Scalpel: (Filesystem Recovery Tool) Recover Deleted Files in Linux
Scalpel system recovery tool deleted files and folders in Linux. This tool is used to recover data from the system; it is an open source tool for Linux operating systems. For the recovery of deleted data is an updated first fork, although faster and more efficient in tracking and searching file patterns.
To install it we can go to a terminal window and write the following code:
sudo apt-get install scalpel
Next, we will have to configure Scalpel for it we can locate the file of installation by means of the following command:
whereis scalpel
Next we open the file with a text editor such as nano or vi. By default, all the lines of the expressions are commented with # in the configuration file. In the scalpel.conf configuration file, there are some lines that contain the types of files that we can recover. For example jpg, png, doc, etc.
Here we uncomment the file extensions that we want Scalpel to search for, otherwise the files will be ignored.
An important step, if we find an error when executing, we must manually create the / et / scalpel folder and copy the scalpel.conf file .
Then we execute scalpel from your folder, indicate the folder where the recovered files are saved.
scalpel -c /etc/scalpel/scalpel.conf /dev/sda -o test
Scalpel will start the scanning process and depending on the disk space or device you are trying to scan and recover, so it can take a long time to recover the deleted files.
If we want to recover data from a pendrive or an external device, we must know what the partition is with the fdsik command , if it is a flash drive or flash memory, it will usually be located as a sdb partition.
scalpel -c /etc/scalpel/scalpel.conf /dev/sdb -o recu
Inside the folder it is saved in a file called audit.txt that contains information about the whole process and the recovered files.
We can see in this case that png files have been recovered from the pendrive and we have them available in the folder we call recu. One of the utilities of Scalpel is to copy the contents of a broken external USB device or with faults and create an img or dd disk image, so then we can see it from other software or mount it, the code to generate the disk image is the following:
scalpel -c -c /etc/scalpel/scalpel.conf /dev/sdb -o recovered.dd
Scalpel is ideal for working on Centos server to recover files from the terminal window remotely. Scalpel works on other server-oriented Linux distributions, including:
- Red Hat
- Fedora
- Debian
One of the disadvantages that Scalpel has is that you have to know very well how is the structure of a disk or a storage device and the commands to manage their partitions, in addition to how the file system works.
Each deleted file remains somewhere on your hard drive. being the operating system which keeps a pointer to the list of blocks of the storage device that contains the data of the files,
Normally in Windows we have many very simple tools to use as Recuva that is used for recovering lost data, but in Linux only a few if we want to use it at server level with security.
Scalpel runs through the entire hard drive, works very well with external storage devices and recovers lost files according to regular expressions which makes it very versatile.
