
Data recovery using Scalpel and Foremost

by Bella

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. The data is recoverable because the information is not immediately removed from the disk.

Many tools are now available for recovering lost data. Two of the most popular are Scalpel and Foremost.

In this article, let’s see how to recover lost data using these tools.

1. Scalpel

Scalpel is an open source file recovery tool for Linux and Mac operating systems. It recovers deleted data and was originally based on Foremost, although it is significantly more efficient. The tool reads the block storage, identifies the deleted files in it and recovers them.


>> From source code :

To compile from source code, TRE must be installed on the server. We can download TRE from http://laurikari.net/tre/download/
The source code for Scalpel is available at: https://github.com/machn1k/Scalpel-2.0

First install TRE:

tar -xzvf tre-0.8.0.tar.gz
cd tre-0.8.0
./configure
make
sudo make install

Now compile and install Scalpel

unzip Scalpel-2.0-master.zip
cd Scalpel-2.0-master
sudo make install

>> From yum repository

Follow the below steps in order to install Scalpel from yum repo :

# yum install scalpel

Sample Output :
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.01link.hk
* epel: mirror.nus.edu.sg
* epel-source: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package scalpel.i686 0:2.0-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package        Arch        Version            Repository        Size
scalpel        i686        2.0-1.el6          epel              50 k

Transaction Summary
Install       1 Package(s)

Total download size: 50 k
Installed size: 108 k
Is this ok [y/N]: y
Downloading Packages:
scalpel-2.0-1.el6.i686.rpm                                                           |  50 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
 Installing : scalpel-2.0-1.el6.i686                            1/1
 Verifying  : scalpel-2.0-1.el6.i686                                                   1/1

 scalpel.i686 0:2.0-1.el6                                                                                                                               



By default, all the lines in the configuration file are commented out with #.
scalpel.conf contains one line for each file type that Scalpel can recover, for example gpg, doc, avi, etc. So, before running Scalpel, you need to uncomment the lines for the file formats that you want to recover.

To uncomment a line, remove the # sign from the beginning of it.

# vi /etc/scalpel/scalpel.conf  (uncomment the file format that needs to be recovered)
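
The same uncommenting step can be scripted against a working copy, so the shipped file stays untouched. This is an added example, not part of the original article or of Scalpel itself: the function names and the sample lines are constructed here, and the sample assumes the usual scalpel.conf column layout (extension, case flag, max size, header, optional footer).

```shell
#!/bin/sh
# sample_conf: constructed excerpt in scalpel.conf layout
# (extension, case flag, max size, header, optional footer).
sample_conf() {
cat <<'EOF'
# Constructed sample, not the shipped file
#   gif   y   5000000     \x47\x49\x46\x38\x39\x61   \x00\x3b
#   jpg   y   200000000   \xff\xd8\xff\xe0\x00\x10   \xff\xd9
#   pdf   y   5000000     %PDF   %EOF\x0d   REVERSE
# jpg files are common on camera cards
EOF
}

# enable_types CONF TYPE...: print CONF with the rule lines for the named
# types uncommented; ordinary comments that merely mention a type stay as-is.
enable_types() {
    conf=$1; shift
    awk -v types="$*" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^#/ {
            line = $0
            sub(/^#[ \t]*/, "", line)
            m = split(line, f, /[ \t]+/)
            # A rule has: extension, y|n, numeric size, header [, footer ...]
            if (m >= 4 && (f[1] in want) && f[2] ~ /^[yn]$/ && f[3] ~ /^[0-9:]+$/) {
                print "\t" line
                next
            }
        }
        { print }
    ' "$conf"
}

# carve SRC OUTDIR TYPE...: run scalpel with a private config (-c) so that
# /etc/scalpel/scalpel.conf itself is left unmodified.
carve() {
    src=$1; out=$2; shift 2
    work=$(mktemp) || return 1
    enable_types /etc/scalpel/scalpel.conf "$@" > "$work" &&
        scalpel -c "$work" -o "$out" "$src"
}
```

For the command shown in the next step, the equivalent call would be `carve /dev/sda1 /home/digit/RECOVERY/ jpg pdf`.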

After that, run Scalpel as root:

# scalpel /dev/sda1 -o /home/digit/RECOVERY/

=> /dev/sda1 is the device from which the files were deleted.
=> /home/digit/RECOVERY is the directory that will hold the files recovered from /dev/sda1. Instead of /dev/sda1, the source could also be the location of the folder containing the data that we want to recover.
=> The '-o' switch specifies the output directory, where the deleted files will be restored. Make sure that this directory is empty before running the command, otherwise Scalpel will give you an error. As with Foremost below, keep it on a partition other than the one you are recovering.

Scalpel now performs the recovery. Depending on the size of the disk you are scanning, it will take some time to recover your deleted files.

2. Foremost

Foremost is a command-line tool which can recover files from a number of file systems, including FAT, ext3 and NTFS. It has many built-in file filters for fast recovery (e.g. jpg, zip, rar, etc.).


>> From source code :

The source code is available on the Foremost Sourceforge page: http://foremost.sourceforge.net/

Extract the archive and proceed with installation following the below steps :

# tar -xvzf foremost-1.5.7.tar.gz
# cd foremost-1.5.7

Before installation, open the Makefile and look for the below two lines : (Assuming installation of Foremost 1.5.7 on Mac OS X 10.8)

macinstall: MAN = /usr/share/man/man1/
macuninstall: MAN = /usr/share/man/man1

Replace "man1" with "man8" in both lines.

Now the tool can be compiled and installed using the Mac directives:
# make mac
# make macinstall

>> From repository :

# apt-get install foremost

Take a look at 'man foremost' to learn how to use Foremost.

The included configuration file is located in:

This file will automatically be loaded if you don’t specify another one by using the -c switch. By default, everything in this file is commented out, though. This means that Foremost will only look for the built-in types.

Let's now see how to recover a file (a jpg file, as an example) using Foremost:

First, make an empty writable directory to save the recovered files in (/home/digit/RECOVERY/), on a partition other than the one you are going to recover, and run Foremost.

Let's try restoring from the partition /dev/sda5.

# foremost -t jpg -i /dev/sda5 -o /home/digit/RECOVERY/

Finally, give your user ownership of the recovery directory so that you can view the images. Type:

# chown -R YOUR_USER_NAME /home/digit/RECOVERY/
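
The requirements above (an empty, writable output directory that is not on the partition being recovered) can be checked before Foremost is started. This is an added example, not part of the original article: the function names are hypothetical, and the same-partition test simply compares the device that `df -P` reports for the output directory with the source argument, so it assumes the source is named the same way `df` names it.

```shell
#!/bin/sh
# fs_of DIR: print the device/filesystem that DIR lives on
# (first column of the data line of df -P).
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# output_safe SRC OUTDIR: succeed only if OUTDIR is an existing, writable,
# empty directory that is not stored on SRC itself. Writing recovered files
# onto the source partition can overwrite the very blocks being recovered.
output_safe() {
    src=$1; out=$2
    [ -d "$out" ] || { echo "not a directory: $out" >&2; return 1; }
    [ -w "$out" ] || { echo "not writable: $out" >&2; return 1; }
    [ -z "$(ls -A "$out")" ] || { echo "not empty: $out" >&2; return 1; }
    if [ "$(fs_of "$out")" = "$src" ]; then
        echo "$out is on $src; choose a directory on another partition" >&2
        return 1
    fi
    return 0
}

# recover_jpg SRC OUTDIR: the foremost call from the article, run only
# when the guard passes.
recover_jpg() {
    output_safe "$1" "$2" && foremost -t jpg -i "$1" -o "$2"
}
```

For the example above this would be called as `recover_jpg /dev/sda5 /home/digit/RECOVERY/`.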

Some important Foremost command line arguments:

-i : partition/image to recover.
-o : location to store recovered files.
-t : built-in file filter options. You can give multiple filters by separating them with commas (e.g. for jpg and pdf: -t jpg,pdf).
-q : quick mode.

In the recovered location you may see an audit.txt file. This audit.txt contains a summary of what foremost has done.

©2022  SupportPRO.com. All Rights Reserved