"Fossies" - the Fresh Open Source Software Archive
Member "scalpel-2.0/man/scalpel.1" (20 Apr 2011, 4771 Bytes) of archive /linux/misc/scalpel-2.0.tar.gz:
Section: Digital Forensics Solutions (1)
Updated: v2.0 - April 2011
scalpel - Recover files or data fragments from a disk image using file type-specific patterns
[-c <config file>]
Recover files from a disk image or raw block device based on headers
and footers specified by the user.
Carve files even if defined footers aren't discovered within
maximum carve size for file type [foremost 0.69 compat mode].
This option may help when fragmentary evidence is useful, but will
increase the number of false positives.
- -c file
Chooses which configuration file to use. If this option is omitted,
then "scalpel.conf" in the current directory is used. The format for
the configuration file is described in the default configuration
file "scalpel.conf". See the CONFIGURATION FILE
section below for more information.
Generate header/footer database. This option forces Scalpel
to discover all headers and footers and write header/footer locations
to a text file. Since certain optimizations are bypassed when all
footers must be discovered, performance will suffer. This option does
not affect the set of files that are carved.
Do nested header/footer matching, to deal with structured files that may
contain embedded files of the same type. Applicable only to
FORWARD / NEXT patterns.
Show a help screen and exit.
- -i file
file is used as a list of input files to examine. Each
line in the specified file should contain a single filename.
- -o directory
Recovered files are written to the directory
directory. Scalpel requires that this directory
be either empty or not exist. The directory will be created
Don't add extensions to extracted files.
Set output directory for carved files. Scalpel will only
write carved files to an empty output directory. "scalpel-output" in
the current directory is the default if this option is not specified.
Don't organize carved files by type. By default, scalpel
organizes carved files into subdirectories, by type.
Perform an image file preview. When this option is
specified, the audit log indicates which files would have been carved,
but no files are actually carved. This option also supports in-place
Carve files only when the header is cluster-aligned. If you
aren't interested in carving files embedded within other file types,
this option should be used, as it significantly reduces the false
Find only first of overlapping headers/footers [foremost
0.69 compat mode]. This option is rarely needed.
Show copyright information and exit.
Enables verbose mode. This causes copious amounts of debugging information
to be output.
The configuration file is used to control the types of files Scalpel
will attempt to carve. A sample configuration file, "scalpel.conf",
is included with this distribution. For each file type, the
configuration file describes the file's extension, whether the header
and footer are case sensitive, the minimum and maximum file sizes, and
the header and footer for the file. Minimum carve sizes and footer
fields are optional, but the header, maximum size, case sensitivity,
and extension fields are required.
Any line in the configuration file that begins with a pound sign is
considered a comment and ignored. Please see the documentation in
the sample configuration file for more information.
Written by Golden G. Richard III and Lodovico Marziale. The first
version of Scalpel was based on foremost 0.69, which was written by
Special Agent Kris Kendall and Special Agent Jesse Kornblum of the
United States Air Force Office of Special Investigations.
It is currently not possible to carve block devices directly using
the Windows version of Scalpel. This may be addressed in a future release.
When submitting a bug report, please include a description
of the problem, how you found it, and your contact information.
Send bug reports to:
This is free software. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
More information on Scalpel appears in the README file, distributed
with the Scalpel source code.
- CONFIGURATION FILE
- REPORTING BUGS
- SEE ALSO