# - - # # - Scalpel configuration file: - # # sudo gedit /etc/scalpel/scalpel.conf # sudo vim /etc/scalpel/scalpel.conf # - - # # - Paste this file content in scalpel.conf file - # # - - # # - - # # - 1 - # # - Install scalpel - # # sudo apt-get install scalpel; # # - 2 - # # - Destination of recovered data (must be on a different device than the one being carved, or the recovered files overwrite blocks still to be scanned): - # # - Make parent directories as needed - # # sudo mkdir -p /mnt/tst/scalpel; # # - 3 - # # - Edit scalpel configuration file: - # # sudo gedit /etc/scalpel/scalpel.conf # sudo vim /etc/scalpel/scalpel.conf # # - 4 - # # - See origin of data to recover: - # # sudo fdisk -l; # sudo blkid; # # - 5 - # # - Run the recovery process: - # # sudo scalpel -c /etc/scalpel/scalpel.conf "/dev/sdb1" -o "/mnt/tst/scalpel/" # - - # # Scalpel configuration file # This configuration file controls the # types and sizes of files that are carved by Scalpel. Currently, # Scalpel can read Foremost 0.69 configuration files, but Scalpel # configuration files may not be backwards-compatible with Foremost. # In particular, maximum file carve size under Foremost 0.69 is 4GB, # while in the current version of Scalpel, it's 16EB (16 exabytes). # For each file type, the configuration file # describes the file's extension, whether the header and footer are # case sensitive, the maximum file size, and the header and footer for # the file. The footer field is optional, but header, size, case # sensitivity, and extension are required. Any line that begins with a # '#' is considered a comment and ignored. Thus, to skip a file type # just put a '#' at the beginning of that line. # Headers and footers are decoded before use. To specify a value in # hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7]. # Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes # to "OSI CCI". # To match any single character (aka a wildcard) use # a '?'. If you need to search for the '?' 
character, you will need to # change the 'wildcard' line *and* every occurrence of the old # wildcard character in the configuration file. # # Note: '?' is equal to 0x3f and \063. # # If you want files carved without filename extensions, # use "NONE" in the extension column. # The REVERSE keyword after a footer causes a search # backwards starting from [size] bytes beyond the location of the header. # This is useful for files like PDFs that may contain multiple copies of # the footer throughout the file. When using the REVERSE keyword you will # extract bytes from the header to the LAST occurrence of the footer (and # including the footer in the carved file). # # The NEXT keyword after a footer results in file carves that # include the header and all data BEFORE the first occurrence of the # footer (the footer is not included in the carved file). If no # occurrence of the footer is discovered within maximum carve size bytes # from the header, then a block of the disk image including the header # and with length equal to the maximum carve size is carved. Use NEXT # when there is no definitive footer for a file type, but you know which # data should NOT be included in a carved file--e.g., the beginning of # a subsequent file of the same type. # # FORWARD_NEXT is the default carve type and this keyword may be # included after the footer, but is not required. For FORWARD_NEXT # carves, a block of data including the header and the first footer # (within the maximum carve size) is carved. If no footer appears # after the header within the maximum carve size, then no carving is # performed UNLESS the -b command line option is supplied. In this case, # a block of max carve size bytes, including the header, is carved and a # notation is made in the Scalpel log that the file was chopped. # To redefine the wildcard character, change the setting below and all # occurrences in the foremost.conf file. # #wildcard ? 
# case size header footer #extension sensitive # #--------------------------------------------------------------------- # EXAMPLE WITH NO SUFFIX #--------------------------------------------------------------------- # # Here is an example of how to use the no extension option. Any files # beginning with the string "FOREMOST" are carved and no file extensions # are used. No footer is defined and the max carve size is 1000 bytes. # # NONE y 1000 FOREMOST # #--------------------------------------------------------------------- # GRAPHICS FILES #--------------------------------------------------------------------- # # # AOL ART files # art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb # art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00 # # GIF and JPG files (very common) # gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b # gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b # jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 # # # PNG # png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe # # # BMP (used by MSWindows, use only if you have reason to think there are # BMP files worth digging for. This often kicks back a lot of false # positives # # bmp y 100000 BM??\x00\x00\x00 # # TIFF # tif y 200000000 \x49\x49\x2a\x00 # TIFF # tif y 200000000 \x4D\x4D\x00\x2A # #--------------------------------------------------------------------- # ANIMATION FILES #--------------------------------------------------------------------- # # AVI (Windows animation and DiVX/MPEG-4 movies) # avi y 50000000 RIFF????AVI # # Apple Quicktime # These needles are based on the file command's magic. I don't # recommend uncommenting the 4th and 5th Quicktime needles unless # you're sure you need to, because they generate HUGE numbers of # false positives. 
