How to recover a file if you formatted your hard disk by mistake...!!

NOTE: This doesn't return all the data you lost, but it can return more or less all the important data you lost.

It can recover any file type, i.e. avi, jpeg, bmp, doc, pdf, etc.


Basically, this was previously used by cyber forensics investigators to take out the data at a crime scene if the criminal had deleted files from or formatted the PC at the crime scene.

The most important thing is that you have to take a raw image of the system before you do this; I explained how to take the raw image in my previous blogs.

so here we go........

STEPS:

1. Boot the machine with a Linux bootable CD-ROM or PD.

2. After booting, when Linux starts, type the following command:

    fdisk -l

This command lists all the available partitions on the machine, so that you can select the one from which you want to recover the files.

3. Make a directory inside the mnt directory.

    mkdir /mnt/ns

Note: the name of the directory is your choice; you can give any name. I am using ns.

4. Mount the partition from which you want to recover the data on the recently made directory.

    mount /dev/sda6 /mnt/ns

Note: dev stands for devices.
      sda6 is my selected partition, from which I want to recover my files.
      It is necessary that you put one space after sda6.

5. Now to recover the files.

    cd /etc/scalpel/

This will take you to the scalpel directory.

Note: scalpel is the default tool, or you could say the default mechanism, provided by the Linux OS to recover files.

6. Open the scalpel configuration file:

    nano scalpel.conf

This command is used to edit which file types you want to recover, according to their header and footer.

E.g. avi, pdf, flv, doc, xls, etc... any file you want.

Just remove the "#" before the file header to mark that type for recovery.

Save and quit (Ctrl + X, then 'y', then press the Enter key).

7. Go into the ns directory and create a folder with whatever name you want. I am using the name "scalpel", because this will be our destination directory where we will gather the recovered files.

    cd /mnt/ns/
    mkdir scalpel
    ls -l    # to see whether the directory has been made or not...!!

8. Now run the final command to recover the files:

    scalpel /mnt/ns/image.raw -o /mnt/ns/scalpel/ -v

Note: don't panic about the name of the raw image. I made it clear at the start of this blog that you have to have a raw image before you perform this trick.
I had one raw image, which I had earlier named image.raw.

-o stands for the output directory where we are recovering our files, which is "scalpel" in our case.
-v is for verbose mode, to see what's happening.

After running this command, leave your PC for at least 5 hrs. Basically, the recovery time depends on the types of file headers you have selected and, of course, the amount of data you had on your PC or that drive.
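
To show what the header and footer entries enabled in step 6 mean, here is an added example (not from the original post and not scalpel's own code): a small Python carver that reads rule lines in the column order scalpel.conf uses and carves a constructed byte string standing in for image.raw. SAMPLE_CONF, IMAGE and the function names are constructed for illustration, and skipping a header whose footer is not found is a simplification chosen for this example.

```python
import re

# Constructed rules in scalpel.conf column order: extension, case-sensitive,
# max carve size, header, footer. A leading "#" keeps a rule disabled (step 6).
SAMPLE_CONF = r"""
# gif  y  5000000  \x47\x49\x46\x38\x39\x61  \x00\x3b
  jpg  y  200000   \xff\xd8\xff\xe0\x00\x10  \xff\xd9
  pdf  y  5000     %PDF                      %EOF
"""

# Constructed stand-in for image.raw: one complete JPEG, a GIF (rule disabled),
# a PDF, and a JPEG header whose footer was lost.
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF-picture-bytes\xff\xd9"
GIF = b"GIF89a-pixels\x00\x3b"
PDF = b"%PDF-1.4 text %EOF"
IMAGE = b"\x00" * 64 + JPG + b"\x00" * 32 + GIF + PDF + b"\xff\xd8\xff\xe0\x00\x10cut-off"

def decode(pattern):
    """Turn \\xNN escapes in a rule field into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  pattern.encode("latin-1"))

def parse_rules(conf_text):
    """Return (extension, max_size, header, footer) for every enabled rule."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        footer = decode(fields[4]) if len(fields) > 4 else b""
        rules.append((fields[0], int(fields[2]), decode(fields[3]), footer))
    return rules

def carve(image, rules):
    """Return (extension, offset, data) for each header with a matching footer."""
    hits = []
    for ext, max_size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header)) if footer else len(window)
            if end != -1:  # this example skips hits with no footer in range
                hits.append((ext, start, window[:end + len(footer)]))
            start = image.find(header, start + len(header))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    for ext, offset, data in carve(IMAGE, parse_rules(SAMPLE_CONF)):
        print(f"{ext}: offset {offset}, {len(data)} bytes")
```

The GIF is left behind because its rule is still commented out, and the JPEG header at the end is not carved because no footer follows it.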




Today I will not tell you to go and have fun, because waiting for more than 5-6 hrs is never fun..!!  :P  lols..!!  :)

