Recover files based on their headers
Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive.
The headers and footers can be specified by a configuration file, or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.
Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research, foremost has been opened to the general public.
foremost can be used as follows to try to recover JPEG files from a partition (here /dev/hda2):
foremost -t jpeg -i /dev/hda2
Package description and installed files on Fedora:

foremost.i686 : Recover files by "carving" them from a raw disk

[root@fedora ~]# yum install foremost
[root@fedora ~]# rpm -ql foremost
/etc/foremost.conf
/usr/bin/foremost
/usr/share/doc/foremost-1.5.7
/usr/share/doc/foremost-1.5.7/CHANGES
/usr/share/doc/foremost-1.5.7/README
/usr/share/man/man8/foremost.8.gz
[root@fedora ~]#

From the man page:

NAME
foremost - Recover files using their headers, footers, and data structures

SYNOPSIS
foremost [-h] [-V] [-d] [-vqwQT] [-b <blocksize>] [-o <dir>] [-t <type>] [-s <num>] [-i <file>]

BUILTIN FORMATS
Recover files from a disk image based on file types specified by the user using the -t switch.

EXAMPLES
Search for jpeg format skipping the first 100 blocks
foremost -s 100 -t jpg -i image.dd

Only generate an audit file, and print to the screen (verbose mode)
foremost -av image.dd

Search all defined types
foremost -t all -i image.dd

Search for gif and pdf's
foremost -t gif,pdf -i image.dd

Search for office documents and jpeg files in a Unix file system in verbose mode.
foremost -vd -t ole,jpeg -i image.dd

Run the default case
foremost image.dd

Example on my desktop:

[root@fedora downloads]# foremost -t zip -i /dev/sda2
[root@fedora downloads]# cd output/
[root@fedora output]# ls -ltr
total 16
drwxr-xr-- 2 root root 4096 Feb 18 13:44 zip
drwxr-xr-- 2 root root 4096 Feb 18 13:44 docx
-rw-r--r-- 1 root root 4581 Feb 18 13:44 audit.txt
[root@fedora output]#
[root@fedora output]# tail audit.txt
84: 03436672.zip 9 KB 1759576064
85: 03506560.docx 15 KB 1795358720
Finish: Mon Feb 18 13:44:49 2013
86 FILES EXTRACTED
zip:= 86
------------------------------------------------------------------
Foremost finished at Mon Feb 18 13:44:49 2013
[root@fedora output]#
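To show what header/footer carving actually does, here is a small carver written for this page (an added example, not Foremost's own code). It takes rules in the spirit of a foremost.conf line (extension, header signature, footer signature, maximum size), scans a disk image for every header, cuts at the first footer found within the size limit (carving the maximum size when no footer turns up), and names each hit by its 512-byte sector offset, which is the convention visible in the audit.txt listing above (1759576064 / 512 = 3436672). The rule table, the sample files and the disk image are all constructed for the example; the output directory layout (one subdirectory per type plus an audit list) mirrors the ls output above.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CarveRule:
    """One carving rule, in the spirit of a foremost.conf line (constructed)."""
    ext: str                 # extension given to carved files
    header: bytes            # byte signature that starts the file
    footer: Optional[bytes]  # byte signature that ends it (None: fixed-size carve)
    max_size: int            # never carve more than this many bytes per hit


@dataclass(frozen=True)
class CarvedFile:
    ext: str
    offset: int   # byte offset of the header inside the image
    data: bytes

    @property
    def name(self) -> str:
        # Foremost names hits by 512-byte sector offset, as in "03436672.zip" above.
        return f"{self.offset // 512:08d}.{self.ext}"


# Constructed rule table: well-known signatures, sizes chosen for the example.
RULES = [
    CarveRule("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    CarveRule("gif", b"GIF8", b"\x00\x3b", 5_000_000),
    CarveRule("pdf", b"%PDF-", b"%%EOF", 5_000_000),
]


def carve(image: bytes, rules: List[CarveRule] = RULES) -> List[CarvedFile]:
    """Scan the image for every header; cut at the first footer within max_size,
    or take max_size bytes when no footer is found. Hits are sorted by offset."""
    hits: List[CarvedFile] = []
    for rule in rules:
        pos = 0
        while (h := image.find(rule.header, pos)) != -1:
            window_end = min(len(image), h + rule.max_size)
            end = window_end
            if rule.footer is not None:
                # Footer must lie entirely inside the size window.
                f = image.find(rule.footer, h + len(rule.header), window_end)
                if f != -1:
                    end = f + len(rule.footer)
            hits.append(CarvedFile(rule.ext, h, image[h:end]))
            pos = end  # resume after this hit; a header inside it is not re-carved
    return sorted(hits, key=lambda c: c.offset)


def audit_lines(hits: List[CarvedFile]) -> List[str]:
    """Audit list in the style of audit.txt: index, name, size, byte offset."""
    return [f"{i}: {c.name} {len(c.data)} B {c.offset}" for i, c in enumerate(hits)]


def write_carved(hits: List[CarvedFile], outdir: str) -> None:
    """Write hits to <outdir>/<ext>/<name> plus <outdir>/audit.txt."""
    for c in hits:
        os.makedirs(os.path.join(outdir, c.ext), exist_ok=True)
        with open(os.path.join(outdir, c.ext, c.name), "wb") as fh:
            fh.write(c.data)
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(audit_lines(hits)) + "\n")


# Constructed disk image: three minimal files separated by zero-filled slack.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 50 + b"\xff\xd9"
GIF_SAMPLE = b"GIF89a" + b"\x42" * 40 + b"\x00\x3b"
PDF_SAMPLE = b"%PDF-1.4\n" + b"\x43" * 30 + b"\n%%EOF"
SLACK = b"\x00" * 600
DISK_IMAGE = SLACK + JPEG_SAMPLE + SLACK + GIF_SAMPLE + SLACK + PDF_SAMPLE + SLACK


if __name__ == "__main__":
    for line in audit_lines(carve(DISK_IMAGE)):
        print(line)
    write_carved(carve(DISK_IMAGE), "output")
```

The caveat this exposes is the one the page hints at with its built-in formats: a plain footer search stops at the first matching bytes, so a JPEG that carries an EXIF thumbnail (itself a JPEG with its own FF D9 end marker) would be truncated at the thumbnail, and a format with no fixed footer can only be cut at max_size. Foremost's built-in types avoid both problems by walking the file format's internal structures instead of trusting the footer alone.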
Original Code written by Special Agent Kris Kendall and Special Agent Jesse Kornblum of the United States Air Force Office of Special Investigations.