The Sleuth Kit Part 5 – Recover files with tsk_recover and icat

Welcome to Part 5. Here I will quickly go over recovering some files with tsk_recover and icat.

I first needed a "clean" image to work with. I figured that reusing an old USB thumb drive would provide too many results and be a bit messy for a demo, so I decided to create a simple image using the dd command [1] on my SIFT workstation.

Here is how I created it:

[screenshot: dd command creating part5.img]

So now that we have a part5.img created, let's prep it.

As you can see, I ran fls against the image file and it came back with an error, basically saying that when we specified the "-f fat" parameter it couldn't find anything within the image that agreed with us. I did this on purpose. I didn't expect it to work, because I wanted to show you the flow to make things work. So now we need to create a file system for our image. I did this with mkfs.vfat, which creates a FAT file system on our image. You can find more information about mkfs here. [2]

Then I proceeded to run the same fls command as before, and as you can see we now have a proper image that we can proceed with and mount.

[screenshot: fls error with -f fat, then mkfs.vfat, then fls succeeding]

So here we are simply mounting our image so I can copy an image file over to it.

[screenshot: mounting part5.img]

So here I simply copied over a Zeus_Malfind.png screenshot that I had taken when analyzing Zeus during my Zeus v2 Malware Analysis Part I.

[screenshot: copying Zeus_Malfind.png onto the mounted image]

Real quick, I ran fls against our part5.img file with the -d parameter, which tells it to show me only deleted files.

As you can see here, Zeus_Malfind.png is coming back as deleted, depicted by the *.

[screenshot: fls -d output showing Zeus_Malfind.png marked with *]

I went ahead and unmounted the mount point.

[screenshot: umount, tsk_recover -e, and ls of Desktop/part5_out]

As you can see, I also issued the tsk_recover command. The -e parameter tells it to recover all files it can find. You can also specify -a, which will only recover allocated files.

Then I issued the ls command so you can see that our file was indeed recovered and put into Desktop/part5_out.

Here is a visual of the picture as well:

[screenshot: the recovered Zeus_Malfind.png]

And there we go... Zeus_Malfind.png is recovered by way of tsk_recover.

Let's look at another way by using icat.

Another way to extract this file would have been to use icat with the -r parameter, which tells it to recover.

I've gone ahead and added two more files to the image we created earlier. Zeus_Malfind.png is still on the image, but it's still deleted, so you don't see it here.

[screenshot: two more image files added to the mounted image]

Let's run fls against it now and check it out. You can see here that we have 3 deleted image files: two .JPG and one .PNG. I know that the two JPGs are the most recent additions and the .PNG is the Zeus_Malfind image from before. I know this because I put them there. This wouldn't be so easy if you were looking at a large hard drive.

[screenshot: fls output listing the three deleted image files]

Let's attempt to use icat and recover one of the deleted files.

So we issued the icat -r (recover) command and also specified "3", which is the inode we obtained from running the fls command against our image.

I also ran md5sum against the original image file and the recovered 3.jpg so you can see that they match.

[screenshot: icat -r and md5sum output]

I've also included a visual of the output here:

[screenshot: the recovered 3.jpg]
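To tie the steps above together, here is the whole Part 5 workflow as one script: create the blank image, put a FAT file system on it, plant and delete a file, list the deleted entry with fls -d, recover with tsk_recover -e and with icat -r, and verify the icat copy against the original with md5sum. This is an added example, not the post's own commands or screenshots. It assumes The Sleuth Kit (fls, tsk_recover, icat), dosfstools (mkfs.vfat), GNU coreutils and sudo rights for the loop mount; the image name, mount point, output directory and image size are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes: sleuthkit (fls, tsk_recover,
# icat), dosfstools (mkfs.vfat), GNU coreutils, and sudo for the loop mount.
set -eu

IMG="${IMG:-part5.img}"       # image file to create (assumed name, as in the post)
MNT="${MNT:-/tmp/part5_mnt}"  # temporary mount point (assumed)
OUT="${OUT:-part5_out}"       # tsk_recover output directory (assumed)

# Compare two files by MD5; returns 0 when identical, 1 otherwise.
verify_md5() {
    sum_a=$(md5sum "$1" | cut -d' ' -f1)
    sum_b=$(md5sum "$2" | cut -d' ' -f1)
    [ "$sum_a" = "$sum_b" ]
}

# Step 1: blank 16 MiB image plus a FAT file system, so "fls -f fat" stops complaining.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1M count=16 status=none
    mkfs.vfat "$IMG" >/dev/null
}

# Step 2: mount, copy the sample file in, delete it, unmount. FAT deletion only marks the
# directory entry (first name byte set to 0xE5) and frees its clusters; the data stays.
plant_and_delete() {
    mkdir -p "$MNT"
    sudo mount -o loop "$IMG" "$MNT"
    sudo cp "$1" "$MNT/"
    sudo rm "$MNT/$(basename "$1")"
    sudo umount "$MNT"
}

# Step 3: list only deleted entries (-d); fls prefixes them with '*'.
list_deleted() {
    fls -f fat -d "$IMG"
}

# Step 4a: tsk_recover -e recovers allocated and unallocated files into $OUT
# (-a would recover allocated only; the default is unallocated only).
recover_all() {
    mkdir -p "$OUT"
    tsk_recover -e "$IMG" "$OUT"
}

# Step 4b: icat -r recovers one deleted file by its metadata address (the "inode" from fls).
recover_one() {
    icat -r "$IMG" "$1" > "$2"
}

# Pull the metadata address of the first deleted entry from fls output.
# A line looks like "r/r * 3:<TAB>file.jpg"; field 3 is "3:", so strip from the first
# non-digit onward (this also handles a "3(realloc):" form).
first_deleted_inode() {
    list_deleted | awk '$2 == "*" { sub(/[^0-9].*$/, "", $3); print $3; exit }'
}

main() {
    sample="$1"
    make_image
    plant_and_delete "$sample"
    list_deleted
    recover_all
    inode=$(first_deleted_inode)
    recover_one "$inode" "$OUT/recovered_$inode"
    if verify_md5 "$sample" "$OUT/recovered_$inode"; then
        echo "MD5 match: $sample recovered intact as $OUT/recovered_$inode"
    else
        echo "MD5 mismatch: recovered file differs from the original" >&2
        return 1
    fi
}

# Run the full workflow only when a sample file is given, e.g.:
#   ./part5_demo.sh Zeus_Malfind.png
if [ $# -ge 1 ]; then
    main "$1"
fi
```

The md5sum check at the end is the part worth keeping in any recovery procedure: a recovered file whose clusters were partially reused will still come out of icat -r at the original size, so only a hash comparison against a known-good copy tells you the content is intact.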

So as you can see there are a couple ways to recover deleted files from images by way of TSK. We covered tsk_recover and icat here. I'm sure there are other ways too.

Now you might be wondering why I don't just go ahead and use Scalpel. Well, this is a TSK series. Not a scalpel series ;)

No, in all seriousness, that's why I used it. I typically use Scalpel, but I wanted to focus on TSK and use only TSK tools. I also couldn't find much online in the way of Scalpel vs. tsk_recover/icat.

I guess the one thing I see is that with Scalpel I can specify what I want extracted instead of getting everything. If I want a movie file, I can ignore all other files and only extract movies. I guess maybe that in itself could be the main deciding difference between them. If anyone else knows some differences, please share in the comments so everyone can benefit.