Sunday, January 8, 2012

Forensics Quickie: Recovering Deleted Files With Scalpel (.CR2 Photos)

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

SD card was accidentally formatted; RAW photos in .cr2 format from a Canon Rebel T3 needed to be recovered.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install Scalpel with:
  • sudo apt-get install scalpel
Check to see if the required filetype signature is supported by Scalpel by default:
  • sudo vi /etc/scalpel/scalpel.conf
If it's there, simply uncomment it. If it's not there, add an entry for it. I didn't see .cr2 in there, so I added my desired extension (cr2), signature case sensitivity (y), maximum file size (17825792), and header signature (with no footer) with this entry:
  • cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52
Run Scalpel with parameters for the desired image file (it can be a split image) and the output directory:
  • scalpel [imageFile.dd] -o [outputDir]
Of course, you can also do this with other filetypes, as well. But if you ever need to add unsupported filetypes to scalpel.conf, that's how you do it. And if you find that your custom signature entry works, be sure to email it to the creators.
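To make concrete what a footer-less rule like the one above tells Scalpel to do, here is an added Python example (not code from the post or from the Scalpel project) that parses that scalpel.conf entry and header-carves a small constructed image; the rule/parse/carve function names and the sample image bytes are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The rule from the post, reproduced here as a constructed input string.
CONF_LINE = r"cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52"

@dataclass
class Rule:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]

def decode_sig(s: str) -> bytes:
    """Convert scalpel's signature notation (\\xNN escapes, literal
    characters otherwise) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("\\x", i):
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

def parse_rule(line: str) -> Rule:
    """Parse one scalpel.conf rule: ext case_sensitive max_size header [footer]."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("malformed rule: %r" % line)
    ext, cs, size, header = fields[:4]
    footer = decode_sig(fields[4]) if len(fields) > 4 else None
    return Rule(ext, cs.lower() == "y", int(size), decode_sig(header), footer)

def carve(image: bytes, rule: Rule) -> List[Tuple[int, bytes]]:
    """Header-only carving, as a rule with no footer implies: every header hit
    yields (offset, chunk) with the chunk running up to max_size bytes."""
    if rule.footer is not None:
        raise NotImplementedError("footer-delimited carving not shown here")
    hay, hdr = image, rule.header
    if not rule.case_sensitive:  # the 'n' flag: match ignoring ASCII case
        hay, hdr = image.lower(), rule.header.lower()
    return [(m.start(), image[m.start():m.start() + rule.max_size])
            for m in re.finditer(re.escape(hdr), hay)]

# Constructed "SD card image": junk, two CR2 headers with fake payloads, junk.
HDR = decode_sig(r"\x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52")
IMAGE = b"\x00" * 7 + HDR + b"A" * 20 + b"\xff" * 5 + HDR + b"B" * 3
```

Because there is no footer, each carved chunk is simply max_size bytes from the header (or to end of image), so real carves of adjacent files will overlap and carry trailing slack.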

-Dan (@4n6k)

1. Download Scalpel: Digital Forensics Solutions