actual Local Folder data files, no way to tell end so grab 100MB
NONE y 100000000 From????????????????????????????X-Mozilla-Status:\s?????X-Mozilla-Status2: NEXT
# - - #
#
# Added more extensions to the file /etc/scalpel/scalpel.conf
#
# - - #
[...]
pdf y 5000000 %PDF %EOF\x0d REVERSE
pdf y 5000000 %PDF %EOF\x0a REVERSE
# GIF and JPG files (very common)
gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
[...]
# - - #
# - 3 - #
Now that the scalpel configuration file is set up to find odt's & ods' it's time to carve.
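Before running scalpel itself, here is an added Python example (not scalpel's code and not part of these notes) that shows what the configuration lines above actually ask the carver to do. It parses scalpel.conf-style rules (extension, case flag, maximum size, header, optional footer, optional REVERSE/NEXT), turns the '?', '\s' and '\xNN' notation into byte patterns, and runs them over a constructed in-memory image holding a small GIF, a PDF with two %EOF markers, and a GIF header whose trailer is gone. The keep_footerless flag plays the role of scalpel's '-b'; the REVERSE and NEXT handling (last footer inside the size window; stop at the start of the next footer or header without including it) is this example's reading of the manual. Rule text and image bytes are constructed for the demo.

```python
import re

# Constructed subset of scalpel.conf rules, same notation as the entries above:
# ext  case-sensitive(y/n)  max-size  header  [footer]  [REVERSE|NEXT]
RULES = r"""
# GIF89a: fixed header, fixed trailer
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
# PDF: REVERSE keeps the last %EOF inside the size window, not the first
pdf y 5000000 %PDF %EOF\x0a REVERSE
"""

# Constructed "disk image": padding, a tiny GIF, junk, a PDF with two %EOF
# markers, and a GIF header whose trailer was overwritten (no footer at all).
IMAGE = (b"\x00" * 16
         + b"GIF89a\x01\x02 pixels \x00\x3b"
         + b"junk" * 4
         + b"%PDF-1.4 one page %%EOF\n trailer %%EOF\n"
         + b"\xff" * 8
         + b"GIF89a orphan header with no trailer")


def pattern_to_regex(spec):
    """Translate scalpel's header/footer notation into a bytes regex:
    \\xNN is one byte, \\s is a space, ? matches any single byte,
    everything else is a literal byte."""
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("\\x", i):
            out.append(re.escape(bytes([int(spec[i + 2:i + 4], 16)])))
            i += 4
        elif spec.startswith("\\s", i):
            out.append(b" ")
            i += 2
        elif spec[i] == "?":
            out.append(b".")  # any byte; re.DOTALL below makes '.' match newlines too
            i += 1
        else:
            out.append(re.escape(spec[i].encode("latin-1")))
            i += 1
    return b"".join(out)


def parse_rules(text):
    """Parse scalpel.conf-style lines into rules with compiled byte patterns."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ext, case, size, header = parts[0], parts[1], int(parts[2]), parts[3]
        rest = parts[4:]
        mode = rest.pop() if rest and rest[-1] in ("REVERSE", "NEXT") else None
        footer = rest[0] if rest else None
        flags = re.DOTALL | (0 if case == "y" else re.IGNORECASE)
        rules.append({
            "ext": ext, "size": size, "mode": mode,
            "header": re.compile(pattern_to_regex(header), flags),
            "footer": re.compile(pattern_to_regex(footer), flags) if footer else None,
        })
    return rules


def carve(image, rules, keep_footerless=False):
    """Return (ext, offset, data) for every header hit, sorted by offset.
    The chunk ends at the footer found within max-size bytes of the header
    (REVERSE: the last such footer; NEXT: at the start of the footer, or of the
    next header when no footer was given, without including it). A hit with no
    footer in range is dropped unless keep_footerless is set, which mimics
    scalpel's -b and truncates the chunk at max-size."""
    found = []
    for rule in rules:
        for hit in rule["header"].finditer(image):
            start = hit.start()
            window = image[start:start + rule["size"]]
            skip = hit.end() - start  # never match the footer inside the header itself
            end = None
            if rule["mode"] == "NEXT":
                stop = rule["footer"] or rule["header"]
                m = stop.search(window, skip)
                if m:
                    end = m.start()
            elif rule["footer"] is not None:
                hits = list(rule["footer"].finditer(window, skip))
                if hits:
                    end = (hits[-1] if rule["mode"] == "REVERSE" else hits[0]).end()
            if end is None:
                if not keep_footerless:
                    continue
                end = len(window)
            found.append((rule["ext"], start, window[:end]))
    found.sort(key=lambda f: f[1])
    return found


if __name__ == "__main__":
    for ext, off, data in carve(IMAGE, parse_rules(RULES), keep_footerless=True):
        print(f"{off:08d}.{ext}  {len(data):5d} bytes  {data[:24]!r}")
```

Run it and compare the two modes: without keep_footerless the orphan GIF header is silently skipped, with it you get a file that is just the header and whatever followed it up to max-size, which is exactly the "junk" the '-b' flag trades for completeness. The same loop also shows why an over-large max-size hurts: every header hit without a footer becomes a max-size file in the output directory.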
# - First find out what the device name of interest is: - #
# - Code - #
sudo fdisk -l;
sudo blkid;
In my case I wanted to search /dev/sdb1, which was a USB external hard drive (Another drive). Now run scalpel, adding the '-b' flag so that it will recover a file even if it's missing a footer. This will recover junk, but I REALLY wanted my files back, regardless of condition. DO NOT RECOVER THE FILES TO THE SAME PARTITION THAT IS BEING SEARCHED or you risk overwriting files before they are analysed, or even falling into a recursive loop. This violates a primary rule of forensics: NEVER MOUNT THE DRIVE TO BE ANALYSED.
# - - #
# - Code - #
# - Make parent directories as needed - #
sudo mkdir -p /mnt/tst/scalpel;
sudo scalpel -c /etc/scalpel/scalpel.conf "/dev/sdb1" -o "/mnt/tst/scalpel/"
Note: Scalpel was not able to identify the configuration file on my machine, so I had to mention it explicitly using the '-c' option. It might not be required for everyone. "/dev/sdb1" is the device that had my files. The recovery process would take a few hours depending upon the size of your device. For instance, it took one hour and 15 minutes to recover PHP files on a device of around 250GB.
mkdir ~/Desktop/scalpel_recovered_files/
sudo scalpel /dev/sdb1 -b -o ~/Desktop/scalpel_recovered_files/
# - - #
# - More Documentation - #
Backtrack Forensics: scalpel
Forensics -> Forensic Carving Tools
/usr/local/bin/scalpel
Scalpel is a very similar tool to foremost: it will data carve files based on their header and footer information, and it's also file system independent. It can work on drives directly or on image files.
Usage: The biggest difference to foremost is that we need to edit the scalpel.conf file (/etc/scalpel/scalpel.conf) and uncomment the lines (remove #) that specify the file types we would like to recover.
A few of the many options:
-c Choose configuration file.
-n Don't add extensions to extracted files.
-o Set output directory for carved files.
-O Don't organize carved files by type. Default is to organize carved files into subdirectories.
-v Verbose mode.
scalpel -c /etc/scalpel/scalpel.conf -o output2/ Desktop/forensics/11-carve-fat/11-carve-fat.dd
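The two warnings in section 3 (never write recovered files onto the partition being carved, and keep the maximum sizes sane or the recovery location fills up) can be checked before a multi-hour run starts. The following is an added Python helper, not part of scalpel or of these notes. It uses the device numbers Linux reports through stat(2): for a block device such as /dev/sdb1 the file's st_rdev is the device number, and any directory on a filesystem mounted from that device reports the same number as st_dev; for an image file (the .dd in the last command) the two st_dev values are compared instead, which is only a space concern. The worst-case output budget and the paths are the caller's assumptions; the scratch image is constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def shares_device(target, outdir):
    """True when outdir lives on the filesystem that target is (block device)
    or is stored on (image file). For a block device the kernel device number
    is st_rdev; a directory mounted from that device shows it as st_dev."""
    t, o = os.stat(target), os.stat(outdir)
    if stat.S_ISBLK(t.st_mode):
        return t.st_rdev == o.st_dev
    return t.st_dev == o.st_dev


def preflight(target, outdir, worst_case_bytes):
    """Return a list of problems that should stop a scalpel run; empty means go.
    worst_case_bytes is the caller's own estimate of total carved output, for
    example expected header hits multiplied by the largest max-size in the
    config (with -b every footerless hit can reach that size)."""
    if not os.path.isdir(outdir):
        return [f"output directory {outdir!r} does not exist"]
    problems = []
    if os.listdir(outdir):
        problems.append(f"output directory {outdir!r} is not empty; use a fresh directory per run")
    if shares_device(target, outdir):
        if stat.S_ISBLK(os.stat(target).st_mode):
            problems.append(f"{outdir!r} is on the partition being carved ({target!r}); "
                            "writing there overwrites the data you are trying to recover")
        else:
            problems.append(f"{outdir!r} shares a filesystem with the image {target!r}; "
                            "free space is shared with the image")
    free = shutil.disk_usage(outdir).free
    if free < worst_case_bytes:
        problems.append(f"only {free} bytes free at {outdir!r}, worst case needs {worst_case_bytes}")
    return problems


def make_scratch_image(size=4096):
    """Constructed stand-in for a disk image: a zero-filled file in a temp
    directory, plus an empty output directory next to it (deliberately on the
    same filesystem so preflight has something to report)."""
    base = tempfile.mkdtemp(prefix="carve-demo-")
    image = os.path.join(base, "image.dd")
    with open(image, "wb") as f:
        f.write(b"\x00" * size)
    outdir = os.path.join(base, "out")
    os.mkdir(outdir)
    return image, outdir


if __name__ == "__main__":
    image, outdir = make_scratch_image()
    # Budget assumed for the demo: 100 footerless hits at the 20MB odt max-size.
    print(preflight(image, outdir, worst_case_bytes=100 * 20_000_000) or "ok")
```

In real use call preflight("/dev/sdb1", "/mnt/tst/scalpel", budget) as root before the scalpel command. The device-number comparison is exact only for a plain partition mounted directly; with LVM, loop or overlay mounts the numbers differ even when the data sits on the same physical disk, so a clean result from this check is necessary, not sufficient, and the free-space figure is only as good as the budget you pass in.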