±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 35110
New Yesterday: 1 Visitors: 197

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Scalpel/Foremost Question

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

Scalpel/Foremost Question

Post Posted: Tue Jul 17, 2018 5:01 pm

I have a raw disk image. I want to use Scalpel/Foremost to recover some deleted files. I was thinking about using blkls to create an image of the unallocated clusters and then I would run Scalpel/Foremost against that. I don't want to run the tool against the full image, as I will be pulling both allocated and unallocated items matching the header/footers in the config file, and I only want the unallocated/deleted items.

I would like to cut out the step of extracting the unallocated clusters with blkls. Is it possible to incorporate blkls with scalpel without creating an image of the unallocated clusters first? Sort of like mounting it virtually so I can cut out a step of extracting GBs and GBs of unallocated space.

Basically just trying to cut out a step. If possible, could you provide me a sample command that I can reference?  


Re: Scalpel/Foremost Question

Post Posted: Tue Jul 17, 2018 9:56 pm

You don't say what file system your image is from, but you may find that "TestDisk" is a much easier way to go in many cases. It's capable of "undeleting" several file systems and can often recover most of the original file name as well.

If you still want to do file carving, "Photorec" (not just for photos) has an option to carve only unallocated space.  

Senior Member

Page 1 of 1