Foremost
Foremost is a Linux file carving tool that recovers files from disk images based on file headers and footers, useful for recovering deleted or fragmented files.
Installation
Linux/Ubuntu
sudo apt update
sudo apt install foremostmacOS
brew install foremostBasic Commands
| Command | Description |
|---|---|
foremost -i disk.img | Carve files from disk image |
foremost -i disk.img -o output_dir | Save recovered files to directory |
foremost -i disk.img -t all | Search all file types |
foremost -i disk.img -t jpeg,pdf | Search specific types only |
foremost -h | Display help |
foremost -V | Show version |
File Type Searching
# Search for specific file types
foremost -i image.dd -t jpeg # JPEG images
foremost -i image.dd -t png # PNG images
foremost -i image.dd -t pdf # PDF documents
foremost -i image.dd -t docx # Word documents
foremost -i image.dd -t zip # ZIP archives
# Multiple file types
foremost -i disk.img -t jpeg,png,gif,pdf
# All supported types
foremost -i disk.img -t all
# View supported types
foremost -h | grep -A 20 "File Types"Common Workflows
Recover All Files
# Create output directory
mkdir recovered_files
# Carve all file types
foremost -i disk.img -o recovered_files
# Check results
ls -la recovered_files/*/Selective File Recovery
# Recover only images
foremost -i disk.img -t jpeg,png,gif,bmp -o images_only
# Recover only documents
foremost -i disk.img -t pdf,docx,doc,xls,xlsx -o docs_only
# Recover archives
foremost -i disk.img -t zip,rar,7z -o archivesCustom Configuration File
# Edit /etc/foremost.conf to customize file types
# Example entries:
# [jpeg]
# extension = jpg
# header = FF D8 FF
# footer = FF D9
# ...
# Use custom configuration
foremost -c custom.conf -i disk.img -o output