Friday, November 27, 2009

Foremost

Foremost is a very popular tool in the open source forensic world. It can recover files from practically anything: hard disks, disk images, pcap network captures and RAM. Unfortunately, due to programming difficulties, earlier versions of foremost were limited to processing files smaller than 2GB; in version 0.69 the maximum file carve size was 4GB. Foremost served as the basis for other file carving applications such as scalpel and tcpxtract. The program uses a configuration file (foremost.conf) to specify the headers and footers to search for and carve out.

Foremost.conf comes with preconfigured headers and footers for well-known file types. The configuration file is not limited to what is there by default: it can be extended by adding your own headers and footers, or you can write a custom config file.

# foremost -i file.img -t doc -o /root/Foremost_Dir -c /etc/foremost.conf

'-i': Input file (image). A drive or partition can be specified as well, e.g. /dev/sda1
'-o': Folder to dump the recovered files in
'-t': Type of file to search for. The default is to search for all known file types in the config file.
'-c': [optional] Sets the config file to use. If left out, foremost will use its default config file located at /etc/foremost.conf

Supported file types out of the box (values for '-t'):
jpg
gif
png
bmp
avi
exe
mpg
wav
riff
wmv
mov
pdf
ole
doc
zip
rar
htm
cpp
all
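To show what the header/footer search driven by foremost.conf actually does, here is an added example (not foremost's own code) of a minimal carver in Python: it walks a constructed disk image with a simplified rule set (extension, maximum carve size, header bytes, footer bytes), carves each header-to-footer region, and falls back to the size cap or the end of the image when a footer is missing. The rule format and the sample image are assumptions for illustration, not foremost's exact config syntax.

```python
# Constructed, simplified rule set in the spirit of foremost.conf:
# (extension, max carve size in bytes, header bytes, footer bytes).
RULES = [
    ("jpg", 20_000_000, b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", 20_000_000, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", 5_000_000, b"GIF8", b"\x00;"),
]


def carve(image: bytes, rules=RULES):
    """Return a list of (extension, offset, data) found by header/footer search.

    Each header hit is carved up to the next footer inside max_size. If no
    footer is found, the region is cut at max_size or the end of the image,
    which is the same size-bounded fallback a carver has to rely on.
    """
    found = []
    for ext, max_size, header, footer in rules:
        pos = 0
        while True:
            hit = image.find(header, pos)
            if hit < 0:
                break
            limit = min(len(image), hit + max_size)
            end = limit
            foot = image.find(footer, hit + len(header), limit)
            if foot >= 0:
                end = foot + len(footer)
            found.append((ext, hit, image[hit:end]))
            pos = end  # resume scanning after the carved region
    return sorted(found, key=lambda entry: entry[1])


def build_sample_image() -> bytes:
    """Constructed image: filler, a JPEG, a PNG and a truncated GIF."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 30 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 40 + b"IEND\xaeB`\x82"
    gif = b"GIF89a" + b"C" * 10  # footer deliberately missing
    return b"\x00" * 16 + jpg + b"\x00" * 8 + png + b"\x00" * 8 + gif + b"\x00" * 4


if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_image()):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
```

The truncated GIF shows why foremost needs a size limit per type: without a footer, the carver cannot know where the file ends and simply takes everything up to the cap.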

As mentioned earlier, Scalpel is based on Foremost. Scalpel is more efficient and faster than Foremost, and Foremost's authors have recommended that practitioners use Scalpel instead of Foremost.

Resources/Good reading:
http://www.forensicswiki.org/wiki/Foremost
http://www.forensicswiki.org/wiki/Scalpel
http://www.forensicswiki.org/wiki/Tcpxtract
