Foremost in Data Recovery

Recovering Data with Foremost

Author: Chris Bergeron

Sometimes you can craftily restore a damaged master boot record after an all-night hack-a-thon. With proper care, restoration software, and carefully maintained backups, it usually isn't necessary to read data raw off a partition.

But even with the best recovery systems in place, accidents can still happen. When you've written over the MBR of your system after deleting it during a 4AM coding marathon, more drastic measures than a backup restore are called for. Enter Foremost.

Foremost is a simple program designed by Special Agents Kris Kendall and Jesse Kornblum of the United States Air Force Office of Special Investigations. It's also one of the only easy-to-use and completely free pieces of data recovery software of its kind that I've come across. Since it's released by the US government, there is no copyright.

Using Foremost, data can be recovered from any available disk. This includes hard drive images created using dd or similar archiving utilities. Data integrity is assured through the permissions used on files and directories when they're written out. Since file systems can be accidentally tampered with, or hardware can be further damaged through use, pulling a backup of a file system before attempting recovery is always a good idea.

Installing Foremost

File Types

The only available package for Linux from the maintainers' website is a source tarball. If your distribution doesn't have a precompiled binary of foremost available, you'll have to start with the "tar xvzf/make/make install" dance to compile and install the program.

Make sure that GCC and related development utilities are installed. Then download the foremost-x.y.tgz tarball and type the following commands in the directory you'd like to compile it from. I'm using version 1.0 as an example.

chris@ubuntu:~$ tar xvzf foremost-1.0.tar.gz
chris@ubuntu:~$ cd foremost-1.0
chris@ubuntu:~/foremost-1.0$ make && make install

Note that it defaults to installing the configuration file in /usr/local/etc. You may need to change this to /etc if your distribution doesn't have a /usr/local/etc. Edit the file "Makefile" in your Foremost source directory and change the line "CONF= /usr/local/etc" to read "CONF= /etc". This was true on Ubuntu 5.10 and may be true for other distributions.

Now that installation's out of the way, let's take a look at what our newly installed data recovery software can do.

Getting Your .conf On

Recovering files based on their header and footer with Foremost isn't dissimilar from searching for files with the command line utility "grep" or looking for data with a search engine like Google. Essentially we need to define the starting and ending byte sequences (the header and footer) of the binary file(s) we're attempting to find and save.

"foremost.conf" contains configuration options which are well documented under the manpage (type "man foremost" to access it). Many common file formats are supported in the default configuration file. For a listing of the defaults see the file types sidebar.

If you need to define any files that aren't part of the pre-configured set, open up the /etc/foremost.conf file in your favorite text editor. Extension abbreviation, case-sensitivity status, and max size must be specified for each file type. An optional footer entry can be included as well to define where your type of file "ends".

To get an idea of how to define a file you'll need to take a look at its raw data. My favorite way of doing this makes use of the command line utility "strings". We'll use the JPEG file "Peter_van_der_Lindens.jpg" as an example.

Using strings to look at the head of our file:

chris@ubuntu:~$ strings Peter_van_der_Lindens.jpg | head -5
(3 lines of garbled data)

So to start with we can try to search for any files starting with JFIF. Let's check for a footer:

chris@ubuntu:~$ strings Peter_van_der_Lindens.jpg | tail -5

Which doesn't look all that useful.
To verify this we'll check another file:

chris@ubuntu:~$ strings Two_Harddrives-1.jpg | tail -5

Which still doesn't look like anything useful.

We're going to assume from this output that JPEGs don't contain a usable footer string for us to check for. Our config file entry for JPEGs based on the above would read:

jpg y 2000000 JFIF

If there were a footer it would follow JFIF as a fifth field, separated by whitespace. Size is the third field and can be adjusted up or down depending on the size of the files you're looking for. For an unknown size specify a high number to be sure the search captures all of the file you're looking for.

Grepping for Files

Actually searching for our JPEG files on the device or file requires running the following command:

chris@ubuntu:~$ foremost -t jpg -i /dev/hda

Make sure you're in a directory you have write access to and are logged in as a user able to read the device or file you're attempting to take data from. I ran this command on the mounted /dev/hda drive. This probably isn't a good idea on a file system that you wouldn't want to risk corrupting.

Once foremost starts running it creates an "output" directory in the directory you're currently in. Subdirectories for each of the file types you're attempting to retrieve get created as the file types in question are found. In our case, the directory output/jpg contains numeric filenames ending in .jpg. Each one is prospectively a restored JPEG file.
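To make the header/footer mechanics concrete, here is a small file carver in Python that does what the foremost.conf entries from the previous section describe and writes its hits into the output/<ext>/ layout just mentioned. It is an added example, not code from Foremost or from the author. Its assumptions: the rule lines are constructed (the first is the page's own jpg entry; the second uses the JPEG format's binary SOI marker FF D8 FF E0 as header and EOI marker FF D9 as footer, bytes that "strings" never displays because they are not printable, written as the \xHH escapes foremost.conf accepts); the "disk image" is a constructed byte string; and carved files are named by byte offset rather than by sector offset as Foremost does.

```python
import os
import re
import tempfile

# Constructed foremost.conf-style rules (field order: extension,
# case-sensitive y/n, max size, header, optional footer). The JFIF line is
# the page's own entry; the others are this example's, not Foremost's defaults.
CONF_TEXT = r"""
# ext  case  max_size  header            [footer]
jpg    y     2000000   JFIF
jpg    y     2000000   \xff\xd8\xff\xe0  \xff\xd9
htm    n     50000     <html             </html>
txt    y     32        NOTE:
"""

def decode_field(field):
    """Turn one conf field into bytes, expanding \\xHH escapes."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)

def parse_conf(text):
    """Parse rule lines into dicts; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("rule needs ext, case flag, size and header: " + line)
        rules.append({
            "ext": parts[0],
            "case_sensitive": parts[1].lower() == "y",
            "max_size": int(parts[2]),
            "header": decode_field(parts[3]),
            "footer": decode_field(parts[4]) if len(parts) > 4 else None,
        })
    return rules

def carve(image, rules, out_dir):
    """Scan a raw image for every rule's header and write one file per hit to
    out_dir/<ext>/<byte offset>.<ext>. Returns (ext, offset, length) tuples."""
    found = []
    for rule in rules:
        flags = 0 if rule["case_sensitive"] else re.IGNORECASE
        head_re = re.compile(re.escape(rule["header"]), flags)
        foot_re = re.compile(re.escape(rule["footer"]), flags) if rule["footer"] else None
        for hit in head_re.finditer(image):
            start = hit.start()
            # Without a footer the carve runs to max_size (or the end of the image).
            window = image[start:start + rule["max_size"]]
            end = start + len(window)
            if foot_re is not None:
                foot = foot_re.search(window, len(rule["header"]))
                if foot is not None:
                    end = start + foot.end()
            data = image[start:end]
            ext_dir = os.path.join(out_dir, rule["ext"])
            os.makedirs(ext_dir, exist_ok=True)
            with open(os.path.join(ext_dir, "%08d.%s" % (start, rule["ext"])), "wb") as fh:
                fh.write(data)
            found.append((rule["ext"], start, len(data)))
    return found

def build_demo_image():
    """Constructed stand-in for a dd image: zero filler around a JPEG-like blob
    (SOI, JFIF tag, payload, EOI), upper-case HTML, and a note longer than its max size."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    html = b"<HTML><body>hello</body></HTML>"
    note = b"NOTE: remember to image the disk first, then carve"
    return filler + jpeg + filler + html + filler + note + filler

def run_demo():
    """Carve the demo image into a temp dir and read each carved file back.
    Returns {(ext, byte offset): file contents}."""
    out_dir = tempfile.mkdtemp(prefix="carve-")
    results = {}
    for ext, offset, _length in carve(build_demo_image(), parse_conf(CONF_TEXT), out_dir):
        with open(os.path.join(out_dir, ext, "%08d.%s" % (offset, ext)), "rb") as fh:
            results[(ext, offset)] = fh.read()
    return results

if __name__ == "__main__":
    for (ext, offset), data in sorted(run_demo().items()):
        print("%s at byte %d: %d bytes, starts %r" % (ext, offset, len(data), data[:6]))
```

Running it puts the two jpg rules side by side: the hex rule recovers exactly the 53-byte blob from SOI to EOI, while the JFIF-only rule starts six bytes in (dropping the SOI marker an image viewer looks for) and, having no footer, runs on to its max size and drags every byte after it into the carved file. That is the trade-off behind "specify a high number": a large max size only guarantees a complete file when a footer or the true size bounds the carve, which is exactly why it pays to check the file's raw bytes, not just what "strings" prints, before writing a rule.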

On Your Way to Being a Forensics Expert

Okay, so maybe not an expert exactly. But now that you've got a grasp of what Foremost can do you've got a powerful tool for extracting files from raw partition data. Other features such as recovering blocks containing a certain phrase can also be accomplished and are well documented in the foremost.conf file.

To find out more about Foremost visit Foremost's sourceforge page and grab a copy. It's an excellent utility for your data recovery toolbox.