Scalpel Mac Os X Install

Scalpel on MacOS Sierra, November 23, 2016 / Lynsay / 0 Comments: Recently, I've been exploring mobile forensics and I wanted to install Scalpel on my new Mac; however, I encountered a few difficulties along the way.

On a Mac with MacPorts, Foremost can be installed directly:

$ sudo port install foremost

Scalpel is a tool based on Foremost and performs much faster analysis.

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Deleted data is often recoverable because deleting a file normally removes only its directory entry and marks its blocks as free; the contents stay on the disk until those blocks are overwritten.

Nowadays many tools are available for recovering lost data. Two of the most popular are Scalpel and Foremost.

In this article, let’s see how to recover lost data using these tools.

1. Scalpel

Scalpel is an open source file carver that runs on Linux, Mac OS X and Windows. It was originally based on Foremost but is significantly more efficient. Rather than relying on file system metadata, it reads the raw bytes of a device or image and looks for the header and footer byte sequences of the file types enabled in its configuration file, so it can recover deleted files whose directory entries are gone, as well as files from damaged or unknown file systems.

Installation

>> From source code :

To compile from source, the TRE regular-expression library must be installed first. TRE can be downloaded from http://laurikari.net/tre/download/
The Scalpel source code is available at: https://github.com/machn1k/Scalpel-2.0

1. First install TRE (the final step writes to /usr/local and needs root)

tar -xzvf tre-0.8.0.tar.gz
cd tre-0.8.0
./configure
make
sudo make install


2. Now compile and install Scalpel

unzip Scalpel-2.0-master.zip
cd Scalpel-2.0-master
./configure
make
sudo make install

>> From yum repository

Follow the below steps in order to install Scalpel from yum repo :

# yum install scalpel

Sample Output :

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.01link.hk
* epel: mirror.nus.edu.sg
* epel-source: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package scalpel.i686 0:2.0-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved


Package Arch Version Repository Size

scalpel i686 2.0-1.el6 epel 50 k

Transaction Summary

Install 1 Package(s)

Total download size: 50 k
Installed size: 108 k
Is this ok [y/N]: y
Downloading Packages:
scalpel-2.0-1.el6.i686.rpm | 50 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : scalpel-2.0-1.el6.i686 1/1
Verifying : scalpel-2.0-1.el6.i686 1/1

Installed:
scalpel.i686 0:2.0-1.el6

Complete!

Configuration

By default, every file-type line in the configuration file is commented out with #.
scalpel.conf contains one line per recoverable file type (for example gpg, doc, avi, jpg), each giving the extension, whether the search is case-sensitive, the maximum size to carve, and the header and footer byte sequences. Before running Scalpel, uncomment the file types you need to recover; with nothing uncommented, Scalpel has nothing to carve.

We just need to remove the # sign from the beginning of these lines in order to uncomment them.

# vi /etc/scalpel/scalpel.conf (uncomment the file format that needs to be recovered)

After that, run Scalpel as root (reading a raw block device requires it):

# scalpel /dev/sda1 -o /home/digit/RECOVERY/

=> /dev/sda1 is the device that held the deleted files. Carving a forensic image (a dd copy) of the device is preferable to carving the live device: the device must not be mounted read-write while it is scanned, and an image can be hashed before and after the run to show that nothing was changed.
=> /home/digit/RECOVERY is the directory that will hold the recovered files. It must be on a different disk or partition from the one being carved; otherwise the carved output is written over the very unallocated blocks you are trying to recover.
=> The ‘-o‘ switch names that output directory. Make sure the directory is empty before running the command, otherwise Scalpel exits with an error. If the configuration file is not in the default location, pass it explicitly with -c /path/to/scalpel.conf.


Scalpel now scans the device. Depending on the size of the device and the number of file types enabled, the run can take a long time. Recovered files are written under the output directory in one subdirectory per file type, together with an audit.txt that lists every carved file and the offset it was found at.
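The configuration and pre-run checks above, as an added example (not code from the original page or from the Scalpel project): the script uncomments a file type in a scalpel.conf-style file, refuses a missing or non-empty output directory, warns when the output directory sits on the same filesystem as an image file, and hashes the image before and after the run so the carve can be shown to have been read-only. The work directory, the 64 KiB disk.img and the three configuration lines are constructed for the demo (they mirror the column layout of the shipped scalpel.conf); scalpel itself is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Scalpel project.
# All paths (mktemp work dir, disk.img) and the sample conf lines are constructed.
set -u

# Uncomment every rule for one file type. Rules look like
#   "#<TAB>jpg<TAB>y<TAB>200000000<TAB>\xff\xd8\xff\xe1<TAB>\xff\xd9"
# and a rule is enabled by deleting the leading "#" and any blanks after it.
enable_type() {
    conf=$1; type=$2
    sed "s/^#[[:space:]]*\(${type}[[:space:]]\)/\1/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Number of active rules: lines that start with an extension rather than "#".
# Zero means the run would carve nothing.
enabled_rules() {
    grep -c '^[[:alnum:]]' "$1" || true
}

# Scalpel refuses a non-empty output directory. Also warn when the output
# directory shares a filesystem with an image file: carved data written there
# can overwrite unallocated blocks that have not been scanned yet.
check_outdir() {
    outdir=$1; source=$2
    [ -d "$outdir" ] || { echo "error: $outdir does not exist" >&2; return 1; }
    [ -z "$(ls -A "$outdir")" ] || { echo "error: $outdir is not empty" >&2; return 1; }
    src_fs=$(df -P "$source" | awk 'NR == 2 { print $1 }')
    out_fs=$(df -P "$outdir" | awk 'NR == 2 { print $1 }')
    [ "$src_fs" != "$out_fs" ] ||
        echo "warning: $outdir is on the same filesystem ($src_fs) as $source" >&2
    return 0
}

# sha256sum is GNU coreutils; shasum covers macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Carve an image with an explicit config and output dir, hashing the image
# before and after. Prints the image hash on success, returns 1 on any failure.
carve() {
    image=$1; conf=$2; outdir=$3
    check_outdir "$outdir" "$image" || return 1
    [ "$(enabled_rules "$conf")" -gt 0 ] || { echo "error: no rules enabled in $conf" >&2; return 1; }
    before=$(hash_file "$image")
    if command -v scalpel >/dev/null 2>&1; then
        scalpel -c "$conf" -o "$outdir" "$image"
    else
        echo "scalpel not installed; checks done, carve skipped" >&2
    fi
    after=$(hash_file "$image")
    [ "$before" = "$after" ] || { echo "error: $image changed during the run" >&2; return 1; }
    echo "$before"
}

# Demo on constructed data: a three-rule conf with everything commented out,
# and a zero-filled image with a tiny JPEG-like fragment at offset 4096.
work=$(mktemp -d)
conf="$work/scalpel.conf"
{
    printf '#\tgif\ty\t5000000\t\\x47\\x49\\x46\\x38\\x37\\x61\t\\x00\\x3b\n'
    printf '#\tjpg\ty\t200000000\t\\xff\\xd8\\xff\\xe0\\x00\\x10\t\\xff\\xd9\n'
    printf '#\tjpg\ty\t200000000\t\\xff\\xd8\\xff\\xe1\t\\xff\\xd9\n'
} > "$conf"
enable_type "$conf" jpg
dd if=/dev/zero of="$work/disk.img" bs=1024 count=64 2>/dev/null
printf '\377\330\377\341JFIF constructed payload\377\331' |
    dd of="$work/disk.img" bs=1 seek=4096 conv=notrunc 2>/dev/null
mkdir "$work/out"
carve "$work/disk.img" "$conf" "$work/out"
```

Run it as root when the source is a real block device; for an image file the hash comparison is the evidence that the carve did not touch the source, and the same-filesystem warning is the reminder to keep the recovery directory off the disk being recovered.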

2. Foremost

Foremost is a command-line file carver that recovers files from raw devices or disk images by their header and footer signatures, independently of the file system they were formatted with (FAT, ext3 and NTFS are the common cases). It has many built-in file signatures for fast recovery (e.g. jpg, zip, rar).

Installation

>> From source code :

The source code is available on the Foremost Sourceforge page: http://foremost.sourceforge.net/

Extract the archive and proceed with installation following the below steps :

# tar -xvzf foremost-1.5.7.tar.gz
# cd foremost-1.5.7

Before installation, open the Makefile and look for the following two lines (this assumes Foremost 1.5.7 on Mac OS X 10.8):

macinstall: MAN = /usr/share/man/man1/
macuninstall: MAN = /usr/share/man/man1

Substitute “man8” for “man1” in both lines.

Now the tool can be compiled and installed using the Mac targets:
# make mac
# make macinstall

>> From a package repository :

Mac

apt-get is the Debian/Ubuntu package manager and does not exist on Mac OS X. On a Mac, install the packaged Foremost from MacPorts or Homebrew instead:

$ sudo port install foremost
$ brew install foremost

Debian/Ubuntu

# apt-get install foremost

Take a look at ‘man foremost’ to learn how to use Foremost.

The configuration file installed by a source build is located in:
/usr/local/etc/foremost.conf
(distribution packages usually place it at /etc/foremost.conf)

This file is loaded automatically unless you specify another one with the -c switch. By default everything in it is commented out, so Foremost searches only for the built-in types you select with -t.

Let's now recover a file (a jpg in this example) with Foremost:

First, make an empty, writable directory for the recovered files on a partition other than the one being recovered (here /home/digit/RECOVERY/), then run Foremost against the partition, /dev/sda5 in this example:

# foremost -t jpg -i /dev/sda5 -o /home/digit/RECOVERY/

Because Foremost runs as root, the recovered files are owned by root. Give your own user ownership of the recovery directory so you can view the images:

# chown -R YOUR_USER_NAME /home/digit/RECOVERY

Some important Foremost command line arguments:

-i : partition or image file to carve
-o : directory to store the recovered files (must be empty or not yet exist)
-t : built-in file types to carve; give several by separating them with commas (e.g. for jpg and pdf: -t jpg,pdf)
-c : configuration file to use instead of the default
-q : quick mode; headers are only searched for on 512-byte boundaries, which is faster but misses files that start mid-block
-T : add a timestamp to the output directory name so repeated runs do not collide

The output directory also contains an audit.txt file summarising what Foremost did: the invocation, and for every carved file its name, size and offset in the source. Keep it with the recovered files; it is the record of where each file came from.
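Carving by signature produces false positives and truncated files, so the recovered set should be checked before anything is reported. The following is an added example (not code from the original page or from the Foremost project): it re-checks every carved jpg against the same markers the carver cut on (SOI ff d8 ff at the start, EOI ff d9 at the end), writes a SHA-256 manifest of the plausible ones, and prints the good/suspect counts for reconciliation with audit.txt. The recovery directory and the three "carved" files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Foremost project.
# The recovery directory and the three carved files below are constructed.
set -u

# Hex of the first/last N bytes of a file via POSIX od, so the check behaves
# the same on Linux and macOS.
head_hex() { head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }
tail_hex() { tail -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'; }

# A carved jpg is plausible only if it starts with SOI and ends with EOI.
# A hit without EOI was cut off by the size limit; a file whose head is not
# ff d8 ff came from a stray footer match and never was a JPEG.
is_jpeg() {
    [ "$(head_hex "$1" 3)" = "ffd8ff" ] && [ "$(tail_hex "$1" 2)" = "ffd9" ]
}

# sha256sum is GNU coreutils; shasum covers macOS.
hash_line() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# Foremost writes one subdirectory per type (jpg/, pdf/, ...) beside
# audit.txt. Classify every jpg, write a hash manifest of the good ones,
# and print "<good> <suspect>".
triage_jpgs() {
    dir=$1; manifest=$2; good=0; suspect=0
    : > "$manifest"
    for f in "$dir"/jpg/*.jpg; do
        [ -f "$f" ] || continue
        if is_jpeg "$f"; then
            good=$((good + 1))
            hash_line "$f" >> "$manifest"
        else
            suspect=$((suspect + 1))
            echo "suspect: $f" >&2
        fi
    done
    echo "$good $suspect"
}

# Demo: a constructed recovery directory with one valid carve, one carve
# truncated before its footer, and one false positive that ends in ff d9
# but never had a JPEG header.
work=$(mktemp -d)
mkdir "$work/jpg"
printf '\377\330\377\340JFIF constructed payload\377\331' > "$work/jpg/00000008.jpg"
printf '\377\330\377\340JFIF cut off by size limit'      > "$work/jpg/00000016.jpg"
printf 'plain text that happens to end in \377\331'     > "$work/jpg/00000024.jpg"
triage_jpgs "$work" "$work/manifest.sha256"
cat "$work/manifest.sha256"
```

The marker test is deliberately the same rule the carver applied, which is the point: a carver only promises that the bytes between a header and a footer were copied out, not that they form one intact file, and the hash manifest is what ties each surviving file to the evidence record later.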


This is a brief tutorial on the installation and use of Scalpel on OS X.

Scalpel Mac Os X Installation

  • The first thing to do is to download the TRE (regex) library (here)
  • Open your Downloads folder in a terminal and type:

sudo port install automake

Make sure you choose automake rather than automake17.

Followed by these instructions


install