Forensics Quickie: Recovering Deleted Files With Scalpel (.CR2 Photos)

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
SD card was accidentally formatted; RAW photos in .cr2 format from a Canon Rebel T3 needed to be recovered.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install Scalpel with:

• sudo apt-get install scalpel

Check to see if the required filetype signature is supported by Scalpel by default:

• sudo vi /etc/scalpel/scalpel.conf

If it's there, simply uncomment it. If it's not there, add an entry for it. I didn't see .cr2 in there, so I added my desired extention (cr2), signature case sensitivity (y), filesize (17825792), and header signature (with no footer) with this entry:

• cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52

Run Scalpel with parameters for the desired image file (it can be a split image) and the output directory:

• scalpel [imageFile.dd] -o [outputDir]

Of course, you can also do this with other filetypes, as well. But if you ever need to add unsupported filetypes to scalpel.conf, that's how you do it. And if you find that your custom signature entry works, be sure to email it to the creators.

-4n6k

References
1. Download Scalpel: Digital Forensics Solutions