"Fossies" - the Fresh Open Source Software archive 
Member "scalpel-2.0/man/scalpel.1" of archive scalpel-2.0.tar.gz:
Table of Contents
scalpel - Recover files or data fragments from a disk image using file
type-specific patterns
scalpel [-b] [-c <config file>] [-d] [-e] [-h]
[-i <file>] [-n] [-o <dir>] [-O] [-p] [-q <clustersize>] [-r] [-V] [-v] [FILES]...
Recover
files from a disk image or raw block device based on headers and footers
specified by the user.
- -b
- Carve files even if defined footers aren’t discovered
within maximum carve size for file type [foremost 0.69 compat mode]. This
option may help when fragmentary evidence is useful, but will increase
the number of false positives.
- -c file
- Chooses which configuration file
to use. If this option is omitted, then "scalpel.conf" in the current directory
is used. The format for the configuration file is described in the default
configuration file "scalpel.conf". See the CONFIGURATION FILE section below
for more information.
- -d
- Generate header/footer database. This option forces
Scalpel to discover all headers and footers and write header/footer locations
to a text file. Since certain optimizations are bypassed when all footers
must be discovered, performance will suffer. This option does not affect
the set of files that are carved.
- -e
- Do nested header/footer matching, to
deal with structured files that may contain embedded files of the same
type. Applicable only to FORWARD / NEXT patterns.
- -h
- Show a help screen
and exit.
- -i file
- file is used as a list of input files to examine. Each
line in the specified file should contain a single filename.
- -o directory
- Recovered files are written to the directory directory. Scalpel requires
that this directory be either empty or not exist. The directory will be
created if necessary.
- -n
- Don’t add extensions to extracted files.
- -o
- Set output
directory for carved files. Scalpel will only write carved files to an
empty output directory. "scalpel-output" in the current directory is the
default if this option is not specified.
- -O
- Don’t organize carved files by
type. By default, scalpel organizes carved files into subdirectories, by
type.
- -p
- Perform an image file preview. When this option is specified,
the audit log indicates which files would have been carved, but no files
are actually carved. This option also supports in-place file carving.
- -q
- Carve files only when the header is cluster-aligned. If you aren’t interested
in carving files embedded within other file types, this option should be
used, as it significantly reduces the false positive rate.
- -r
- Find only
first of overlapping headers/footers [foremost 0.69 compat mode]. This option
is rarely needed.
- -V
- Show copyright information and exit.
- -v
- Enables verbose
mode. This causes copious amounts of debugging information to be output.
The configuration file is used to control the types
of files Scalpel will attempt to carve. A sample configuration file, "scalpel.conf",
is included with this distribution. For each file type, the configuration
file describes the file’s extension, whether the header and footer are case
sensitive, the minimum and maximum file sizes, and the header and footer
for the file. Minimum carve sizes and footer fields are optional, but the
header, maximum size, case sensitivity, and extension fields are required.
Any line in the configuration file that begins with a pound sign is considered
a comment and ignored. Please see the documentation in the sample configuration
file for more information.
Written by Golden G. Richard III and Lodovico
Marziale. The first version of Scalpel was based on foremost 0.69, which
was written by Special Agent Kris Kendall and Special Agent Jesse Kornblum
of the United States Air Force Office of Special Investigations.
It
is currently not possible to carve block devices directly using the Windows
version of Scalpel. This may be addressed in a future release.
When submitting a bug report, please include a description of the problem,
how you found it, and your contact information.
Send bug reports to:
scalpel@digitalforensicssolutions.com
This is free software. There
is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
More information on Scalpel appears in the README file,
distributed with the Scalpel source code.
Table of Contents