
Recover Deleted Files using Scalpel under Ubuntu Linux

If you have accidentally deleted files from your hard drive, don't panic! You can easily recover deleted files whether you are using a Windows PC (NTFS) or Linux OS. You can undelete files with almost guaranteed success. The most important thing is to act as soon as you realize that the files are lost.

When a file is deleted from your computer it is not really deleted. It is simply removed from the database of files in the folder. Even though you can no longer see the file in the folder, its contents still exist 100% intact at this point.

Scalpel is based on Foremost, an open source application developed to recover deleted information. Scalpel is significantly faster and more efficient: it reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file-system-independent and can recover files from FATx, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.

Scalpel is a standalone tool. It is available on Linux and Mac OS, and can also be used on Windows, although there it is necessary to compile it.

Scalpel Installation:
Ubuntu users can install Scalpel with the following command:
sudo apt-get install scalpel

Using Scalpel:
Important note: The default configuration file, "/etc/scalpel/scalpel.conf", has all supported file patterns commented out--you must edit this file before running Scalpel to activate some patterns.  Resist the urge to simply un-comment all file carving patterns; this wastes time and will generate a huge number of false positives.  Instead, un-comment only the patterns for the file types you need.

After that, go to the terminal and use the following syntax:
sudo scalpel /dev/sda1 -o output_directory
For input, you can specify your device name (/dev/sda1) or a directory name.
The output directory is the directory where you want to restore your deleted files. It should be empty before running the command, otherwise you will get an error. You can also input the deleted filename directly by using the -i option. Look at the scalpel man pages for details.
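
One way to follow the advice above about activating only the patterns you need, as an added example that is not part of the original post or of Scalpel itself: it un-comments selected file types in a copy of the configuration instead of editing "/etc/scalpel/scalpel.conf" by hand. The function names, the copy's file name and the sample configuration excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: activate only chosen carving patterns in a COPY of scalpel.conf.

# Constructed excerpt in the layout of scalpel.conf: every pattern commented out.
# Columns: extension, case-sensitive (y/n), max size, header, optional footer.
sample_conf() {
cat <<'EOF'
# GIF and JPG files (very common)
#   gif  y  5000000    \x47\x49\x46\x38\x37\x61  \x00\x3b
#   gif  y  5000000    \x47\x49\x46\x38\x39\x61  \x00\x3b
#   jpg  y  200000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
#   jpg  y  200000000  \xff\xd8\xff\xe1          \xff\xd9
# jpg files from cameras are the usual target
#   png  y  20000000   \x89\x50\x4e\x47          \x49\x45\x4e\x44
EOF
}

# enable_patterns SRC DST EXT...
# Write SRC to DST, removing the leading '#' only from pattern lines whose
# extension is one of EXT. Prose comments stay commented because they lack the
# y/n flag and numeric size columns.
enable_patterns() {
    src=$1; dst=$2; shift 2
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) on[w[i]] = 1 }
        /^#/ {
            line = $0
            sub(/^#[ \t]*/, "", line)
            m = split(line, f, /[ \t]+/)
            if (m >= 4 && (f[1] in on) && f[2] ~ /^[yn]$/ && f[3] ~ /^[0-9]/) {
                print "\t" line
                next
            }
        }
        { print }
    ' "$src" > "$dst"
}

# active_patterns FILE: print the extensions that are uncommented in FILE.
active_patterns() {
    awk '!/^[ \t]*#/ && NF >= 4 && $2 ~ /^[yn]$/ && $3 ~ /^[0-9]/ { print $1 }' "$1" |
        sort -u | paste -sd' ' -
}

# Typical use (paths are assumptions; -c selects the configuration file):
#   enable_patterns /etc/scalpel/scalpel.conf ./scalpel-jpg.conf jpg
#   active_patterns ./scalpel-jpg.conf
#   sudo scalpel -c ./scalpel-jpg.conf /dev/sda1 -o output_directory
```

Checking the result with active_patterns before a long scan confirms that only the intended file types will be carved.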


The time taken by Scalpel to recover your deleted files depends on the total disk space that you are trying to scan, the amount of deleted data on your machine, and the speed of your system.



