27 April 2020

How to Recover Permanently Deleted Files Using Foremost - Digital Forensic

Hey Cats 🐱‍💻, Today in this article we are going disscuss about how to recover permanently deleted or lost files using foremost forensic tools; even it can recover files from formatted media drives.

Foremost is a very useful open-source forensic utility that is able to recover deleted files using the technique called data carving. The utility was originally developed by the United States Air Force Office of Special Investigations and is able to recover several file types like videos, office-files. images, pdf and etc. It's also support for specific file types can be added by the user via the configuration file. The program can also work on partition images produced by DD or similar tools. This tool is very effective for forensic use like recovering any data from a criminal's pen drive.

Since foremost is already present in all the major Linux distributions repositories, So installing it is a very easy task. All we have to do is to use our favorite distribution package manager. On Debian we can use apt.
$ sudo apt install foremost

Now it's time to recover our permanently deleted data. If we need to recover permanently deleted data from a pen drive we need to know the pen drive's disk path. So, applying this command.
$ sudo fdisk -l

Here we can see our pen drive's location is /dev/sdb and the main partition of our pen drive is /dev/sdb1. This /dev/sdb1 is the memory storage partition. We can copy this path or just remember this.

The most basic way to use foremost is by providing a source to scan for deleted files (it can be either a partition or an image file, like those generated with dd). Let's see an example. We want to scan the /dev/sdb1 partition: Before we begin, a very important thing to remember is to never store retrieved data on the same partition we are retrieving the data from, to avoid overwriting delete files still present on the block device.
The command we would run is:
$ sudo foremost -i /dev/sdb1

By default, the program creates a directory called output. Inside this directory a subdirectory for each supported file type we are attempting to retrieve is created. Each directory will hold the corresponding file type obtained from the data carving process.

When foremost completes its job empty directories are removed. Only the ones containing files are left on the filesystem: this lets us immediately know what type of files were successfully retrieved. The audit.txt file contains information about the actions performed by the program.
By default the program tries to retrieve all the supported file types to restrict our search we can use the -t option and provide a list of the file types we want to retrieve separated by a comma. In our case, we restrict the search only to PNG and ZIP files.
$ sudo foremost -v -q -t png,zip -i /dev/sdb1 -o $HOME/Documents/output

In this command we use -t flag to specify file types; if we did not use this foremost will recover all known file types and we choose -v for verbose mode this mode will display all the process in screen. We choose the -q for quick mode, -i is for input devices in our case our input device is our pen drive and the path is /dev/sdb1. We have also chosen -o tag to set the output directory. That means where we want to keep our recovered files. Here we choose the recovered folder in our Desktop. Then hit enter to start the process.

This process will take time because it will analyze the entire disk, Small size disks can be recovered very quickly. It also takes time if we are recovering much data or we are not in quick mode.

Once the process complete we can check our recovered folder in Desktop.
Here we have successfully recovered our deleted data😊.

Video Tutorial

Not only in digital forensic, we can use this free tool to recover data for our personal uses, like we can recover data from our camera memory card or any other flash drives. We will get many paid tools for this job but when we have a very powerful free tool; Then why do we pay for recovery tools? In this article we have learned how to use foremost, a forensic program able to retrieve deleted files of various types. Also we learned that the program works by using a technique called data carving, and relies on file signatures to achieve its goal.

Will this article was helpful? or if you have any questions or problem fell free to ask, We always happy to help you. Don't Forget to Subscribe💖.

Whatsapp Button works on Mobile Device only

Start typing and press Enter to search