{"id":1454,"date":"2023-03-01T23:34:00","date_gmt":"2023-03-02T05:34:00","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=1454"},"modified":"2026-03-27T02:46:44","modified_gmt":"2026-03-27T08:46:44","slug":"data-recovery-using-scalpel-and-foremost","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/data-recovery-using-scalpel-and-foremost\/","title":{"rendered":"Data recovery using Scalpel and Foremost"},"content":{"rendered":"\n

Data recovery<\/strong> is the process of salvaging and handling the data through the data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally.  The data is recoverable because the information is not immediately removed from the disk.<\/p>\n\n\n\n

Nowadays many tools are available for recovering lost data. Two of the most popular tool available are Scalpel<\/strong> and Foremost<\/strong>.<\/p>\n\n\n\n

In this article, let’s see how to recover lost data using these tools.<\/p>\n\n\n\n

1. Scalpel<\/strong><\/span><\/h2>\n\n\n\n

Scalpel is an open source file system recovery for Linux and Mac operating systems.  Its an open source program for recovering deleted data originally based on foremost, although significantly more efficient.  The tool visits the block database storage and identifies the deleted files from it and recover them instantly.<\/p>\n\n\n\n

Installation<\/strong><\/span><\/h3>\n\n\n\n

>> From source code :<\/strong><\/h4>\n\n\n\n

In order to compile from source code, we need TRE in the server. We can download TRE from http:\/\/laurikari.net\/tre\/download\/
The source code for Scalpel  is available on : https:\/\/github.com\/machn1k\/Scalpel-2.0<\/p>\n\n\n\n

First install  TRE<\/strong><\/p>\n\n\n\n

tar -xzvf tre-0.8.0.tar.gz<\/em>
cd tre-0.8.0<\/em>
.\/configure<\/em>
make<\/em>
make install<\/em><\/p>\n\n\n\n

Now compile and install Scalpel<\/strong><\/p>\n\n\n\n

unzip Scalpel-2.0-master.zip<\/em>
cd Scalpel-2.0-master<\/em>
.\/configure<\/em>
make<\/em>
sudo make install<\/em><\/p>\n\n\n\n

>> From yum repository<\/strong><\/h4>\n\n\n\n

Follow the below steps in order to install Scalpel from yum repo :<\/p>\n\n\n\n

# yum install scalpel<\/em><\/p>\n\n\n\n

Sample Output :
==========<\/em>
Loaded plugins: fastestmirror<\/em>
Loading mirror speeds from cached hostfile<\/em>
* base: centos.01link.hk<\/em>
* epel: mirror.nus.edu.sg<\/em>
* epel-source: mirror.nus.edu.sg<\/em>
Setting up Install Process<\/em>
Resolving Dependencies<\/em>
–> Running transaction check<\/em>
—> Package scalpel.i686 0:2.0-1.el6 will be installed<\/em>
–> Finished Dependency Resolution<\/em><\/p>\n\n\n\n

Dependencies Resolved<\/em><\/p>\n\n\n\n

=============================================<\/em>
Package        Arch        Version            Repository        Size<\/em>
=============================================<\/em>
scalpel                i686            2.0-1.el6               epel                    50 k<\/em><\/p>\n\n\n\n

Transaction Summary<\/em>
=============================================<\/em>
Install       1 Package(s)<\/em><\/p>\n\n\n\n

Total download size: 50 k<\/em>
Installed size: 108 k<\/em>
Is this ok [y\/N]: y<\/em>
Downloading Packages:<\/em>
scalpel-2.0-1.el6.i686.rpm                                                           |  50 kB     00:00    <\/em>
Running rpm_check_debug<\/em>
Running Transaction Test<\/em>
Transaction Test Succeeded<\/em>
Running Transaction<\/em>
 Installing : scalpel-2.0-1.el6.i686                            1\/1<\/em>
 Verifying  : scalpel-2.0-1.el6.i686                                                   1\/1<\/em><\/p>\n\n\n\n

Installed:<\/em>
 scalpel.i686 0:2.0-1.el6                                                                                                                               <\/em><\/p>\n\n\n\n

Complete!<\/em>
==========<\/em><\/p>\n\n\n\n

Configuration<\/strong><\/span><\/h3>\n\n\n\n

By default, all the lines are commented with # in the configuration file.
In scalpel.conf<\/em>, there are few lines which contain the file types that we can recover. For example gpg, doc, avi, doc, etc. So, before running Scalpel, you need to un-comment the file format that you need to recover.<\/p>\n\n\n\n

