Recover deleted files and folders using scalpel (A Filesystem Recovery Tool) on linux

Photo of author

By rasho

Scalpel based on Foremost an open source application developed to recover deleted information, Scalpel is significantly more Fast and efficient by reading database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file-system-independent and can recover files from FATx, NTFS, ext2/3/4, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
Scalpel is a standalone tool file system. It is available on Linux and Mac OS, but can also be used in Windows, although it is necessary to compile it.

How to install scalpel recovery tool on Ubuntu 12.04/12.10/13.04/13.10 and Mint 13/14/15

To install scalpel open terminal and enter following commands:

# sudo apt-get install scalpel
Scalpel installation on Ubuntu and linux Mint
Scalpel installation on Ubuntu and linux Mint

Installing Scalpel in CentOS 5.x/6.x and Fedora 15/16/17/18/19/

To install scalpel recovery tool on Centos or Fedora linux, you need to first enable epel repository and type following command:

# yum install scalpel

How to use scalpel recovery tool

[ads]
Before we can use Scalpel, we must define some file types that Scalpel should search for in /etc/scalpel/scalpel.conf. By default, all file types are commented out. In this example, I want to search for deleted jpg files, so I uncomment the following lines:

# GIF and JPG files (very common)
        gif     y       5000000         x47x49x46x38x37x61        x00x3b
        gif     y       5000000         x47x49x46x38x39x61        x00x3b
        jpg     y       200000000       xffxd8xffxe0x00x10        xffxd9
Scalpel config file
Scalpel config file

Go to terminal and type following syntax. The ‘/dev/sda6‘ is a location of a device from where the file is already deleted.

# sudo scalpel /dev/sda6 -o /home/rasho/Desktop/output/

Sample output:

Sample Scalpel output
Sample Scalpel output

See also:Photorec recovery deleted files on RHEL/CentOS/Fedora and Ubuntu/Mint linux

 

7 thoughts on “Recover deleted files and folders using scalpel (A Filesystem Recovery Tool) on linux”

  1. hello, I am trying to recover few things using scalpel. but i’m not able to uncomment or edit the scalpel.conf file. I changed the permission of the .conf file to 777 using chmod, but in vain. Can you help me?

    Reply
  2. So…what happens? I don’t understand the last step. I start scalpel, and what do I get? a list of files that it finds? or what? how do I recover the missing file?? It seems like this tutorial is incomplete. Is there a second page I’m not seeing?

    Reply
  3. Thanks for the tutorial, I was able to recover the files but all files were renamed and original data structures were not recovered, instead each folder of file type was created and all the respective files were stored with system renamed files.

    Now, the question is that is there any workaround to restore the original data folder structures/files?

    Reply
  4. i am using ubuntu 16.04 an accidentally i lost my folder can i recover lost folder using scalpel command utility pls reply ASAP.

    Reply

Leave a Comment