Scalpel: Extracting JPEGs not working

[^rooker]

[PROBLEM]
I remember I've used Scalpel in the past to recover lost images on broken SD cards used in photo cameras.
For some (yet unknown) reason, it doesn't carve JPGs out of disk images properly anymore.

The config block in /etc/scalpel/scalpel.conf that comes with Ubuntu 12.04 (precise) by default is:

Code: Select all

# GIF and JPG files (very common)
#   gif y   5000000       \x47\x49\x46\x38\x37\x61    \x00\x3b
#   gif y   5000000       \x47\x49\x46\x38\x39\x61    \x00\x3b
    jpg y   200000000     \xff\xd8\xff\xe0\x00\x10    \xff\xd9

I've opened some JPEGs I had lying around using Bless (hex editor) - and they actually started with different hex numbers:

Code: Select all

FF D8 FF E1

So I looked at Scalpel 2.0's scalpel.conf
There it had an additional line for JPEGs that started had the 0xE1 instead of 0xE0:

Code: Select all

# GIF and JPG files (very common)
# gif y     5000000      \x47\x49\x46\x38\x37\x61    \x00\x3b
# gif y     5000000      \x47\x49\x46\x38\x39\x61    \x00\x00\x3b
# jpg y     200000000    \xff\xd8\xff\xe0\x00\x10    \xff\xd9
  jpg y     200000000    \xff\xd8\xff\xe1            \xff\xd9

Enabling the second JPG line did the trick. Almost...

The resulting JPGs were only 18 KB, because they contained the "0xFF 0xD9" footer sequence not only at the end
Since Scalpel v1.60 doesn't allow minimum carve size (like Scalpel 2.0 does), I've reduced the maximum carve size to 20 MB (20 000 000), and removed the footer bytes:

Code: Select all

  jpg y     20000000    \xff\xd8\xff\xe1

A bit rough, but it worked