Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   44335 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

SCALPEL(1)		  Digital Forensics Solutions		    SCALPEL(1)

NAME
       scalpel	- Recover files or data fragments from a disk image using file
       type-specific patterns

SYNOPSIS
       scalpel [-b] [-c <config file>] [-d] [-e] [-h]  [-i  <file>]  [-n]  [-o
       <dir>] [-O] [-p] [-q <clustersize>] [-r] [-V] [-v] [FILES]...

DESCRIPTION
       Recover	files  from  a disk image or raw block device based on headers
       and footers specified by the user.

       -b     Carve files even if defined  footers  aren't  discovered	within
	      maximum  carve  size  for file type [foremost 0.69 compat mode].
	      This option may help when fragmentary evidence  is  useful,  but
	      will increase the number of false positives.

       -c file
	      Chooses which configuration file to use. If this option is omit‐
	      ted, then "scalpel.conf" in the current directory is  used.  The
	      format  for  the	configuration file is described in the default
	      configuration file "scalpel.conf".  See the  CONFIGURATION  FILE
	      section below for more information.

       -d     Generate	header/footer database.	 This option forces Scalpel to
	      discover all headers and footers and write  header/footer	 loca‐
	      tions  to a text file.  Since certain optimizations are bypassed
	      when all footers must be discovered,  performance	 will  suffer.
	      This option does not affect the set of files that are carved.

       -e     Do  nested header/footer matching, to deal with structured files
	      that may contain embedded files of the  same  type.   Applicable
	      only to FORWARD / NEXT patterns.

       -h     Show a help screen and exit.

       -i file
	      file  is	used as a list of input files to examine. Each line in
	      the specified file should contain a single filename.

       -o directory
	      Recovered	 files	are  written  to  the	directory   directory.
	      Scalpel  requires	 that  this  directory	be either empty or not
	      exist.  The directory will be created if necessary.

       -n     Don't add extensions to extracted files.

       -o     Set output directory for carved files.  Scalpel will only	 write
	      carved  files to an empty output directory.  "scalpel-output" in
	      the current directory is the default if this option is not spec‐
	      ified.

       -O     Don't  organize  carved files by type. By default, scalpel orga‐
	      nizes carved files into subdirectories, by type.

       -p     Perform an image file preview.  When this option	is  specified,
	      the  audit log indicates which files would have been carved, but
	      no files are actually carved.  This  option  also	 supports  in-
	      place file carving.

       -q     Carve  files  only  when	the  header is cluster-aligned. If you
	      aren't interested in carving files embedded  within  other  file
	      types,  this  option should be used, as it significantly reduces
	      the false positive rate.

       -r     Find only first of overlapping  headers/footers  [foremost  0.69
	      compat mode].  This option is rarely needed.

       -V     Show copyright information and exit.

       -v     Enables  verbose	mode. This causes copious amounts of debugging
	      information to be output.

CONFIGURATION FILE
       The configuration file is used to control the types  of	files  Scalpel
       will attempt to carve.  A sample configuration file, "scalpel.conf", is
       included with this distribution. For each file type, the	 configuration
       file  describes the file's extension, whether the header and footer are
       case sensitive, the minimum and maximum file sizes, and the header  and
       footer  for  the	 file.	Minimum	 carve	sizes  and  footer  fields are
       optional, but the header, maximum size, case sensitivity, and extension
       fields are required.

       Any  line  in  the  configuration file that begins with a pound sign is
       considered a comment and ignored. Please see the documentation  in  the
       sample configuration file for more information.

AUTHORS
       Written by Golden G. Richard III and Lodovico Marziale.	The first ver‐
       sion of Scalpel was based on foremost 0.69, which was written  by  Spe‐
       cial  Agent Kris Kendall and Special Agent Jesse Kornblum of the United
       States Air Force Office of Special Investigations.

BUGS
       It is currently not possible to carve block devices directly using  the
       Windows version of Scalpel.  This may be addressed in a future release.

REPORTING BUGS
       When submitting a bug report, please include a description of the prob‐
       lem, how you found it, and your contact information.

       Send bug reports to:
       scalpel@digitalforensicssolutions.com

COPYRIGHT
       This is free software.	There  is  NO  warranty;  not  even  for  MER‐
       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO
       More  information  on  Scalpel  appears in the README file, distributed
       with the Scalpel source code.

Digital Forensics Solutions    v2.0 - April 2011		    SCALPEL(1)

Vote for polarhome