scalpel

Carve files from image

$ scalpel -o [output_dir] [disk.img]

$ scalpel -c [scalpel.conf] -o [output] [disk.img]

$ sudo scalpel -o [output] [/dev/sda]

$ scalpel -p -o [output] [disk.img]

scalpel [options] image

scalpel is a file carving tool that recovers files based on file headers, footers, and data structures. It's faster and more memory-efficient than foremost.
The tool extracts files from disk images or devices regardless of filesystem state, useful for data recovery and forensics.

-o dir

Output directory.

Configuration file.

Block size in bytes.

Preview mode (no extraction).

Skip block alignment.

Verbose output.

Find only matching files.

scalpel.conf

Configuration file defining file types to carve by specifying headers, footers, maximum sizes, and case sensitivity for each file signature.

Configuration defines supported types. Fragmented files may not recover. Requires sufficient output space. Large images are slow.

scalpel was developed by Golden G. Richard III as a rewrite of foremost focused on performance. It's used in digital forensics for recovering deleted files from disk images.

foremost(1), photorec(1), testdisk(1), dd(1)