Open alfredoivan opened 9 years ago
Is it possible that you don't have permission to read /dev/sda1? You do not appear to be root.
-- Vico
On Thu, Dec 4, 2014 at 9:43 AM, alfredoivan notifications@github.com wrote:
Hello. I was testing scalpel on my raspberry pi file server.
First, I installed it with sudo apt-get install scalpel (it installed 1.60 fine) but when executing scalpel, it will throw: " Scalpel version 1.60 Written by .... "
So then I uninstalled it, went to the /tmp/ folder and git cloned this project: ./bootstrap ./configure make
And it finished ok.
I then used the scalpel binary and it throws the same text:
" ./scalpel -c scalpel.conf -v /dev/sda -o ./SALIDA/
Scalpel version 2.1 Written by Golden G. Richard III and Lodovico Marziale. "
[image: scalpel_issue] https://cloud.githubusercontent.com/assets/5880102/5300946/2eaab912-7bb3-11e4-837f-874f59d77004.png
I tried and the same thing happened. I find it strange that it is not even throwing an error when reading /dev/sda1; it doesn't even reach that point. It uses the NTFS file system (and is an external HDD) if that matters.
Did you ever find a solution for this? I'm seeing the same thing on my pi. I also did the same thing you did: I uninstalled the version from the repo and built the one from git. Any valid command just shows the same banner. Funny thing is that it's working fine in Windows, but I like to have tools like this on my pi.
Hello - please can you share also your scalpel.conf which you use to make the carving? If it is pristine example config from the up-stream distribution package, then you have probably everything commented out. Please try to edit the file and uncomment the filetypes you would like scalpel to look for. Best regards Michal Ambroz
I did uncomment a bunch of file types, but since I know the file I'm carving contains a wav, I've uncommented only that type for a quick comparison. The machine called "tools" is a Lubuntu VM and the one called raspb... well you get the picture: If there are any other files that may help figure out what's going on here, I'd be happy to provide them.
(to CheshireBat: I couldn't find a solution for this)
Same problem here..
sudo scalpel -c /home/pi/Scalpel-2.0/conf/scalpel.conf /dev/sda -o /home/pi/Videos Scalpel version 2.0 Written by Golden G. Richard III and Lodovico Marziale.
So, the issue lies in processCommandLineArgs() in scalpel_exec.cpp. Specifically, getopt() returns 255 instead of -1 as it does on x86 systems because of the fact that the toolchain defaults to an unsigned char type for 'char'. This causes the command line processing loop to hit the default section, resulting in exit(1). I've found that I can work around this issue by using env CXXFLAGS=-fsigned-char make. I assume that this wouldn't have any ramifications for the rest of the program (as it seems to be making that assumption anyway).
pi@raspberrypi4:~/git/scalpel $ ./scalpel
Scalpel version 2.1
Written by Golden G. Richard III and Lodovico Marziale.
Scalpel carves files or data fragments from a disk image based on a set of
file carving patterns, which include headers, footers, and other information.
Usage: scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>]
[-n] [-o <outputdir>] [-O] [-p] [-q <clustersize>] [-r]
[-v] [-V] <imgfile> [<imgfile>] ...
Options:
-b Carve files even if defined footers aren't discovered within
maximum carve size for file type [foremost 0.69 compat mode].
-c Choose configuration file.
-d Generate header/footer database; will bypass certain optimizations
and discover all footers, so performance suffers. Doesn't affect
the set of files carved. **EXPERIMENTAL**
-e Do nested header/footer matching, to deal with structured files that may
contain embedded files of the same type. Applicable only to
FORWARD / NEXT patterns.
-h Print this help message and exit.
-i Read names of disk images from specified file. Note that minimal parsing of
the pathnames is performed and they should be formatted to be compliant C
strings; e.g., under Windows, backslashes must be properly quoted, etc.
-n Don't add extensions to extracted files.
-o Set output directory for carved files.
-O Don't organize carved files by type. Default is to organize carved files
into subdirectories.
-p Perform image file preview; audit log indicates which files
would have been carved, but no files are actually carved. Useful for
indexing file or data fragment locations or supporting in-place file
carving.
-q Carve only when header is cluster-aligned.
-r Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-V Print copyright information and exit.
-v Verbose mode.
ERROR: No image files specified.
Scalpel is done, files carved = 0, elapsed = 0 secs.
I have the same issue, but solution above doesn't work for me.
Hi, I have an aarch64 server (AMD64), which is a bit bigger than a raspberry pi, but has the same outcome.
Looks like this was fixed but never merged. Is this no longer maintained? https://github.com/sleuthkit/scalpel/pull/25
Seems like it.