Provided by: scalpel_1.60-10_amd64

NAME

       scalpel - Recover files using a header/footer database

SYNOPSIS

       scalpel  [-b] [-c <file>] [-d] [-h] [-i <file>] [-m <blocksize>] [-n] [-o <dir>] [-O] [-p]
       [-r] [-s <num>] [-t] [-u] [-V] [-v] [FILES]...

DESCRIPTION

       Recover files from a disk image or raw block device based on headers and footers specified
       by the user.

       -b     Carve files even if defined footers aren't discovered within maximum carve size for
              file type [foremost 0.69 compat mode]

       -c file
              Chooses  which  configuration  file  to  use.  If  this  option  is  omitted,  then
              "scalpel.conf"  in  the current directory is used. The format for the configuration
              file is described in  the  default  configuration  file  "scalpel.conf".   See  the
              CONFIGURATION FILE section below for more information.

       -d     Generate header/footer database; will bypass certain optimizations and discover all
              footers,  so  performance  suffers.   Doesn't  affect  the  set  of  files  carved.
              **EXPERIMENTAL**

       -m     Generate/update  carve coverage blockmap file.  The first 32bit unsigned int in the
              file identifies the block size. Thereafter each 32bit unsigned  int  entry  in  the
              blockmap  file  corresponds  to one block in the image file.  Each entry counts how
              many  carved  files  contain  this  block.   Requires   more   memory   and   disk.
              **EXPERIMENTAL**

       -h     Show a help screen and exit.

       -i file
              file  is  used as a list of input files to examine. Each line in the specified file
              should contain a single filename.

       -o directory
              Recovered files are written to the directory  directory.    Scalpel  requires  that
              this  directory  be  either  empty  or not exist.  The directory will be created if
              necessary.

       -O     Don't organize carved files by type. Default  is  to  organize  carved  files  into
              subdirectories to make previewing of large numbers of carved files easier.

       -p     Perform image file preview; audit log indicates which files would have been carved,
              but no files are actually carved.

       -q clustersize
              Carve only when header is cluster-aligned.

       -r     Find only first of overlapping headers/footers [foremost 0.69 compat mode]

       -s number
              Skips number bytes in each input file before beginning the search for file  headers
              and footers.

       -t     Set directory for coverage blockmap.  **EXPERIMENTAL**

       -u     Use  carve  coverage blockmap when carving.  Carve only sections of the image whose
              entries in the blockmap are 0.  These areas  are  treated  as  contiguous  regions.
              **EXPERIMENTAL**

       -V     Show copyright information and exit.

       -v     Enables  verbose  mode.  This causes copious amounts of debugging information to be
              output.
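
       Added example (not part of Scalpel or its documentation): a Python reader for the
       blockmap layout described under -m, listing the zero-count regions that -u would carve
       and the blocks shared by several carved files. Little-endian byte order and the
       function names are assumptions; the sample blockmap is constructed.

```python
import struct

def read_blockmap(raw, byteorder="<"):
    """Return (block_size, counts) from the raw bytes of a blockmap file."""
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blockmap must be a whole number of 32-bit entries")
    n = len(raw) // 4
    # Assumption: little-endian unsigned ints; pass ">" for big-endian data.
    values = struct.unpack(f"{byteorder}{n}I", raw)
    return values[0], list(values[1:])

def uncarved_regions(block_size, counts):
    """Return (byte_offset, byte_length) for each contiguous run of 0 entries."""
    regions, start = [], None
    for i, count in enumerate(counts + [1]):  # sentinel closes a trailing run
        if count == 0 and start is None:
            start = i
        elif count != 0 and start is not None:
            regions.append((start * block_size, (i - start) * block_size))
            start = None
    return regions

def overlapping_blocks(counts):
    """Return indexes of blocks contained in more than one carved file."""
    return [i for i, count in enumerate(counts) if count > 1]

# Constructed sample: block size 512 followed by eight per-block counters.
SAMPLE = struct.pack("<9I", 512, 1, 1, 0, 0, 2, 0, 1, 0)

if __name__ == "__main__":
    size, counts = read_blockmap(SAMPLE)
    for offset, length in uncarved_regions(size, counts):
        print(f"uncarved: offset={offset} length={length}")
    print("shared blocks:", overlapping_blocks(counts))
```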

CONFIGURATION FILE

       The configuration file is used to control the types  of  files  Scalpel  will  attempt  to
       carve.   A  sample configuration file, "scalpel.conf", is included with this distribution.
       For each file type, the configuration file describes the  file's  extension,  whether  the
       header and footer are case sensitive, the maximum file size, and the header and footer for
       the file. The footer field is optional,  but  the  header,  size,  case  sensitivity,  and
       extension fields are required.

       Important  note:  The default configuration file has all supported file patterns commented
       out--you must edit this before running Scalpel.

       Any line in the configuration file that begins with a pound sign is considered  a  comment
       and ignored.

       Headers  and  footers  are  decoded  before  use.  To  specify  a value in hexadecimal use
       \x[0-f][0-f], and for octal use  \[1-9][1-9][1-9].   Spaces  can  be  represented  by  \s.
       Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".

       To  match  any  single character (aka a wildcard) use a '?'. If you need to search for the
       '?' character, you will need to change the 'wildcard' line *and* every occurrence  of  the
       old  wildcard  character  in  the configuration file, including those appearing in hex and
       octal values. '?' is equal to \x3f and \063.
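
       Added example (not Scalpel's own code): a Python sketch of the rule format and
       header/footer decoding described above, showing that a \x3f byte becomes a wildcard
       after decoding. The whitespace-separated field order, the y/n case flag, the handling
       of other escaped characters and all function names are assumptions; the sample rules
       are constructed.

```python
import re

WILDCARD = ord("?")  # default wildcard byte; the 'wildcard' line can change it
_ESC = re.compile(rb"\\(x[0-9a-fA-F]{2}|[0-7]{3}|.)", re.DOTALL)

def decode_pattern(text):
    """Decode \\xHH (hex), \\ooo (octal) and \\s (space) into raw bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3 and tok[:1] == b"x":
            return bytes([int(tok[1:], 16)])
        if len(tok) == 3:
            return bytes([int(tok, 8) & 0xFF])
        # Assumption: any other escaped character stands for itself (\I -> I).
        return b" " if tok == b"s" else tok
    return _ESC.sub(repl, text.encode("latin-1"))

def parse_rule(line):
    """Split one rule line into its fields; comments and blanks give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()  # fields are whitespace-separated, hence \s for spaces
    if len(f) < 4:
        raise ValueError("extension, case, size and header are required")
    return {"ext": f[0], "case": f[1] == "y", "max_size": int(f[2]),
            "header": decode_pattern(f[3]),
            "footer": decode_pattern(f[4]) if len(f) > 4 else None}

def matches_at(data, offset, pattern, case_sensitive=True):
    """Compare decoded pattern bytes to data; wildcard bytes match anything."""
    chunk = data[offset:offset + len(pattern)]
    if len(chunk) < len(pattern):
        return False
    for got, want in zip(chunk, pattern):
        if want == WILDCARD:
            continue  # applies to '?' typed literally AND to \x3f after decoding
        if not case_sensitive:
            got, want = bytes([got]).lower(), bytes([want]).lower()
        if got != want:
            return False
    return True

# Constructed sample rules (not copied from the distributed scalpel.conf).
SAMPLE_CONF = r"""
img    y     5000  \x89IMG\s1  END
qry    n     1000  \x3f\x3fQRY
"""
RULES = [r for r in map(parse_rule, SAMPLE_CONF.splitlines()) if r]
```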

AUTHORS

       Written by Golden G. Richard III.  The first version of  Scalpel  was  based  on  foremost
       0.69,  which was written by Special Agent Kris Kendall and Special Agent Jesse Kornblum of
       the United States Air Force Office of Special Investigations.

BUGS AND LIMITATIONS

       It is currently not possible to carve physical block devices directly  using  the  Windows
       version  of  Scalpel.   This  is  a limitation that will be removed in a future release of
       Scalpel.

REPORTING BUGS

       When submitting a bug report, please include a description of the problem, how  you  found
       it, and your contact information.

       Send bug reports to:
       golden@digitalforensicssolutions.com

       This  is free software.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR
       A PARTICULAR PURPOSE.

SEE ALSO

       More information on Scalpel appears in the  README  file,  distributed  with  the  Scalpel
       source code.