Phenquestions
This article describes some of the most popular available File Carving Tools for Linux including PhotoRec, Scalpel, Bulk Extractor with Record Carving, Foremost and TestDisk.
PhotoRec Carving Tool
Photorec allows you to recover media, documents and files from hard drives, optical disks or camera memories. PhotoRec tries to find the file data block from the superblock for Linux filesystems or from the volume boot record for WIndows filesystems. If not possible the software will check block by block comparing it with a PhotoRec's database. It checks for all blocks while other tools only check for the start or end of a header, that's why PhotoRec's performance isn't the best one when compared with tools using different carving methods like block header search, yet PhotoRec is perhaps the file carving tool with better results in this list, if time isn't a problem PhotoRec is the first recommendation.
If PhotoRec manages to gather the file size from the file header it will compare the result of recovered files with the header discarding incomplete files. Yet PhotoRec will leave partial recovered files when possible, for example in the case of media files.
PhotoRec is Open Source and it is available for Linux, DOS, Windows and MacOS, you can download it for free from its official website at https://www.cgsecurity.org/.
Scalpel Carving Tool:
Scalpel is another alternative for file carving available for both Linux and Windows OS. Scalpel is part of The Sleuth Kit described at Live Forensic Tools article. It is faster than PhotoRec and it is among the faster file carving tools but without the same performance of PhotoRec. It searches on header and footers blocks or clusters. Among its features there are multithreading for multicore CPUs, asynchronous I/O increasing performance. Scalpel is used both in professional forensics and data recovery, it is compatible with all filesystems.
You can get Scalpel for carving files by running in the terminal:
# git clone https://github.com/sleuthkit/scalpel.git
Enter the installation directory with the command cd (Change Directory):
# cd scalpel
To install it run:
# ./bootstrap# ./configure
# make
On Debian based Linux distributions such as Ubuntu or Kali you can install scalpel from the apt package manager by running:
# sudo apt install scalpelConfiguration files may be at /etc/scalpel/scalpel.conf' or /etc/scalpel.conf depending on your Linux distribution. You can find Scalpel options in the man page or online at https://linux.die.net/man/1/scalpel.
In conclusion Scalpel is faster than PhotoRect which has bette results when recovering files, the next tool is BulkExtractor With Record Carving.
Bulk Extractor with Record Carving Tool:
Like the tools previously mentioned Bulk Extractor with Record Carving is multi thread, it is an enhancement of the previous version “Bulk Extractor”. It allows to recover any kind of data from filesystems, disks and memory dump. Bulk Extractor with Record Carving can be used to develop other file recovery scanners. It supports additional plugins which can be used for carving, yet not for parsing. This tool is available both in text mode to be used from terminal and a graphical user friendly interface.
Bulk Extractor with Record Carving can be downloaded from its official website at https://www.kazamiya.net/en/bulk_extractor-rec.
Foremost Carving Tool:
Foremost is perhaps, together with PhotoRect one of the most popular carving tools available for Linux and in the market in general, a curiosity is it was initially developed by the US Air Force. Foremost has a faster performance when compared with PhotoRect but PhotoRec is better recovering files. There is no graphical environment forForemost, it is used from the terminal and searches on headers, footers and data structure. It is compatible with images of other tools such as dd or Encase for Windows.
Foremost supports any type of file carving including jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp. Foremost comes by default in Forensic distributions and security oriented like Kali Linux with a suite for Forensic tools.
On debian systems Foremost can be installed using the APT package manager, on Debian or based Linux distribution run:
# sudo apt install foremost
Once installed check the man page for available options or check online at https://linux.die.net/man/1/foremost.
Despite being a text mode program Foremost is simple to use for file carving.
TestDisk:
TestDisk is part of PhotoRec, it can fix and recover partitions, FAT32 boot sectors, it can also fix NTFS and Linux ext2,ext3,ext3 filesystems and restore files from all these partition types. TestDisk can be used both by experts and new users making recovering files process easy for domestic users, it is available for Linux, Unix (BSD and OS), MacOS, Microsoft Windows in all its versions and DOS.
TestDisk can be downloaded from its official website (PhotoRec's one) at https://www.cgsecurity.org/wiki/TestDisk.
PhotoRect has a testing environment for you to practise file carving, you can access at https://www.cgsecurity.org/wiki/TestDisk_and_PhotoRec_in_various_digital_forensics_testcase#Test_your_knowledge.
Most of tools listed above are included in most popular Linux distributions focused on computer forensics such as Deft/Deft Zero live forensic tool, CAINE live forensic tool and probably on Santoku live forensic too, check this list for more information https://linuxhint.com/live_forensics_tools/.
I hope you found this tutorial on File Carving Tools useful. Keep following LinuxHint for more tips and updates on Linux and networking.
