Scalpel 1.54 vs. Foremost 1.1
On Feb. 13th Scalpel v1.54 and Foremost v.1.1 were released to the public. Both are file carvers, so why not let them compete against each other?
(Dieser Beitrag ist auch auf Deutsch verfügbar.)
Good old Foremost v0.69 will provide the reference for the benchmark. I use a version packaged for Fedora Code by Dag Wieers. Scalpel and Foremost are compiled from the sources. Both compile out of the box: configure, make, done!
The challenge is set to carve Word DOC files from an image of about 590 MB. Because Scalpel has been derived from Foremost it reads the same configuration file. The computer used for the benachmarks provides about 500 MB free RAM for the apps, a P4 CPU in hyperthreading mode and a Linux 2.6.10 SMP kernel. Of course I don't run any other resource-intensive services during the tests.
Each program has to complete a dry-run to check settings and to let the file cache organize itself. This is immediately followed by three runs timed by time(1). The mean execution time is calculated and expressed in terms of the time needed by Foremost v0.69. Hence a smaller number indicates a faster execution. I don't measure the amount of memory allocated during the run.
| Scalpel 1.54 | Foremost 0.69 | Foremost 1.1 | |
|---|---|---|---|
| real | 0,506 | 1 | 0,649 |
| user | 0,391 | 1 | 0,392 |
| sys | 0,151 | 1 | 0,143 |
I calculate MD5 checksums for all extracted files and compare the sets. All programs produce the same set of files.
Both programs, Scalpel v.154 and Foremost 1.1 execute significantly faster than Foremost v.069. Scalpel performs slightly better than the up-to-date version of Foremost. Both programs provide a slightly different set of options, though. The decision which one to use in the lab will finally depend on the task to accomplish.
