# Filecarving with scalpel

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FyghZkOmnOPLlHvRYBTBL%2Ffilecarving.jpg?alt=media\&token=14d3cfb1-85cd-42ba-a7e7-99dd4dd76a2c)

### 1. Introduction

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). One of the PDF files present on the disk contains the flag.

Extract files from the given image using the [**Scalpel**](https://github.com/sleuthkit/scalpel) tool and retrieve the flag!

Guidelines:

* The pdftotext tool can be used to convert PDF files into text files.

### 2. Filecarving with scalpel

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FJ24jpvuWqjXuslXubsyF%2Fscalpel1.png?alt=media&#x26;token=c1dac099-d48b-4f73-b593-517808922221" alt=""></div>

`scalpel evidence.img -o output`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F4dF7B7PUqUVjzpF85Qah%2Fscalpel2.png?alt=media&#x26;token=1036e1f3-5e44-4a9b-a07d-2a1b79196eeb" alt=""></div>

It seems that I have to edit the config file first, which is located at /etc/scalpel/scalpel.conf:

`vi /etc/scalpel/scalpel.conf`

We are searching for PDF files, so I'll uncomment the lines that are responsible for PDF files:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FGSp2Rl206yB8mCMqD1lR%2Fscalpel3.png?alt=media&#x26;token=1e3e3227-75a1-4070-9f51-285ff7e00299" alt=""></div>

Save the file and give scalpel a new try:

`scalpel evidence.img -o output`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FjmpGISAaaXZ9KgZ63wgP%2Fscalpel4.png?alt=media&#x26;token=19e5466a-2084-4fad-86a1-25674b14341b" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FETBmuUEMXyUi9nIi46Li%2Fscalpel5.png?alt=media&#x26;token=e73d2e49-88d0-499c-9f06-b5707dac0312" alt=""></div>

### 3. Retrieve the flag

Let's browse to the output directory and use pdftotext to reveal the flag:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F835CPwWWRRjHRBRjG4dJ%2Fscalpel6.png?alt=media&#x26;token=ebb33ef7-e016-492a-aa95-4d1efef2cf42" alt=""></div>
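The steps above as one script, added here as an example and not part of the original lab write-up: it uncomments only the pdf rules in a private copy of scalpel.conf (passed with scalpel's `-c` option) instead of editing the file in /etc, then runs pdftotext over every carved PDF. The function names and the search pattern argument are assumptions, since the flag format is not given on this page; `grep --label` assumes GNU grep.

```shell
#!/bin/sh
# Added example: carve PDFs with a private copy of scalpel.conf, then search them.

# Write a copy of config $1 to $2 with only the pdf rule lines uncommented.
# A disabled rule looks like "#<ws>pdf<ws>y<ws>...", while a heading such as
# "# ADOBE PDF" is an ordinary comment and must stay commented.
enable_pdf_rules() {
    sed -E 's/^#([[:space:]]*pdf[[:space:]]+[yn][[:space:]])/\1/' "$1" > "$2"
}

# Print the number of active (uncommented) pdf rules in config $1.
count_pdf_rules() {
    grep -Ec '^[[:space:]]*pdf[[:space:]]+[yn][[:space:]]' "$1" || true
}

# Carve image $1 into directory $3 using config $2, convert each carved PDF
# to text and print the lines matching pattern $4 (supplied by the caller).
carve_and_search() {
    image=$1 conf=$2 outdir=$3 pattern=$4
    if [ "$(count_pdf_rules "$conf")" -eq 0 ]; then
        echo "no pdf rules enabled in $conf" >&2
        return 1
    fi
    scalpel -c "$conf" -o "$outdir" "$image" || return 1
    find "$outdir" -type f -name '*.pdf' | while IFS= read -r pdf; do
        # "-" sends the text to stdout; truncated or damaged carves make
        # pdftotext fail, so errors are silenced and the file is skipped.
        pdftotext "$pdf" - 2>/dev/null |
            grep -H --label="$pdf" -i -- "$pattern" || true
    done
}

# Runs only when called as: sh carve.sh <image> <pattern>
if [ "$#" -eq 2 ]; then
    conf=$(mktemp)
    enable_pdf_rules /etc/scalpel/scalpel.conf "$conf"
    carve_and_search "$1" "$conf" output "$2"
fi
```

Working on a copy of the configuration keeps the system-wide file unchanged and lets the exact rule set used for the carve be stored next to the output.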

### 4. Summary

{% embed url="<https://vimeo.com/676632878>" %}
