
Scalpel: Extract lost files from disk/card image

Posted: Mon May 23, 2016 2:19 am
by peter_b
I'll post a collection of extraction examples using the "scalpel" data forensics tool to "carve out" files from a broken filesystem, or simply deleted files.
Thanks again to Falko Timme's HowTo: "Recover Deleted Files With Scalpel".
And another nice source for info on data rescue (on GNU/Linux) is the "Data Recovery" article on Ubuntu's community wiki.

Let's proceed:

1) Extract exact image of original medium:
Very often, I have to deal with SD cards, because they are now commonly used as recording media on digital photo cameras, as well as audio recording devices.

I take a 1:1 image of the source medium, in order to work on a copy - and leave the original medium as untouched as possible.

In the case of an SD-card, this is easily possible, because the image filesize is usually <= 64GB.
When dealing with hard disks, it's very uncommon that you have the necessary free space left on your local disk to make an image copy.

This is especially important when there is an indication that the SD-card may have gone bad. For example, the partition (usually FAT/FAT32) cannot be mounted anymore, because it's corrupt.

Code:

$ dd if=/dev/sdX of=$OUTPUT_FILE
This reads the physical SD card medium from /dev/sdX (replace the device string with the one of the card in your reader/slot) and writes it unmodified to a file $OUTPUT_FILE. Replace "$OUTPUT_FILE" with a name that describes, e.g., which disk this image is from.
In order not to confuse rescued images later on, I use a naming like this:
sdcard-$DATE-$SIZE-$ORIGINATOR_$COMMENT.img
Example:

Code:

$DATE = "20160520" (Date format: "YYYYMMDD" / This lists in chronological order when sorted alphabetically in the file explorer)
$SIZE = "08GB"
$ORIGINATOR = "mediathek"
$COMMENT = "deleted_recordings"
Would result in the following output filename:

Code:

sdcard-20160520-08GB-mediathek-deleted_recordings.img
You should now have a 1:1 copy of your SD card source to work with. Read on... :)
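A small shell script, added here as an example and not part of peter_b's post, that builds the image name from the scheme above (with the hyphen before the comment, as in the worked filename) and images the card with GNU dd. The function names, the decimal-GB rounding and the SHA-256 sidecar file are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: compose the image filename
# sdcard-$DATE-$SIZE-$ORIGINATOR-$COMMENT.img and image the card with
# GNU dd. Function names are hypothetical.

# Round a byte count up to whole decimal GB and zero-pad it ("08GB"), so a
# nominal 8 GB card (about 7.95e9 bytes) is labelled 08GB.
size_label() {
    printf '%02dGB' $(( ($1 + 999999999) / 1000000000 ))
}

# $1 = date YYYYMMDD, $2 = size in bytes, $3 = originator, $4 = comment
build_image_name() {
    printf 'sdcard-%s-%s-%s-%s.img' "$1" "$(size_label "$2")" "$3" "$4"
}

# Image /dev/sdX to the named file. conv=noerror,sync keeps going over bad
# sectors and zero-fills them so offsets in the image stay aligned; since it
# zero-fills a whole block, use a small bs (e.g. 512) on a card that already
# throws read errors. The SHA-256 sidecar lets you verify later that the
# copy you carve from is still the original capture.
image_card() {
    dev=$1; originator=$2; comment=$3; bs=${4:-4M}
    bytes=$(blockdev --getsize64 "$dev")
    out=$(build_image_name "$(date +%Y%m%d)" "$bytes" "$originator" "$comment")
    dd if="$dev" of="$out" bs="$bs" conv=noerror,sync status=progress
    sha256sum "$out" > "$out.sha256"
    echo "$out"
}
```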

Re: Scalpel: Extract lost files from disk/card image

Posted: Mon May 23, 2016 2:35 am
by peter_b
2b) Configure which filetypes scalpel will search for, and extract:
By default, the configuration file of scalpel is /etc/scalpel/scalpel.conf.
Edit it (as root).

In there you can configure which files you want to search for and extract.
Common filetypes to extract are:
  • JPG
  • DOC
  • ZIP
  • WAV
  • MOV
  • AVI
The corresponding lines in the config file for jpg, wav, mov and avi look somewhat like this:

Code:

pb@pb-combat:/etc/scalpel$ cat scalpel2.conf | grep -iE "(jpg|wav|mov|avi)"
# 	jpg	y	5000:100000	\xff\xd8\xff\xe0\x00\x10	\xff\xd9
 	jpg	y	200000000	\xff\xd8\xff\xe0\x00\x10	\xff\xd9
#       jpg     y       200000000       \xff\xd8\xff\xe1                \xff\xd9 

# AVI (Windows animation and DiVX/MPEG-4 movies)
  	avi	y	50000000 RIFF????AVI

# APPLE QUICKTIME
#	mov	y	10000000	????moov
#	mov	y	10000000	????mdat
#	mov	y	10000000	????widev
#	mov	y	10000000	????skip
#	mov	y	10000000	????free
#	mov	y	10000000	????idsc
#	mov	y	10000000	????pckg

# WAV format
	wav     y	200000	RIFF????WAVE
Uncomment the formats you're interested in by removing the "#" character at the beginning of the lines.

3) Run scalpel on the disk (or image file):

The following command will have scalpel scan the image, and then carve out the files individually:

Code:

$ scalpel -c /etc/scalpel/scalpel.conf -o $OUTPUT_FOLDER $SDCARD_IMAGE 
NOTE: The $OUTPUT_FOLDER must not exist already. You will get an error when re-executing the command after a previous run.
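The config editing and the scalpel run from this post as shell functions, added here as an example (not peter_b's code): they work on a copy of scalpel.conf rather than /etc directly, uncomment exactly the "#  ext  y/n  size  header" lines, and create a fresh per-run output folder so the "must not exist" error cannot occur. Function names and the "-carved-<timestamp>" suffix are my own; GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Uncomment the config line(s) for one extension: a "#" followed by the
# extension and the y/n case-sensitivity flag, e.g. "#  mov  y  10000000  ????moov".
# Other comment lines such as "# APPLE QUICKTIME" are left alone.
enable_type() {
    conf=$1; ext=$2
    sed -E -i "s/^#[[:space:]]*(${ext}[[:space:]]+[yn][[:space:]])/\t\1/" "$conf"
}

# List the extensions scalpel will actually carve with this config
# (non-comment lines with at least ext, flag, size and header).
enabled_types() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $1 }' "$1"
}

# Run scalpel on an image with a per-run output folder; scalpel refuses to
# write into an existing directory, which the timestamp avoids.
run_scalpel() {
    image=$1; conf=$2
    out="${image%.img}-carved-$(date +%Y%m%d-%H%M%S)"
    if [ -e "$out" ]; then
        echo "output folder $out already exists, refusing to run" >&2
        return 1
    fi
    scalpel -c "$conf" -o "$out" "$image"
}

# Typical use, on a copy of the system config:
# cp /etc/scalpel/scalpel.conf ./scalpel.conf
# enable_type ./scalpel.conf wav; enable_type ./scalpel.conf jpg
# run_scalpel sdcard-20160520-08GB-mediathek-deleted_recordings.img ./scalpel.conf
```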

Scalpel: Recover WAV files

Posted: Mon May 23, 2016 2:48 pm
by peter_b
This is a concrete scalpel configuration example, based on real-world use cases of extracting lost RIFF/WAVE files (.wav) from an SD-card, used in a digital audio-recording device.

Since a WAV file has no "footer" for scalpel to detect its proper ending, I've added a maximum filesize limit.
For regular WAV files, this is limited to 32bit signed.

The corresponding line in scalpel.conf should look like this:

Code:

# WAV format
        wav     y       200000:2200000000   RIFF????WAVE
I've simply rounded "2^31" (=max. number of bytes of WAV audio data to be allocated as signed 32bit integer) to "2200000000". That looks a bit nicer, and should also cover the header and additional chunks in the RIFF container.

In case you have a program that creates 4GB WAV files, you can set the configuration to "2^32" (rounded up) bytes as max. filesize:

Code:

# WAV format
        wav     y       200000:4400000000   RIFF????WAVE
Then, truncate the carved WAV files to their correct size, using the "FFmpeg" approach, described in my "HowTo: Fix filesize of rescued/carved media files".
I've compared the results of this approach to files extracted using Restorer2000+FFmpeg, and the MD5 hashcodes of the resulting files match ;)

You'll get your WAV files back in proper shape :)
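Because WAV has no footer, the carve above stops at the max size and every file needs trimming afterwards. As an added example (not peter_b's code, and a different technique from the FFmpeg fix the post refers to), this trims a carved file back to the length its own RIFF header declares, and deliberately leaves files alone when that header was never finalised (size 0 or 0xFFFFFFFF) or claims more than was carved. Function names are my own; GNU coreutils (od, head, tail, truncate) are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Little-endian 32-bit RIFF chunk size stored at bytes 4..7, read byte by
# byte so the result does not depend on the host's endianness.
riff_size() {
    set -- $(od -An -tu1 -j4 -N4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Trim $1 in place. Prints the new size and returns 0 on success, 1 if the
# file is not RIFF/WAVE, 2 if the declared size is unusable.
trim_wav() {
    f=$1
    actual=$(wc -c < "$f" | tr -d ' ')
    if [ "$actual" -lt 12 ] || [ "$(head -c 4 "$f")" != "RIFF" ] \
       || [ "$(tail -c +9 "$f" | head -c 4)" != "WAVE" ]; then
        echo "$f: not a RIFF/WAVE file" >&2
        return 1
    fi
    size=$(riff_size "$f")
    declared=$(( size + 8 ))   # the RIFF size excludes the 8-byte "RIFF"+size header
    if [ "$size" -eq 0 ] || [ "$size" -eq 4294967295 ] || [ "$declared" -gt "$actual" ]; then
        # A recorder that lost power leaves 0 or 0xFFFFFFFF here, and a carve
        # shorter than declared means data is missing: do not guess, leave
        # such files for the ffmpeg-based fix.
        echo "$f: declared $declared bytes, carved $actual: not trimmed" >&2
        return 2
    fi
    truncate -s "$declared" "$f"
    echo "$declared"
}
```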