Filecarving with scalpel

1. Introduction

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). One of the PDF files present on the disk contains the flag.

Extract files from the given image using Scalpel tool and retrieve the flag!

Guidelines:

pdftotext tool can be used to convert PDF files into text files.

2. Filecarving with scalpel

scalpel evidence.img -o output

Seems that I’ve to edit the config file first which is located under /etc/scalpel/scalpel.conf

vi /etc/scalpel/scalpel.conf

We search for pdf files therefore, I’ll „uncomment“ the lines which are responsible for pdf files

Save the file and give scalpel a new try:

scalpel evidence.img -o output

3. Retrieve the flag

Let's browse to the output directory and use pdf to text to reveal the flag

4. Summary

PreviousFilecarving with Foremost NextBulk extractor

Last updated 2 years ago