Using CAINE and Scalpel to restore .doc's from an image file

Post by joetekno on Tue Mar 03, 2009 6:10 pm

1. Select "Start"... Caine... Caine Interface

2. Click the "Create Report" button

3. Select the "Analysis" tab

4. Click the “Scalpel” button

5. Click the “Open input file” button

6. Select your image file (example: file system… evidence… sda-img.dd)

7. Click “Select directory” button

8. Create a directory to save your output to
a. Select… File system… evidence…
b. Click “Create folder” button, type “scalpeloutput”
c. Click “OK” button

9. Open a terminal window, maneuver to /evidence and see if the scalpeloutput directory exists. If it does not, redo step 8.

10. Click the “Edit file” button
a. Remove the pound/hash marks “#” in front of the “doc” entries
b. Click the “Save” button
c. Exit Gedit “File… Quit”
d. Click the “Run Scalpel” button

Using a Hex editor to find file headers/footers for file types not listed in the scalpel.conf

1. Download or create several files of the type you wish to search for.
a. Go to
b. Search for “filetype:docx” to search for MS Word 2007 file types
c. Use “Right Click… Save File As…” feature on the links that are .docx

2. Open the files in a Hex editor
a. Linux terminal window
b. xxd <filename>.docx | less

3. Document the first 13-15 sets of hex entries
a. (example: 50 4B 03 04 14 00 06 00 08 00 00 00 21)

4. Depending on the file type, you may also need to document the last 13-15 sets of hex entries (the footer)

5. Using the format of the existing entries in scalpel.conf, add your own entry (extension, case flag, max size, header and, if needed, footer) to find the new file type.
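As an added example (not part of the original post, and not CAINE's or scalpel's own code), the script below walks both procedures end to end in Python: it derives a header from sample .docx files the way steps 2-3 do with xxd, renders scalpel.conf-style entries for .doc and .docx (step 5), and then carves both types out of a constructed disk image using scalpel's header/footer rule so the result can be checked. The sample .docx files are built in-memory with the standard zipfile module, the .doc is a constructed OLE2 signature plus padding, and the "unallocated space" filler is a constructed byte pattern that contains no signatures; all of those are assumptions made for the demonstration. The conf-line format (extension, y/n case flag, max size, header, optional footer, `\xNN` escapes) follows the scalpel.conf entries the post refers to.

```python
import io
import zipfile

OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc (OLE2 compound file) signature
ZIP_HEADER = b"PK\x03\x04"                        # .docx local-file header (as in the step 3 example)
ZIP_FOOTER = b"PK\x05\x06"                        # .docx end-of-central-directory signature
EOCD_TAIL = 18                                    # the EOCD record continues 18 bytes past its signature


def make_sample_docx(text, date_time):
    """Constructed sample: a real ZIP container holding the two entries a .docx starts with."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, body in (("[Content_Types].xml", "<Types/>"),
                           ("word/document.xml", "<w:document>%s</w:document>" % text)):
            # explicit timestamps stand in for the differing mtimes of real downloaded files
            z.writestr(zipfile.ZipInfo(name, date_time=date_time), body)
    return buf.getvalue()


def common_prefix(samples, limit=15):
    """Step 3: the leading bytes every sample shares, capped at 13-15 'sets of hex entries'."""
    prefix = samples[0][:limit]
    for s in samples[1:]:
        n = 0
        while n < min(len(prefix), len(s)) and prefix[n] == s[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def conf_escape(b):
    """Render bytes as scalpel.conf does: printable ASCII literal, everything else \\xNN.
    '?' is a wildcard in scalpel.conf and '\\' starts an escape, so both are escaped too."""
    return "".join(chr(c) if 0x21 <= c <= 0x7e and chr(c) not in "\\?" else "\\x%02x" % c
                   for c in b)


def conf_line(ext, max_size, header, footer=None):
    """Step 5: one scalpel.conf entry: extension, case-sensitive flag, max size, header [footer]."""
    parts = [ext, "y", str(max_size), conf_escape(header)]
    if footer:
        parts.append(conf_escape(footer))
    return "  ".join(parts)


def carve(image, header, footer=None, max_size=10_000_000, tail=0):
    """Header/footer carving in the scalpel style: returns [(offset, carved_bytes), ...].
    With no footer the carve is max_size bytes; with a footer it runs to the end of the footer
    plus `tail` extra bytes (assumption added here so a ZIP's full EOCD record is kept)."""
    out = []
    pos = image.find(header)
    while pos != -1:
        window = image[pos:pos + max_size]
        end = len(window)
        if footer is not None:
            f = window.find(footer, len(header))
            if f == -1:                       # no footer inside the window: skip this header
                pos = image.find(header, pos + 1)
                continue
            end = min(f + len(footer) + tail, len(window))
        out.append((pos, window[:end]))
        # resume after the carve; scalpel itself pairs every header hit with the next footer,
        # so a real run also emits nested fragments (one PK\x03\x04 per ZIP entry)
        pos = image.find(header, pos + end)
    return out


# Constructed image: filler (no signatures) + .doc stand-in + filler + two .docx + filler
FILLER = bytes(i % 251 for i in range(300))
SAMPLE_DOC = OLE_HEADER + b"\x00" * 120
SAMPLES_DOCX = [make_sample_docx("first memo", (2009, 3, 3, 18, 10, 0)),
                make_sample_docx("second memo", (2009, 3, 4, 9, 0, 0))]
IMAGE = FILLER + SAMPLE_DOC + FILLER + SAMPLES_DOCX[0] + FILLER + SAMPLES_DOCX[1] + FILLER


def run():
    derived = common_prefix(SAMPLES_DOCX)
    # only the first 4 bytes are the stable signature; version/flag/method/timestamp fields
    # following them vary between producers, so the conf entry keeps just the signature
    lines = [conf_line("doc", 10_000_000, OLE_HEADER),
             conf_line("docx", 10_000_000, derived[:4], ZIP_FOOTER)]
    docs = carve(IMAGE, OLE_HEADER, max_size=128)                      # no footer: fixed size
    docxs = carve(IMAGE, ZIP_HEADER, ZIP_FOOTER, tail=EOCD_TAIL)       # header + footer
    recovered = []
    for _offset, data in docxs:                                        # validate each carve
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            recovered.append(z.read("word/document.xml").decode())
    return derived, lines, docs, recovered


if __name__ == "__main__":
    derived, lines, docs, recovered = run()
    print("derived header:", derived.hex(" "))
    print("\n".join(lines))
    print("doc carves at:", [off for off, _ in docs])
    print("docx contents:", recovered)
```

Re-opening each carved .docx with zipfile is the check that matters after a real scalpel run: a carve that starts at a nested `PK\x03\x04` or stops at a truncated footer will not open, and that is how the false positives scalpel produces for container formats get weeded out before anything is reported.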

