
I am trying to learn something about computer security, and I decided to start from the Linux world, using a Raspberry Pi 3 with Raspbian Jessie OS. I would like to start with forensics file management, and I did a test on data recovery. I took an empty FAT USB stick, copied 5 images (jpg and png) to it and deleted 4 of them. I inserted the USB stick in the Raspberry, which reads it as dev/sda1 (the mount is on media/usb0). With dd I made 2 images of the stick, one .raw and one .img, and copied them to the desktop. Then I tried to recover data both from dev/sda1 and from the images into a Desktop/recover folder with the Foremost and Scalpel commands, but I didn't get the result I expected. Here are the details:

Foremost: I have tried several commands including

sudo foremost -v -o /path/to/recover -i path/to/image

Sometimes in the recover folder it created an audit.txt file and then another file with a text file icon that is in reality a folder, inside which there once were .jpg files, but they could not be opened in any way (which I know). Another time it recovered the file (1 out of 5) which I had not deleted and 1 .png which I had deleted. In short, every time it gives me a different result.

Scalpel: I tried the commands

sudo scalpel  /path/to/image -o path/to/recover

No result. When I launch it, only this writing appears:

Scalpel version 1.60 Written by Golden G. Richard III, based on foremost o.69.

It doesn't seem to work at all; it only prints info about the version.

Can anyone tell me where I am wrong and help me correct the error?

Thanks

onec0de
  • Have you looked at your syntax for scalpel and swapped the order? – schroeder Nov 24 '20 at 14:31
  • Yes, I did it in many ways. I've tried almost 10 different attempts, following several different tutorials found on the web, also for foremost, but there ain't no way to do it. Any alternatives? – onec0de Nov 25 '20 at 08:27
