
scalpel

Carve deleted files from disk images

SYNOPSIS

scalpel [-c config_file] [-o output_directory] [options] <image_file(s)>

PARAMETERS

-c <config_file>
    Path to the scalpel.conf configuration file. Without -c, upstream Scalpel looks for scalpel.conf in the current directory; the Debian/Kali package reads /etc/scalpel/scalpel.conf.

-o <output_directory>
    Directory that receives the carved files and the audit log. It must be empty or not yet exist; Scalpel refuses to write into a non-empty directory.

-v
    Enables verbose output, showing more details during the carving process.

-V
    Prints version and copyright information and exits.

-s <bytes>
    Skips the specified number of bytes at the start of each input image before carving (for example to jump past a partition table or a region already examined).

-b
    Carves a file even if its footer is not found within the maximum carve size for that file type, taking max_size bytes instead (foremost 0.69 compatibility mode). By default such files are skipped.

-e
    Scalpel 2.0 only: performs nested header/footer matching so that a structured file that embeds another file of the same type (a JPEG carrying a thumbnail JPEG, for instance) is carved correctly. Applies only to FORWARD and NEXT signatures.

-n
    Does not add file extensions to the carved files.

-O
    Does not organize carved files into per-type subdirectories.

-p
    Preview mode: the audit log records which files would have been carved, but nothing is written to the output directory.

-t <directory>
    Sets the directory for the carve-coverage blockmap (experimental; used together with the blockmap options).

DESCRIPTION

Scalpel is an open-source file carving utility used in digital forensics and data recovery. It scans disk images or raw devices for byte-level file headers and footers defined in a user-editable configuration file, scalpel.conf, and does not consult file system metadata at all: it recovers content from unallocated space, slack, and damaged or absent file systems, but it also re-carves files that are still allocated, and it cannot restore original file names, paths, or timestamps.

Scalpel began as a rewrite of foremost 0.69 that kept its configuration format but replaced its per-file scanning with a two-pass design (index all header and footer hits first, then carve), which makes the 1.x releases much faster than foremost on large images. Scalpel 2.0 later added multithreading, asynchronous I/O and optional GPU-assisted pattern matching. It recovers any type for which a signature is configured, such as images (JPG, PNG), documents (PDF, DOC), archives (ZIP) and multimedia, whether or not a file system entry for the data still exists.

Recovered files are written to the output directory and, by default, grouped into one subdirectory per file type, which keeps runs that yield thousands of files manageable. Results are only as good as the signatures: a header that is too short or too common produces false positives, a missing or wrong footer yields truncated or oversized carves, and a type with no entry is never found.

CAVEATS

Scalpel matches contiguous byte ranges only. A file whose clusters are fragmented across the disk is carved truncated or padded with foreign data, and a type whose footer is absent within its maximum size is skipped entirely unless -b is given.

Carving scans the whole image, including allocated files, so runs on large images take a long time and can produce a very large output directory; budget disk space accordingly. Carved files carry no original names, paths, or timestamps, only the offset recorded in audit.txt.

The scalpel.conf distributed with Scalpel ships with every signature commented out, so nothing is carved until the wanted entries are uncommented. Incorrect or incomplete signatures lead to missed files or large numbers of false positives; verify carved files (for example with file(1) and by opening a sample) rather than trusting the extension.

CONFIGURATION FILE (SCALPEL.CONF)

The scalpel.conf file is a plain-text file with one signature per line: the extension to give carved files, a case-sensitivity flag (y or n), the maximum carve size in bytes, the header pattern, an optional footer pattern, and optionally the keyword REVERSE, NEXT or FORWARD that controls how the footer is used. FORWARD, the default, carves up to and including the first footer found; NEXT carves up to but not including it (the footer is typically the next file's header); REVERSE searches backwards from the maximum carve size and uses the last footer found. Patterns are written as literal text, with \xHH escapes for arbitrary bytes and ? as a one-byte wildcard; lines beginning with # are comments. The default file ships with every entry commented out, so the entries for the types you want must be uncommented (or new ones added) before anything is carved. Because carving is driven entirely by these signatures, a wrong header or a missing footer directly determines what is found and how much of it.

OUTPUT STRUCTURE

Carved files are written directly under the directory given with -o (which must be empty), in one subdirectory per signature named after its extension with a numeric suffix (for example jpg-0-0, pdf-0-0); each file is named by a sequence number plus the signature's extension (00000000.jpg). An audit.txt in the output directory logs the command line, the configuration file used, start and end times, and for each carved file its name, start offset, whether it was chopped at the maximum carve size, its length, and the image it came from. -O disables the per-type subdirectories and -n suppresses the extensions.
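The configuration-file semantics and the output layout described above, as an added example that is not scalpel's own code: a small Python carver that parses scalpel.conf-style lines (\xHH escapes, the ? wildcard, optional footer, FORWARD/NEXT/REVERSE), carves a constructed image, applies the -b rule (a type that defines a footer is skipped when no footer lies within max_size unless carving without footer is enabled), and writes the result in the <ext>-0-0/ plus audit.txt layout. The signature lines and the image bytes are constructed for the example (the three signatures are modelled on default scalpel.conf entries with smaller maximum sizes), and the audit.txt columns are a simplification of scalpel's.

```python
"""Minimal file carver following scalpel.conf semantics (added example, not scalpel's code).

Signature line:  extension  case(y/n)  max_size  header  [footer]  [FORWARD|REVERSE|NEXT]
Patterns use \\xHH byte escapes and '?' as a single-byte wildcard, as in scalpel.conf.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple


@dataclass
class Signature:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]
    mode: str  # FORWARD: keep footer; NEXT: stop before footer; REVERSE: last footer in window


def decode_pattern(token: str) -> bytes:
    """Turn a scalpel.conf pattern token into raw bytes; '?' stays in as the wildcard marker."""
    out, i = bytearray(), 0
    while i < len(token):
        if token.startswith("\\x", i) and i + 4 <= len(token):
            out.append(int(token[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(token[i]))
            i += 1
    return bytes(out)


def to_regex(pattern: bytes, case_sensitive: bool) -> "re.Pattern[bytes]":
    """Compile a byte pattern; '?' becomes a one-byte wildcard, 'n' makes matching case-insensitive."""
    parts = [b"." if b == ord("?") else re.escape(bytes([b])) for b in pattern]
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(b"".join(parts), flags)


def parse_conf(text: str) -> List[Signature]:
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # the shipped scalpel.conf has every line commented out
            continue
        fields = line.split()
        ext, case, size, header = fields[:4]
        rest, mode = fields[4:], "FORWARD"
        if rest and rest[-1].upper() in ("FORWARD", "REVERSE", "NEXT"):
            mode = rest.pop().upper()
        footer = decode_pattern(rest[0]) if rest else None
        sigs.append(Signature(ext, case.lower() == "y", int(size), decode_pattern(header), footer, mode))
    return sigs


def carve(image: bytes, sigs: List[Signature], carve_without_footer: bool = False) -> List[Tuple[str, int, bytes]]:
    """Return (ext, offset, data) for every header hit, sorted by offset.
    carve_without_footer mirrors scalpel's -b: without it, a type that defines a footer
    is skipped when no footer lies within max_size of the header."""
    found = []
    for sig in sigs:
        hdr_re = to_regex(sig.header, sig.case_sensitive)
        ftr_re = to_regex(sig.footer, sig.case_sensitive) if sig.footer else None
        for m in hdr_re.finditer(image):
            start = m.start()
            window = image[start:start + sig.max_size]
            end = None
            if ftr_re is None:
                end = len(window)  # no footer defined: take max_size bytes (or to end of image)
            else:
                hits = list(ftr_re.finditer(window, m.end() - start))  # search after the header
                if hits:
                    hit = hits[-1] if sig.mode == "REVERSE" else hits[0]
                    end = hit.start() if sig.mode == "NEXT" else hit.end()
                elif carve_without_footer:
                    end = len(window)
            if end is not None:
                found.append((sig.ext, start, window[:end]))
    return sorted(found, key=lambda r: r[1])


def write_carved(results: List[Tuple[str, int, bytes]], outdir) -> Path:
    """Lay results out as scalpel does: <outdir>/<ext>-0-0/<n>.<ext> plus audit.txt (simplified columns)."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    if any(out.iterdir()):
        raise SystemExit("refusing non-empty output directory (scalpel does the same)")
    with open(out / "audit.txt", "w") as audit:
        audit.write("File\tStart\tLength\n")
        for n, (ext, offset, data) in enumerate(results):
            sub = out / f"{ext}-0-0"
            sub.mkdir(exist_ok=True)
            name = f"{n:08d}.{ext}"
            (sub / name).write_bytes(data)
            audit.write(f"{name}\t{offset}\t{len(data)}\n")
    return out


# Constructed signatures, modelled on default scalpel.conf entries (smaller max sizes).
SAMPLE_CONF = r"""
# extension  case  max_size  header                    footer
jpg          y     200000    \xff\xd8\xff\xe0\x00\x10  \xff\xd9
png          y     200000    \x50\x4e\x47?             \xff\xfc\xfd\xfe
htm          n     50000     <html                     </html>
"""
# Constructed "disk image": a complete JPEG-like blob, an HTML page and a JPEG with no footer.
FILLER = b"\x00" * 64
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 100 + b"\xff\xd9"
HTML = b"<HTML><body>carve me</body></HTML>"  # upper case: the 'n' flag makes the match case-insensitive
JPEG_TRUNC = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"B" * 100  # footer missing: skipped unless -b
IMAGE = FILLER + JPEG_A + FILLER + HTML + FILLER + JPEG_TRUNC + FILLER


def demo() -> dict:
    """Carve the constructed image and write the output tree to a fresh temporary directory."""
    out = Path(tempfile.mkdtemp(prefix="carve-"))
    write_carved(carve(IMAGE, parse_conf(SAMPLE_CONF)), out)
    files = sorted(str(p.relative_to(out)) for p in out.rglob("*") if p.is_file())
    return {"dir": str(out), "files": files}


if __name__ == "__main__":
    print(demo())
```

Running the block carves the complete JPEG and the HTML page and skips the footerless JPEG; passing carve_without_footer=True (the -b behaviour) carves it too, but to the end of the maximum size window, which is why that option is a compatibility switch rather than a default.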

HISTORY

Scalpel was written by Golden G. Richard III at the University of New Orleans and presented with Vassil Roussev at DFRWS 2005 ("Scalpel: A Frugal, High Performance File Carver"). It started as a rewrite of foremost 0.69 aimed at that tool's performance limitations, especially on very large disk images.

The 1.x releases gained their speed from a two-pass design that first indexes header and footer locations and then carves, avoiding foremost's heavy per-file I/O; multithreading, asynchronous I/O and GPU support arrived with Scalpel 2.0. Scalpel has since become a widely used tool in the digital forensics community for its efficiency and the range of types it can recover.

SEE ALSO

foremost(1), dd(1), strings(1), grep(1)
