Did You Know?
Donate to TecMint

We are pleased to announce our new TecMint Q/A section to submit your Linux questions

Install Scalpel (A Filesystem Recovery Tool) to Recover Deleted Files/Folders in Linux

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

Many a times it happens that we accidentally or by mistakenly press ‘shift + delete‘ to files. By human nature you have an habit of using ‘shift + Del‘ instead of using only ‘Delete‘ option. I actually had this incident few days back. I was working on a project and saved my work file in a directory. There were many unwanted files in that directory and needs to be deleted permanently. So I started deleting them one by one. While deleting those files, I accidentally pressed ‘shift delete‘ to one of my important file. The file got deleted permanently from my directory. I was wondering how to recover deleted files and had no clue what to do. I almost spent much time restoring the file but no luck.

Recover files in Linux

Scalpel Recovery Tool For Linux

Knowing a bit of technical knowledge I knew about how file system and HDD works. When you delete a file accidentally, the content of the file does not get deleted from your computer. It is just removed from the database folder and you cannot see the file into the directory, but it still remains in somewhere in your hard drive. Basically the system has a list pointer to blocks on the storage device still has the data. The data is not deleted from the block storage device unless and until you overwrite with a new file. At this point of view I released that my deleted file may still remain somewhere in an unindexed area of the Hard disk. However it is recommended to immediately unmount a device as soon as you realize that you have deleted any important file. Unmount helps you to prevent the blocked files from overwritten with new file.

In this scenario I didn’t want to over write that data, hence I preferred to search in the hard drive without mounting it.

Normally in Windows we get tons of 3rd party tools to recovery lost data, but in Linux only few. However I use Ubuntu as an operating system and it is very difficult to find a tool that recovers lost file. During my research I got to know about ‘Scalpel‘ a tool that runs through entire hard drive and recovers a lost file. I installed and successfully recovered my lost file with the help of Scalpel tool. It’s really amazing tool I must say.

This can also happen with you as well. So I thought of sharing my experience with you. In this article I will show you how to recover deleted files with the help of scalpel tool. So here we go.

What is Scalpel Tool?

Scalpel is an open source file system recovery for Linux and Mac operation systems. The tool visits the block database storage and identifies the deleted files from it and recover them instantly. Apart from file recovery it is also useful for digital forensics investigation.

How to Install Scalpel in Debian/Ubuntu and Linux Mint

To Install Scalpel, open terminal by doing “CTrl+Alt+T” from desktop and run the following command.

$ sudo apt-get install scalpel
Sample Output
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 390 not upgraded.
Need to get 0 B/33.9 kB of archives.
After this operation, 118 kB of additional disk space will be used.
Selecting previously unselected package scalpel.
(Reading database ... 151082 files and directories currently installed.)
Unpacking scalpel (from .../scalpel_1.60-1build1_i386.deb) ...
Processing triggers for man-db ...
Setting up scalpel (1.60-1build1) ...

Installing Scalpel in RHEL/CentOS and Fedora

To install scalpel recovery tool, you need to first enable epel repository. Once it enabled, you can do ‘yum‘ to install it as shown.

# yum install scalpel
Sample Output
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.01link.hk
 * epel: mirror.nus.edu.sg
 * epel-source: mirror.nus.edu.sg
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package scalpel.i686 0:2.0-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package		Arch		Version			Repository		Size
 scalpel                i686            2.0-1.el6               epel                    50 k

Transaction Summary
Install       1 Package(s)

Total download size: 50 k
Installed size: 108 k
Is this ok [y/N]: y
Downloading Packages:
scalpel-2.0-1.el6.i686.rpm                                                           |  50 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : scalpel-2.0-1.el6.i686							1/1 
  Verifying  : scalpel-2.0-1.el6.i686                                                   1/1 

  scalpel.i686 0:2.0-1.el6                                                                                                                                


Once scalpel is installed you need to do text editing. By default scalpel utility has its own configuration file in ‘/etc‘ directory and full path is “/etc/scalpel/scalpel.conf” or “/etc/scalpel.conf“. You can notice that everything is commented out (#). So before running scalpel you need to uncomment the file format that you need to recover. However uncomment the entire file is time consuming and will generate a huge false results.

Let say for example I want to recover only ‘.jpg‘ files, so simply uncomment ‘.jpg‘ file section for the scalpel configuration file.

# GIF and JPG files (very common)
        gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
        jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9

Go to terminal and type following syntax. The ‘/dev/sda1‘ is a location of a device from where the file is already deleted.

$ sudo scalpel /dev/sda1-o output

The ‘-o‘ switch indicates a output directory, where you want to restore your deleted files. Make sure that this directory is empty before running any command otherwise it will give you an error. The output of the above command is.

Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.

Opening target "/dev/sda1"

Image file pass 1/2.
/dev/sda1:   6.1% |***** 		|    6.6 GB    39:16 ETA

As you see, the scalpel is now performing its process and it will take time to recovery your deleted file depending upon the disk space that you are trying to scan and the speed of the machine.

I would recommend you all to have a habit of using only delete instead of “Shift + Delete“. Because as said prevention is always better than cure.

Linux Services & Free WordPress Setup

Our post is simply ‘DIY’ aka ‘Do It Yourself, still you may find difficulties and want us to help you out. We offer wide range of Linux and Web Hosting Solutions at fair minimum rates. Please submit your orders by Clicking Here.

15 Responses

  1. Sachin says:

    Nice article
    Add more tools like foremost & testdisk.

  2. larryhill says:

    Thanks for sharing about ‘scalpel’ :)

  3. knura9 says:

    Thanks for sharing your experience with scalpel.

    There is another similar tool called photorec (from the author of testdisk).

    You made a very important point about unmounting the file system – which is excellent.

    But what do you do when the file you just deleted happens to be on the device (disk partition) for the ‘/’ filesystem? e.g. /etc

    There are live rescue cd/usb images that can be of help.

    Specifically Ubuntu Rescue Remix:

    which according to it’s documentation comes with photorec pre-installed.

    My recommendation is to use one of these invaluable distros to recovery files and/or lost partition tables on you hard disks (lost disk partition also happens).

    BTW, some of them also come with anti virus software; need internet connection to get the latest updates. I have found them helpful when the native A/V software (some times commercial) were unsuccessful :)

  4. marine says:

    what should the location of output folder be?
    i’m creating an empty output folder in my home directory but every time the command is giving error of non-empty output directory.
    I need to restore something very important.
    please help!!!! :(

  5. Pradeep Goswami says:

    Thanks for updating this very useful tool,I would like to see many more tool like this!!!

  6. rahman says:

    Dear sir i downloaded the scalpel tool from internet i copy in to my linux p.c in /root/home location when i am giving the path $ sudo apt-get install scalpel it is giving some help message so please help me out to install this ofline in my linux fedro 16 p.c

  7. christin says:

    Thanks. I used the command and in a folder I see the binary format files. How can I open that

  8. I’m running this Scalpel to recover a day’s lost work but get this error:

    [root@server home]#scalpel /dev/sda7-o output1
    Scalpel version 2.0
    Written by Golden G. Richard III and Lodovico Marziale.
    ERROR: Couldn’t open configuration file:
    scalpel.conf — No such file or directory
    Scalpel was unable to read a needed file and will abort.

    I am logged in as root and the conf. file exists in /etc/scalpel/scalpel.conf

  9. Suri says:

    Hi.. I lost my all data and partition while installing Ubuntu 14.4 by replacing Windows 7. So is it possible to recover data using scalpel or any other tool.. Plz help me…

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.