# # mov y 10000000 ????moov # mov y 10000000 ????mdat # mov y 10000000 ????widev # mov y 10000000 ????skip # mov y 10000000 ????free # mov y 10000000 ????idsc # mov y 10000000 ????pckg # # MPEG Video # mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9 # mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7 # # Macromedia Flash # fws y 4000000 FWS # #--------------------------------------------------------------------- # MICROSOFT OFFICE #--------------------------------------------------------------------- # # Word documents # # # doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT # doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1 # # Outlook files # pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6 # ost y 500000000 \x21\x42\x44\x4e # # Outlook Express # dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f # idx y 10000000 \x4a\x4d\x46\x39 # mbx y 10000000 \x4a\x4d\x46\x36 # #--------------------------------------------------------------------- # WORDPERFECT #--------------------------------------------------------------------- # # wpc y 1000000 ?WPC # #--------------------------------------------------------------------- # HTML #--------------------------------------------------------------------- # # htm n 50000 # #--------------------------------------------------------------------- # ADOBE PDF #--------------------------------------------------------------------- # # pdf y 5000000 %PDF %EOF\x0d REVERSE # pdf y 5000000 %PDF %EOF\x0a REVERSE # #--------------------------------------------------------------------- # AOL (AMERICA ONLINE) #--------------------------------------------------------------------- # # AOL Mailbox # mail y 500000 \x41\x4f\x4c\x56\x4d # # # #--------------------------------------------------------------------- # PGP (PRETTY GOOD PRIVACY) #--------------------------------------------------------------------- # # PGP Disk Files # pgd y 500000 \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01 # # Public Key Ring # pgp y 
100000 \x99\x00 # Security Ring # pgp y 100000 \x95\x01 # pgp y 100000 \x95\x00 # Encrypted Data or ASCII armored keys # pgp y 100000 \xa6\x00 # (there should be a trailer for this...) # txt y 100000 -----BEGIN\040PGP # # #--------------------------------------------------------------------- # RPM (Linux package format) #--------------------------------------------------------------------- # rpm y 1000000 \xed\xab # # #--------------------------------------------------------------------- # SOUND FILES #--------------------------------------------------------------------- # # wav y 200000 RIFF????WAVE # # Real Audio Files # ra y 1000000 \x2e\x72\x61\xfd # ra y 1000000 .RMF # #--------------------------------------------------------------------- # WINDOWS REGISTRY FILES #--------------------------------------------------------------------- # # Windows NT registry # dat y 4000000 regf # Windows 95 registry # dat y 4000000 CREG # # #--------------------------------------------------------------------- # MISCELLANEOUS #--------------------------------------------------------------------- # # zip y 10000000 PK\x03\x04 \x3c\xac # # java y 1000000 \xca\xfe\xba\xbe # #--------------------------------------------------------------------- # ScanSoft PaperPort "Max" files #--------------------------------------------------------------------- # max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00 #--------------------------------------------------------------------- # PINs Password Manager program #--------------------------------------------------------------------- # pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d # - - # #--------------------------------------------------------------------- # - - # # - sudo gedit /etc/scalpel/scalpel.conf - # # - sudo vim /etc/scalpel/scalpel.conf - # # - - # # # Added to end of /etc/scalpel/scalpel.conf # #--------------------------------------------------------------------- # OPENOFFICE FILES 
#--------------------------------------------------------------------- odt y 20000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.textPK META-INF/manifest.xmlPK???????????????????? ods y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.spreadsheetPK META-INF/manifest.xmlPK???????????????????? odp y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.presentationPK META-INF/manifest.xmlPK???????????????????? # odg y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.graphicsPK META-INF/manifest.xmlPK???????????????????? # odc y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.chartPK META-INF/manifest.xmlPK???????????????????? # odf y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.formulaPK META-INF/manifest.xmlPK???????????????????? # odi y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.imagePK META-INF/manifest.xmlPK???????????????????? # odm y 10000000 PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.text-masterPK META-INF/manifest.xmlPK???????????????????? # sxw y 10000000 PK????????????????????????????mimetypeapplication/vnd.sun.xml.writerPK META-INF/manifest.xmlPK???????????????????? #--------------------------------------------------------------------- # THUNDERBIRD FILES #--------------------------------------------------------------------- # msf y 10000000 //\s?<\s<(a=c)>\s//\s(f=iso-8859-1) //\s?<\s<(a=c)>\s//\s(f=iso-8859-1) NEXT # actual Local Folder data files, no way to tell end so grab 100MB NONE y 100000000 From????????????????????????????X-Mozilla-Status:\s?????X-Mozilla-Status2: NEXT