
magicrescue

Magic Rescue scans block devices for known file types using magic bytes and extracts them with external programs. It serves as both an undelete utility and a tool for recovering data from corrupted drives or partitions.

Description

Magic Rescue is a file carving tool designed for forensics investigations. It scans block devices or forensic images for file types it recognizes by examining magic bytes (file patterns) in the content. As long as the file data is intact, it can recover it regardless of filesystem damage.

The tool relies on 'recipes'—configuration files containing strings and commands to identify and extract specific file types. Predefined recipes are available for formats like avi, jpeg, mp3, png, zip, and others. Users can also create custom recipes for additional file types.

The package includes three main commands: magicrescue for scanning and extraction, dupemap for duplicate elimination via checksums, and magicsort for categorizing recovered files using the file(1) utility.

How It Works

Magic Rescue examines raw data on block devices for magic bytes matching patterns defined in recipe files. When a match is found, it invokes external programs specified in the recipe to extract the file. Recipes provide identification strings and extraction commands, enabling recovery of files like AVI, JPEG, MP3, PNG, ZIP, and specialized formats such as Canon CR2 or Nikon RAW without relying on filesystem metadata.
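The scan-and-extract idea described above, as an added example (not part of the original page and not Magic Rescue's own code): a small Python carver that finds PNG signatures in a raw buffer and keeps only files whose chunk CRCs verify through IEND. The function names, the constructed sample image and the `blocksize` parameter (modelled on the idea behind `-b`) are assumptions made for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG signature (the "magic bytes")

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png() -> bytes:
    """Constructed sample: a minimal valid 1x1 grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + _chunk(b"IEND", b""))

def png_length(image: bytes, start: int):
    """Walk chunks from a signature hit; return the file length, or None if damaged."""
    pos = start + len(PNG_MAGIC)
    while pos + 12 <= len(image):
        (length,) = struct.unpack_from(">I", image, pos)
        end = pos + 12 + length          # length + type + data + CRC
        if end > len(image):
            return None                  # chunk runs past the end of the image
        (crc,) = struct.unpack_from(">I", image, end - 4)
        if zlib.crc32(image[pos + 4:end - 4]) != crc:
            return None                  # overwritten or truncated data
        if image[pos + 4:pos + 8] == b"IEND":
            return end - start
        pos = end
    return None

def carve_png(image: bytes, blocksize: int = 1):
    """Return [(offset, data)] for intact PNGs starting at a multiple of blocksize."""
    found, pos = [], image.find(PNG_MAGIC)
    while pos != -1:
        if pos % blocksize == 0:
            size = png_length(image, pos)
            if size is not None:
                found.append((pos, image[pos:pos + size]))
        pos = image.find(PNG_MAGIC, pos + 1)
    return found

def build_sample_image() -> bytes:
    """Constructed 4 KiB raw 'device' with no filesystem structures at all."""
    png, img = make_png(), bytearray(4096)
    img[512:512 + len(png)] = png        # intact, sector-aligned
    img[1000:1000 + len(png)] = png      # intact, unaligned
    img[2048:2048 + 40] = png[:40]       # signature present, data truncated
    return bytes(img)
```

`carve_png(build_sample_image())` recovers the copies at offsets 512 and 1000 and rejects the truncated one at 2048; with `blocksize=512` only the aligned copy at 512 is returned.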

Installation

bash
sudo apt install magicrescue

Flags

-b BLOCKSIZE           Only consider files starting at a multiple of BLOCKSIZE.
-d OUTPUT_DIR          Mandatory. Output directory for found files.
-r RECIPE1             Mandatory. Recipe name, file or directory.
-I FILE                Read input file names from this file ("-" for stdin).
-M MODE                Produce machine-readable output to stdout.
-O [+-=][0x]OFFSET     Resume from specified offset (hex or decimal) in the first device.
-d DATABASE            Read/write from a database on disk (for dupemap).
-I FILE                Read input file names from this file ("-" for stdin) (for dupemap).
-m MINSIZE             Exclude files below this size (for dupemap).
-M MAXSIZE             Exclude files above this size (for dupemap).

Examples

Display help for dupemap, which creates a database of file checksums to eliminate duplicates.
dupemap -h

Display help for magicrescue, showing usage for scanning devices and extracting files by magic bytes.
magicrescue -h

Categorize all files in the specified DIRECTORY using the system's file(1) utility.
magicsort DIRECTORY

Scan block device /dev/sdb for JPEG files using the jpeg-jfif recipe and save them to the /output directory.
magicrescue -d /output -r jpeg-jfif /dev/sdb

Scan /dev/sda1 for JPEG, PNG, and ZIP files using the respective recipes and extract to /output. Each recipe needs its own -r flag; any bare word after the options is treated as a device.
magicrescue -d /output -r jpeg-jfif -r png -r zip /dev/sda1

Read input file names from devices.txt, scan them together with /dev/sdc for AVI files, and output to /output.
magicrescue -I devices.txt -d /output -r avi /dev/sdc

Create a checksum database for files in /recovered/files with the scan operation, excluding those below 1kB.
dupemap -d checksums.db -m 1k scan /recovered/files

Sort and categorize all files found in /magicrescue/output by their file magic types.
magicsort /magicrescue/output

Updated 2026-04-16 | kali.org