Tuesday, November 5, 2013

Scalpel: Data Recovery From Byte Strings

In digital forensics, file carving is an essential process. It is a technique in which the investigator uses a database of file headers and footers, which are fixed byte strings. For example, if you have 5 JPEG files, all 5 will begin with the same header byte string and end with the same footer byte string, so the tool carves data by searching for those byte strings. This is an advanced tool because it can carve a file even after its filesystem metadata has been removed.

Design of Scalpel
It is a high-performance file carving utility designed around 2 principles.
1.    Economical yet flexible: the tool is designed so that it can run on any machine, even one still using an ancient Pentium II processor with 256 MB of RAM or less. It also runs on Knoppix, Helix or any other Linux system, and it can recover files of any large size.

2.    Time complexity: I keep using the phrase "high performance" because when we talk about high performance, we always consider quality along with time. This tool carves files quickly without compromising the quality of the carving.

Scalpel in Action (Working Flow)
STARTSTOPCARVE: the actual file carving starts here. It opens a file, writes some portion of the file to it and closes it.
CONTINUECARVE: the entire chunk is taken and written, and the file remains open throughout this operation.
STOPCARVE: after writing the last few portions of the chunk, it closes the file.

Scalpel Practical
Once you download the scalpel .rpm file, install it with the command below. I am using CentOS 6 here.

rpm -Uvh scalpel-2.0-1.el6.i686.rpm

As you can see from the pic, we got an error telling us about missing libraries. If you face this problem, do not panic; I have provided a solution here. All we need to do is install the missing library, and the command to do so is as follows:

yum install libQtGui.so.4

As you can see in the pics below, the installation continues. It checks the dependencies and installs all the required packages along with our library.
Now I will look at the directory to see what we have got, using a simple ls command.

Now we will try to install scalpel again with the same command as before.

After a successful installation, let's run the scalpel command and check whether it is working.

After installation we need to configure scalpel's conf file. By default it ships with scalpel.conf, which lists file extensions together with their header and footer byte strings. The configuration file is located at /etc/scalpel.conf.

First, we will back up this file with the following command.

cp /etc/scalpel.conf /etc/scalpel_backup.conf

Now we will compare the two files. The left file is the one I edited and the right one is the backup, i.e. the default file. As you can clearly see from the pic, the default configuration file has every entry commented out. So I uncommented some file types that I want to recover from my system; mostly I uncommented (selected) graphics files.

On the left side you will see byte strings such as:

\xff\xd8\xff\xe0\x00\x10        \xff\xd9  => Byte string header footer pattern for all JPG files.

The left byte string is the header and the right one is the footer.

Before moving forward, let's do a small practical comparison of this byte string with the bytes of a real JPG image file.

To do so I use a very good utility called HxD, a hex editor. I will open one JPG image file in it, and you will notice that the starting and ending bytes (header and footer) are the same in both files and also identical to scalpel's config file.
So here is the first file's hex information.

As you can see, the low-level byte information (header and footer) is identical to the configuration file (scalpel.conf) that we are using for file carving. This means the header and footer signature of every JPEG file is identical, so we can say it is the general signature of all JPG files.
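To make the header/footer idea concrete, here is an added example in Python (it is not code from the original post or from Scalpel itself). It parses one line written in scalpel.conf's format (extension, case-sensitivity flag, maximum carve size, header, footer), using the JPG byte strings from above, and carves JPGs out of a constructed byte image the way a header/footer carver walks a partition, including the maximum-size bound that applies when no footer is found. The conf line, the sample image and all function names are assumptions made for the example.

```python
# Constructed scalpel.conf-style line (extension, case flag, max carve size in
# bytes, header, footer). The header/footer are the JPG pair from the text.
CONF_LINE = r"jpg y 200000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9"


def unescape(pattern):
    """Turn a conf-file pattern written with hex escapes into the raw bytes it denotes."""
    return pattern.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_conf_line(line):
    """Return (ext, max_size, header, footer) for one uncommented conf line."""
    ext, _case, max_size, header, footer = line.split()
    return ext, int(max_size), unescape(header), unescape(footer)


def carve(image, header, footer, max_size):
    """Header/footer carving over a raw byte image; returns (offset, data) pairs.

    For every header hit, take bytes up to and including the first footer that
    follows it, never more than max_size bytes. A header with no footer in range
    is carved as a window of at most max_size bytes. Caveat: a footer pattern
    inside the file body (e.g. an embedded thumbnail's own end marker) truncates
    the carve, because header/footer carving cannot tell the two apart.
    """
    found, pos = [], 0
    while (start := image.find(header, pos)) >= 0:
        limit = min(len(image), start + max_size)
        end = image.find(footer, start + len(header), limit)
        chunk = image[start:limit] if end < 0 else image[start:end + len(footer)]
        found.append((start, chunk))
        pos = start + len(header)  # keep scanning after this header
    return found


def fake_jpeg(payload):
    """Constructed stand-in for a JPG: real header and footer around dummy data."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF" + payload + b"\xff\xd9"


# Constructed "partition image": two intact JPGs among unrelated bytes, plus a
# truncated JPG at the end that has a header but never reaches its footer.
IMAGE = (b"\x00" * 16 + fake_jpeg(b"A" * 40) + b"slack" * 5
         + fake_jpeg(b"B" * 30) + b"\x00" * 8
         + b"\xff\xd8\xff\xe0\x00\x10" + b"C" * 10)


def carve_image(image=IMAGE, conf_line=CONF_LINE):
    """Apply one conf line to an image; returns (offset, ext, data) triples."""
    ext, max_size, header, footer = parse_conf_line(conf_line)
    return [(off, ext, data) for off, data in carve(image, header, footer, max_size)]
```

Each carved entry can be written out as a file named after its offset and extension, which is the same information a carver's audit log records.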

Now we will move forward and use scalpel to carve graphics files, including JPG. Before that, suppose a scenario in which you inserted a pen drive into your Linux system and you do not know which device name has been assigned to it. You can simply use the mount command to list all mounted drives and partitions.

Now I am going to select the /dev/sda1 partition to open and run the file carving process on. The command to run scalpel is pretty simple:
scalpel /dev/sda1 -o RCVR_DATA2

Here, -o specifies the output directory, which is created in the /etc/ folder by default. So here are the mount command and the scalpel result together.

As you can see, scalpel first opens the target, then allocates a queue to each task as we discussed in the theory part, and then starts checking for each file's header and footer information in order to carve the lost files.

I am doing this demo on a freshly installed CentOS, so I did not delete any JPGs; it is just for you to understand the process. Once the task is done, if you want to see which data was recovered you can go to the /etc/ folder and you will find your recovered data there. In my case the folder name is "RCVR_DATA2".

As you can see, like a log file it has also generated an audit.txt file summarizing the whole process. That is how you can recover lost files from your Linux systems.

Forensics investigators use this to recover data from Linux systems.

