Tuesday, November 18, 2008

Digital Forensics: Data Carving With Foremost

If you're doing forensic work, or if you need to do data recovery, you'll likely run into deleted files that you need to match up with their actual file types. This is where data carving, also called file carving, comes into play. Data carving involves searching an input (in this case, a dd image) for file content, rather than for filesystem metadata such as filenames.

One of the easiest ways to do this is with an open source tool called foremost. Foremost recovers files by looking for known headers, footers, and standard internal data structures, which lets it pull files out of a disk image even when the filesystem metadata that pointed to them is gone. Usage is simple:

foremost -v -T -t (type) -i (file)

This enables verbose mode (-v), timestamps the output directory (-T), selects the type of files you want to search for (jpeg, gif, etc.), and feeds in your dd'ed input image file (-i).
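To make the header/footer idea concrete, here is a small carver written for this post as an added example; it is not foremost's own code. It scans a raw image for the JPEG and GIF magic values (FF D8 FF / FF D9 and GIF8 / 00 3B, the same kind of header/footer pairs foremost's configuration lists), carves out the bytes between them, caps each carve at a maximum size so a file whose footer was overwritten is still recovered, and writes the results into per-type directories named after the byte offset, much like foremost's output layout. The names `carve`, `Carved`, `SIGNATURES`, `build_sample_image` and `demo` are this example's own, and the "dd image" it works on is a constructed byte string, not a real disk image.

```python
# Added example, not foremost's code: a minimal header/footer file carver.
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

# Magic values per type. max_size bounds a carve when no footer is found,
# which is how a carver copes with a file whose tail was overwritten.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 20 * 1024 * 1024},
    "gif": {"header": b"GIF8", "footer": b"\x00\x3b", "max_size": 5 * 1024 * 1024},
}


@dataclass
class Carved:
    kind: str      # signature name, e.g. "jpg"
    offset: int    # byte offset of the header in the image
    data: bytes    # the carved bytes, header through footer (or size cap)


def carve(image: bytes, signatures=SIGNATURES) -> list[Carved]:
    """Scan image for every header in signatures and carve to the matching footer."""
    results: list[Carved] = []
    for kind, sig in signatures.items():
        header, footer, max_size = sig["header"], sig["footer"], sig["max_size"]
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # No footer inside the size window: keep the bounded window so a
                # truncated file is still recovered, then resume just past the header.
                chunk = image[start:window_end]
                pos = start + len(header)
            else:
                chunk = image[start:end + len(footer)]
                pos = end + len(footer)
            results.append(Carved(kind, start, chunk))
    results.sort(key=lambda c: c.offset)
    return results


def write_carved(results: list[Carved], outdir: str | Path) -> list[Path]:
    """Write each carve to <outdir>/<kind>/<offset>.<kind>, returning the paths."""
    written = []
    for c in results:
        target = Path(outdir) / c.kind / f"{c.offset:08d}.{c.kind}"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(c.data)
        written.append(target)
    return written


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: zero filler, a JPEG-like blob, a
    GIF-like blob, then a JPEG whose footer has been overwritten."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"          # 18 bytes
    gif = b"GIF89a" + b"gif-payload" + b"\x00\x3b"                      # 19 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"partial"                         # 11 bytes, no footer
    return filler + jpeg + filler + gif + filler + truncated


def demo() -> list[tuple[str, int, int, str]]:
    """Carve the constructed image into a temp dir; return (kind, offset, size, filename)."""
    results = carve(build_sample_image())
    with tempfile.TemporaryDirectory() as outdir:
        paths = write_carved(results, outdir)
        return [(c.kind, c.offset, len(c.data), p.name) for c, p in zip(results, paths)]


if __name__ == "__main__":
    for kind, offset, size, name in demo():
        print(f"{kind}\toffset={offset}\tsize={size}\t{name}")
```

The size cap matters in practice: without it, a header whose footer was overwritten would make the carver run to the end of the image (or to some unrelated file's footer), and a disk image tends to contain stray magic values in slack space, so expect false positives and verify each carve by opening it. The script above is a teaching version; foremost additionally understands internal structure for several formats, which is what keeps its carves from ending at the first footer-looking byte pair inside a file.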
