Recovering deleted files with Scalpel

The Knife

© Lead Image © Akhilesh Sharma,


Article from Issue 155/2013

The Scalpel file carver helps users restore what they thought were lost files.

You just need to delete the pesky backup files for the project, and then you're off for home. However, rm *~ can quickly be mistyped as rm * ~, thus deleting all the files from the current directory. But, perhaps all is not lost: Deleted data usually is not dumped directly into a black hole. The operating system typically only deletes the metadata, such as file name, owner, and location. The user data is kept on the storage medium until it is overwritten.

Linux has a number of file carvers, which are programs designed for restoring such data. These tools analyze a disk for byte patterns that match the file headers and footers and interpret everything between the two as belonging to the file. This approach works as long as the header and footer are clear, the file is not fragmented, and the file was not encrypted.

When a footer is missing or not recognized, the carver just writes everything to the recovery file until it encounters the next header. Therefore, besides fragmented files and those with poorly discernible ends, those that contain other files – such as text documents with embedded graphics – also cause problems. If you use a file carver, you should not expect miracles but just hope for the best.
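The header/footer matching and the "no footer, so write until the next header" fallback described above can be seen in a small carver. This is an added example, not Scalpel's code and not from the original article; the function names, the size cap, and the sample buffer are constructed for illustration, and the JPEG start and end markers stand in for a carver's configured signatures.

```python
# Simplified header/footer carver (illustration only, not Scalpel's code).
JPEG = (b"\xff\xd8\xff", b"\xff\xd9")  # JPEG start marker, end marker
MAX_SIZE = 1 << 20                      # assumed per-file carve limit


def carve(image, header, footer, max_size=MAX_SIZE):
    """Return (offset, data, footer_found) for every header hit in image."""
    results = []
    pos = image.find(header)
    while pos != -1:
        body = pos + len(header)
        nxt = image.find(header, body)            # next header, or -1
        limit = min(len(image), pos + max_size)   # never carve past the cap
        end = image.find(footer, body, limit)     # first footer after header
        if end != -1 and (nxt == -1 or end < nxt):
            # Clean case: footer appears before any other header.
            results.append((pos, image[pos:end + len(footer)], True))
        else:
            # Footer missing, or another header comes first (overwritten
            # tail, fragmentation, embedded file): keep everything up to
            # the next header and flag the result as unreliable.
            stop = limit if nxt == -1 else min(nxt, limit)
            results.append((pos, image[pos:stop], False))
        pos = nxt
    return results


def sample_image():
    """Constructed disk fragment: intact file, footerless file, intact file."""
    hdr, ftr = JPEG
    intact_a = hdr + b"AAAA" + ftr
    no_footer = hdr + b"BBBB"          # end marker already overwritten
    intact_c = hdr + b"CCCC" + ftr
    gap = b"\x00" * 8
    return b"\x00" * 16 + intact_a + gap + no_footer + gap + intact_c + gap[:4]


if __name__ == "__main__":
    for offset, data, ok in carve(sample_image(), *JPEG):
        state = "complete" if ok else "no footer, cut at next header"
        print(f"offset {offset:3d}  {len(data):3d} bytes  {state}")
```

The second recovered file carries eight bytes of unrelated slack after its real content, which is the kind of over-long, possibly corrupt output the article warns about.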



Related content

  • Recovering Deleted Files

    Modern filesystems make forensic file recovery much more difficult. Tools like Foremost and Scalpel identify data structures and carve files from a hard disk image.

  • OCFA

    Automate the forensics process with the Dutch police department's Open Computer Forensics Architecture.

  • Caine

    Caine is a Linux distribution based on Ubuntu 10.04 for forensic scientists and security-conscious administrators. Poised to do battle against IT ne’er-do-wells, Caine has a comprehensive selection of software, a user-friendly GUI, and responsive support.
