Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
SCALPEL(1)		  Digital Forensics Solutions		    SCALPEL(1)

NAME
       scalpel	- Recover files	or data	fragments from a disk image using file
       type-specific patterns

SYNOPSIS
       scalpel [-b] [-c	<config	file>] [-d] [-e] [-h]  [-i  <file>]  [-n]  [-o
       <dir>] [-O] [-p]	[-q <clustersize>] [-r]	[-V] [-v] [FILES]...

DESCRIPTION
       Recover	files  from  a disk image or raw block device based on headers
       and footers specified by	the user.

       -b     Carve files even if defined  footers  aren't  discovered	within
	      maximum  carve  size  for	file type [foremost 0.69 compat	mode].
	      This option may help when	fragmentary evidence  is  useful,  but
	      will increase the	number of false	positives.

       -c file
	      Chooses which configuration file to use. If this option is omit-
	      ted,  then  "scalpel.conf" in the	current	directory is used. The
	      format for the configuration file	is described  in  the  default
	      configuration  file  "scalpel.conf".  See	the CONFIGURATION FILE
	      section below for	more information.

       -d     Generate header/footer database.	This option forces Scalpel  to
	      discover	all  headers and footers and write header/footer loca-
	      tions to a text file.  Since certain optimizations are  bypassed
	      when  all	 footers  must be discovered, performance will suffer.
	      This option does not affect the set of files that	are carved.

       -e     Do nested	header/footer matching,	to deal	with structured	 files
	      that  may	 contain  embedded files of the	same type.  Applicable
	      only to FORWARD /	NEXT patterns.

       -h     Show a help screen and exit.

       -i file
	      file is used as a	list of	input files to examine.	Each  line  in
	      the specified file should	contain	a single filename.

       -o directory
	      Recovered	  files	  are  written	to  the	 directory  directory.
	      Scalpel requires that this directory be either empty or not  ex-
	      ist.  The	directory will be created if necessary.

       -n     Don't add	extensions to extracted	files.

       -o     Set  output directory for	carved files.  Scalpel will only write
	      carved files to an empty output directory.  "scalpel-output"  in
	      the current directory is the default if this option is not spec-
	      ified.

       -O     Don't  organize  carved files by type. By	default, scalpel orga-
	      nizes carved files into subdirectories, by type.

       -p     Perform an image file preview.  When this	option	is  specified,
	      the  audit log indicates which files would have been carved, but
	      no files are actually carved.  This  option  also	 supports  in-
	      place file carving.

       -q     Carve  files  only  when	the  header is cluster-aligned.	If you
	      aren't interested	in carving files embedded  within  other  file
	      types,  this  option should be used, as it significantly reduces
	      the false	positive rate.

       -r     Find only	first of overlapping  headers/footers  [foremost  0.69
	      compat mode].  This option is rarely needed.

       -V     Show copyright information and exit.

       -v     Enables  verbose	mode. This causes copious amounts of debugging
	      information to be	output.

CONFIGURATION FILE
       The configuration file is used to control the types  of	files  Scalpel
       will attempt to carve.  A sample	configuration file, "scalpel.conf", is
       included	 with this distribution. For each file type, the configuration
       file describes the file's extension, whether the	header and footer  are
       case  sensitive,	the minimum and	maximum	file sizes, and	the header and
       footer for the file. Minimum carve sizes	 and  footer  fields  are  op-
       tional,	but  the header, maximum size, case sensitivity, and extension
       fields are required.

       Any line	in the configuration file that begins with  a  pound  sign  is
       considered  a  comment and ignored. Please see the documentation	in the
       sample configuration file for more information.

AUTHORS
       Written by Golden G. Richard III	and Lodovico Marziale.	The first ver-
       sion of Scalpel was based on foremost 0.69, which was written  by  Spe-
       cial  Agent Kris	Kendall	and Special Agent Jesse	Kornblum of the	United
       States Air Force	Office of Special Investigations.

BUGS
       It is currently not possible to carve block devices directly using  the
       Windows version of Scalpel.  This may be	addressed in a future release.

REPORTING BUGS
       When submitting a bug report, please include a description of the prob-
       lem, how	you found it, and your contact information.

       Send bug	reports	to:
       scalpel@digitalforensicssolutions.com

COPYRIGHT
       This  is	 free  software.   There  is  NO  warranty;  not even for MER-
       CHANTABILITY or FITNESS FOR A PARTICULAR	PURPOSE.

SEE ALSO
       More information	on Scalpel appears in  the  README  file,  distributed
       with the	Scalpel	source code.

Digital	Forensics Solutions    v2.0 - April 2011		    SCALPEL(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=scalpel&sektion=1&manpath=FreeBSD+Ports+15.0>

home | help