nbah07
September 24, 2020, 4:24pm
1
Good day team Sleuthkit, I can’t run scalpel in a backup.img (dd a external USB HDD 320GB) because it always “skips” on 83.1% mark with the following verbose stdout. It “drops” either in a live-usb Backbox Linux (scalpel 1.60-8) or frugal with persistence AntiX Linux (scalpel 1.60-6 and github build’s 2.1). I could run the same img with foremost which succeeded carving files. Please advise me if scalpel is OFF-TOPIC or whatever more appropriate routes I should follow to get the desired file recovery.
Scalpel version 2.1 audit file
Output directory: /home/u/scalpeddua
/media/usbhdd/backup.img: 83.1% |**** | 247.3 GB 1:48:29 ETA
#------ BEGIN COPY OF CONFIG FILE USED ------#_ Scalpel configuration file#_ #_ case size header footer#extension sensitive #_ #--------------------------------------------------------------------- #_ EXAMPLE WITH NO SUFFIX#--------------------------------------------------------------------- #_ #_ Here is an example of how to use the no extension option. Any files#_ beginning with the string “FOREMOST” are carved and no file extensions#_ are used. No footer is defined and the max carve size is 1000 bytes.#_ #_ NONE y 1000 FOREMOST#_