Monday, January 18, 2016

Retrieving lost .jpg-files

Scalpel is file carving software that, in most Linux distributions, can be installed from the repositories via

sudo apt-get install scalpel

According to the standard definition of the .jpg format, these files may carry one of two different signatures, i.e. two different headers:

\xff\xd8\xff\xe0\x00\x10

And:

\xff\xd8\xf1\xe1


For both of the above header variants, each file ends with the same trailing footer:

\xff\xd9


Note that '\x' before each hexadecimal number is the standard marker for hexadecimal notation.

To be convinced of the above, just open any .jpeg file in a hex editor and observe the header and footer.

The above information is then used to write a custom scalpel configuration file, here called customscalpel.conf:

jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
jpg y 20000000 \xff\xd8\xf1\xe1 \xff\xd9


The configuration file thus tells scalpel to search the specified filesystem for .jpg files of up to 20 MB (20000000 bytes). The second row ensures that scalpel does not discard .jpeg files carrying the other allowed signature.
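To make the meaning of those two configuration rows concrete, here is an added worked example (my own Python, not scalpel's code) that parses the page's customscalpel.conf lines as written and performs the same header/footer carving over a small constructed disk image. The signatures are copied verbatim from the configuration above; the sample image, its filler bytes and the output naming scheme are constructed for illustration. The example also shows the edge case a practitioner hits in practice: a header with no footer within max_size is carved up to that size (or the end of the image), which is how scalpel treats such headers by default.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

# The page's customscalpel.conf, copied verbatim (signatures exactly as printed there).
CUSTOM_CONF = r"""
# ext  case_sensitive  max_size  header  footer
jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
jpg y 20000000 \xff\xd8\xf1\xe1 \xff\xd9
"""


@dataclass
class Rule:
    ext: str
    case_sensitive: bool   # parsed for completeness; only matters for text signatures
    max_size: int          # maximum number of bytes carved per hit
    header: bytes
    footer: bytes          # b"" when a rule has no footer


def decode_sig(text: str) -> bytes:
    """Decode a scalpel signature: every \\xHH escape becomes one byte, other characters stay literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and text[i + 1:i + 2] == "x" and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_conf(conf: str) -> list[Rule]:
    """Parse scalpel-style rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        ext, case, size, header = fields[:4]
        footer = fields[4] if len(fields) > 4 else ""
        rules.append(Rule(ext, case == "y", int(size), decode_sig(header), decode_sig(footer)))
    return rules


def carve(image: bytes, rules: list[Rule]) -> list[tuple[str, int, bytes]]:
    """Header/footer carving over a raw image. Returns (ext, offset, data) for every header hit.

    For each header occurrence the footer is searched only inside the window
    [header, header + max_size]; if it is absent, the hit is carved at max_size
    (or at the end of the image). Overlapping candidates are kept, as scalpel does.
    """
    hits = []
    for rule in rules:
        pos = image.find(rule.header)
        while pos != -1:
            limit = min(pos + rule.max_size, len(image))
            end = limit
            if rule.footer:
                # bytes.find with an end bound only matches a footer that fits entirely in the window
                f = image.find(rule.footer, pos + len(rule.header), limit)
                if f != -1:
                    end = f + len(rule.footer)
            hits.append((rule.ext, pos, image[pos:end]))
            pos = image.find(rule.header, pos + 1)
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_image() -> bytes:
    """Constructed image: two complete JPEG-like blobs plus one whose footer is missing (truncated at the end)."""
    h1, foot = decode_sig(r"\xff\xd8\xff\xe0\x00\x10"), decode_sig(r"\xff\xd9")
    return (b"\x00" * 64                       # unrelated filler
            + h1 + b"A" * 100 + foot            # complete file at offset 64
            + b"\x11" * 32
            + h1 + b"B" * 40 + foot             # complete file at offset 204
            + b"\x22" * 16
            + h1 + b"C" * 30)                   # header without footer at offset 268


def write_carved(hits: list[tuple[str, int, bytes]], outdir: Path) -> list[Path]:
    """Write each hit as NNNNNNNN.ext (a hypothetical naming scheme resembling scalpel's)."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (ext, _offset, data) in enumerate(hits):
        p = outdir / f"{i:08d}.{ext}"
        p.write_bytes(data)
        paths.append(p)
    return paths


if __name__ == "__main__":
    rules = parse_conf(CUSTOM_CONF)
    hits = carve(build_sample_image(), rules)
    for ext, off, data in hits:
        print(f"{ext} at offset {off}: {len(data)} bytes, footer present: {data.endswith(rules[0].footer)}")
    print(write_carved(hits, Path(tempfile.mkdtemp()) / "carved"))
```

Run as a script it reports three hits: the two complete files end with \xff\xd9, and the third is carved to the end of the image because no footer follows its header. The same windowing rule is why the max_size field matters on a real drive: a larger value makes scalpel tolerate bigger pictures but also produces larger junk files for every stray header that has no footer.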

If the target drive to be examined with scalpel is /dev/sda, then scalpel is launched via

sudo scalpel -c customscalpel.conf -o someoutfilename /dev/sda


Here the -o flag sets the output directory where scalpel collects the carved files.

Note that upon installing scalpel a standard configuration file, scalpel.conf, is automatically placed in

/etc/scalpel


To use it, just open the config file in a text editor and remove the '#' sign in front of the relevant file formats.

However, many formats are not present in the default installed configuration file.