Scalpel/Foremost Question

(@n00bcfe)

I have a raw disk image. I want to use Scalpel/Foremost to recover some deleted files. I was thinking about using blkls to create an image of the unallocated clusters and then I would run Scalpel/Foremost against that. I don't want to run the tool against the full image, as I will be pulling both allocated and unallocated items matching the header/footers in the config file, and I only want the unallocated/deleted items.

I would like to cut out the step of extracting the unallocated clusters with blkls. Is it possible to incorporate blkls with scalpel without creating an image of the unallocated clusters first? Sort of like mounting it virtually so I can cut out a step of extracting GBs and GBs of unallocated space.

Basically just trying to cut out a step. If possible, could you provide me a sample command that I can reference?

 
Posted : 17/07/2018 11:01 pm
watcher
(@watcher)

You don't say what file system your image is from, but you may find that "TestDisk" is a much easier way to go in many cases. It's capable of "undeleting" several file systems and can often recover most of the original file name as well.

If you still want to do file carving, "Photorec" (not just for photos) has an option to carve only unallocated space.

 
Posted : 18/07/2018 3:56 am