scalpel's Introduction

INTRODUCTION

The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.

The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see wiki/ntfs) and FAT (see wiki/fat) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

It is recommended that these command line tools be used with the Autopsy Forensic Browser. Autopsy (http://www.sleuthkit.org/autopsy) is a graphical interface to the tools of The Sleuth Kit; it automates many of the procedures and provides features such as image searching and MD5 image integrity checks.

As with any investigation tool, any results found with The Sleuth Kit should be recreated with a second tool to verify the data.

OVERVIEW

The Sleuth Kit allows one to analyze a disk or file system image created by 'dd' or a similar application that creates a raw image. These tools are low-level and each performs a single task. When used together, they can perform a full analysis. For a more detailed description of these tools, refer to wiki/filesystem. The tools are briefly described below using a file system layered approach. Each tool name begins with a letter that is assigned to the layer.

File System Layer:

A disk contains one or more partitions (or slices). Each of these partitions contains a file system. Examples of file systems include the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS), File Allocation Table (FAT), and New Technologies File System (NTFS).

The fsstat tool displays file system details in an ASCII format. Examples of data in this display include volume name, last mounting time, and the details about each "group" in UNIX file systems.

Content Layer (block):

The content layer of a file system contains the actual file content, or data. Data is stored in large chunks, with names such as blocks, fragments, and clusters. All tools in this layer begin with the letters 'blk'.

The blkcat tool can be used to display the contents of a specific unit of the file system (similar to what 'dd' can do with a few arguments). The unit size is file system dependent. The 'blkls' tool displays the contents of all unallocated units of a file system, resulting in a stream of bytes of deleted content. The output can be searched for deleted file content. The 'blkcalc' program allows one to identify the unit location in the original image of a unit in the 'blkls' generated image.

A feature of The Sleuth Kit that is new relative to TCT is the '-l' argument to 'blkls' (or 'unrm' in TCT). This argument lists the details for data units, similar to the 'ils' command. The 'blkstat' tool displays the statistics of a specific data unit (including allocation status and group number).
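The blkls/blkcalc workflow described above (search the unallocated stream, then map a hit back to the original image) is easy to get wrong by one unit. The following is an added example, not Sleuth Kit code: it models the mapping that 'blkcalc' performs with a hand-constructed allocation bitmap (a real tool reads the file system's own bitmap), and the function names, the bitmap and the 4096-byte unit size are assumptions.

```python
# Constructed allocation bitmap for a tiny file system: index = data unit
# number, True = allocated. A real tool reads this from the file system's
# own block bitmap / FAT / $Bitmap; here it is hand-written for illustration.
ALLOC_BITMAP = [True, True, False, True, False, False,
                True, False, True, True, False, False]
UNIT_SIZE = 4096  # bytes per data unit; file-system dependent (assumed here)


def unallocated_units(bitmap):
    """Original-image addresses of every unallocated unit, in the order
    blkls writes them into its output stream."""
    return [unit for unit, allocated in enumerate(bitmap) if not allocated]


def blkls_to_original(bitmap, blkls_unit):
    """What 'blkcalc -u' answers: the original address of unit N of the
    blkls (unallocated-only) image."""
    unalloc = unallocated_units(bitmap)
    if not 0 <= blkls_unit < len(unalloc):
        raise ValueError(
            f"blkls unit {blkls_unit} is past the end of the unallocated stream")
    return unalloc[blkls_unit]


def original_to_blkls(bitmap, orig_unit):
    """What 'blkcalc -d' answers: where an original unit landed in the blkls
    image, or None when the unit is allocated (blkls never copied it)."""
    if not 0 <= orig_unit < len(bitmap):
        raise ValueError(f"unit {orig_unit} is outside the file system")
    if bitmap[orig_unit]:
        return None
    # Its blkls address is the number of unallocated units that precede it.
    return sum(1 for allocated in bitmap[:orig_unit] if not allocated)


def hit_to_original(bitmap, unit_size, blkls_byte_offset):
    """Translate a byte offset reported by a search over the blkls stream
    (e.g. 'strings -t d' or 'grep -b') into (original unit, original byte
    offset). The remainder inside the unit is preserved."""
    blkls_unit, remainder = divmod(blkls_byte_offset, unit_size)
    orig_unit = blkls_to_original(bitmap, blkls_unit)
    return orig_unit, orig_unit * unit_size + remainder


if __name__ == "__main__":
    print("unallocated units:", unallocated_units(ALLOC_BITMAP))
    print("blkls unit 3 -> original unit", blkls_to_original(ALLOC_BITMAP, 3))
    print("original unit 7 -> blkls unit", original_to_blkls(ALLOC_BITMAP, 7))
    print("hit at blkls offset 12388 ->",
          hit_to_original(ALLOC_BITMAP, UNIT_SIZE, 12388))
```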

Metadata Layer (inode):

The metadata layer describes a file or directory. This layer contains descriptive data such as dates and size as well as the addresses of the data units. This layer describes the file in terms that the computer can process efficiently. The structures that the data is stored in have names such as inode and directory entry. All tools in this layer begin with an 'i'.

The 'ils' program lists some values of the metadata structures. By default, it will only list the unallocated ones. The 'istat' tool displays metadata information in an ASCII format about a specific structure. New to The Sleuth Kit is that 'istat' will display the destination of symbolic links. The 'icat' tool displays the contents of the data units allocated to the metadata structure (similar to the UNIX cat(1) command). The 'ifind' tool will identify which metadata structure has allocated a given content unit or file name.

Refer to the ntfs wiki for information on addressing metadata attributes in NTFS.

Human Interface Layer (file):

The human interface layer allows one to interact with files in a manner that is more convenient than directly with the metadata layer. In some operating systems there are separate structures for the metadata and human interface layers while others combine them. All tools in this layer begin with the letter 'f'.

The 'fls' program lists file and directory names. This tool will display the names of deleted files as well. The 'ffind' program will identify the name of the file that has allocated a given metadata structure. With some file systems, deleted files will be identified.

Time Line Generation

Time lines are useful to quickly get a picture of file activity. Using The Sleuth Kit, a time line of file MAC times can be easily made. The mactime (TCT) program takes as input the 'body' file that was generated by fls and ils. To get data on allocated and unallocated file names, use 'fls -rm dir', and for unallocated inodes use 'ils -m'. Note that the behavior of these tools is different than in TCT. For more information, refer to wiki/mactime.
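To show what mactime does with the body file that 'fls -m' and 'ils -m' produce, here is an added example (not Sleuth Kit code): it parses the pipe-separated body format of The Sleuth Kit 3.x (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), folds each record's four timestamps into one row per distinct time with the familiar 'macb' flags, and skips zero timestamps. The sample body lines are constructed, and the function names are assumptions.

```python
import datetime
from collections import defaultdict

# Constructed sample body file in the format written by `fls -m` / `ils -m`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/etc/passwd|131|r/rrw-r--r--|0|0|2310|1700000300|1700000000|1700000000|1699990000
0|/home/alice/notes.txt|2051|r/rrw-------|1000|1000|418|1700000500|1700000500|1700000500|1700000500
0|/home/alice/.bash_history (deleted)|2077|r/rrw-------|1000|1000|0|1700000700|1700000650|1700000650|0
0|<img-dead-2080>|2080|-/-rw-r--r--|1000|1000|8192|1700000900|1700000100|1700000100|0
"""

# Order matters: it defines the "macb" flag string (modified, accessed,
# changed, born/created).
MAC_FIELDS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """Parse body-file lines into dicts; blank and malformed rows are dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 11:
            continue  # not a TSK 3.x body row
        md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        records.append({
            "md5": md5, "name": name, "inode": inode, "mode": mode,
            "uid": uid, "gid": gid, "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        })
    return records


def build_timeline(records):
    """Return sorted (epoch, macb, size, mode, uid, gid, inode, name) tuples.
    Like mactime, the four timestamps of one record are folded into one row
    per distinct time, and zero (unset) timestamps are ignored."""
    flags_by_row = defaultdict(set)
    for rec in records:
        for field, flag in MAC_FIELDS:
            ts = rec[field]
            if ts == 0:
                continue
            key = (ts, rec["size"], rec["mode"], rec["uid"],
                   rec["gid"], rec["inode"], rec["name"])
            flags_by_row[key].add(flag)
    rows = []
    for key, flags in flags_by_row.items():
        macb = "".join(f if f in flags else "." for _, f in MAC_FIELDS)
        rows.append((key[0], macb) + key[1:])
    rows.sort(key=lambda r: (r[0], r[7]))  # by time, then name
    return rows


def format_timeline(rows):
    """Render rows in a mactime-like column layout (UTC)."""
    lines = []
    for ts, macb, size, mode, uid, gid, inode, name in rows:
        when = datetime.datetime.fromtimestamp(
            ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(
            f"{when} {size:>8} {macb} {mode} {uid:>4} {gid:>4} {inode:>6} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_timeline(build_timeline(parse_body(SAMPLE_BODY))))
```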

Hash Databases

Hash databases are used to quickly identify if a file is known. The MD5 or SHA-1 hash of a file is taken and a database is used to identify if it has been seen before. This allows identification to occur even if a file has been renamed.

The Sleuth Kit includes the 'md5' and 'sha1' tools to generate hashes of files and other data.

Also included is the 'hfind' tool. The 'hfind' tool allows one to create an index of a hash database and perform quick lookups using a binary search algorithm. The 'hfind' tool can perform lookups on the NIST National Software Reference Library (NSRL) (www.nsrl.nist.gov) and files created from the 'md5' or 'md5sum' command. Refer to the wiki/hfind file for more details.

File Type Categories

Different types of files typically have different internal structure. The 'file' command comes with most versions of UNIX and a copy is also distributed with The Sleuth Kit. This is used to identify the type of file or other data regardless of its name and extension. It can even be used on a given data unit to help identify what file used that unit for storage. Note that the 'file' command typically uses data in the first bytes of a file so it may not be able to identify a file type based on the middle blocks or clusters.

The 'sorter' program in The Sleuth Kit will use other Sleuth Kit tools to sort the files in a file system image into categories. The categories are based on rule sets in configuration files. The 'sorter' tool will also use hash databases to flag known bad files and ignore known good files. Refer to the wiki/sorter file for more details.
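The two hash-database passages above (the 'hfind' index with binary-search lookups, and 'sorter' flagging known-bad and ignoring known-good files) can be illustrated in one place. The following is an added example and not Sleuth Kit code: it builds an hfind-style sorted index from an md5sum-format listing, looks hashes up with a binary search, and classifies a set of files the way sorter does. The file names and contents are constructed, so their MD5s are computed at run time, and the function names are assumptions.

```python
import bisect
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed "known good" files (think OS binaries from NSRL) and "known bad"
# files (tools already confirmed malicious in an earlier case), as (path, content).
KNOWN_GOOD_FILES = [("/bin/true", b"ELF-true"), ("/bin/ls", b"ELF-ls"),
                    ("/etc/motd", b"welcome\n")]
KNOWN_BAD_FILES = [("dropper.exe", b"MZ-dropper"), ("rootkit.ko", b"ELF-rootkit")]

# Constructed files "found in the image"; one is a renamed copy of a known-bad
# file and one is a renamed copy of a known-good file.
IMAGE_FILES = [("/mnt/image/tmp/ls_copy", b"ELF-ls"),
               ("/mnt/image/tmp/x.bin", b"MZ-dropper"),
               ("/mnt/image/home/u/new.doc", b"unknown doc")]


def md5sum_listing(files):
    """Render files in the 'md5sum' output format (hash, two spaces, path)."""
    return "".join(f"{md5_hex(data)}  {path}\n" for path, data in files)


def build_index(listing):
    """hfind-style index: a sorted list of (hash, path) from an md5sum listing.
    Lines that do not look like '<32 hex>  <path>' are skipped."""
    entries = []
    for line in listing.splitlines():
        if len(line) < 35 or line[32:34] != "  ":
            continue
        entries.append((line[:32].lower(), line[34:]))
    entries.sort()
    return entries


def lookup(index, digest):
    """Binary-search the index; return every path stored under that hash."""
    digest = digest.lower()
    i = bisect.bisect_left(index, (digest, ""))
    paths = []
    while i < len(index) and index[i][0] == digest:
        paths.append(index[i][1])
        i += 1
    return paths


def classify(files, good_index, bad_index):
    """As sorter does: flag known-bad, ignore known-good, queue the rest for
    review. Lookups are by content hash, so renaming a file does not hide it."""
    report = {"known_bad": [], "known_good": [], "unknown": []}
    for path, data in files:
        h = md5_hex(data)
        if lookup(bad_index, h):
            report["known_bad"].append(path)
        elif lookup(good_index, h):
            report["known_good"].append(path)
        else:
            report["unknown"].append(path)
    return report


def run_demo():
    good_index = build_index(md5sum_listing(KNOWN_GOOD_FILES))
    bad_index = build_index(md5sum_listing(KNOWN_BAD_FILES))
    return classify(IMAGE_FILES, good_index, bad_index)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```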

LICENSE

There are a variety of licenses used in TSK based on where they were first developed. The licenses are located in the licenses directory.

  • The file system tools (in the tools/fstools directory) are released under the IBM open source license and Common Public License.
  • srch_strings and fiwalk are released under the GNU Public License
  • Other tools in the tools directory are released under the Common Public License
  • The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License.

The library uses utilities that were released under MIT and BSD 3-clause.

INSTALL

For installation instructions, refer to the INSTALL.txt document.

OTHER DOCS

The wiki contains documents that describe the provided tools in more detail. The Sleuth Kit Informer is a newsletter that contains new documentation and articles.

www.sleuthkit.org/informer/

MAILING LIST

Mailing lists exist on SourceForge, for both users and a low-volume announcements list.

http://sourceforge.net/mail/?group_id=55685

Brian Carrier

carrier at sleuthkit dot org

scalpel's People

Contributors

bcarrier, esaunders, marcan, mremy, stevenhoneyman


scalpel's Issues

Malloc failed in function add_to_queue()

Attempting to carve images, videos and docs out of a large E01 disk image, approx. 210GB. The application crashes after: "
Image file pass 1/2 ... 100%
Allocating work queues...
Work queues allocation complete. Building work queues...
Malloc failed in function add_to_queue()
"

Watching RAM usage on the server (CentOS 7 VM with 32 proc and 16GB RAM), the scalpel process uses approx. 11GB before the crash.

Any help appreciated.

Does not compile with GPU

/bin/bash ../libtool  --tag=CXX   --mode=link g++  -g -O2  -static -o libscalpel_test libscalpel_test.o libscalpel.la -ltre -lpthread -lm 
libtool: link: g++ -g -O2 -o libscalpel_test libscalpel_test.o  ./.libs/libscalpel.a -ltre -lpthread -lm
./.libs/libscalpel.a(dig.o): In function `gpu_handler(void*)':
/home/vld/scalpel/src/dig.cpp:926: undefined reference to `copytodevicepattern(char (*) [20])'
/home/vld/scalpel/src/dig.cpp:927: undefined reference to `copytodevicelookup_headers(char (*) [16])'
/home/vld/scalpel/src/dig.cpp:928: undefined reference to `copytodevicelookup_footers(char (*) [16])'
/home/vld/scalpel/src/dig.cpp:933: undefined reference to `gpu_init(int)'
/home/vld/scalpel/src/dig.cpp:942: undefined reference to `gpuSearchBuffer(char*, int, char*, int, char)'
/home/vld/scalpel/src/dig.cpp:951: undefined reference to `gpuSearchBuffer(char*, int, char*, int, char)'
/home/vld/scalpel/src/dig.cpp:958: undefined reference to `gpu_cleanup()'
./.libs/libscalpel.a(dig.o): In function `init_store()':
/home/vld/scalpel/src/dig.cpp:2635: undefined reference to `ourCudaMallocHost(void**, int)'
collect2: error: ld returned 1 exit status
Makefile:485: recipe for target 'libscalpel_test' failed
make[1]: *** [libscalpel_test] Error 1
make[1]: Leaving directory '/home/vld/scalpel/src'
Makefile:524: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Scalpel 2.1 pre-release fails to build on Fedora 20

Hello,
the current code seems to fail to build on Fedora 20 (64 bit).
Trying with commit 90393b6.

libtool: compile: g++ -DPACKAGE_NAME="scalpel" -DPACKAGE_TARNAME="scalpel" -DPACKAGE_VERSION="2.0" "-DPACKAGE_STRING="scalpel 2.0"" -DPACKAGE_BUGREPORT="[email protected]" -DPACKAGE_URL="" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=".libs/" -DPACKAGE="scalpel" -DVERSION="2.0" -DHAVE_LIBM=1 -DHAVE_LIBPTHREAD=1 -DHAVE_LIBTRE=1 -DHAVE_FCNTL_H=1 -DHAVE_LIMITS_H=1 -DHAVE_STDDEF_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_SYS_IOCTL_H=1 -DHAVE_SYS_MOUNT_H=1 -DHAVE_SYS_PARAM_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_TIMEB_H=1 -DHAVE_UNISTD_H=1 -DHAVE__BOOL=1 -DHAVE_STDBOOL_H=1 -DHAVE_FSEEKO=1 -DHAVE_STDLIB_H=1 -DHAVE_MALLOC=1 -DHAVE_STDLIB_H=1 -DHAVE_REALLOC=1 -DHAVE_BZERO=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_MKDIR=1 -DHAVE_REALPATH=1 -DHAVE_REGCOMP=1 -DHAVE_STRCHR=1 -DHAVE_STRDUP=1 -DHAVE_STRERROR=1 -DHAVE_STRNCASECMP=1 -DHAVE_STRTOUL=1 -DHAVE_STRTOULL=1 -I. -I../src -Wall -I/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65-2.5.2.5.fc20.x86_64/include -I/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65-2.5.2.5.fc20.x86_64/include/linux -g -O2 -MT libscalpel_jni.lo -MD -MP -MF .deps/libscalpel_jni.Tpo -c libscalpel_jni.cpp -o libscalpel_jni.o >/dev/null 2>&1
mv -f .deps/libscalpel_jni.Tpo .deps/libscalpel_jni.Plo
/bin/sh ../libtool --tag=CXX --mode=link g++ -g -O2 -o libscalpel_jni.la -rpath /usr/local/lib libscalpel_jni.lo ../src/libscalpel.la -ltre -lpthread -lm
libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-redhat-linux/4.8.3/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/4.8.3/crtbeginS.o .libs/libscalpel_jni.o ../src/.libs/libscalpel.a -ltre -lpthread -L/usr/lib/gcc/x86_64-redhat-linux/4.8.3 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.3/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.3/../../.. -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-redhat-linux/4.8.3/crtendS.o /usr/lib/gcc/x86_64-redhat-linux/4.8.3/../../../../lib64/crtn.o -O2 -Wl,-soname -Wl,libscalpel_jni.so.0 -o .libs/libscalpel_jni.so.0.0.0
/usr/bin/ld: ../src/.libs/libscalpel.a(scalpel.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
../src/.libs/libscalpel.a: could not read symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libscalpel_jni.la] Error 1
make[1]: Leaving directory `/home/mambroz/rpmbuild/BUILD/scalpel-90393b6537471626932a097ad0584ea186dacc64/jni'
make: *** [all-recursive] Error 1

How do I download for Windows?

The readme file says that a pre-compiled version for Windows exists. Yet I can't find it. Where do I download it from? Please help me.

`make` on Manjaro fails

As in title.

# make
gcc -Wall -O2 -DVERSION=\"1.5.7\" -D__UNIX -D__LINUX -DLARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 main.o state.o helpers.o config.o cli.o engine.o dir.o extract.o api.o -o foremost
/usr/bin/ld: state.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: state.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: state.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: helpers.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: helpers.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: helpers.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: config.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: config.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: config.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: cli.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: cli.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: cli.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: engine.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: engine.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: engine.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: dir.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: dir.o:(.bss+0x0): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: dir.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: extract.o:(.bss+0x10): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: extract.o:(.bss+0x20): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: extract.o:(.bss+0xbd760): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
/usr/bin/ld: api.o:(.bss+0x448): multiple definition of `dirlist'; extract.o:(.bss+0x8): first defined here
/usr/bin/ld: api.o:(.bss+0x440): multiple definition of `dl'; extract.o:(.bss+0x0): first defined here
/usr/bin/ld: api.o:(.bss+0x450): multiple definition of `signal_caught'; main.o:(.bss+0x0): first defined here
/usr/bin/ld: api.o:(.bss+0x460): multiple definition of `search_spec'; main.o:(.bss+0x20): first defined here
/usr/bin/ld: api.o:(.bss+0xbdba0): multiple definition of `wildcard'; main.o:(.bss+0xbd760): first defined here
collect2: error: ld returned 1 exit status
make: *** [Makefile:113: foremost] Error 1

Debian Stable - can't compile

Hello,
When I try to make I get this output (the end):

libtool: compile: g++ -DPACKAGE_NAME="scalpel" -DPACKAGE_TARNAME="scalpel" -DPACKAGE_VERSION="2.0" "-DPACKAGE_STRING="scalpel 2.0"" -DPACKAGE_BUGREPORT="[email protected]" -DPACKAGE_URL="" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=".libs/" -DPACKAGE="scalpel" -DVERSION="2.0" -DHAVE_LIBM=1 -DHAVE_LIBPTHREAD=1 -DHAVE_LIBTRE=1 -DHAVE_FCNTL_H=1 -DHAVE_LIMITS_H=1 -DHAVE_STDDEF_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_SYS_IOCTL_H=1 -DHAVE_SYS_MOUNT_H=1 -DHAVE_SYS_PARAM_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_TIMEB_H=1 -DHAVE_UNISTD_H=1 -DHAVE__BOOL=1 -DHAVE_STDBOOL_H=1 -DHAVE_FSEEKO=1 -DHAVE_STDLIB_H=1 -DHAVE_MALLOC=1 -DHAVE_STDLIB_H=1 -DHAVE_REALLOC=1 -DHAVE_BZERO=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_MKDIR=1 -DHAVE_REALPATH=1 -DHAVE_REGCOMP=1 -DHAVE_STRCHR=1 -DHAVE_STRDUP=1 -DHAVE_STRERROR=1 -DHAVE_STRNCASECMP=1 -DHAVE_STRTOUL=1 -DHAVE_STRTOULL=1 -I. -I../src -Wall -I/usr/lib/jvm/java-7-openjdk-amd64/include -I/usr/lib/jvm/java-7-openjdk-amd64/include/linux -g -O2 -MT libscalpel_jni.lo -MD -MP -MF .deps/libscalpel_jni.Tpo -c libscalpel_jni.cpp -o libscalpel_jni.o >/dev/null 2>&1
mv -f .deps/libscalpel_jni.Tpo .deps/libscalpel_jni.Plo
/bin/bash ../libtool --tag=CXX --mode=link g++ -g -O2 -o libscalpel_jni.la -rpath /usr/local/lib libscalpel_jni.lo ../src/libscalpel.la -ltre -lpthread -lm
libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.9/crtbeginS.o .libs/libscalpel_jni.o ../src/.libs/libscalpel.a -ltre -lpthread -L/usr/lib/gcc/x86_64-linux-gnu/4.9 -L/usr/lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.9/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.9/../../.. -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.9/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crtn.o -O2 -Wl,-soname -Wl,libscalpel_jni.so.0 -o .libs/libscalpel_jni.so.0.0.0
/usr/bin/ld: ../src/.libs/libscalpel.a(scalpel.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
../src/.libs/libscalpel.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:408: recipe for target 'libscalpel_jni.la' failed
make[1]: *** [libscalpel_jni.la] Error 1
make[1]: Leaving directory '/home/dk/src/scalpel/jni'
Makefile:512: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

From OpenCV issues I guess I need to recompile some library to be shared. Can someone help me with this?

Dealing with headers that have constant offsets.

Hello,

My current recovery job requires me to recover fragmented files (zip archives) from unallocated space.
scalpel is usually my first-choice tool; however, this particular machine stores 100 bytes of metadata in front of every file.

I do want to use cluster-aligned mode, since all data is perfectly cluster aligned.

My fear, however, is that rewriting the header definition of a zip file within the scalpel.conf (e.g. preceding it with 100 "?") will break the zip-file handling.

My suggestion would be to introduce an offset (or a list of offsets) that will be used to locate a file's header not only at byte 0 of a cluster but at any given offset.

Hadoop extension

Hello,

At the moment I am doing my master's dissertation in Hadoop forensics, and it would be nice to use your software to rescue files with the extension ".meta". Is it possible to do this with the newest version?

Thanks for your time,
Alvaro Garzon.

Scalpel on raspberry

Hello.
I was testing scalpel on my Raspberry Pi file server.

First, I installed it with sudo apt-get install scalpel
(it installed 1.60 fine),
but when executing scalpel, it throws:
"
Scalpel version 1.60
Written by ....
"

So then I uninstalled it, went to the /tmp/ folder and git cloned this project:
./bootstrap
./configure
make

And it finished ok.

I then used the scalpel binary and it threw the same text:

"
./scalpel -c scalpel.conf -v /dev/sda -o ./SALIDA/

Scalpel version 2.1
Written by Golden G. Richard III and Lodovico Marziale.
"

[attached screenshot: scalpel_issue]

bootstrap fails on Ubuntu 14.04

I just tried to build Scalpel on Ubuntu 14.04 and got the following error:

 ./bootstrap
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:7: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.  For more info, see:
configure.ac:7: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
Makefile.am:12: warning: source file 'src/scalpel_exec.cpp' is in a subdirectory,
Makefile.am:12: but option 'subdir-objects' is disabled
automake: warning: possible forward-incompatibility.
automake: At least a source file is in a subdirectory, but the 'subdir-objects'
automake: automake option hasn't been enabled.  For now, the corresponding output
automake: object file(s) will be placed in the top-level directory.  However,
automake: this behaviour will change in future Automake versions: they will
automake: unconditionally cause object files to be placed in the same subdirectory
automake: of the corresponding sources.
automake: You are advised to start using 'subdir-objects' option throughout your
automake: project, to avoid future incompatibilities.

I added this line to Makefile.am

AUTOMAKE_OPTIONS = subdir-objects

And then got

$ ./bootstrap
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:7: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.  For more info, see:
configure.ac:7: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation

At this point I think I'll hand it over to people who understand the bootstrap process as I've never worked with it before.

The copy of Scalpel from the repo works fine, so this is only affecting building from source.

GPU threading

Hi there!

It looks like some sources files are missing to enable GPU threading. Namely, dig.cu is not in the repo. Is it intentional?

Scalpel can't recover files in partition if it was edited with dd

If some partition was incorrectly edited with dd, Scalpel can't recover files from it: it incorrectly obtains the size of the partition, which equals the damaged memory size, and as expected tries to recover files in the damaged area despite the rest of the memory being correct.

You can reproduce that bug simply: create an image with dd, then format it (for example as an ext3 drive), fill it with files, then run dd if=/dev/zero of=yourdrive.img count=10 bs=1M and then try to restore the files.

Some of the files recovered may be corrupted or have incomplete data

Component: scalpel.x86_64 2.1-0.rc1.2.47815c2.fc32.8 @fedora

Case: files deleted today on Fedora from an external drive formatted in FAT32, by invoking shift + del. Location on my system of the default configuration file:

$ rpm -ql scalpel | grep '.conf'
/etc/scalpel.conf

The recovery operation was run with the command scalpel -c /home/yk/scalpel.conf -o /home/yk/P.../ /dev/sdb1.

Some of the recovered PDF files show this issue when attempting to open them:

[attached screenshot: scalpel_recovered_PDF_document]

Strangely, some files deleted one year ago could be recovered properly, as they were readable, but not the last deleted ones. I am fully ready to investigate on my own in order to recover that last one. I guess I would need knowledge that you could provide if you wish.

"make" fails

Hi,
I'm trying to build & install scalpel 0.5.2 on Ubuntu 15.10,
running Terminal from the unpacked source folder.
When using "sudo make", I get an error message about missing BamReader.h.
The file is there (in scalpel-0.5.2/bamtools-2.3.0/src/api).
Please see the attached screenshot.

What do I do?
[attached screenshot from 2015-12-06 18-40-52]

Where is Scalpel.exe?

The readme says there is a scalpel.exe file for Windows but I am unable to find it.

MakeFile Errors - Windows 10

Getting some errors when running MakeFile - Windows 10 x64
Been at this for like 2 hours... Any thoughts?

C:\Users\Test\Downloads\scalpel-master>mingw32-make -f Makefile.win
g++ -Wall -g -O2 -D__WIN32 -Isrc -Itre-0.7.5-win32/lib -Ipthreads-win32 -D__WIN32 -Isrc -Itre-0.7.5-win32/lib -Ipthreads-win32 -c src/helpers.cpp src/syncqueue.cpp src/files.cpp src/scalpel.cpp src/dig.cpp src/prioque.cpp src/base_name.cpp src/input_reader.cpp -liberty -L. -Ltre-0.7.5-win32/lib -L pthreads-win32 -lpthreadGC2 -ltre-4
src/helpers.cpp:531:17: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"ERROR: Couldn't skip %"PRIu64 " bytes at the start of input file %s\n",
^
src/helpers.cpp:546:29: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stderr, "\nSkipped the first %"PRIu64 " bytes of %s...\n",
^
In file included from src/scalpel.h:54:0,
from src/helpers.cpp:23:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/scalpel.h:47:0,
from src/helpers.cpp:23:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
In file included from src/syncqueue.h:29:0,
from src/syncqueue.cpp:31:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/pthread.h:218:0,
from src/syncqueue.h:29,
from src/syncqueue.cpp:31:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
In file included from src/scalpel.h:54:0,
from src/files.cpp:23:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/scalpel.h:47:0,
from src/files.cpp:23:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
In file included from src/scalpel.h:54:0,
from src/scalpel.cpp:23:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/scalpel.h:47:0,
from src/scalpel.cpp:23:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
src/dig.cpp:381:35: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(state->auditFile, "\nSkipped the first %"PRIu64 "bytes of %s...\n",
^
src/dig.cpp:384:29: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "\nSkipped the first %"PRIu64 "bytes of %s...\n",
^
src/dig.cpp:621:33: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "A %s header was found at : %"PRIu64 "\n",
^
src/dig.cpp:650:29: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"Memory reallocation performed, total header storage = %"PRIu64 "\n",
^
src/dig.cpp:759:33: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "A %s footer was found at : %"PRIu64 "\n",
^
src/dig.cpp:787:29: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"Memory reallocation performed, total footer storage = %"PRIu64 "\n",
^
src/dig.cpp:994:33: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "Read %"PRIu64 " bytes from image file.\n", bytesread);
^
src/dig.cpp:1109:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "Total file size is %"PRIu64 " bytes\n", filesize);
^
src/dig.cpp:1540:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "" --> %"PRIu64 " files\n", currentneedle->numfilestocarve);
^
src/dig.cpp:1918:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "# of blocks in coverage blockmap is %"PRIu64 ".\n",
^
src/dig.cpp:1973:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "# of blocks in coverage blockmap is %"PRIu64 ".\n",
^
src/dig.cpp:2377:17: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"Coverage map decreased current file position by %"PRIu64 " bytes.\n",
^
src/dig.cpp:2402:17: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"Issuing coverage map-based READ, wants %"PRIu64 " bytes.\n",
^
src/dig.cpp:2428:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"fread using coverage map to skip %"PRIu64 " bytes.\n", bytestoskip);
^
src/dig.cpp:2453:25: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
"fread using coverage map found %"PRIu64 " consecutive bytes.\n",
^
src/dig.cpp:2468:37: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
fprintf(stdout, "fread using coverage map read %"PRIu64 " bytes.\n",
^
src/dig.cpp:2882:32: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
if(fprintf(dbfile, "%"PRIu64 "\n", currentneedle->offsets.numheaders)
^
src/dig.cpp:2896:30: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
(dbfile, "%"PRIu64 "\n",
^
src/dig.cpp:2916:32: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
if(fprintf(dbfile, "%"PRIu64 "\n", currentneedle->offsets.numfooters)
^
src/dig.cpp:2928:30: warning: invalid suffix on literal; C++11 requires a space between literal and string macro [-Wliteral-suffix]
(dbfile, "%"PRIu64 "\n",
^
In file included from src/scalpel.h:54:0,
from src/dig.cpp:24:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/scalpel.h:47:0,
from src/dig.cpp:24:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
In file included from src/prioque.h:47:0,
from src/prioque.cpp:40:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/pthread.h:218:0,
from src/prioque.h:47,
from src/prioque.cpp:40:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
In file included from src/scalpel.h:54:0,
from src/input_reader.cpp:24:
src/pthread.h:307:8: error: redefinition of 'struct timespec'
struct timespec {
^~~~~~~~
In file included from src/scalpel.h:47:0,
from src/input_reader.cpp:24:
c:\mingw\include\time.h:115:8: error: previous definition of 'struct timespec'
struct timespec
^~~~~~~~
Makefile.win:50: recipe for target 'libwin32_static' failed
mingw32-make: *** [libwin32_static] Error 1

Using Scalpel on Unallocated Space without dumping?

I need to run scalpel on the unallocated space of a raw image. Based on everything I read online, this is done by first dumping the unallocated space to another file using blkls, and then running scalpel on that. However, due to disk space constraints, this may not be possible. I don't see why scalpel can't theoretically run against the unallocated space on the raw image itself, without dumping. Is there any way to do this currently?

Dependencies and License

Installing the 1.60 version of this app from the Ubuntu repository using the APT tool gives no problem.

Installing from source, I'm getting the dependency error, which links to the POSIX threads library.

  • Is this tool using that library, which is available in the same git? But from tre-0.7.6 the license is a new one,
    so what is possible to do now?
  • Could we build it from your "win32" directory?
  • How could I install this app using the APT tool without any additional dependencies?

Man page improvements

The man page is unclear on whether and how the -i and the [FILES]... alternatives interact. I suspect they don't, but the man page doesn't confirm that -- nor does it contradict it.

Without making any extensive tests, I suggest splitting the command line into two: one with the -i but without the [FILES]..., and one without -i but with [FILES]..., to show what I assume is the intended usage. If not, please clarify the man page accordingly: are any [FILES] added (conceptually) at the end of the -i list, or the other way around?

I also suggest correcting the minor confusion with [FILES]...: the three dots indicating repetition must be placed inside the brackets to be perfectly clear.

compiling fails on ubuntu 18.04.1

Tried ./configure --without-pic and still failed.

ibtool: compile:  g++ -DPACKAGE_NAME=\"scalpel\" -DPACKAGE_TARNAME=\"scalpel\" -DPACKAGE_VERSION=\"2.0\" "-DPACKAGE_STRING=\"scalpel 2.0\"" -DPACKAGE_BUGREPORT=\"[email protected]\" -DPACKAGE_URL=\"\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DPACKAGE=\"scalpel\" -DVERSION=\"2.0\" -DHAVE_LIBM=1 -DHAVE_LIBPTHREAD=1 -DHAVE_LIBTRE=1 -DHAVE_FCNTL_H=1 -DHAVE_LIMITS_H=1 -DHAVE_STDDEF_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_SYS_IOCTL_H=1 -DHAVE_SYS_MOUNT_H=1 -DHAVE_SYS_PARAM_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_TIMEB_H=1 -DHAVE_UNISTD_H=1 -DHAVE__BOOL=1 -DHAVE_STDBOOL_H=1 -DHAVE_FSEEKO=1 -DHAVE_STDLIB_H=1 -DHAVE_MALLOC=1 -DHAVE_STDLIB_H=1 -DHAVE_REALLOC=1 -DHAVE_BZERO=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_MKDIR=1 -DHAVE_REALPATH=1 -DHAVE_REGCOMP=1 -DHAVE_STRCHR=1 -DHAVE_STRDUP=1 -DHAVE_STRERROR=1 -DHAVE_STRNCASECMP=1 -DHAVE_STRTOUL=1 -DHAVE_STRTOULL=1 -I. -I../src -Wall -I/usr/local/jdk-11.0.1/include -I/usr/local/jdk-11.0.1/include/linux -g -O2 -MT libscalpel_jni.lo -MD -MP -MF .deps/libscalpel_jni.Tpo -c libscalpel_jni.cpp -o libscalpel_jni.o >/dev/null 2>&1
mv -f .deps/libscalpel_jni.Tpo .deps/libscalpel_jni.Plo
/bin/bash ../libtool  --tag=CXX   --mode=link g++  -g -O2   -o libscalpel_jni.la -rpath /usr/local/lib libscalpel_jni.lo ../src/libscalpel.la -ltre -lpthread -lm 
libtool: link: g++  -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o  .libs/libscalpel_jni.o   ../src/.libs/libscalpel.a -ltre -lpthread -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o  -g -O2   -Wl,-soname -Wl,libscalpel_jni.so.0 -o .libs/libscalpel_jni.so.0.0.0
/usr/bin/ld: .libs/libscalpel_jni.o: relocation R_X86_64_PC32 against symbol `stdout@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Makefile:419: recipe for target 'libscalpel_jni.la' failed
make[1]: *** [libscalpel_jni.la] Error 1
make[1]: Leaving directory '/opt/scalpel/jni'
Makefile:524: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Have problem with install

I ran ./bootstrap
and then got this problem in the terminal (Ubuntu 20.4 LTS):
Makefile.am:12: warning: source file 'src/scalpel_exec.cpp' is in a subdirectory,
Makefile.am:12: but option 'subdir-objects' is disabled
automake: warning: possible forward-incompatibility.
automake: At least a source file is in a subdirectory, but the 'subdir-objects'
automake: automake option hasn't been enabled. For now, the corresponding output
automake: object file(s) will be placed in the top-level directory. However,
automake: this behaviour will change in future Automake versions: they will
automake: unconditionally cause object files to be placed in the same subdirectory
automake: of the corresponding sources.
automake: You are advised to start using 'subdir-objects' option throughout your
automake: project, to avoid future incompatibilities.
Makefile.am: installing './depcomp'

How to reset search to not get recurring results?

I have a raw image, not even a file system image, with a lot of archived files in it. Bz2 files, to be more precise, and when carving, the header is found correctly but the resulting files contain all subsequent files as well.

+-------------------+------+----------------------+------+------------------+---
| BZh... Aaaaaa     | blaa | BZh... Bbbbbbb       | blab | BZh... Ccccc     | ...
+-------------------+------+----------------------+------+------------------+---

// and next file will be 

+----------------------+------+-------------------+---
| BZh... Bbbbbbb       | blab | BZh... Ccccc      | ...
+----------------------+------+-------------------+---

+-------------------+---
| BZh... Ccccc      | ...
+-------------------+---

and so on.

How can I reset search when next header of the same type especially is found so I get something like this:

+-------------------+------+
| BZh... Aaaaaa     | blaa |
+-------------------+------+

+----------------------+------+
| BZh... Bbbbbbb       | blab |
+----------------------+------+

+-------------------+---
| BZh... Ccccc      | ...
+-------------------+---

Is there an option for that, or would it have to be developed?
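To make the two carving rules in this question concrete, here is an added Python illustration (not scalpel's code) run over a constructed byte string laid out like the diagram above: one routine carves up to max_size bytes from every header hit, which reproduces the recurring results, and the other stops each carve at the next header of the same type. Only the "BZh9" magic is real bzip2; the payload and filler bytes are made up.

```python
"""Footerless carving: carve-to-max-size versus stop-at-next-header.

Added illustration, not scalpel's own code. IMAGE is a constructed byte
string laid out like the diagram in the question: three bzip2-style streams
("BZh9" magic + payload) with filler bytes between them.
"""
from dataclasses import dataclass
from typing import List

HEADER = b"BZh9"  # bzip2 stream magic followed by the block-size digit


@dataclass
class Carve:
    start: int   # offset of the header in the image
    end: int     # one past the last carved byte
    data: bytes


def find_headers(image: bytes, header: bytes) -> List[int]:
    """Return every offset at which `header` occurs, in ascending order."""
    offsets, pos = [], image.find(header)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(header, pos + 1)
    return offsets


def carve_max_size(image: bytes, header: bytes, max_size: int) -> List[Carve]:
    """Plain footerless rule: every hit yields up to max_size bytes.

    With a large max_size this gives the 'recurring results' in the question:
    the carve for A also swallows B and C, the carve for B also swallows C.
    """
    carves = []
    for offset in find_headers(image, header):
        end = min(offset + max_size, len(image))
        carves.append(Carve(offset, end, image[offset:end]))
    return carves


def carve_until_next_header(image: bytes, header: bytes, max_size: int) -> List[Carve]:
    """Stop each carve at the next header of the same type (or at max_size).

    This is the 'reset the search at the next header' rule the question asks
    for; the filler after a stream stays attached to it, as in the diagram.
    """
    hits = find_headers(image, header)
    carves = []
    for i, offset in enumerate(hits):
        end = min(offset + max_size, len(image))
        if i + 1 < len(hits):
            end = min(end, hits[i + 1])  # clip at the following header
        carves.append(Carve(offset, end, image[offset:end]))
    return carves


# Constructed sample image: header + payload + filler, three times over.
IMAGE = (HEADER + b"Aaaaaa" + b"blaa"
         + HEADER + b"Bbbbbbb" + b"blab"
         + HEADER + b"Ccccc" + b"rest")
```

Note that the next-header rule only shortens a carve; a stream whose real end is followed by unrelated filler still carries that filler, so a bzip2-aware end-of-stream check would be needed to trim it.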

Consultation on scalpel usage

How do I use scalpel 2.1 to scan the first 50GB of disk space because it consumes too much memory? I appreciate your assistance with this matter.

Can it find csv files?

Hello,

I would like to search for a file.csv deleted a few months ago; would someone know the line to add to the conf file?

I found information about this on another forum; a member had added this line, but in my case it does not work. Can you tell me if it can be modified and if it contains errors?

R n 60000 read.csv

Thanks

PreviewMode option in library does not appear to be honored

I was testing using scalpel as a library and looked at libscalpel_test.cpp as a base. I wanted to use the library in preview mode (just get the resulting audit.txt), but can't seem to figure it out.

I first modified line 41 of libscalpel_test.cpp to be:

options.previewMode = TRUE;

instead of FALSE, but with this set the library still carves the files out to disk after pass 1.

I then modified libscalpel_carve_input to only call digimagefile by commenting out the block around the call to carveimagefile. This made the test program segfault.

Any help would be appreciated!

License Change -- Are you sure?

It looks like the codebase was originally GPL. Unless you've received copyright from the license holders or a different version that was under a non-copyleft license, I'm pretty sure your derivative work must also be under the GPL. Please clarify how you were able to make this change.

Scalpel doesn't find images that Photorec does?

So, I've done a pass on a drive that found some of my images in photorec.

I made sure the headers of these recovered images were the same as JPG in scalpel's conf, and they were. I also made sure the min:max filesize was more than large enough to cover the image size.

Even after this, Scalpel cannot find the same images that I've recovered; why is this? It finds some that photorec doesn't, but not the right size; they are all probably thumbnails or caches.

Release Tarball

When scalpel's previous maintainers went away it lost homebrew support and I would love to get it going again. I've already got the formula built. The only thing I'm missing is a tarball release of scalpel, which I wasn't able to find here or on TSK homepage.

An easy fix would be to enable a release.

After bootstrap

Dear Scalpel author,

I tried to install scalpel on an RHEL 7.9 server. After git cloning the package, I followed the readme and ran
$ ./bootstrap

I found the directory autom4te.cache created, but with one file 'request' of zero size. It did not update after 10-15 minutes, so I used control-C to terminate the process. I also tried different versions of gcc and cmake, no luck.

Any suggestion?

scalpel crashed when disk is full

Hi,
Indeed the error message printed was incorrect, and indeed the target drive was full. Although it seems the error message cannot be improved, the application should not crash:

# scalpel -o /mnt/foo/scalpel /mnt/foo/dm-3.raw
...
Work queues built.  Workload:
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 1471 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x00\x3b" --> 33065 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 92280 files
png with header "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a" and footer "\x00\x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82" --> 492546 files
tif with header "\x49\x49\x2a\x00" and footer "" --> 90819 files
tif with header "\x4D\x4D\x00\x2A" and footer "" --> 83839 files
avi with header "RIFF????AVI" and footer "" --> 2131 files
mpg with header "\x00\x00\x01\xba" and footer "\x00\x00\x01\xb9" --> 207682 files
mpg with header "\x00\x00\x01\xb3" and footer "\x00\x00\x01\xb7" --> 169385 files
fws with header "FWS" and footer "" --> 474499 files
wav with header "RIFF????WAVE" and footer "" --> 2440 files
doc with header "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00" and footer "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00" --> 4349 files
doc with header "\xd0\xcf\x11\xe0\xa1\xb1" and footer "" --> 4616 files
pst with header "\x21\x42\x4e\xa5\x6f\xb5\xa6" and footer "" --> 0 files
ost with header "\x21\x42\x44\x4e" and footer "" --> 556 files
dbx with header "\xcf\xad\x12\xfe\xc5\xfd\x74\x6f" and footer "" --> 14 files
idx with header "\x4a\x4d\x46\x39" and footer "" --> 2563 files
mbx with header "\x4a\x4d\x46\x36" and footer "" --> 2589 files
htm with header "<html" and footer "</html>" --> 100205 files
pdf with header "%PDF" and footer "%EOF\x0d" --> 3855 files
pdf with header "%PDF" and footer "%EOF\x0a" --> 4295 files
zip with header "PK\x03\x04" and footer "\x3c\xac" --> 1363443 files
java with header "\xca\xfe\xba\xbe" and footer "" --> 219551 files
tgz with header "\x1f\x8b\x08\x08" and footer "" --> 20982 files
ogg with header "x4fx67x67x53x00x02" and footer "x4fx67x67x53x00x02" --> 0 files
Carving files from image.
Image file pass 2/2.
/mnt/foo/dm-3.raw:   9.3% |****************                                                                                                                                                                      |  166.2 GB --:--ETA
Error writing to file: /mnt/foo/scalpel/tif-4-7/00626367.tif -- Operation not permitted
Scalpel was unable to write output files and will abort.
This error generally indicates that disk space is exhausted.
Error carving file Scalpel was unable to write output files and will abort.
This error generally indicates that disk space is exhausted.


Opening target "/mnt/foo/dm-3.raw"

Segmentation fault (core dumped)

I added a newline before the Error writing to file message so it appears visible, but the \n should be added into the source code. The binary has no debug symbols, so the 2GB core dump file was not helpful.

Indeed, next time I should figure out the config file and enable recovery of only jpg files. The runtime help is too difficult to understand:

# scalpel -h
Scalpel version 2.1
Written by Golden G. Richard III and Lodovico Marziale.
Scalpel carves files or data fragments from a disk image based on a set of
file carving patterns, which include headers, footers, and other information.

Usage: scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>]
[-n] [-o <outputdir>] [-O] [-p] [-q <clustersize>] [-r]
[-v] [-V] <imgfile> [<imgfile>] ...

Options:
-b  Carve files even if defined footers aren't discovered within
    maximum carve size for file type [foremost 0.69 compat mode].
-c  Choose configuration file.
-d  Generate header/footer database; will bypass certain optimizations
    and discover all footers, so performance suffers.  Doesn't affect
    the set of files carved.  **EXPERIMENTAL**
-e  Do nested header/footer matching, to deal with structured files that may
    contain embedded files of the same type.  Applicable only to
    FORWARD / NEXT patterns.
-h  Print this help message and exit.
-i  Read names of disk images from specified file.  Note that minimal parsing of
    the pathnames is performed and they should be formatted to be compliant C
    strings; e.g., under Windows, backslashes must be properly quoted, etc.
-n  Don't add extensions to extracted files.
-o  Set output directory for carved files.
-O  Don't organize carved files by type. Default is to organize carved files
    into subdirectories.
-p  Perform image file preview; audit log indicates which files
    would have been carved, but no files are actually carved.  Useful for
    indexing file or data fragment locations or supporting in-place file
    carving.
-q  Carve only when header is cluster-aligned.
-r  Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-V  Print copyright information and exit.
-v  Verbose mode.
#
