Forensicsfile carvingfile recoverydigital forensicsdisk imageheader footer

Scalpel

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from image files or raw device files. It is filesystem-independent and supports carving from various filesystems like FAT, NTFS, Ext, and more.

Description

Scalpel is a complete rewrite of the Foremost 0.69 file carver, designed for digital forensics investigations and file recovery. It operates independently of the filesystem, enabling it to carve files from FAT16, FAT32, exFAT, NTFS, Ext2, Ext3, Ext4, JFS, XFS, ReiserFS, raw partitions, and others.

The tool uses a database of header and footer definitions to identify and extract files from disk images or raw devices. This makes it particularly useful in scenarios where filesystem metadata is damaged or unavailable, such as in forensic analysis of compromised or corrupted storage media.

Scalpel offers compatibility modes with Foremost and experimental features for advanced carving control, block mapping, and performance optimization.

How It Works

Scalpel reads a configuration file containing header and footer definitions for various file types. It scans disk images or raw device files for matching headers, then searches for corresponding footers within a maximum carve size. Files are extracted when headers and footers match, bypassing filesystem structures entirely. Options like cluster alignment, blockmaps, and foremost compatibility modes adjust the carving behavior for precision or speed.

Installation

bash

sudo apt install scalpel

Flags

-bCarve files even if defined footers aren't discovered within maximum carve size for file type [foremost 0.69 compat mode].

-cChoose configuration file.

-dGenerate header/footer database; will bypass certain optimizations and discover all footers, so performance suffers. Doesn't affect the set of files carved. **EXPERIMENTAL**

-hPrint this help message and exit.

-iRead names of disk images from specified file.

-mGenerate/update carve coverage blockmap file. The first 32bit unsigned int in the file identifies the block size. Thereafter each 32bit unsigned int entry in the blockmap file corresponds to one block in the image file. Each entry counts how many carved files contain this block. Requires more memory and disk. **EXPERIMENTAL**

-nDon't add extensions to extracted files.

-oSet output directory for carved files.

-ODon't organize carved files by type. Default is to organize carved files into subdirectories.

-pPerform image file preview; audit log indicates which files would have been carved, but no files are actually carved.

-qCarve only when header is cluster-aligned.

-rFind only first of overlapping headers/footers [foremost 0.69 compat mode].

-sSkip n bytes in each disk image before carving.

-tSet directory for coverage blockmap. **EXPERIMENTAL**

-uUse carve coverage blockmap when carving. Carve only sections of the image whose entries in the blockmap are 0. These areas are treated as contiguous regions. **EXPERIMENTAL**

-VPrint copyright information and exit.

-vVerbose mode.

Examples

Display the help message and usage information for scalpel.

scalpel -h

Carve files from image.img and save them to the specified output directory.

scalpel -o /output/dir image.img

Use a custom configuration file to carve files from image.dd into the audit directory.

scalpel -c scalpel.conf -o audit image.dd

Carve files in foremost 0.69 compatibility mode, allowing carves without footers and taking only first overlapping headers.

scalpel -b -r image.img

Perform a preview of carving without extracting files, in verbose mode.

scalpel -p -v image.img

Carve files without extensions or subdirectory organization into /tmp/noext.

scalpel -n -O /tmp/noext image.img

Carve only files where headers are cluster-aligned.

scalpel -q image.img

Skip the first 1024 bytes of the image before starting carving.

scalpel -s 1024 image.img

Updated 2026-04-16kali.org ↗