I'm fairly inexperienced in forensics and am trying to learn file carving. I've used scalpel to carve out .doc, .xls, .ppt, etc from an image of a 16G usb drive image. But I'm having issues reliably finding straight ASCII text files.

I'm curious if anyone has an easier way to restore text files from a drive image. I'm looking for straight ASCII text files, so there's no magic number associated with the file. So far, the best I've been able to come up with is to do a 'strings' on the image and grep for what I'm looking for.

While I was playing around, I decided to approach this as though I didn't know what I was looking for, though. The best I could come up with was to filter out some of the garbage in the strings output with a sed statement as such:

strings file1 | sed -n '/^.\{15\}/p' > file2

Of course, you can set the threshold to something larger than 15 to get rid of more garbage, but you'd possibly be ignoring some smaller txt files.

Any thoughts? Thanks!

Thanks for the response Ketchup. I'd love to play with enCase, but alas, I don't have the money or really the need...