File Recovery and Data Carving using Foremost

Foremost is a simple and effective CLI tool that recovers files by reading the headers and footers of the files. You can start Foremost by clicking on:

 Applications | 11-Forensics | foremost

 

Once Foremost is successfully started, a Terminal opens, displaying the program version, creators, and some of the many switches that can be used:

 

To have a better understanding of Foremost and the switches used, try browsing the Foremost System Manager’s Manual. This can be done by entering the following command:

 

man foremost

 

The syntax for using Foremost is as follows:

foremost -i (forensic image) -o (output folder) -options

In this example, the 11-carve-fat.dd file located on the desktop is specified as the input file (-i) and an empty folder named Foremost_recovery is specified as the output file (-o). Additionally, other switches can also be specified as needed.

To begin carving the 11-carve-fat.dd image with Foremost, type the following command in the Terminal:

foremost -i 11-carve-fat.dd -o Foremost_recovery

Although the characters found look quite unclear while processing, the results will be clearly categorized and summarized in the specified output folder. It is important that the specified output folder be empty or you will encounter problems, as shown in the following screenshot:

 

Viewing Foremost results

Once Foremost has completed the carving process, you can proceed to the Foremost_recovery output folder:

 

If you open the output directory, you can see the carved items, categorized by file type, along with an audit.txt folder, which contains details of the findings:

In the audit.txt file, you can see a list of the items found by Foremost, along with their Size and File Offset location:

When scrolling down on the audit.txt file, you should see a summary of the files found, which is particularly useful when carving larger images:

The first three files listed in the audit.txt files are .jpg image files, and you can see these files in the jpg sub-folder within the Foremost_recovery output folder:

As you can see, Foremost is quite a powerful data recovery and file carving tool. File carving can take very long, depending on the size of the drive or image used. If the type of the file that needs to be recovered is already known, it is wise to specify this file type using the -t option to reduce time taken.

 

More About This Topic

If you want to know more about this topic I have a recommendation for you, the book Name is Digital Forensics with Kali Linux. The book is written by Shiva V.N. Parasram, an IT and cybersecurity professional  and in fact he’s a major contributor to this article as well.

 

It's only fair to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn