Hi. I want (need) to use Scalpel to carve out 10 jpg images from a dd image. The problem is that Scalpel only carves out thumbnails and not the full size ones. Why is that?
This is my approach:
I copied the jpg signature information from the config file to another file called jpg.conf. I then uncommented the signature line.
To start Scalpel I use this command:
sudo scalpel -c /home/……/jpg.conf /home/……./Dataset 1.001 -o /home/…./Result
Scalpel then starts to search through the dd image and only outputs thumbnails. I've tried to shorten the header signature and add new ones, but that only results in more thumbnails.
Am I doing something wrong?
Do you have to use Scalpel? If not, I'd suggest trying PhotoRec - http//
Yes I do. I prefer PhotoRec, but I am working on a project where I am comparing carving tools, and Scalpel is one of them.
What does the Scalpel configuration file look like for JPEGs?
My current config looks like this:
jpg y 5000100000 \xff\xd8\xff\xe0 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xe0 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xe1 \xff\xd9
Line 1 says extract jpegs bigger than 5,000 bytes, but smaller than 100,000.
Your second line says extract jpegs but no more than 200,000,000 bytes.
The header/footer pairs are identical and define JPEG/JFIF for both lines.
Which will take precedence - line 1, 2 or both?
The third line refers to JPEG/EXIF, so let's ignore it for now.
I suggest trying just a single line for testing:
jpg y 200000000 \xff\xd8\xff\xe0 \xff\xd9
and if that does not return anything, try:
jpg y 200000000 \xff\xd8\xff \xff\xd9
JPEG images normally include a thumbnail that ends with 0xff 0xd9. Thus carving when looking for an end string will produce false results.
For my carving routine, I do not look for terminating strings, but just a new possible start string, for any file type. When possible I then verify the file and adjust its length.
OK, I will modify my config file to see if it helps.
Thanks guys! )
Hi NervsOfSteel!
You may also try other JPEG headers as well. When carving for JPEGs I usually use something like this (grep expression):
\xFF\xD8\xFF[\xDB\xE0\xE1\xC4\xEE\xED]
Converting this into Scalpel mode, you may try the following config:
jpg y 200000000 \xff\xd8\xff\xDB \xff\xd9
jpg y 200000000 \xff\xd8\xff\xE0 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xE1 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xC4 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xEE \xff\xd9
jpg y 200000000 \xff\xd8\xff\xED \xff\xd9
That should do the trick for various JPEG types.
Good luck!
Greg
OK. I have now tried all the approaches you guys suggested.
When I shorten the header, Scalpel only manages to carve out two full size images and a lot of thumbnails and unviewable images.
The best result came when I removed the footer in the config file. When it is removed, Scalpel manages to carve out all 10 images and I can view them in full size. However, the downside is that all images (thumbnails included) have the same file size (the maximum file size).
My config file now looks like this and gave the best result:
jpg y 2000000 \xff\xd8\xff\xe0
jpg y 2000000 \xff\xd8\xff\xe1
Maybe this is the best approach for my case, or for any case?
Is there anything more that I could try, or is this the best Scalpel can do?
I also want to add that I did check the header and footer for the images in FTK Imager and they are both correct.
I also tested Scalpel on Ubuntu 11.10 (32-bit & 64-bit) and on Linux Mint, all with the same result.
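The two observations in this thread, that a header/footer carve stops at the EXIF thumbnail's own FF D9 and that a footerless carve leaves every file padded to the maximum size, both come down to the same fix: after finding a header, walk the JPEG marker segments to the real end-of-image instead of searching for a footer byte string. The following is an added example written for this thread in Python; it is not Scalpel's code or any poster's tool. The header list is Greg's grep expression from above; the function and constant names are mine, and the sample "disk image" is a constructed byte string of marker-correct JPEG skeletons (an APP1/EXIF segment carrying an embedded thumbnail, then a plain JFIF file), not decodable pictures.

```python
import os
import re
import struct

# Candidate start-of-image signatures, taken from Greg's grep expression above.
JPEG_HEADER_RE = re.compile(rb"\xFF\xD8\xFF[\xDB\xE0\xE1\xC4\xEE\xED]")
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Byte values that may follow 0xFF inside entropy-coded data without ending the scan:
# 0x00 (stuffed byte), 0xD0-0xD7 (restart markers), 0xFF (fill byte).
NOT_A_SEGMENT_MARKER = {0x00, 0xFF} | set(range(0xD0, 0xD8))


def jpeg_true_length(buf, start, max_size=200_000_000):
    """Walk the marker segments of the JPEG starting at `start` (an FF D8) and return
    its length up to and including the outermost FF D9, or None if the structure breaks.
    A thumbnail embedded in an APP1 (EXIF) segment is skipped as a whole via the
    segment's length field, so its own FF D9 can never be mistaken for the footer."""
    n = min(len(buf), start + max_size)
    if buf[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                      # lost sync: expected a marker here
        marker = buf[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI of the outer image
            return pos + 2 - start
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len                   # skip the whole segment, payload included
        if marker == 0xDA:                   # SOS: entropy-coded data until next marker
            while pos + 1 < n:
                if buf[pos] == 0xFF and buf[pos + 1] not in NOT_A_SEGMENT_MARKER:
                    break                    # EOI, another SOS, DHT between scans, ...
                pos += 1
    return None


def naive_first_footer_length(buf, start):
    """What a header/footer carve does: stop at the first FF D9 after the header."""
    end = buf.find(EOI, start + 2)
    return None if end < 0 else end + 2 - start


def carve_jpegs(image, max_size=200_000_000, keep_embedded=False):
    """Return (offset, length) of each structurally complete JPEG in `image`.
    Candidates that start inside the previous image (EXIF thumbnails) are skipped
    unless keep_embedded is set, which is what produces the flood of thumbnails."""
    found, end_of_last = [], 0
    for m in JPEG_HEADER_RE.finditer(image):
        start = m.start()
        if start < end_of_last and not keep_embedded:
            continue
        length = jpeg_true_length(image, start, max_size)
        if length is None:
            continue
        found.append((start, length))
        end_of_last = start + length
    return found


def write_carved(image, outdir, max_size=200_000_000):
    """Write each carved JPEG to outdir as <offset>.jpg, trimmed to its true length."""
    os.makedirs(outdir, exist_ok=True)
    for start, length in carve_jpegs(image, max_size):
        with open(os.path.join(outdir, f"{start:012d}.jpg"), "wb") as fh:
            fh.write(image[start:start + length])


# --- constructed sample data: marker-correct JPEG skeletons, not decodable pictures ---
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

_THUMB = (SOI + _segment(0xDB, b"\x00" * 4) + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56" + EOI)                              # 27 bytes, ends FF D9
MAIN_JPEG = (SOI
             + _segment(0xE1, b"Exif\x00\x00" + b"\x00" * 8 + _THUMB)   # APP1 carrying thumbnail
             + _segment(0xDB, b"\x00" * 4)                              # DQT
             + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")  # SOF0
             + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")              # SOS
             + b"\xaa\xff\x00\xbb\xff\xd0\xcc"                          # stuffed byte + RST0
             + EOI)                                                     # 87 bytes in total
SECOND_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xDB, b"\x00" * 4)
               + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
               + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x01\x02\x03" + EOI)
SAMPLE_IMAGE = b"\x00" * 64 + MAIN_JPEG + b"\x00" * 128 + SECOND_JPEG + b"\x00" * 32


if __name__ == "__main__":
    print("naive footer carve:", naive_first_footer_length(SAMPLE_IMAGE, 64), "bytes")
    print("structure walk:    ", jpeg_true_length(SAMPLE_IMAGE, 64), "bytes")
    print("carved:", carve_jpegs(SAMPLE_IMAGE))
    print("with embedded thumbnails:", carve_jpegs(SAMPLE_IMAGE, keep_embedded=True))
```

On the constructed image the footer search stops after 47 bytes, inside the APP1 segment, while the marker walk returns the full 87 bytes; the second, thumbnail-free JFIF file is found at its true length either way. To post-process a footerless Scalpel run, read each maximum-size output file as `image`, call `jpeg_true_length(image, 0)` and truncate to the result; files for which it returns None are the fragments and thumbnails that were never complete images.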