We just need to remove the # sign from the beginning of these lines in order to uncomment them.<\/p>\n\n\n\n

# vi \/etc\/scalpel\/scalpel.conf<\/em>  (uncomment the file format that needs to be recovered)<\/p>\n\n\n\n

After that please run the Scalpel. (As root)<\/p>\n\n\n\n

# scalpel \/dev\/sda1 -o \/home\/digit\/RECOVERY\/<\/em><\/code><\/pre>\n\n\n\n
=> \/dev\/sda1<\/em> is the location of the device where the files are already deleted.
=> \/home\/digit\/RECOVERY<\/em> is the place to accommodate the files that will be recovered from \/dev\/sdb1. \/dev\/sdb1 could also be the location of the folder where the data that we will recover.
=> \u2018-o\u2018<\/em> switch indicates an output directory, where you want to restore your deleted files. Make sure that this directory is empty before running any command otherwise it will give you an error.<\/p>\n\n\n\n
The scalpel is now performing its process and depending on the disk space you are trying to scan and recover, it will take time to recover your deleted file.<\/p>\n\n\n\n
2. Foremost<\/strong><\/span><\/h2>\n\n\n\n
Foremost is a command-line tool which can recover files from a number of file systems, including fat, ext3 and NTFS. It has many built-in file filters for fast recovery. ( e.g: jpg, zip, rar etc.)<\/p>\n\n\n\n
Installation<\/strong><\/span><\/h3>\n\n\n\n
>> From source code :<\/strong><\/h4>\n\n\n\n
The source code is available on the Foremost Sourceforge page: http:\/\/foremost.sourceforge.net\/<\/p>\n\n\n\n
Extract the archive and proceed with installation following the below steps :<\/p>\n\n\n\n
# tar -xvzf foremost-1.5.7.tar.gz<\/em>
# cd foremost-1.5.7<\/em><\/p>\n\n\n\n
Before installation, open the Makefile and look for the below two lines : (Assuming installation of Foremost 1.5.7 on Mac OS X 10.8)<\/p>\n\n\n\n
macinstall: MAN = \/usr\/share\/man\/man1\/
macuninstall: MAN = \/usr\/share\/man\/man1<\/p>\n\n\n\n
Substitute the \u201cman1\u2033 by \u201cman8\u2033.<\/p>\n\n\n\n
Now the tool can be compiled and installed using the Mac directives:<\/p>\n\n\n\n
#make mac<\/em>\n#make macinstall<\/em><\/code><\/pre>\n\n\n\n
>> From repository :<\/strong><\/h4>\n\n\n\n
#apt-get install foremost<\/strong><\/p>\n\n\n\n
Take a look at ‘#man foremost’ to learn how to use foremost.<\/p>\n\n\n\n
The included configuration file is located in:
\/usr\/local\/etc\/foremost.conf<\/em><\/p>\n\n\n\n
This file will automatically be loaded if you don\u2019t specify another one by using the -c switch. By default, everything in this file is commented out, though. This means that Foremost will only look for the built-in types.<\/p>\n\n\n\n
Lets now see how to recover a file (an example jpg file) using Foremost tool :<\/p>\n\n\n\n
First, make an empty writable directory to save recover files in a partition other than that you are going to recover (\/home\/digit\/RECOVERY\/) and run foremost.<\/p>\n\n\n\n
Lets have a try with restoring the partition \/dev\/sda5.<\/p>\n\n\n\n
#foremost -t jpg -i \/dev\/sda5 -o \/home\/digit\/RECOVERY\/<\/em><\/code><\/pre>\n\n\n\n
Finally set user permission to \/recovery\/data\/ to view image. type<\/p>\n\n\n\n
#chown YOUR_USER_NAME \/recovery\/data -R<\/em><\/code><\/pre>\n\n\n\n
Some important foremost command line arguments.<\/p>\n\n\n\n
  -i  :<\/em>– partition\/image to recover
  -o :<\/em>– location to store recovered files.
-t  :<\/em>– built in file filter options.  you can give multiple filters by separating using commas. (e.g: for jpg and pdf: -t jpg,pdf )
 -q :-<\/em> quick mode.<\/p>\n\n\n\n
In the recovered location you may see an audit.txt file. This audit.txt contains a summary of what foremost has done.<\/p>\n\n\n\n
If you require any help with configuration or install contact SupportPRO Server Admins<\/a><\/p>\n\n\n\n
\n
Partner with SupportPRO<\/strong> for 24\/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.<\/p>\n\n\n\n\"Contact<\/a><\/span>