File Recovery Tools for Digital Forensics


1. Scalpel

Recovers files from an image file or a disk (FATx, NTFS, ext2/3 ...) by matching the file signatures (header, footer ...) supplied by its database; no filesystem metadata is needed.

Scalpel: A Frugal, High Performance File Carver

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.

Notes on Platforms

Linux
The preferred platform for using Scalpel is Linux. Scalpel has small memory requirements and runs well even on machines with modest resources. For example, Scalpel will rapidly carve arbitrary-sized files on a Pentium 2 with 256MB, booting a "live" Linux distribution such as Knoppix.

Windows

Scalpel will also compile under Win32 using mingw, provided you first install the pthreads library. If you'd like to try Scalpel on Win32 without the bother of compiling it yourself, an executable and pthreads DLL are included in the distribution: just untar and go. Note that under Windows, the pthreads DLL must be present in the same directory as the Scalpel executable. Carving physical and logical devices directly under Windows (e.g., using \\.\physicaldrive0 as a target) is not supported in the current release.

Mac OS X
As of v1.53, Scalpel is supported on Mac OS X. Compile using "make bsd". As of v1.54, Scalpel supports "live" carving of block devices under Mac OS X.

All platforms
As of v1.54, Scalpel supports carving files larger than 4GB on all platforms.
As of v1.60, Scalpel supports preview carving and other new carving modes. See the distribution for details.


Downloads

Current version of Scalpel:
Scalpel 1.60 (Released 12/08/2006)
Previous versions of Scalpel:
Scalpel 1.54
Scalpel 1.53
Scalpel 1.52
Scalpel 1.51

MD5 hashes for Scalpel distributions (MD5 is no longer collision-resistant, so a matching hash rules out a corrupted download, not a deliberately substituted one, unless the hash itself was obtained from a trusted channel):

a0ad1ae3f709bb42d30ba2dee992c3b0 *scalpel-1.60.tar.gz
5315f3e737437faf3cef7da55cde2d32 *scalpel-1.54.tar.gz
626df7149175b8a1a0b8380003dadf24 *scalpel-1.53.tar.gz
cb54d87d54a0fa4721d13ba4f6076491 *scalpel-1.52.tar.gz
8e64bf92085081e0367cf23718bb6126 *scalpel-1.51.tar.gz





2. Foremost

Recovers files based on their headers, footers, and internal data structures; besides working directly on a drive, it can also recover files from image files (dd, Safeback, Encase).

Introduction

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research, foremost has been opened to the general public. We welcome any comments, suggestions, patches, or feedback you have on this program. Please direct all correspondence to namikus@users.sf.net.
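Both descriptions above (Scalpel's database of header/footer signatures, and Foremost's built-in types that read a file's internal data structures) come down to the same scan over a raw image with no help from the filesystem. The block below is an added example written for this page, not code from either project: a small Python carver that reads scalpel.conf-style rules (the two rules and the disk image are constructed inline, not taken from the shipped configuration), carves by header/footer the way Scalpel does, and then carves a PNG by walking its chunk list the way a structure-aware built-in type would. The sample PNG carries a byte-for-byte copy of its own IEND footer inside a tEXt chunk, which is enough to cut the footer-based carve short while the chunk walker recovers the whole file.

```python
"""Header/footer carving (Scalpel-style) next to structure-aware PNG
carving (Foremost built-in-type style). Added example, not project code;
the rules and the disk image below are constructed for the demo."""
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# scalpel.conf-style rules written for this example (not the shipped file):
# ext  case-sensitive  max-carve-size  header  [footer]
SAMPLE_CONF = r"""
jpg  y  200000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
png  y  200000  \x89PNG\x0d\x0a\x1a\x0a   IEND\xae\x42\x60\x82
"""

PNG_SIG = b"\x89PNG\r\n\x1a\n"


@dataclass
class Rule:
    ext: str
    max_size: int
    header: re.Pattern
    footer: Optional[re.Pattern]


def sig_to_regex(sig: str, case_sensitive: bool) -> re.Pattern:
    """Turn a signature with \\xHH escapes and '?' single-byte wildcards
    into a compiled bytes regex; any other character is a literal byte."""
    pattern, i = b"", 0
    while i < len(sig):
        if sig.startswith("\\x", i) and i + 3 < len(sig):
            pattern += re.escape(bytes([int(sig[i + 2:i + 4], 16)]))
            i += 4
        elif sig[i] == "?":
            pattern += b"."
            i += 1
        else:
            pattern += re.escape(sig[i].encode("latin-1"))
            i += 1
    return re.compile(pattern, re.DOTALL | (0 if case_sensitive else re.IGNORECASE))


def parse_conf(text: str) -> List[Rule]:
    """Parse 'ext y|n size header [footer]' lines; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        p = line.split()
        cs = p[1].lower() == "y"
        footer = sig_to_regex(p[4], cs) if len(p) > 4 else None
        rules.append(Rule(p[0], int(p[2]), sig_to_regex(p[3], cs), footer))
    return rules


def carve(image: bytes, rules: List[Rule]) -> List[Tuple[str, int, bytes]]:
    """For every header hit, take the bytes up to and including the first
    footer within max_size, or max_size bytes when no footer is found."""
    hits = []
    for r in rules:
        for h in r.header.finditer(image):
            window = image[h.start():h.start() + r.max_size]
            end = len(window)
            if r.footer is not None:
                f = r.footer.search(window, h.end() - h.start())
                if f:
                    end = f.end()
            hits.append((r.ext, h.start(), window[:end]))
    return sorted(hits, key=lambda t: t[1])


def carve_png_by_structure(image: bytes, offset: int) -> Optional[bytes]:
    """Walk the PNG chunk list (length, type, data, CRC) from a header hit
    until IEND, verifying each CRC, and return exactly that many bytes.
    Returns None when the chunk list is truncated or inconsistent."""
    if image[offset:offset + 8] != PNG_SIG:
        return None
    pos = offset + 8
    while pos + 12 <= len(image):
        (length,) = struct.unpack(">I", image[pos:pos + 4])
        if pos + 12 + length > len(image):
            return None
        ctype, data = image[pos + 4:pos + 8], image[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", image[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return image[offset:pos]
    return None


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_image() -> Tuple[bytes, bytes, bytes]:
    """Constructed image: filler, a JPEG, filler, a PNG whose tEXt chunk
    contains a copy of the IEND footer bytes, filler."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    iend = _chunk(b"IEND", b"")
    png = (PNG_SIG
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"tEXt", b"Comment\x00footer-lookalike:" + iend)
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + iend)
    filler = bytes(range(256)) * 2   # contains none of the signatures above
    return filler + jpeg + filler + png + filler, jpeg, png


def demo() -> dict:
    """Run both carvers over the constructed image and compare results."""
    image, jpeg, png = build_sample_image()
    by_ext = {ext: (off, data) for ext, off, data in carve(image, parse_conf(SAMPLE_CONF))}
    png_off, png_by_footer = by_ext["png"]
    return {
        "jpg_ok": by_ext["jpg"][1] == jpeg,
        "png_footer_len": len(png_by_footer),   # cut short at the lookalike footer
        "png_true_len": len(png),
        "png_struct_ok": carve_png_by_structure(image, png_off) == png,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The header/footer pass recovers the JPEG exactly, but returns only the first 78 bytes of the PNG because the footer signature also occurs inside the tEXt chunk; the chunk walker ignores what the data bytes look like, trusts the declared lengths and CRCs instead, and returns the full file. That is the difference the Foremost text refers to when it says built-in types that look at a format's data structures give a more reliable recovery.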

Download

The latest version of Foremost can be found on the project site (http://foremost.sourceforge.net/).
See also: DFRWS 2006, DFRWS 2007.



References:
http://www.digitalforensicssolutions.com/Scalpel/
http://foremost.sourceforge.net/
http://macivilian.blogspot.com/2010/03/blog-post_15.html

1 comment:

  database repair tool

February 1, 2011, 11:36 PM

It is recommended to always use the demo first to get an overview of how the full version will perform on a particular set of data.