Blue Team Toolkit
  • 👊Welcome!
  • application-security
    • Application Security
  • DFIR Toolkit
  • Incident Response
    • Containment, Eradication, and Recovery
    • Network Analysis
    • MITRE ATT&CK Framework
    • post-incident
    • preparation
  • network-hardening
    • Basic Network Tools
    • Basic Port Info
    • NMAP
    • Wireshark
  • Phishing Analysis
    • Basic Email Info
    • Email Headers
  • reversing
    • gdb
    • reversing
  • Security Information and Event Monitoring
    • DeepBlueCLI
    • Linux Log Analysis
    • Log Review Approach
    • Network Device Log Analysis
    • Other Tools
    • SIFT Workstation
    • Splunk
    • Syslog
    • Sysmon
    • Web Server Log Analysis
    • Windows Log Analysis
  • Systems Forensics
    • Autopsy
    • Basic File Metadata
    • Browser History Capturer
    • Browser History Viewer
    • Digital Evidence Handling
    • Exiftool
    • File Hashing
    • File Systems
    • forensics-workstation
    • FTK Imager
    • John the Ripper
    • JumpList Explorer
    • KAPE
    • Linux Artifacts
    • Memory File Analysis
    • Prefetch Explorer Command Tool PECmd.exe
    • Scalpel
    • Steghide
    • Sysinternals
    • Volatility
    • Windows Artifacts
    • Windows File Analyzer
    • YARA
  • systems-hardening
    • Active Directory Hardening
    • linux-hardening
    • windows-hardening
Powered by GitBook
On this page
  1. Systems Forensics

Scalpel

PreviousPrefetch Explorer Command Tool PECmd.exeNextSteghide

Last updated 2 years ago

  • Description: used to retrieve deleted files from .img files by using file carving

  • Linux installation: sudo apt-get install scalpel

  • Usage

    • Edit scalpel.conf to uncomment the type of files hoping to get from an .img file by doing one of the following

      • Manually edit the file by using the GUI to navigate to: /etc/scalpel/scalpel.conf and uncomment relevent file types

      • Use vim or nano sudo nano /etc/scalpel/scalpel.conf and uncomment relevent file types

      • Create a copy of the /etc/scalpel/scalpel.conf, uncomment relevent file types, and then specify that file when using scalpel by using: scalpel -c /path/to/new/conf.conf

    • Create an empty output directory

    • Run command: scalpel -b -o /empty/output/directory DiskImage.img

      • Example: scalpel -b -o /root/Desktop/ScalpelOutput DiskImage1.img

    • Note: scalpel can be configured to search for document types with custom headers and footers by editing the configuration file:

      • Example for files with "BTL1" header and "1LTB" footer: create a new line on the .conf file with txt y 10000 BTL1 1LTB

      • To show strings from a recovered file: strings path\to\txt

  • Resources

  • [https://linux.die.net/man/1/scalpel](Scalpel Man Page)

Kali Tool Description
Scalpel Guide