1SCALPEL(1)                Digital Forensics Solutions               SCALPEL(1)
2
3
4

NAME

6       scalpel  - Recover files or data fragments from a disk image using file
7       type-specific patterns
8
9

SYNOPSIS

11       scalpel [-b] [-c <config file>] [-d] [-e] [-h]  [-i  <file>]  [-n]  [-o
12       <dir>] [-O] [-p] [-q <clustersize>] [-r] [-V] [-v] [FILES]...
13
14

DESCRIPTION

16       Recover  files  from  a disk image or raw block device based on headers
17       and footers specified by the user.
18
19
20       -b     Carve files even if defined  footers  aren't  discovered  within
21              maximum  carve  size  for file type [foremost 0.69 compat mode].
22              This option may help when fragmentary evidence  is  useful,  but
23              will increase the number of false positives.
24
25
26       -c file
27              Chooses which configuration file to use. If this option is omit‐
28              ted, then "scalpel.conf" in the current directory is  used.  The
29              format  for  the  configuration file is described in the default
30              configuration file "scalpel.conf".  See the  CONFIGURATION  FILE
31              section below for more information.
32
33
34       -d     Generate  header/footer database.  This option forces Scalpel to
35              discover all headers and footers and write  header/footer  loca‐
36              tions  to a text file.  Since certain optimizations are bypassed
37              when all footers must be discovered,  performance  will  suffer.
38              This option does not affect the set of files that are carved.
39
40
41       -e     Do  nested header/footer matching, to deal with structured files
42              that may contain embedded files of the  same  type.   Applicable
43              only to FORWARD / NEXT patterns.
44
45
46       -h     Show a help screen and exit.
47
48
49       -i file
50              file  is  used as a list of input files to examine. Each line in
51              the specified file should contain a single filename.
52
53
54       -o directory
55              Recovered  files  are  written  to  the   directory   directory.
56              Scalpel  requires  that  this  directory  be either empty or not
57              exist.  The directory will be created if necessary.
58
59
60       -n     Don't add extensions to extracted files.
61
62
63       -o     Set output directory for carved files.  Scalpel will only  write
64              carved  files to an empty output directory.  "scalpel-output" in
65              the current directory is the default if this option is not spec‐
66              ified.
67
68
69       -O     Don't  organize  carved files by type. By default, scalpel orga‐
70              nizes carved files into subdirectories, by type.
71
72
73       -p     Perform an image file preview.  When this option  is  specified,
74              the  audit log indicates which files would have been carved, but
75              no files are actually carved.  This  option  also  supports  in-
76              place file carving.
77
78
79       -q     Carve  files  only  when  the  header is cluster-aligned. If you
80              aren't interested in carving files embedded  within  other  file
81              types,  this  option should be used, as it significantly reduces
82              the false positive rate.
83
84
85       -r     Find only first of overlapping  headers/footers  [foremost  0.69
86              compat mode].  This option is rarely needed.
87
88
89       -V     Show copyright information and exit.
90
91
92       -v     Enables  verbose  mode. This causes copious amounts of debugging
93              information to be output.
94
95

CONFIGURATION FILE

97       The configuration file is used to control the types  of  files  Scalpel
98       will attempt to carve.  A sample configuration file, "scalpel.conf", is
99       included with this distribution. For each file type, the  configuration
100       file  describes the file's extension, whether the header and footer are
101       case sensitive, the minimum and maximum file sizes, and the header  and
102       footer  for  the  file.  Minimum  carve  sizes  and  footer  fields are
103       optional, but the header, maximum size, case sensitivity, and extension
104       fields are required.
105
106       Any  line  in  the  configuration file that begins with a pound sign is
107       considered a comment and ignored. Please see the documentation  in  the
108       sample configuration file for more information.
109
110

AUTHORS

112       Written by Golden G. Richard III and Lodovico Marziale.  The first ver‐
113       sion of Scalpel was based on foremost 0.69, which was written  by  Spe‐
114       cial  Agent Kris Kendall and Special Agent Jesse Kornblum of the United
115       States Air Force Office of Special Investigations.
116
117

BUGS

119       It is currently not possible to carve block devices directly using  the
120       Windows version of Scalpel.  This may be addressed in a future release.
121
122

REPORTING BUGS

124       When submitting a bug report, please include a description of the prob‐
125       lem, how you found it, and your contact information.
126
127       Send bug reports to:
128       scalpel@digitalforensicssolutions.com
129

COPYRIGHT

131       This is free software.   There  is  NO  warranty;  not  even  for  MER‐
132       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
133
134

SEE ALSO

136       More  information  on  Scalpel  appears in the README file, distributed
137       with the Scalpel source code.
138
139Digital Forensics Solutions    v2.0 - April 2011                    SCALPEL(1)