Recovering deleted files with Scalpel
The Knife
The Scalpel file carver helps users restore what they thought were lost files.
You just need to delete the pesky backup files for the project, and then you're off for home. However, rm *~
can quickly be mistyped as rm * ~
, thus deleting all the files from the current directory. But, perhaps all is not lost: Deleted data usually is not dumped directly into a black hole. The operating system typically only deletes the metadata, such as file name, owner, and location. The user data is kept on the storage medium until it is overwritten.
Linux has a number of file carvers, which are programs designed for restoring such data. These tools analyze a disk for byte patterns that match the file headers and footers and interpret everything between the two as belonging to the file. This approach works as long as the header and footer are clear, the file is not fragmented, and the file was not encrypted.
When a footer is missing or not recognized, the carver just writes everything to the recovery file until it encounters the next header. Therefore, besides fragmented files and those with poorly discernible ends, those that contain other files – such as text documents with embedded graphics – also cause problems. If you use a file carver, you should not expect miracles but just hope for the best.
File Scalpel
The Scalpel [1] file carver can detect many different file types. It does not matter which filesystem the disk has been formatted with: Scalpel uses a database with headers and footers for various file types to trace files.
Many distributions have older versions of Scalpel in their repositories that do the job well but do not have the full functionality of the current version 2.0, such as regular expressions for headers and footers, multithreading, asynchronous input and output, or GPU-accelerated file carving (if NVidia's CUDA SDK is installed). If you want to use these features, you must build Scalpel from the source code (see the "Installation" box).
Installation
To install Scalpel 2.0, download the source code archive [2] and unpack it into a directory. Then, change to the directory and compile the tool with ./configure
followed by make
and make install
(running the last of these as root). If the binaries do not end up in /usr/local
, you need to pass in a matching --prefix
to the configure
step. Before you delete the source files, you should copy scalpel.conf
to another location: This configuration file contains the headers and footers for the supported file types.
In former times, file carvers scanned disks for header and footer patterns and wrote all the results to a new medium, which required plenty of storage. Scalpel, however, just checks a disk twice to put together all the necessary information.
The first time you run Scalpel, it looks for headers and stores its findings in a database; then, it identifies the footers. In doing so, Scalpel always takes into account that a header is always followed by a footer, which nicely accelerates the search. Now you have an index with the positions of the headers and footers, which forms the basis for the second run. This time, Scalpel matches the headers and footers and writes the files it found directly to a new location from memory without having to access the disk again.
Before Scalpel embarks on a search for lost data, it reads the scalpel.conf
configuration file, which can contain the minimum and maximum sizes of the files, including headers and footers, in addition to file types to search for. Specifying the file type results in file bloat if the footer is missing. Before you start carving, you should make some individual settings that restrict the search to a minimum number of file types and sizes from the outset.
Saving the Sandman
Next, I'll give some examples of bailouts. Scenario 1 involves a household without TV with at least one young child. The father has accidentally deleted the child's favorite "Sandmann" episodes, which were recorded from ARD Mediathek over several days. Deprived of the show, the child expresses disappointment in the usual loud and unmistakable way.
The scalpel.conf
file does not have an entry for the MP4 format, but the existing – long-since viewed – files show an encouraging consistency in terms of the headers (Figure 1). Dad now feeds the data to scalpel.conf
. The first item in the new entry (Figure 2) is the file extension that should receive potential matches. The "y" indicates whether Scalpel distinguishes between uppercase and lowercase in the header and footer. This is followed by the minimum and maximum file sizes – the MP4s usually occupy between 30 and 70MB. Finally, the header is given. A footer cannot be specified, because it always turns out differently.
Then, dad starts the rescue operation at the command line with:
$ scalpel -c scalpel.conf -o sandmann_recovered /dev/sdd1
During this operation, Scalpel really does scratch six files back off the disk. Because of the lack of footer information, they are all exactly 70,000,000 bytes long and contain a lost "Sandmann" sequence – with a more or less large chunk of junk data at the end (Figure 3). Cheers for dad!
Save my LaTeX
Scenario 2: The USB stick with your humanities term paper in TeX has died because of a physical defect in the boot sector. However, you took the business of writing this paper seriously and tagged each file at the beginning and end with %filename.tex
and %filename.tex End
. This practice hugely increases your chances of seeing the contents again.
The recovery procedure is similar to that described above. In scalpel.conf
, you can comment out all the lines except the one that describes the headers and footers of your well-documented paper:
tex y 300:50000 /%.{1,20}\.tex/ /%.{1,20}\.tex\sEnd/
This regular expression [3] tells Scalpel to search for data fragments that start with %.{1,20}\.tex
and end with %.{1,20}\.tex\sEnd
. The term .{1,20}
stands for at least 1 and a maximum of 20 characters. The dot that follows stands for characters before the tex
suffix, and the \s
in the footer means a space. Although regular expressions support the quantifiers *
, +
, ?
, and expressions like [:alnum:]
, experience shows that Scalpel cannot do much with them.
Next, to copy the contents of the broken USB stick to the stick.dd.img
file, use dd
and run the following command:
$ scalpel -c scalpel.conf -o lost_texfiles stick.dd.img
In this test, Scalpel needed just four seconds to scan a 2GB image file and restore all the TeX files.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs