SCALPEL(1) Digital Forensics Solutions SCALPEL(1)
NAME
scalpel - Recover files or data fragments from a disk image using file
type-specific patterns
SYNOPSIS
scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>] [-n] [-o
<dir>] [-O] [-p] [-q <clustersize>] [-r] [-V] [-v] [FILES]...
DESCRIPTION
Recover files from a disk image or raw block device based on headers
and footers specified by the user.
-b Carve files even if defined footers aren't discovered within the
maximum carve size for the file type [foremost 0.69 compat mode].
This option may help when fragmentary evidence is useful, but
will increase the number of false positives.
-c file
Chooses which configuration file to use. If this option is omitted,
then "scalpel.conf" in the current directory is used. The
format for the configuration file is described in the default
configuration file "scalpel.conf". See the CONFIGURATION FILE
section below for more information.
-d Generate header/footer database. This option forces Scalpel to
discover all headers and footers and write header/footer locations
to a text file. Since certain optimizations are bypassed
when all footers must be discovered, performance will suffer.
This option does not affect the set of files that are carved.
-e Do nested header/footer matching, to deal with structured files
that may contain embedded files of the same type. Applicable
only to FORWARD / NEXT patterns.
-h Show a help screen and exit.
-i file
file is used as a list of input files to examine. Each line in
the specified file should contain a single filename.
-o directory
Recovered files are written to the given directory.
Scalpel requires that this directory be either empty or not
exist. The directory will be created if necessary.
-n Don't add extensions to extracted files.
-o Set output directory for carved files. Scalpel will only write
carved files to an empty output directory. "scalpel-output" in
the current directory is the default if this option is not specified.
-O Don't organize carved files by type. By default, scalpel organizes
carved files into subdirectories, by type.
-p Perform an image file preview. When this option is specified,
the audit log indicates which files would have been carved, but
no files are actually carved. This option also supports in-place
file carving.
-q Carve files only when the header is cluster-aligned. If you
aren't interested in carving files embedded within other file
types, this option should be used, as it significantly reduces
the false positive rate.
-r Find only the first of overlapping headers/footers [foremost 0.69
compat mode]. This option is rarely needed.
-V Show copyright information and exit.
-v Enables verbose mode. This causes copious amounts of debugging
information to be output.
CONFIGURATION FILE
The configuration file is used to control the types of files Scalpel
will attempt to carve. A sample configuration file, "scalpel.conf", is
included with this distribution. For each file type, the configuration
file describes the file's extension, whether the header and footer are
case sensitive, the minimum and maximum file sizes, and the header and
footer for the file. Minimum carve sizes and footer fields are
optional, but the header, maximum size, case sensitivity, and extension
fields are required.
Any line in the configuration file that begins with a pound sign is
considered a comment and ignored. Please see the documentation in the
sample configuration file for more information.
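A small linter for the rules described above, as an added example that is not part of the Scalpel distribution. The column order (extension, case flag, size, header, footer), the y/n case flag, the min:max size form and the \xHH / \s escapes are assumptions based on the sample "scalpel.conf", which this page references but does not reproduce; the sample lines are constructed.

```python
import re

# Constructed sample, not the distributed scalpel.conf. The last two lines
# are deliberately malformed so the linter has something to report.
SAMPLE_CONF = r"""
# ext  case  [min:]max       header                    footer
jpg    y     5000:100000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
gif    y     5000000         \x47\x49\x46\x38\x39\x61  \x00\x3b
pgp    y     100000          \x99\x00
png    maybe 20000000        \x89PNG
htm    n     50000
"""

def decode_pattern(text):
    # Assumed escapes: \xHH is one byte, \s is a space. Everything else,
    # including the '?' wildcard, is passed through as a literal byte.
    def repl(m):
        return b" " if m.group(0) == b"\\s" else bytes([int(m.group(1), 16)])
    return re.sub(rb"\\x([0-9a-fA-F]{2})|\\s", repl, text.encode("latin-1"))

def parse_conf(text):
    """Return (rules, errors); errors are (line_number, message) pairs."""
    rules, errors = [], []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):    # pound-sign lines are comments
            continue
        f = line.split()
        if len(f) < 4:                          # footer is the only optional column
            errors.append((no, "extension, case flag, max size and header are required"))
            continue
        if f[1].lower() not in ("y", "n"):
            errors.append((no, "case sensitivity must be y or n"))
            continue
        lo, _, hi = f[2].rpartition(":")        # "max" or "min:max"
        if not hi.isdigit() or (lo and not lo.isdigit()) or int(lo or 0) > int(hi):
            errors.append((no, "size must be max or min:max with min <= max"))
            continue
        rules.append({
            "ext": f[0], "case_sensitive": f[1].lower() == "y",
            "min": int(lo or 0), "max": int(hi),
            "header": decode_pattern(f[3]),
            "footer": decode_pattern(f[4]) if len(f) > 4 else None,
        })
    return rules, errors

if __name__ == "__main__":
    rules, errors = parse_conf(SAMPLE_CONF)
    print(len(rules), "rules;", "problems:", errors)
```

Linting a configuration before a long carve, and then running scalpel with -p first, catches a malformed rule before hours of I/O are spent on it.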
AUTHORS
Written by Golden G. Richard III and Lodovico Marziale. The first
version of Scalpel was based on foremost 0.69, which was written by
Special Agent Kris Kendall and Special Agent Jesse Kornblum of the United
States Air Force Office of Special Investigations.
BUGS
It is currently not possible to carve block devices directly using the
Windows version of Scalpel. This may be addressed in a future release.
REPORTING BUGS
When submitting a bug report, please include a description of the
problem, how you found it, and your contact information.
Send bug reports to:
scalpel@digitalforensicssolutions.com
COPYRIGHT
This is free software. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
More information on Scalpel appears in the README file, distributed
with the Scalpel source code.
Digital Forensics Solutions v2.0 - April 2011 SCALPEL(1)