File Carving with Foremost

 

Foremost

Foremost is a file carving tool that can be used to extract files from raw images. It is similar to the file carving tool “Scalpel” (for which a CyFor module has already been created: http://cyfor.isis.poly.edu/modules/scalpel ). However, many users may find Foremost slightly easier to use, as it has built-in capabilities to search for many of the most common file formats, including jpg, exe, pdf, doc, and zip, among others. For file formats that are not built in, the user is required to create a configuration file specifying the header and footer signatures (along with other information) for the file format. (Note: Non-built-in file formats will only be briefly touched upon in this tutorial. Information on creating a Foremost configuration file can be found in the sample configuration file included with the standard installation of Foremost. This file can often be found at /etc/foremost.conf.)

 

Intro to File Carving (taken from CyFor Scalpel Module)

To refresh your memory, many filesystems do not zero-out the data when they delete it. Instead, they simply remove the knowledge of where it is. File-carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (first few bytes) and footer (last few bytes) of a file.

 

The benefit of using file-carving techniques over analyzing the filesystem’s index is that carving still works when the file has been deleted from the filesystem’s index, when the partition information has been damaged, or when you do not have a tool that can handle that filesystem type. File-carving programs circumvent these problems by not relying on the filesystem data. That strength is a weakness as well: if a file is fragmented across multiple areas of the disk, it is far more complicated for a file-carving program to extract it.
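The header/footer approach described above, as an added example that is not part of the original module and is not Foremost's own code: a minimal Python carver run over a constructed raw image. The signature tuples, sample bytes and function names are assumptions made for illustration; the third file is deliberately fragmented to show the weakness just noted.

```python
# Added example: minimal header/footer carver (illustrative, not Foremost's code).
import hashlib

# (extension, header, footer, max_len): hypothetical table mirroring the
# header/footer/size information a carving configuration entry carries.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff\xe0", b"\xff\xd9", 1 << 20),
    ("pdf", b"%PDF-", b"%%EOF", 1 << 20),
]

def carve(image: bytes):
    """Return [(ext, offset, data)] for each header followed by a footer within max_len."""
    found = []
    for ext, header, footer, max_len in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_len)
            if end != -1:
                end += len(footer)
                found.append((ext, pos, image[pos:end]))
                pos = image.find(header, end)      # resume after the carved file
            else:
                pos = image.find(header, pos + 1)  # header with no footer: skip it
    return sorted(found, key=lambda f: f[1])

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample files (toy contents, only the signatures are realistic).
JPG = b"\xff\xd8\xff\xe0" + b"J" * 64 + b"\xff\xd9"
PDF = b"%PDF-1.4\n" + b"P" * 64 + b"\n%%EOF"
FRAG_JPG = b"\xff\xd8\xff\xe0" + b"A" * 32 + b"B" * 32 + b"\xff\xd9"
OTHER = b"\x00" * 48  # another file's cluster sitting between the two fragments

def build_image() -> bytes:
    """Constructed raw 'disk': no filesystem index, just bytes and slack."""
    slack = b"\x00" * 100
    fragmented = FRAG_JPG[:36] + OTHER + FRAG_JPG[36:]  # split mid-file
    return slack + JPG + slack + PDF + slack + fragmented + slack

if __name__ == "__main__":
    for ext, off, data in carve(build_image()):
        print(f"{off:6d} {ext} {len(data):4d} bytes sha256={sha(data)[:16]}")
```

The two contiguous files come back byte-for-byte identical to the originals, while the fragmented one is carved with the foreign cluster embedded in it, so its hash no longer matches the original file.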

 

Installation

Foremost is pre-installed on both CERT ADIA and SANS SIFT. We highly recommend using one of these two prebuilt forensics VMs, but if you are using a different machine you can download Foremost from: http://foremost.sourceforge.net/ (Note: Although we do not provide installation instructions for other machines, if you run into problems you can always post a question on the CyFor discussion forum: http://cyfor.isis.poly.edu/discussion-forum )

 

Author’s Description (taken from: http://foremost.sourceforge.net/ )

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

 

 

By: Moshe Caplan

Use Foremost to recover files from the raw file provided for the DFRWS 2006 Forensics Challenge. It can be found at:
http://www.dfrws.org/2006/challenge/submission.shtml
You should be able to find at least 25 files (of various filetypes) from a simple execution of Foremost.

Further information on this module can be found at the following:

Below is a copy of the (compressed) image file analyzed in the video for this module. It can be used to follow along with the presentation or for analysis on your own.

foremostDemoForResources.zip (1.77 MB) marcbudofsky, Mar 17 2013, 9:46 PM
