“Ooops. I deleted my photos”
I used Foremost in this blog to try to recover deleted mp4 video files (for my sister) using Ubuntu and the software called Foremost, but it wouldn’t find the video files. It found a bunch of photos but not her supposed videos.
Then I thought maybe the tool wasn’t capable, so I tried to figure out Scalpel, which is ‘the other’ major tool besides Foremost.
But how to use it?
This video is an absolutely great way to get started doing the basics. Definitely take the time to watch it as it will give you a good bird’s-eye view not just about carving an image file but also how to carve a device (i.e. hard drive, USB drive) connected to the machine.
Also, man scalpel was pretty useful. However, I still couldn’t figure out
a) where the ever-important scalpel.conf file was and
b) how to do mp4, which was (oddly) missing from scalpel.conf
It was pretty surprising that mp4 was missing, that’s for sure…
However, I did find this blog which got me most of the way there in terms of basic learning. Interestingly the author did not make available the following code containing the mp4 header/footer stuff to simply copy and paste. However, I was able to manually type from the screenshot so that I (and the world) can just copy and paste it. Here it is:
EDIT 200816 – See below the disclaimer before doing this. I was wrong.
mp4 y 30000000:70000000 \x46\x4c\x56\x01\x05\x00\x00\x00\x09\x00\x00\x00\x00\x12\x00\x02\x36
Important Disclaimer: I have no idea if this thing is right, or works, but the program itself, I can verify, ran perfectly and carved for files. No videos were ultimately carved in my situation, but I don’t think that is the fault of this software nor my copy/paste stuff above. It’s because I don’t think there actually were any videos on my drive to start with. But I wanted to be clear that I simply typed out another blogger’s stuff and stuck it here.
I was wrong, it seems. I kept getting nothing at all, which I thought was weird. Then I just decided to dump the hex stuff above into a hex-to-text editor thing and discovered it translates to “FLV”. So then what I did was use the same hex editor and wrote ‘mp4’ in there, and got this output:
6d 70 34
Then I updated the scalpel.conf file to look like this:
mp4 y 30000000:70000000 6d 70 34
This started working, so I appear to be on the right path. However, the files were still not playable and came in about 100 small chunks per directory. I need the correct scalpel.conf entry to carve an mp4 file… any help appreciated in comments below!
Then I finally found another blog which showed that the scalpel.conf file is located at /etc/scalpel. Now you don’t have to spend an hour to learn that!
The first thing I did once I had what I needed to paste, and knew where to paste it, was edit the scalpel.conf file with the following command, and then copy/paste the above ‘stuff’ at the very bottom of the file and then ctrl+x, etc, to save changes in the file:
sudo nano /etc/scalpel/scalpel.conf
Once that is done, we need to run the command. Even this kind of messed me up with a few of the tutorials and even the man pages I read. Here is the syntax of what you’ll need to start it running with my breakdown of what each component is following:
sudo scalpel -c /etc/scalpel/scalpel.conf -o /path/to/output/directory/directoryname /path/to/location/of/image.img
Quick explanation of this so you can plug in your details into the command to get carving:
sudo – it requires super user permissions (and your password)
-c – this flag points to the scalpel config file you edited above. If you want, you can move it, but if you didn’t move it, the path in my example above is correct
-o – this points to your output path where you want the recovered files to go
directoryname – at the end of your path add a useful name you’ll remember, as this directory will be created and the recovered files placed inside if it works
/path/to/location/of/image.img – likely you have already cloned the drive and are not using the original (recommended for many reasons), so this is the path to where on your machine this image file is located
image.img – represents the name of your image, whatever it is
So once you customize your details and hit ‘go’ you should be able to start carving files. Also, if you want to carve for more than just mp4s you can un-comment the options in the scalpel.conf file, or add others, and they will all run at the same time once you start.
I found that Foremost found more .jpg than Scalpel but I might have configured one or both of them incorrectly…
Hope this helps you recover some lost goods!
Use a hex editor to see the first 32 bytes of a working mp4 file and you’ll see this signature. You can find a list of ‘file signatures’ on Wikipedia.
# MP4 Video
mp4 y 45000000 \x66\x74\x79\x70\x69\x73\x6F\x6D
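
An added example (not from the original post, its comments, or the Scalpel project): a small Python check that decodes the \xHH header of a scalpel.conf rule and reports where it appears in a file's first bytes, so a rule can be checked against a known-good file before a long carving run. The function names and the two sample headers are constructed for illustration, and the decoder handles only \xHH escapes and literal characters.

```python
import re

# Constructed sample file starts (illustrative, not taken from a real recovery).
# 'isom' is one MP4 major brand among several; other files may carry a different one.
SAMPLE_MP4 = b"\x00\x00\x00\x20ftypisom\x00\x00\x02\x00isomiso2avc1mp41"
SAMPLE_FLV = b"FLV\x01\x05\x00\x00\x00\x09\x00\x00\x00\x00\x12\x00\x02\x36\x00\x00"

# The two rule lines quoted on the page.
RULE_FROM_SCREENSHOT = r"mp4 y 30000000:70000000 \x46\x4c\x56\x01\x05\x00\x00\x00\x09\x00\x00\x00\x00\x12\x00\x02\x36"
RULE_FROM_COMMENT = r"mp4 y 45000000 \x66\x74\x79\x70\x69\x73\x6F\x6D"

def decode_pattern(text):
    """Turn \\xHH escapes into bytes; any other character is kept literally."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = re.match(r"\\x([0-9A-Fa-f]{2})", text[i:])
        if m:
            out.append(int(m.group(1), 16))
            i += 4
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)

def parse_rule(line):
    """Split a rule into extension, case flag, size field, header, optional footer."""
    fields = line.split()
    ext, case, size, header = fields[:4]
    footer = decode_pattern(fields[4]) if len(fields) > 4 else None
    return {"ext": ext, "case": case, "size": size,
            "header": decode_pattern(header), "footer": footer}

def header_offset(rule_line, data):
    """Offset where the rule's header first appears in data, or -1 if absent."""
    return data.find(parse_rule(rule_line)["header"])

def to_escapes(data):
    """Render bytes in the \\xHH form used in scalpel.conf."""
    return "".join("\\x%02x" % b for b in data)

if __name__ == "__main__":
    for name, rule in (("screenshot", RULE_FROM_SCREENSHOT), ("comment", RULE_FROM_COMMENT)):
        print(name, parse_rule(rule)["header"][:8],
              "mp4 offset:", header_offset(rule, SAMPLE_MP4),
              "flv offset:", header_offset(rule, SAMPLE_FLV))
    # In an MP4 the 'ftyp' box type follows a 4-byte box size, hence bytes 4..12.
    print(to_escapes(SAMPLE_MP4[4:12]))
```

To check a real file, pass `open(path, "rb").read(32)` as `data` in place of the constructed samples.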