Scalpel
Nate Drake wields the command line tool scalpel to recover deleted files.
Nate Drake doesn’t panic much, especially with the file recovery tool Scalpel to hand.
Those readers lucky enough to have been designated their family's Tech Support Liaison may be aware of their loved ones' tendency to store what we euphemistically call Schrödinger's Data. The term describes personal files such as photographs, calendars and documents that are apparently absolutely essential to their owner's wellbeing, but paradoxically aren't important enough to back up. The end result is that when an essential file is deleted by accident, there doesn't seem to be any easy way to get it back.
In reality, most reasonably IT-literate people know that deleting a file rarely erases it: the filesystem removes the directory entry and marks the file's blocks as free, but the contents stay on the disk until something else overwrites them, so files can often be recovered with specialist tools long after the Recycle Bin has been emptied. One such tool, beloved by family Tech Support gurus and law enforcement alike, is named scalpel.
Scalpel is a command line utility, which uses a technique called file carving to try to recover deleted data from a disk image, partition or drive. In this guide, we’ll explore how to master its basics.
Scalpel is very robust and, because it ignores the filesystem altogether, works with pretty much any type of device or filesystem. During testing we were able to recover deleted PNG and PDF files both from a 512MB flash drive and a VirtualBox VDI (Virtual Disk Image). However, if the files you want to recover are on your system hard drive itself, we recommend booting your computer from a live DVD or CD: every write the running OS makes to that drive, including logs, caches and swap, risks overwriting the very blocks you are trying to recover. For this article we used a live instance of Ubuntu 17.04. Scalpel is available in Ubuntu's repositories, so you can install it from the Terminal with a single apt command.
Surgical carving
Despite the name, scalpel doesn't concern itself with filesystems at all. It reads the raw blocks of a drive, disk image or swap file sequentially and looks for the byte patterns of known file types. If you'd like an in-depth analysis of scalpel's exact workings, the whitepaper is available from http://bit.ly/2v32FA1. In brief, it's enough to know that scalpel is based on the older data recovery tool foremost, which was designed for law enforcement investigations. Like its predecessor, scalpel uses file carving for simple data recovery.
This technique relies on a built-in database of headers and footers for specific file types such as PNG images or PDFs: a header is the fixed string of bytes that a file of that type starts with (for example the eight-byte PNG signature) and a footer is the string it ends with (for a PNG, the IEND chunk). Because these byte strings are found by scanning the raw data, files can be carved from a disk image without reading, or altering, the underlying filesystem. Scalpel was designed to do this much more efficiently than foremost.
On first run, scalpel reads its configuration file, which on Ubuntu is located at /etc/scalpel/scalpel.conf. Every file type in it is commented out by default, so nothing is recovered until you edit the file and uncomment the types you want, as shown in the step-by-step guide. Each line gives the extension, whether matching is case-sensitive, the maximum number of bytes to carve, the header and, optionally, the footer. Scalpel then makes two sequential passes over the target. In the first pass it reads the data in 10MB chunks, searches each chunk for the enabled headers and then for their matching footers, and records the positions in a set of work queues that schedule the carving. In the second pass it reads the data again and writes out the carved files. Any recovered files are placed, grouped by type, in an output directory you specify, which must be empty, along with audit.txt, scalpel's log of what it found and where.
Duplicate approach
When law enforcement agents seize a drive for analysis, they usually make a forensic image of it and work on that. The primary reason is to keep the original untouched: a cryptographic hash of the image, recorded at the time it was taken, lets them show later that the evidence wasn't altered or planted after the fact. But it also means that if anything goes wrong during the recovery process, they can make another copy from the original and try again. When it comes to recovering your own data there's a related risk: if you're not sure what you're doing, you may not only fail to recover your files but also make it harder for a professional to do so.
Linux, as ever, has a couple of neat solutions to this. The first is to use your built-in disk utility (GNOME Disks on Ubuntu, via its Create Disk Image option) to create an image of the target drive, such as a USB stick. This is a block-by-block copy of everything on the device or partition, including the unallocated space where deleted files live, which is exactly what an ordinary file copy would miss. Scalpel can analyse images just as easily as actual drives: simply run scalpel <imagename>, for example scalpel /root/Desktop/Image1.img, adding -o followed by an empty directory if you don't want the output in the default scalpel-output folder.
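Putting the imaging step above together with the configuration and carving steps from the previous section, here is an added example script. It is not code from the article or from the scalpel project. It assumes scalpel 1.6's command-line flags (-c for the config file, -o for an empty output directory) and its config-line format; the raw image it carves is constructed inline so the script runs offline, and the dd command for imaging a real device is shown but left commented out. If scalpel isn't installed, the carve step is skipped and everything else still runs.

```sh
#!/bin/sh
# Added example, not code from the article or the scalpel project.
# Workflow: image the device once, hash the image, carve from the image.
# Install scalpel on Ubuntu with: sudo apt install scalpel

# Imaging a real device (needs root; NOT run by this script). conv=noerror,sync
# keeps going past unreadable sectors and pads them with zeros, so every offset
# in the image still matches the device:
#   sudo dd if=/dev/sdb of=usb.img bs=4M conv=noerror,sync status=progress

# Constructed stand-in for such an image: zero-filled "filesystem metadata"
# around one intact PNG, one intact PDF and one PNG whose eight-byte signature
# has been overwritten with zeros (what a partial overwrite leaves behind).
make_test_image() {
  img=$1
  : > "$img"
  dd if=/dev/zero bs=4096 count=1 2>/dev/null >> "$img"
  printf '\211PNG\015\012\032\012' >> "$img"         # PNG signature = header
  printf 'constructed png body' >> "$img"
  printf 'IEND\256\102\140\202' >> "$img"            # IEND chunk + CRC = footer
  dd if=/dev/zero bs=2048 count=1 2>/dev/null >> "$img"
  printf '%s\n' '%PDF-1.4' 'constructed pdf body' '%%EOF' >> "$img"
  dd if=/dev/zero bs=2048 count=1 2>/dev/null >> "$img"
  dd if=/dev/zero bs=8 count=1 2>/dev/null >> "$img"  # signature wiped
  printf 'constructed png body' >> "$img"
  printf 'IEND\256\102\140\202' >> "$img"            # a footer alone is never carved
  dd if=/dev/zero bs=1048576 count=1 2>/dev/null >> "$img"
}

# A private scalpel.conf enabling just png and pdf. Fields are whitespace-
# separated: extension, case-sensitive (y/n), max bytes to carve, header,
# optional footer; \xHH is a hex byte. Edit a copy, never the file in /etc.
make_conf() {
  cat > "$1" <<'EOF'
# ext  case  max-size   header                     footer
png    y     20000000   \x89PNG\x0d\x0a\x1a\x0a    IEND\xae\x42\x60\x82
pdf    y     5000000    %PDF                       %%EOF
EOF
}

# File types the config will actually carve: uncommented, non-empty lines.
enabled_types() {
  grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# SHA-256 of the image: record it before carving and compare afterwards.
image_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Carve IMAGE with CONF into OUTDIR, which must be empty. Prints the number
# of carved files; scalpel's own log is written to OUTDIR/audit.txt.
run_carve() {
  if ! command -v scalpel >/dev/null 2>&1; then
    echo "scalpel not installed; skipping carve" >&2
    echo 0
    return 0
  fi
  mkdir -p "$3"
  scalpel -c "$2" -o "$3" "$1" >/dev/null
  find "$3" -type f ! -name audit.txt | wc -l | tr -d ' '
}

demo() {
  work=$(mktemp -d)
  make_test_image "$work/usb.img"
  make_conf "$work/scalpel.conf"
  before=$(image_hash "$work/usb.img")
  echo "image sha256 before carving: $before"
  echo "carving for: $(enabled_types "$work/scalpel.conf" | tr '\n' ' ')"
  echo "files carved: $(run_carve "$work/usb.img" "$work/scalpel.conf" "$work/out")"
  if [ "$(image_hash "$work/usb.img")" = "$before" ]; then
    echo "image unchanged by carving"
  fi
  rm -rf "$work"
}
demo
```

With scalpel installed, the constructed image yields two carved files, one PNG and one PDF; the third blob is never carved because its signature was zeroed and scalpel has no header to start from. The hash printed before carving should match the one checked afterwards, confirming that carving reads the image and never writes to it. On a real system you would keep /etc/scalpel/scalpel.conf intact and point -c at a personal copy with the relevant lines uncommented.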
Your second option is to use Kali Linux, which is designed with forensics in mind. Not only does Kali come with scalpel preinstalled, but from the boot menu you can choose Forensic mode, which stops the OS from touching the internal hard drive, from auto-mounting removable media such as USB sticks, and from using any swap partition it finds.
Botched operations
Provided you've made a copy of the partition or volume you're analysing, there's little that can go wrong with scalpel. Whether it can recover a given file depends on several factors. The freed blocks must not have been overwritten yet, which argues for acting quickly and writing nothing to the drive; the file must be stored more or less contiguously, because scalpel carves from header to footer and cannot reassemble a fragmented file; and the device matters, since an SSD may zero deleted blocks on its own once the OS issues a TRIM. The filesystem matters too: some keep extra copies of data, for example in a journal or in snapshots, which gives a carver more chances to find an intact copy.
If the file headers or footers have been overwritten, or the target drive is encrypted (encrypted blocks contain no recognisable headers until they are decrypted), then you may not be able to restore the deleted files. This, of course, is good news for those readers who value their privacy, because now you know of a way to make sure your drives defy simplistic forensic analysis such as this. During our tests we ran the shred command on two PDFs stored on a USB stick. Scalpel was unable to recover either of these. Bear in mind that shred only works when the filesystem overwrites data in place; its own manual warns that it cannot be relied on with journaling or copy-on-write filesystems or flash media that does wear levelling, so full-disk encryption is the more dependable defence. Data that simplistic carving misses may still be recoverable with the more advanced tools in The Sleuth Kit (see boxout).
This tutorial has focused on the version of scalpel (1.6) that's available via Ubuntu's repositories, but there are some advantages to installing the most recent version. Scalpel 2.0 includes support for multithreading for quicker execution on multicore CPUs, as well as better recognition of file types that may themselves contain other files. You can easily download and extract the ZIP file from GitHub (https://github.com/machn1k/Scalpel-2.0/archive/master.zip), but you'll need to install the TRE regular expression library before scalpel will build. Make sure you have the tools autoconf, automake, gettext, libtool and autopoint preinstalled, then run the script autogen.sh in the directory Scalpel-2.0-master/tre-0.7.5-win32. You can then run ./configure, make, then sudo make install, first for TRE and then for Scalpel 2.0.