LinuxCommandLibrary

scalpel

TLDR

Carve files from image

$ scalpel -o [output_dir] [disk.img]
copy
Use custom config
$ scalpel -c [scalpel.conf] -o [output] [disk.img]
copy
Carve from device
$ sudo scalpel -o [output] [/dev/sda]
copy
Preview without carving
$ scalpel -p -o [output] [disk.img]
copy

SYNOPSIS

scalpel [options] image

DESCRIPTION

scalpel is a file carving tool that recovers files based on file headers, footers, and data structures. It's faster and more memory-efficient than foremost.
The tool extracts files from disk images or devices regardless of filesystem state, useful for data recovery and forensics.

PARAMETERS

-o dir

Output directory.
-c file
Configuration file.
-b num
Block size in bytes.
-p
Preview mode (no extraction).
-e
Skip block alignment.
-v
Verbose output.
-r
Find only matching files.

CAVEATS

Configuration defines supported types. Fragmented files may not recover. Requires sufficient output space. Large images are slow.

HISTORY

scalpel was developed by Golden G. Richard III as a rewrite of foremost focused on performance. It's used in digital forensics for recovering deleted files from disk images.

SEE ALSO

foremost(1), photorec(1), testdisk(1), dd(1)

Copied to clipboard