Using Foremost for file recovery and data carving
Foremost is a simple and effective CLI tool that recovers files by reading the headers and footers of the files. We can start Foremost by clicking on Applications | 11-Forensics | foremost:
Once Foremost is successfully started, a Terminal opens, displaying the program version, creators, and some of the many switches for usage:
To have a better understanding of Foremost and the switches used, try browsing the Foremost System Manager's Manual. This can be done by entering the following command:
man foremost
The syntax for using Foremost is as follows:
foremost -i (forensic image) -o (output folder) -options
In this example, we have specified the 11-carve-fat.dd file located on the desktop as the input file (-i) and specified an empty folder named Foremost_recovery as the output folder (-o). Additionally, other switches can also be specified as needed.
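The header-and-footer carving that Foremost relies on, sketched as an added Python example (not Foremost's own code and not part of the original text). The two signatures, the 1 MiB size limit, the function names and the sample image are assumptions constructed for illustration:

```python
# Added illustration of header/footer carving; not Foremost's implementation.
# Assumed signature table: type -> (header, footer, max carve size in bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1024 * 1024),
}

def carve(image: bytes, signatures=SIGNATURES):
    """Return (type, offset, data) for each header/footer pair, by offset."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            # Search for the footer only within the size limit, so a stray
            # header cannot swallow the rest of the image.
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            if end != -1:
                end += len(footer)
                found.append((ftype, pos, image[pos:end]))
                pos = image.find(header, end)
            else:
                # Header with no footer in range (truncated or overwritten
                # file): skip it and keep scanning.
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed test data: two tiny fake files between filler bytes."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 32 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"truncated"  # header only, no footer
    image = b"\x00" * 100 + jpg + b"\x00" * 50 + png + b"\x00" * 20 + orphan
    return image, jpg, png

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for ftype, offset, data in carve(image):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Because the carver works on raw bytes and ignores file system metadata, it recovers the two complete files regardless of the surrounding filler, while the header with no footer is left out of the results.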
To begin carving the 11-carve-fat.dd image with Foremost, we type the following command in the Terminal...