GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
SCALPEL(1) Digital Forensics Solutions SCALPEL(1)

scalpel - Recover files or data fragments from a disk image using file type-specific patterns

scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>] [-n] [-o <dir>] [-O] [-p] [-q <clustersize>] [-r] [-V] [-v] [FILES]...

Recover files from a disk image or raw block device based on headers and footers specified by the user.

-b
Carve files even if defined footers aren't discovered within maximum carve size for file type [foremost 0.69 compat mode]. This option may help when fragmentary evidence is useful, but will increase the number of false positives.

-c file
Chooses which configuration file to use. If this option is omitted, then "scalpel.conf" in the current directory is used. The format for the configuration file is described in the default configuration file "scalpel.conf". See the CONFIGURATION FILE section below for more information.

-d
Generate header/footer database. This option forces Scalpel to discover all headers and footers and write header/footer locations to a text file. Since certain optimizations are bypassed when all footers must be discovered, performance will suffer. This option does not affect the set of files that are carved.

-e
Do nested header/footer matching, to deal with structured files that may contain embedded files of the same type. Applicable only to FORWARD / NEXT patterns.

-h
Show a help screen and exit.

-i file
file is used as a list of input files to examine. Each line in the specified file should contain a single filename.

-o directory
Recovered files are written to the directory directory. Scalpel requires that this directory be either empty or not exist. The directory will be created if necessary.

-n
Don't add extensions to extracted files.

-o
Set output directory for carved files. Scalpel will only write carved files to an empty output directory. "scalpel-output" in the current directory is the default if this option is not specified.

-O
Don't organize carved files by type. By default, scalpel organizes carved files into subdirectories, by type.

-p
Perform an image file preview. When this option is specified, the audit log indicates which files would have been carved, but no files are actually carved. This option also supports in-place file carving.

-q
Carve files only when the header is cluster-aligned. If you aren't interested in carving files embedded within other file types, this option should be used, as it significantly reduces the false positive rate.

-r
Find only first of overlapping headers/footers [foremost 0.69 compat mode]. This option is rarely needed.

-V
Show copyright information and exit.

-v
Enables verbose mode. This causes copious amounts of debugging information to be output.

The configuration file is used to control the types of files Scalpel will attempt to carve. A sample configuration file, "scalpel.conf", is included with this distribution. For each file type, the configuration file describes the file's extension, whether the header and footer are case sensitive, the minimum and maximum file sizes, and the header and footer for the file. Minimum carve sizes and footer fields are optional, but the header, maximum size, case sensitivity, and extension fields are required.

Any line in the configuration file that begins with a pound sign is considered a comment and ignored. Please see the documentation in the sample configuration file for more information.

Written by Golden G. Richard III and Lodovico Marziale. The first version of Scalpel was based on foremost 0.69, which was written by Special Agent Kris Kendall and Special Agent Jesse Kornblum of the United States Air Force Office of Special Investigations.

It is currently not possible to carve block devices directly using the Windows version of Scalpel. This may be addressed in a future release.

When submitting a bug report, please include a description of the problem, how you found it, and your contact information.

Send bug reports to:
scalpel@digitalforensicssolutions.com

This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

More information on Scalpel appears in the README file, distributed with the Scalpel source code.
v2.0 - April 2011 Digital Forensics Solutions
Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.