Computer forensics – Recovering files by file carving with Foremost

Computer forensics is one of the disciplines I love, and I have not covered this branch of computer security on the blog as much as it deserves; so today we'll see how to recover deleted files with the file carving technique, using Foremost.


It is true that there are many more applications for this task, but this tool and Scalpel are the ones I like, and the ones I have used when I once deleted by mistake something I should not have; both have helped me lower my odds of alopecia or an early heart attack.

For the following exercise we will need a flash drive and some files in different formats.


What we do with this flash drive could be done in the same way on any other storage medium; the only difference is that to do it on hard drives we must open our desktop PC, have an eSATA port, or have a USB host controller for IDE/PATA/SATA drives.


I prefer the controller option, since it lets us work with all types of hard drives, new or old, 2.5″ or 3.5″; it is quite affordable, and this particular model can take up to two disks at the same time.

Multi-disk controller.


As mentioned earlier, we will need some files to recover; I have copied mine onto a pendrive.

Contents of our storage medium.

Required packages

To carry out this exercise we need Foremost, so let's see which package must be installed for this software. Fortunately it is available in the official repositories, so we just have to use apt.

usuario@maquina:~$ sudo apt-get install foremost

Deleting content

First let's erase our files; to do this we use the command rm with the argument -r for recursive deletion and -f to force it. Finally we select * as the target, which tells it to delete all the files inside our pendrive or hard disk.

# Move to the directory where our storage medium has been mounted.
usuario@maquina:~$ cd /media/ruta-del-disco

# Delete all the contents.
usuario@maquina:~$ sudo rm -rf *

# List the contents to check that nothing is left.
usuario@maquina:~$ ls

What Foremost is, and how it works internally

Foremost is a file recovery tool originally developed by the United States Air Force Office of Special Investigations.

We must keep in mind that when we delete a file, all we do is hide it from the user's view, marking the clusters it occupied as free so that they can be overwritten when that space is needed.

Its way of recovering files is quite simple to understand: it scans the disk trying to recognise files by the structure of the header and the footer, in hexadecimal, of each file type, since these are the same for every file of a given type regardless of the filesystem.

Configuring Foremost to our liking

To configure Foremost in a custom way you only have to edit its configuration file, /etc/foremost.conf, and uncomment the file formats you want to search for. This is not strictly necessary, since it offers default settings for all formats, but we can change a format's hexadecimal header and footer if we wish, and even add different file types.

usuario@maquina:~$ sudo nano /etc/foremost.conf

Below you can see a sample of part of the configuration file's contents, specifically the lines that refer to the formats we are going to recover. If we wanted to change a parameter we would only need to uncomment the line associated with the desired extension and then change those values.

# GIF and JPG files (very common)
# gif y 155000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
# gif y 155000000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b
# jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
# jpg y 20000000 \xff\xd8\xff\xe1 \xff\xd9
# jpg y 20000000 \xff\xd8 \xff\xd9
# PNG (used in web pages)
# png y 200000 \x50\x4e\x47? \xff\xfc\xfd\xfe
# pdf y 5000000 %PDF- %EOF
# zip y 10000000 PK\x03\x04 \x3c\xac
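To make the header/footer idea and the configuration format above concrete, here is a small carver written for this post (added example, not Foremost's own code). It parses the same `ext case max_size header footer` columns as foremost.conf, then scans a constructed fake disk image the way Foremost scans a partition: every header hit starts a file, which ends at the first footer or, if the footer was overwritten, at max_size. The `?` wildcard and case-insensitive matching of the real tool are not implemented, and the sample conf lines and image bytes are constructed for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class Signature:
    ext: str              # extension given to carved files
    case_sensitive: bool  # second column of foremost.conf (matching here is always exact)
    max_size: int         # carve at most this many bytes after the header
    header: bytes
    footer: bytes = b""   # empty means "no footer": cut at max_size only

def unescape(token: str) -> bytes:
    # "\xff\xd8" -> b"\xff\xd8"; plain text such as %PDF- passes through unchanged
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), token).encode("latin-1")

def load_conf(text: str) -> list:
    """Parse 'ext case max_size header [footer]' lines; lines starting with '#' are disabled."""
    sigs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        footer = unescape(parts[4]) if len(parts) > 4 else b""
        sigs.append(Signature(parts[0], parts[1] == "y", int(parts[2]), unescape(parts[3]), footer))
    return sigs

def carve(image: bytes, sigs: list) -> list:
    """Return (ext, offset, data) for every header found, cut at the footer or at max_size."""
    found = []
    for sig in sigs:
        pos = 0
        while (start := image.find(sig.header, pos)) >= 0:
            window = image[start:start + sig.max_size]
            hit = window.find(sig.footer, len(sig.header)) if sig.footer else -1
            end = start + (hit + len(sig.footer) if hit >= 0 else len(window))
            found.append((sig.ext, start, image[start:end]))
            pos = end  # keep scanning after the carved region
    return sorted(found, key=lambda f: f[1])

# Constructed input: two signature lines from the page (uncommented) and a fake disk image.
SAMPLE_CONF = r"""jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
pdf y 5000000 %PDF- %EOF"""
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
# Zero bytes stand for free clusters; the last JPEG has lost its footer to an overwrite.
IMAGE = b"\x00" * 512 + JPEG + b"\x00" * 100 + PDF + b"\x00" * 64 + JPEG[:20] + b"\x00" * 32

if __name__ == "__main__":
    for ext, off, data in carve(IMAGE, load_conf(SAMPLE_CONF)):
        print(f"{off:08d}.{ext}  {len(data)} bytes")
```

The third result shows why a carved file can come out larger than the original: with no footer left, the carver has to stop at max_size (here, the end of the image), which is exactly the situation Foremost's max_size column exists for.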

Recovering our files with Foremost

Recovering files with Foremost is really easy; we just have to run it with the desired options. I will now explain the ones I have chosen.

-v enables verbose mode: Foremost displays more information about the process while it runs.

-t indicates the type of file to retrieve.

-T adds the date to the name of the directory where the data will be recovered, so we don't have to change the directory name every time we launch Foremost.

-i indicates the partition (device) from which we want to recover files.

-o indicates the directory where we want Foremost to save the recovered files.

It is highly recommended to browse the manual to clear up any doubts.

usuario@maquina:~$ man foremost

Foremost supports many different formats, and to avoid repeating the operation one by one we are going to tell it to retrieve all available formats with the argument all for option -t. It may take a while, but we can leave it working and go for a coffee or do other tasks in the meantime.

usuario@maquina:~$ sudo foremost -v -T -t all -i /dev/sdb1 -o /home/usuario/Escritorio/recuperado

[sudo] password for usuario:
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Dec 27 12:13:03 2014
Invocation: foremost -v -T -t all /dev/sdb1 -o /home/usuario/Escritorio/recuperado
Output directory: /home/usuario/Escritorio/recuperado
Configuration file: /etc/foremost.conf
Processing: /dev/sdb1
File: /dev/sdb1
Start: Sat Dec 27 12:13:03 2014
Length: 7 GB (8010072064 bytes)
Num Name (bs=512) Size File Offset Comment 

*0: 00266344.png 74 KB 136368128 (297 x 222)
1: 00267240.png 2 MB 136826880 (2176 x 1915)
2: 00275456.png 22 KB 141033603 (181 x 256)
3: 00275520.png 21 KB 141066371 (181 x 256)
4: 00275664.png 87 KB 141139968 (1157 x 654)
5: 00275840.png 297 KB 141230080 (1023 x 635)
6: 00276480.png 255 KB 141557760 (1021 x 588)
7: 00276992.png 21 KB 141819904 (912 x 553)
8: 00277040.png 106 KB 141844480 (1308 x 701)
9: 00277256.png 10 KB 141955072 (797 x 114)
10: 00277280.png 49 KB 141967360 (519 x 485)
11: 00285584.png 21 KB 146219139 (181 x 256)

2869: 02437564.dll 51 KB 1248032768 10/20/2010 13:24:41
2870: 02437679.dll 79 KB 1248091648 10/20/2010 13:24:50
2871: 02437850.dll 68 KB 1248179200 10/20/2010 13:24:41
2872: 02438005.dll 358 KB 1248258560 02/24/2011 04:00:44
2873: 02438756.dll 51 KB 1248643072 10/20/2010 13:24:41
2874: 02438872.dll 79 KB 1248702464 10/20/2010 13:24:50
2875: 02439043.dll 68 KB 1248790016 10/20/2010 13:24:41
2876: 02439199.dll 358 KB 1248869888 02/24/2011 04:00:44 

Finish: Sat Dec 27 13:09:06 2014


gif:= 347 
jpg:= 483
png:= 922
avi:= 119
pdf:= 278
zip:= 2
exe:= 132
dll:= 691

The recovery took a little less than an hour, although this will vary with the size of the partition, the number of formats to retrieve and the machine on which we run the task. I have shortened the list of files, since more than 2900 files in different formats were recovered, with dates going back to 1998.

I want to point out that I bought the pendrive in 2013, so the other data must be a holiday gift from Mr. Kingston; but, so as not to be ungrateful, I'm going to delete it.


Mr. Kingston.

Once the application finishes its task we go to the directory we called “recuperado” (recovered); inside you will find a folder for each format, and in them the files that have been recovered. But first we need to change the permissions to be able to access these directories.

usuario@maquina:~$ sudo chown usuario -R /home/usuario/Escritorio/recuperado_DíaSemana_Mes_DíaMes_Hora_Minuto_Segundo_Año

Now we can access the directory that contains our files; each and every one of them has been recovered successfully. As an example, let's look inside the folder that contains the recovered PDF files.

Recovered PDF files.

If you like, you can follow me on Twitter, Facebook, Google+ or LinkedIn, or share this post with the buttons below it. If you have any questions or suggestions, please do not hesitate to comment.
