Tutorial News Comments FAQ Related Articles

How to Install Scalpel in Linux - Recovery Tool

{{postValue.id}}

To Recover Deleted Files/Folders in Linux

Scalpel is a tool that runs in the entire hard drive and recovers lost file. It visits the block database and recovers the deleted files immediately. It is also an important tool in digital forensics. Installation of Scalpel is discussed in this article.

To Install Scalpel

In RHEL/CentOS and Fedora
Before installing Scalpel, Enable epel repository.

# yum install epel-release
# yum install scalpel


In Debian/Ubuntu and Linux Mint
Run the following command to update the repositories.

root@linuxhelp:~# apt-get update
Get:1 http://security.ubuntu.com wily-security InRelease [65.9 kB]
Hit http://in.archive.ubuntu.com wily InRelease      
Get:2 http://in.archive.ubuntu.com wily-updates InRelease [65.9 kB]            
Hit http://in.archive.ubuntu.com wily-backports InRelease              
Get:3 http://security.ubuntu.com wily-security/main Sources [47.5 kB]
.
.
.
Hit http://in.archive.ubuntu.com wily-backports/universe Translation-en        
Get:34 http://security.ubuntu.com wily-security/universe Translation-en [33.9 kB]
Fetched 1,684 kB in 23s (71.4 kB/s)                                            
Reading package lists... Done


Execute the following command to install scalpel

root@linuxhelp:~# apt-get install scalpel
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  scalpel
0 upgraded, 1 newly installed, 0 to remove and 238 not upgraded.
Need to get 29.3 kB of archives.
After this operation, 112 kB of additional disk space will be used.
Get:1 http://in.archive.ubuntu.com/ubuntu/ wily/universe scalpel amd64 1.60-3 [29.3 kB]
Fetched 29.3 kB in 2s (14.5 kB/s)    
Selecting previously unselected package scalpel.
(Reading database ... 179685 files and directories currently installed.)
Preparing to unpack .../scalpel_1.60-3_amd64.deb ...
Unpacking scalpel (1.60-3) ...
Processing triggers for man-db (2.7.4-1) ...
Setting up scalpel (1.60-3) ...


Now scalpel is installed successfully.

To restore deleted files

Open the configuration file in the directory ' /etc/scalpel/scalpel.conf' or ' /etc/scalpel.conf' . Uncomment the file format that you want to recover. Here, we are recovering ' .jpg' files. Uncomment ' .jpg' file section in the scalpel configuration file as shown below.

root@linuxhelp:~# vim /etc/scalpel/scalpel.conf
# GIF and JPG files (very common)
#       gif     y       5000000         x47x49x46x38x37x61        x00x3b
#       gif     y       5000000         x47x49x46x38x39x61        x00x3b
        jpg     y       200000000       xffxd8xffxe0x00x10        xffxd9


Now delete some files permanently in the hard drive.

root@linuxhelp:~# ls /mnt/pics/
index1.jpeg  index2.jpeg  index.jpeg

root@linuxhelp:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            476M     0  476M   0% /dev
tmpfs            99M  5.4M   94M   6% /run
/dev/sda3        28G  3.9G   22G  16% /
tmpfs           493M  160K  492M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           493M     0  493M   0% /sys/fs/cgroup
/dev/sda1       453M   54M  373M  13% /boot
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs            99M   48K   99M   1% /run/user/1000
/dev/sdb1       2.0G  3.1M  1.8G   1% /mnt


The ' /mnt/pics' directory contains three jpg files. These files are stored in the hard drive ' /dev/sdb1' which is mounted under /mnt mount point.
Now delete the files by running the following command.

root@linuxhelp:~# cd /mnt/pics/
root@linuxhelp:/mnt/pics# rm -rf *


Go to the terminal and type below command to recover the deleted files.

root@linuxhelp:~# scalpel /dev/sdb1 -o recover/
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Opening target " /dev/sdb1" 
Image file pass 1/2.
/dev/sdb1: 100.0% |*************************************|    2.0 GB    00:00 ETAAllocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built.  Workload:
jpg with header " xffxd8xffxe0x00x10"  and footer " xffxd9"  -->  3 files
Carving files from image.
Image file pass 2/2.
/dev/sdb1: 100.0% |*************************************|    2.0 GB    00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 3, elapsed = 15 seconds.


The ' -o' option denotes an output directory, where you need to restore your deleted files. Checkout that this directory is empty before executing any command or else it will display an error.
Check the recovered files in the ' recover' directory.

root@linuxhelp:~# ls recover/jpg-0-0/
00000000.jpg  00000001.jpg  00000002.jpg

Tags:
Author: 

Comments ( 0 )

No comments available

Frequently asked questions ( 5 )

Q

Good very much needed video and tool for Linux Users

A

Thanks for your appreciation

Q

It is not getting installed when I run "sudo apt-get install scalpel"

A

Please post your error so that I can provide you better assistance

Q

is there any alternative tool for it?

A

photorec you can try for

Q

What is Scalpel?

A

Scalpel is an open source file system recovery for Linux and Mac operation systems. The tool visits the block database storage and identifies the deleted files from it and recover them instantly. Apart from file recovery it is also useful for digital forensics investigation

Q

How to Recovering Deleted Files with Scalpel?

A

he Scalpel file carver helps users restore what they thought were lost files.

You just need to delete the pesky backup files for the project, and then you’re off for home. However, rm *~ can quickly be mistyped as rm * ~, thus deleting all the files from the current directory.

Back To Top!