Foremost is a simple and effective CLI tool that recovers files by scanning a drive or image for the header and footer byte signatures of known file types (file carving). You can start Foremost by clicking on:

Applications > Forensics > foremost

[Screenshot: Kali Applications menu]

Once Foremost has started, a Terminal opens displaying the program version and some of the many switches that can be used:

[Screenshot: Foremost options]

To better understand Foremost and its switches, browse the Foremost manual page by entering the following command:

man foremost

[Screenshot: Foremost man page]

The syntax for using Foremost is as follows:

foremost -i (forensic image) -o (output folder) -options

In this example, the 11-carve-fat.dd file located on the desktop is specified as the input file (-i), and an empty folder named Foremost_recovery is specified as the output folder (-o). Other switches can be added as needed.

To begin carving the 11-carve-fat.dd image with Foremost, type the following command in the Terminal:

foremost -i 11-carve-fat.dd -o Foremost_recovery

[Screenshot: Foremost running]

The raw output printed while Foremost runs is hard to read, but the results are clearly categorized and summarized in the specified output folder. The output folder must be empty, or you will encounter an error, as shown in the following screenshot:

[Screenshot: Foremost progress output]

Viewing Foremost results

Once Foremost has completed the carving process, you can proceed to the Foremost_recovery output folder:

[Screenshot: Foremost_recovery output folder]

If you open the output directory, you can see the carved items, categorized by file type, along with an audit.txt file, which contains details of the findings:

[Screenshot: output directory contents by file type]

In the audit.txt file, you can see a list of the items found by Foremost, along with their Size and File Offset location:

[Screenshot: audit.txt file listing]

When scrolling down on the audit.txt file, you should see a summary of the files found, which is particularly useful when carving larger images:

[Screenshot: audit.txt summary]

The first three files listed in the audit.txt file are .jpg image files, and you can see these files in the jpg sub-folder within the Foremost_recovery output folder:

[Screenshot: carved jpg files]

As you can see, Foremost is quite a powerful recovery and file carving tool. File carving can take a very long time, depending on the size of the drive or image used. If the type of file that needs to be recovered is already known, it is wise to specify that file type with the -t option to reduce the time taken.
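To make the header/footer carving described above concrete, here is an added Python illustration (not Foremost's own code, and not part of the original article). It scans a raw image for the JPEG and PNG header and footer signatures, writes each hit into a per-type sub-folder together with an audit.txt listing size and offset (mirroring the Foremost output layout shown above), refuses a non-empty output folder as Foremost does, and accepts a list of wanted types the way -t narrows a run. The signatures are the real JPEG and PNG magic values; the disk image it scans, the file naming and the audit.txt columns are constructed for this demo.

```python
"""Minimal header/footer file carver, modelled on how Foremost works.

Constructed example: builds a tiny raw "disk image" in memory containing
two JPEG-like files and one PNG-like file amid filler bytes, then carves
them out by scanning for known header/footer byte sequences, writes each
hit into a per-type sub-folder, and records offset and size in audit.txt.
"""
import os
import tempfile
from pathlib import Path

# Header/footer signatures (real magic values).
# JPEG: SOI marker ... EOI marker; PNG: 8-byte signature ... IEND chunk + its CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # do not look for a footer beyond this span


def carve(image: bytes, types=None):
    """Return (type, offset, size, data) tuples for every carved file.

    For each wanted type, every header occurrence is paired with the first
    footer that follows it; a header with no footer in range is skipped.
    `types` plays the role of Foremost's -t (None means all known types).
    """
    wanted = types or list(SIGNATURES)
    hits = []
    for ftype in wanted:
        header, footer = SIGNATURES[ftype]
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_FILE_SIZE)
            if end == -1:
                pos = image.find(header, pos + 1)  # no footer: try the next header
                continue
            end += len(footer)
            hits.append((ftype, pos, end - pos, image[pos:end]))
            pos = image.find(header, end)
    hits.sort(key=lambda h: h[1])  # order by offset, as a disk scan would
    return hits


def write_results(hits, out_dir):
    """Write carved files into <out_dir>/<type>/ plus an audit.txt.

    Refuses to run if out_dir exists and is not empty, which is the error
    condition the article warns about. Returns the audit lines.
    """
    out = Path(out_dir)
    if out.exists() and any(out.iterdir()):
        raise FileExistsError(f"output folder {out} is not empty")
    out.mkdir(parents=True, exist_ok=True)
    lines = ["Num\tName\tSize\tFile Offset"]  # constructed column layout
    for num, (ftype, offset, size, data) in enumerate(hits):
        sub = out / ftype
        sub.mkdir(exist_ok=True)
        name = f"{num:08d}.{ftype}"  # constructed naming scheme
        (sub / name).write_bytes(data)
        lines.append(f"{num}\t{name}\t{size}\t{offset}")
    (out / "audit.txt").write_text("\n".join(lines) + "\n")
    return lines


def build_sample_image():
    """Constructed raw image: zero filler with three small files embedded."""
    jpg1 = b"\xff\xd8\xff\xe0" + b"JFIF-one" * 4 + b"\xff\xd9"          # 38 bytes at 64
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-data" * 3 + b"IEND\xaeB`\x82"   # 43 bytes at 166
    jpg2 = b"\xff\xd8\xff\xe1" + b"Exif-two" * 5 + b"\xff\xd9"          # 46 bytes at 273
    filler = b"\x00" * 64
    return filler + jpg1 + filler + png + filler + jpg2 + filler


def run_demo():
    """Carve the constructed image into a temporary folder; return audit lines."""
    hits = carve(build_sample_image())
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "Foremost_recovery")
        lines = write_results(hits, out_dir)
        try:  # a second run into the now non-empty folder must be refused
            write_results(hits, out_dir)
            raise AssertionError("non-empty output folder was not rejected")
        except FileExistsError:
            pass
        for line in lines:
            print(line)
    return lines


if __name__ == "__main__":
    run_demo()
```

Running the script prints the audit lines with each carved file's size and offset. The pairing rule (first footer after a header) is the same simplification real carvers start from, and it is also why a JPEG containing an embedded thumbnail can be carved short; Foremost's audit.txt offsets are the place to check such results against the original image.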


If you want to know more about this topic, I have a recommendation for you: the book Digital Forensics with Kali Linux. The book is written by Shiva V.N. Parasram, an IT and cybersecurity professional, and in fact he is a major contributor to this article as well.
