I need to do some intense data recovery on a disk image of my iPhone. Due to the complex way this was extracted from the phone the image cannot mounted as normal. I did manage to get it mounted to the point where it could be read by photorec. Some of the files I wanted were recovered but not all. I was recommended scalpel and I've managed to get it running but an error keeps coming up on the second data pass. It makes no sense to me. I have plenty of disk space available. Anyone know what's going on? Here is the process in Terminal: Last login: Thu Jan 13 18:30:52 on ttys000 macbook:~ Tim$ cd /Users/Tim/scalpel macbook:scalpel Tim$ /Users/Tim/iphone.img -bash: /Users/Tim/iphone.img: Permission denied macbook:scalpel Tim$ scalpel /Users/Tim/iphone.img -bash: scalpel: command not found macbook:scalpel Tim$ /Users/Tim/scalpel/scalpel Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. ERROR: Couldn't open configuration file: /Users/Tim/scalpel/scalpel.conf -- No such file or directory macbook:scalpel Tim$ /Users/Tim/scalpel/scalpel Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Carves files from a disk image based on file headers and footers. Usage: scalpel [-b] [-c <config file>] [-d] [-h|V] [-i <file>] [-m blocksize] [-n] [-o <outputdir>] [-O num] [-q clustersize] [-r] [-s num] [-t <blockmap file>] [-u] [-v] <imgfile> [<imgfile>] ... -b Carve files even if defined footers aren't discovered within maximum carve size for file type [foremost 0.69 compat mode]. -c Choose configuration file. -d Generate header/footer database; will bypass certain optimizations and discover all footers, so performance suffers. Doesn't affect the set of files carved. **EXPERIMENTAL** -h Print this help message and exit. -i Read names of disk images from specified file. -m Generate/update carve coverage blockmap file. The first 32bit unsigned int in the file identifies the block size. Thereafter each 32bit unsigned int entry in the blockmap file corresponds to one block in the image file. Each entry counts how many carved files contain this block. Requires more memory and disk. **EXPERIMENTAL** -n Don't add extensions to extracted files. -o Set output directory for carved files. -O Don't organize carved files by type. Default is to organize carved files into subdirectories. -p Perform image file preview; audit log indicates which files would have been carved, but no files are actually carved. -q Carve only when header is cluster-aligned. -r Find only first of overlapping headers/footers [foremost 0.69 compat mode]. -s Skip n bytes in each disk image before carving. -t Set directory for coverage blockmap. **EXPERIMENTAL** -u Use carve coverage blockmap when carving. Carve only sections of the image whose entries in the blockmap are 0. These areas are treated as contiguous regions. **EXPERIMENTAL** -V Print copyright information and exit. -v Verbose mode. ERROR: No image files specified. Scalpel is done, files carved = 0, elapsed = 0 seconds. macbook:scalpel Tim$ /Users/Tim/scalpel/scalpel /Users/Tim/iphone.img Scalpel version 1.60 Written by Golden G. Richard III, based on Foremost 0.69. Opening target "/Users/Tim/iphone.img" Image file pass 1/2. /Users/Tim/iphone.img: 100.0% |*************************| 7.6 GB 00:00 ETAAllocating work queues... Work queues allocation complete. Building carve lists... Carve lists built. Workload: art with header "\x4a\x47\x04\x0e" and footer "\xcf\xc7\xcb" --> 0 files art with header "\x4a\x47\x03\x0e" and footer "\xd0\xcb\x00\x00" --> 0 files gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 10 files gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 205 files jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 7584 files png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 1322 files bmp with header "\x42\x4d\x3f\x3f\x00\x00\x00" and footer "" --> 123 files tif with header "\x49\x49\x2a\x00" and footer "" --> 65 files tif with header "\x4d\x4d\x00\x2a" and footer "" --> 463 files avi with header "\x52\x49\x46\x46\x3f\x3f\x3f\x3f\x41\x56\x49" and footer "" --> 0 files mov with header "\x3f\x3f\x3f\x3f\x6d\x6f\x6f\x76" and footer "" --> 135 files mov with header "\x3f\x3f\x3f\x3f\x6d\x64\x61\x74" and footer "" --> 237 files mov with header "\x3f\x3f\x3f\x3f\x77\x69\x64\x65\x76" and footer "" --> 0 files mov with header "\x3f\x3f\x3f\x3f\x73\x6b\x69\x70" and footer "" --> 63557 files mov with header "\x3f\x3f\x3f\x3f\x66\x72\x65\x65" and footer "" --> 11706 files mov with header "\x3f\x3f\x3f\x3f\x69\x64\x73\x63" and footer "" --> 43 files mov with header "\x3f\x3f\x3f\x3f\x70\x63\x6b\x67" and footer "" --> 2 files mpg with header "\x00\x00\x01\xba" and footer "\x00\x00\x01\xb9" --> 1562 files mpg with header "\x00\x00\x01\xb3" and footer "\x00\x00\x01\xb7" --> 1303 files fws with header "\x46\x57\x53" and footer "" --> 583 files Carving files from image. Image file pass 2/2. /Users/Tim/iphone.img: 0.3% | | 20.0 MB 01:51 ETAError opening file: /Users/Tim/scalpel/scalpel-output/mov-13-0/00010152.mov -- Too many open files Scalpel was unable to write output files and will abort. This error generally indicates that disk space is exhausted. macbook:scalpel Tim$
I figured it out in the end. Needed to run in Sudo and set resources to unlimited. Didn't get the data I was looking for though :-(
