Forensics -> Forensic Carving Tools
/usr/local/bin/foremost
foremost is a data carving tool that works on drives or image files. It extracts files based on their internal structure (signatures, header and footer information), so it recovers deleted files as well. There are many pre-defined types, but if we need additional ones we can define them in foremost.conf, which is located at /usr/local/etc/
Usage examples:
foremost -t jpeg,wmv -i Desktop/forensics/11-carve-fat/11-carve-fat.dd - carve jpeg and wmv files
foremost -t jpeg,wmv -w -i Desktop/forensics/11-carve-fat/11-carve-fat.dd - only create audit file, without actually extracting the files
It will extract files to a directory called "output" by default, and also create an audit.txt file containing summary information.
In the example below I used the forensic test image #11, which can be found here:
This is a great resource for testing forensic tools.
Data carve jpeg and wmv files from the image:
Produced output:
audit.txt
Running md5deep over the carved files and comparing the hashes against the list at http://dftt.sourceforge.net/test11/index.html, we can verify which files were extracted. We can see that corrupted or invalid files were not carved, while deleted files were extracted.
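To make the header/footer carving and the md5 verification above concrete, here is an added example (not foremost's own code) that parses foremost.conf-style rules, carves matching objects out of a constructed raw image, and hashes each carved object the way md5deep would; the conf lines, the JPEG and GIF minimal files and the image layout are all constructed for this example.

```python
import hashlib
import re

# foremost.conf-style rules (constructed for this example; the real file uses the
# same column layout: extension case_sensitive max_size header [footer]).
CONF = r"""
jpg y 200000 \xff\xd8\xff \xff\xd9
gif y 200000 GIF8 \x00\x3b
"""

def unescape(field):
    """Turn \\xNN escapes into raw bytes; other characters are taken literally."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode("latin-1"))

def parse_conf(text):
    """Parse rule lines into (ext, case_sensitive, max_size, header, footer)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ext, case, size, header = parts[0], parts[1] == "y", int(parts[2]), unescape(parts[3])
        footer = unescape(parts[4]) if len(parts) > 4 else None
        rules.append((ext, case, size, header, footer))
    return rules

def carve(image, rules):
    """Return [(ext, offset, data)] for each header found; the slice ends at the
    matching footer, or at max_size when no footer occurs before that limit."""
    found = []
    for ext, case, max_size, header, footer in rules:
        hay, needle = (image, header) if case else (image.lower(), header.lower())
        pos = hay.find(needle)
        while pos != -1:
            end = min(pos + max_size, len(image))
            if footer:
                f = image.find(footer, pos + len(header), end)
                if f != -1:
                    end = f + len(footer)
            found.append((ext, pos, image[pos:end]))
            pos = hay.find(needle, end)
    return found

def md5_hex(data):
    """Hash a carved object so it can be matched against a published md5deep list."""
    return hashlib.md5(data).hexdigest()

# Constructed disk image: filler, a minimal JPEG, more filler, a minimal GIF.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
GIF = b"GIF89a" + b"G" * 10 + b"\x00\x3b"
IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + GIF + b"\x00" * 16

if __name__ == "__main__":
    for ext, off, data in carve(IMAGE, parse_conf(CONF)):
        print(f"{off:08d}.{ext}  {len(data)} bytes  md5={md5_hex(data)}")
```

Like foremost, the carver names each object by its byte offset and extension, and a header with no footer before max_size yields a truncated object rather than nothing, which is why the audit file and a hash comparison are needed to tell valid carves from partial ones.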
Official Webpage: http://foremost.sourceforge.net/