Foremost is a Linux based tool for recovering deleted files

Foremost is a Linux-based program for recovering deleted files by file carving. It uses a configuration file (foremost.conf) to specify the headers and footers to search for, so a file whose directory entry is gone can still be recovered as long as its data blocks have not been overwritten. Intended to be run on disk images, foremost can search through almost any kind of data without worrying about the format: it reads raw bytes, so the input can be an image file, a raw device or unallocated space, regardless of the filesystem on it.
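To make concrete what that header/footer search does, here is an added example in Python; it is not foremost's own code. It uses a constructed signature table holding the real JPEG and PNG magic values, scans a constructed in-memory "disk image" for them without consulting any filesystem, and writes the carved files plus an audit-style summary the way foremost's -o directory and audit.txt look. The signature table, the sample image, the byte-offset file names and the audit layout are assumptions for this example; the real tool is driven by foremost.conf and its built-in types.

```python
"""Header/footer file carving in the style of foremost (added example)."""
import hashlib
import os

# Signature table modelled on foremost.conf entries: extension, header,
# footer, and the maximum size to carve when no footer is found. The JPEG
# and PNG magic values are real; the table itself is constructed for this
# example and is not foremost's own configuration file.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for every header and carve up to the matching footer.

    Like foremost, this ignores filesystem structure: the input can be a
    partition image, a raw device read, or unallocated space, and a deleted
    file is found as long as its blocks have not been overwritten. Each hit
    is a dict carrying what an audit line reports (name, offset, size) plus
    the carved bytes.
    """
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # No footer inside the size limit: carve the whole window and
                # flag it, the usual fallback when a footer is missing.
                data, truncated = image[start:window_end], True
            else:
                data, truncated = image[start:end + len(footer)], False
            found.append({
                # foremost names files by 512-byte block offset; the byte
                # offset is used here so it can be checked directly.
                "name": "%08d.%s" % (start, ext),
                "offset": start,
                "size": len(data),
                "truncated": truncated,
                "md5": hashlib.md5(data).hexdigest(),
                "data": data,
            })
            # Skip past the carved bytes so one file produces one hit.
            start = image.find(header, start + len(data))
    found.sort(key=lambda f: f["offset"])
    return found


def write_output(found, outdir):
    """Write carved files into outdir/<ext>/ and an audit.txt, like foremost -o."""
    os.makedirs(outdir, exist_ok=True)
    lines = ["File                 Offset      Size  MD5"]
    for f in found:
        ext = f["name"].rsplit(".", 1)[1]
        os.makedirs(os.path.join(outdir, ext), exist_ok=True)
        with open(os.path.join(outdir, ext, f["name"]), "wb") as fh:
            fh.write(f["data"])
        lines.append("%-20s %10d %9d  %s%s" % (
            f["name"], f["offset"], f["size"], f["md5"],
            " (no footer)" if f["truncated"] else ""))
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def build_sample_image():
    """Constructed 'disk image': filler with one JPEG and one PNG embedded.

    The filler bytes 0x01..0x7f never form either signature, so the only
    hits are the two planted files (JPEG at offset 1016, PNG at 2344).
    """
    filler = bytes(range(1, 128)) * 8                       # 1016 bytes
    jpeg = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF" + b"A" * 300 + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"B" * 200 + SIGNATURES["png"][1]
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for line in write_output(carve(build_sample_image()), "carve_output"):
        print(line)
```

Run as a script it creates carve_output/jpg/, carve_output/png/ and carve_output/audit.txt from the sample image. The point to take from it is the one the slides rely on: nothing in the carver looks at the filesystem, which is why foremost works the same on an NTFS partition, a raw dd image or a swap file, and also why it recovers fragments and false positives (a footer that is missing or that occurs early) rather than guaranteed-intact files.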

  1. Foremost is a Linux-based program for recovering deleted files by carving them out of raw data, using the headers and footers listed in its configuration file. It is intended to run on disk images and does not depend on the filesystem format. Below are the screenshots. Fig. Foremost help options
  2. Fig. Foremost manual page and the file types it can recover (the built-in types include jpg, gif, png, bmp, avi, exe, mpg, wav, pdf, doc, zip and rar; -t all selects every built-in type)
  3. Fig. Checking the HD partitions with fdisk -l
  4. Fig. Foremost usage. Usage: foremost -t [types of files to recover] -o [output dir] -i [input file (disk image or partition)]. For example, foremost -t jpg,png -o ntfsoutput -i /dev/sda1 carves JPG and PNG files from the partition into the directory ntfsoutput. The -i value can be a raw image file instead of a device, and the output directory must be empty or not exist yet. Reading the live device only reads it, but the safer forensic practice is to image the partition first (see the dcfldd slides below) and carve the image, so the original is touched once.
  5. Fig. The output directory "ntfsoutput" is created on the desktop
  6. Fig. Recovered JPG files from the HD partition /dev/sda1 (written to the jpg/ subdirectory of the output directory)
  7. Fig. Recovered PNG files from the HD partition /dev/sda1. Fig. audit.txt contains foremost's report: the command line and date, the input file and output directory, then one line per carved file with its name, offset in the input, size and type, and a count per type at the end
  8. DCFLDD. dcfldd is a tool designed to acquire images. It was written as an open-source computer-forensics replacement for dd that fixes some of dd's shortcomings. With the hashlog=FILE option, dcfldd hashes the data while it is being copied (MD5 by default; hashwindow=0, which is the default, hashes the whole stream as one unit rather than in chunks). This eliminates the extra step of running md5sum afterward over the bitstream copy and can save a lot of time, because hashing a whole drive with md5sum takes a while. Another feature of dcfldd is the status line, which shows how far the copy has progressed and therefore roughly how long it will take.
     # fdisk -l   (list the disks and partitions: /dev/sda1 is the HD partition to image, /dev/sdb1 is the external HD)
     # mkdir /mnt/pdrive   (make a directory under /mnt to mount the external HD on)
     # mount /dev/sdb1 /mnt/pdrive   (mount the external HD)
     # md5sum /dev/sda1 > /mnt/pdrive/md5hash1.txt   (take the hash value of sda1)
     Now acquire the image of the /dev/sda1 partition onto the external HD using dcfldd:
     # dcfldd if=/dev/sda1 of=/mnt/pdrive/image.dd hashlog=/mnt/pdrive/md5hash2.txt
     Above, if= is the input file, of= is the output file, and hashlog= is the file that receives the hash of the copied data, MD5 by default (hash=md5,sha256 computes both algorithms in the same pass). For both hashes to agree, /dev/sda1 must not change between the md5sum run and the dcfldd run: it must not be mounted read-write, and in a real acquisition it sits behind a write blocker. If the source has unreadable sectors, conv=noerror,sync continues past them and pads the image, and the two hashes will then differ for that reason.
  9. Fig. dcfldd acquires the image of /dev/sda1 onto the external HD at /mnt/pdrive. Now compare the two hash values in /mnt/pdrive: md5hash1.txt (md5sum over /dev/sda1) and md5hash2.txt (dcfldd's hashlog). The hex digests must be identical. Compare the digests, not the files byte for byte: md5sum writes "<digest>  /dev/sda1", while dcfldd's hashlog uses its own labelled line format. For a complete check also hash the image file itself (md5sum /mnt/pdrive/image.dd), since the hashlog covers what dcfldd read from the source, not what finally landed on the external HD.
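The two-step check on slides 8 and 9 (md5sum the source, then let dcfldd hash while it copies, then compare) is easiest to reason about in code. The following Python is an added example and not part of dcfldd: it copies a constructed stand-in for /dev/sda1 block by block while computing the digests, shows what hashwindow=N adds over the default hashwindow=0, and compares an md5sum-style line with a hashlog-style line by digest rather than by text. The sample data, the function names and the hashlog line layout used in digests_match are assumptions for the example.

```python
"""Imaging with hash-on-the-fly in the style of dcfldd (added example)."""
import hashlib
import io
import re

# Constructed stand-in for the bytes of /dev/sda1: 10240 bytes that are
# easy to reason about. A real run would read the device or a raw image.
SAMPLE_PARTITION = bytes(range(256)) * 40


def hash_bytes(data, algorithm="md5"):
    """Digest of a complete byte string (what md5sum /dev/sda1 computes)."""
    return hashlib.new(algorithm, data).hexdigest()


def acquire(src, dst, block_size=4096, algorithms=("md5", "sha256"), hashwindow=0):
    """Copy src to dst block by block, hashing the data as it passes through.

    Mirrors dcfldd if=... of=... hash=md5,sha256 hashlog=...:
      * every algorithm runs over the whole stream (the total in a hashlog),
        so no second pass with md5sum is needed;
      * hashwindow=0 (dcfldd's default) produces only that total;
      * hashwindow=N additionally records one digest per N bytes, so later
        corruption of the image can be localised to a window instead of
        only invalidating the whole file.
    Returns a dict with the byte count, the totals and the window digests.
    """
    totals = {a: hashlib.new(a) for a in algorithms}
    windows = []
    win = {a: hashlib.new(a) for a in algorithms}
    win_start = pos = 0
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        dst.write(chunk)
        for h in totals.values():
            h.update(chunk)
        if not hashwindow:
            pos += len(chunk)
            continue
        # Split the chunk at window boundaries so each window digest covers
        # exactly hashwindow bytes even when block_size does not divide it.
        while chunk:
            room = hashwindow - (pos - win_start)
            part, chunk = chunk[:room], chunk[room:]
            for h in win.values():
                h.update(part)
            pos += len(part)
            if pos - win_start == hashwindow:
                windows.append((win_start, pos, {a: h.hexdigest() for a, h in win.items()}))
                win = {a: hashlib.new(a) for a in algorithms}
                win_start = pos
    if hashwindow and pos > win_start:          # trailing partial window
        windows.append((win_start, pos, {a: h.hexdigest() for a, h in win.items()}))
    dst.flush()
    return {
        "bytes": pos,
        "total": {a: h.hexdigest() for a, h in totals.items()},
        "windows": windows,
    }


def acquire_bytes(data, **kwargs):
    """Convenience wrapper: image an in-memory source, return (image, log)."""
    dst = io.BytesIO()
    log = acquire(io.BytesIO(data), dst, **kwargs)
    return dst.getvalue(), log


def digests_match(line_a, line_b):
    """Compare the hex digests in two log lines regardless of their layout.

    md5sum writes "<digest>  /dev/sda1"; dcfldd's hashlog labels its line
    (assumed here to look like "Total (md5): <digest>"). Diffing the two
    files byte for byte would therefore always fail; only the digest matters.
    """
    pat = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
    a, b = pat.search(line_a), pat.search(line_b)
    return bool(a and b) and a.group(0).lower() == b.group(0).lower()


if __name__ == "__main__":
    image, log = acquire_bytes(SAMPLE_PARTITION, hashwindow=3000)
    source_md5 = hash_bytes(SAMPLE_PARTITION)           # step 1: md5sum the source
    # step 2: the hashlog total must agree with it ...
    assert digests_match(source_md5 + "  /dev/sda1", "Total (md5): " + log["total"]["md5"])
    # ... and the written image must hash to the same value as well.
    assert hash_bytes(image) == source_md5
    print("bytes copied:", log["bytes"])
    for start, end, digest in log["windows"]:
        print("%5d - %5d: %s" % (start, end, digest["md5"]))
    print("Total (md5):", log["total"]["md5"])
```

Run as a script it prints the per-window and total digests and checks the three-way agreement the slides describe: source hash, hash computed during the copy, and hash of the finished image. Two points the slides leave implicit carry over to the real tool: the source must not change between the md5sum run and the dcfldd run (no read-write mount, ideally a write blocker), otherwise the two hashes can legitimately differ; and MD5 alone is a weak integrity claim today, so hash=md5,sha256 in the same pass is the better default.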
