Scalpel uses a technique called In-Place File Carving. File carving is a well-known technique for recovering deleted files: it identifies the byte sequences that certain file types carry at their beginning and at their end, and extracts everything in between. For example, a JPEG file starts with the sequence "\xff\xd8\xff\xe0\x00\x10" and ends with the sequence "\xff\xd9".
Installing Scalpel in RHEL/CentOS and Fedora
To install the scalpel recovery tool, you first need to enable the EPEL repository. Once it is enabled, you can use 'yum' to install it as shown.
# yum install scalpel
Sample Output
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.01link.hk
 * epel: mirror.nus.edu.sg
 * epel-source: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package scalpel.i686 0:2.0-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version            Repository        Size
================================================================================
Installing:
 scalpel          i686        2.0-1.el6          epel              50 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 50 k
Installed size: 108 k
Is this ok [y/N]: y
Downloading Packages:
scalpel-2.0-1.el6.i686.rpm                               |  50 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : scalpel-2.0-1.el6.i686                                  1/1
  Verifying  : scalpel-2.0-1.el6.i686                                  1/1

Installed:
  scalpel.i686 0:2.0-1.el6

Complete!
Once scalpel is installed, you need to edit its configuration file. By default the scalpel utility ships its own configuration file under '/etc'; the full path is "/etc/scalpel/scalpel.conf" or "/etc/scalpel.conf". You will notice that every entry is commented out (#). Before running scalpel you therefore need to uncomment the file formats that you want to recover. Uncommenting the entire file, however, is time consuming and will generate a huge number of false positives.
Let's say, for example, that I only want to recover '.jpg' files. In that case, simply uncomment the '.jpg' section of the scalpel configuration file.
# GIF and JPG files (very common)
gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
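To show how the header/footer principle from the introduction and the rule lines above fit together, here is a small carver written for this article (not Scalpel's own code). It parses scalpel.conf-style rules and carves a constructed in-memory "disk image"; the image bytes and the simplified carving policy are assumptions for illustration.

```python
# Constructed scalpel.conf-style rules in the format the page quotes:
#   extension  case-sensitive(y/n)  max-size  header  footer
CONF = r"""
# GIF and JPG files (very common)
gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
"""

def unescape(token):
    # e.g. the conf token '\xff\xd9' becomes the two raw bytes ff d9
    return token.encode("ascii").decode("unicode_escape").encode("latin-1")

def parse_conf(text):
    """Return (ext, max_size, header, footer) for every uncommented rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out rules are ignored
            continue
        ext, _case, size, header, footer = line.split()[:5]
        rules.append((ext, int(size), unescape(header), unescape(footer)))
    return rules

def carve(image, rules):
    """Simplified carver: for each header hit, take bytes up to the first footer
    found within max_size. Returns (ext, offset, data) sorted by offset. Scalpel
    itself is more elaborate (e.g. footerless hits), this only shows the idea."""
    found = []
    for ext, max_size, header, footer in rules:
        pos = 0
        while (h := image.find(header, pos)) != -1:
            window = image[h:h + max_size]
            f = window.find(footer, len(header))
            if f == -1:            # no footer within max_size: skip this header
                pos = h + 1
                continue
            end = h + f + len(footer)
            found.append((ext, h, image[h:end]))
            pos = end              # resume scanning after the carved file
    return sorted(found, key=lambda hit: hit[1])

# Constructed disk image standing in for /dev/sda1: two JPEG-like files and
# one GIF87a-like file separated by filler bytes.
JPEG_HDR, JPEG_FTR = b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9"
GIF_HDR, GIF_FTR = b"GIF87a", b"\x00\x3b"
IMAGE = (b"\x00" * 16 + JPEG_HDR + b"JFIF payload one" + JPEG_FTR
         + b"\x11" * 8 + GIF_HDR + b"gif pixels" + GIF_FTR
         + b"\x00" * 8 + JPEG_HDR + b"second picture" + JPEG_FTR + b"\xaa" * 4)

for ext, offset, data in carve(IMAGE, parse_conf(CONF)):
    print(f"{offset:08d}.{ext}  {len(data)} bytes")  # scalpel-style file names
```

Every enabled rule is matched against the whole image, which is why enabling many rules at once multiplies the candidate hits (and the false positives) the text warns about.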
Go to a terminal and type the following command. '/dev/sda1' is the device from which the file was deleted.
$ sudo scalpel /dev/sda1 -o output
The '-o' switch specifies the output directory into which you want the deleted files restored. Make sure this directory is empty before running the command, otherwise scalpel will exit with an error. The output of the above command is:
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.

Opening target "/dev/sda1"

Image file pass 1/2.
/dev/sda1:   6.1% |*****                                  |    6.6 GB    39:16 ETA
As you can see, scalpel is now running; recovering your deleted files will take time, depending on the amount of disk space you are scanning and the speed of the machine.