Skip to content

Advanced file recovery [Linux]

Read the basic file recovery article and still cant recover the file you need? Want to recover off something more exotic? (like EXT, mac or even Xbox 360 hdds) This guide is for you then.

The method I am going to teach in this post is called file carving and I will be using a program called Scalpel in Linux as opposed to foremost which I have used in previous guides. Scalpel is a complete rewrite of foremost to be much faster.

File carving is where a program will look for a header and footer for each type file it is looking for in a huge chunk of data (that means you can search a disk image or a block device like /dev/sdb1 to search the device directly)

***NOTE: DO NOT RUN THIS ON THE DEVICE YOUR RUNNING YOUR OS OFF, RECOVERING FILES TO OR ARE CURRENTLY USING YOU MY LOSE THE FILES YOU ARE TRYING TO RECOVER***

I am using xubuntu on my netbook and my post will be based on my experience, but should work in most distro’s

  • Use your Linux distribution’s package manager to install scalpel
    • sudo apt-get install scalpel
    • Enter your password when prompted
  • Open the Scapel config file and uncomment the file types you are looking for
    • sudo nano /etc/scalpel/scalpel.conf
    • When you are done press ctrl-O and press enter to save, exit with ctrl-X.
  • get the block device of your usb device by plugging in your device and opening the mtab file
    • cat /etc/mtab
    • the last entry should be your device (in my case it is /dev/sdb1)
  • Create a folder in your home directory to recover your files too and enter it
    • mkdir -p ~/recovery
    • cd ~/recovery
  • Start analysing your drive with Scalpel
    • sudo scalpel -o . /dev/sdX(sdb1 in my case)
    • wait for scalpel to complete (this may take longer than Recuva on windows)
  • Files you are looking for should be in the recovery directory

I was trying this method on an old SD card and it not only recovered the test photos I deleted but photos from many years ago. This tool is very powerful, I have used it to recover music off an old Xbox 360 hard drive.

There are ways to improve this, a lot of people in the computer forensics field create there own custom scalpel configs which find evidence in files with matching header and footers, for example, in the iPhone forensics book by o’reilly the author created a config to find amr files which contain voicmail messages stored on the phone, http://my.safaribooksonline.com/book/networking/forensic-analysis/9780596153588/forensic-recovery/data_carving_using_foremost

Post a Comment

Your email is never published nor shared.