Recovering Data with Foremost
Author: Chris Bergeron
Sometimes you can craftily restore a damaged master boot record
after an all night hack-a-thon. With proper care, restoration software,
and carefully maintained backups it usually isn't necessary to read
data raw off a partition.
But even with the best recovery systems in place accidents can still
happen. When you've written over the MBR of your system after deleting
it during a 4AM coding marathon more drastic measures than a backup
restore are called for. Enter Foremost.
Foremost is a simple program designed by Special Agents Kris Kendall
and Jesse Kornblum of the United States Air Force Office of Special
Investigations. It's also one of the only easy to use and completely
free pieces of data recovery software of it's kind that I've come
across. Since it's released by the US government there is no copyright.
Using Foremost, data can be recovered from any available disk. This
includes hard drive images created using dd or similar archiving
utilities. Data integrity is assured through the permissions used on
files and directories when they're written out. Since file systems can
be accidentally tampered with, or hardware can be further damaged
through use, pulling a backup of a file system before attempting
recovery is always a good idea.
The only available package for Linux from the maintainers website is
a source tarball. If you're distribution doesn't have a precompiled
binary of foremost available, you'll have to start with the "tar
xvzf/make/make install" dance to compile and install the program.
Make sure that GCC and related development utilities are installed.
Then download the formost-x.y.tgz tarball and type the following
commands in the directory you'd like to compile it from. I'm using
version 1.0 as an example.
chris@ubuntu:~$ tar xvzf foremost-1.0.tar.gz
chris@ubuntu:~$ cd foremost-1.0
chris@ubuntu:~$ make && make install
Note that it defaults to installing the configuration file in
/usr/local/etc. You may need to change this to /etc if you're
distribution doesn't have a /usr/local/etc. Edit the file "Makefile" in
your Foremost source directory and change the line "CONF=
/usr/local/etc" to read "CONF= /etc". This was true on Ubuntu 5.10 and
may be true for other distributions.
Now that installation's out of the way, lets take a look at what our newly installed data recovery software can do.
Getting Your .conf On
Recovering files based on their header and footer with Foremost
isn't dissimilar from searching for files with the command line utility
"grep" or looking for data with a search engine like Google.
Essentially we need to define the starting and ending lines of the
binary file(s) we're attempting to find and save.
"foremost.conf" contains configuration options which are well
documented under the manpage (type "man foremost" to access it). Many
common file formats are supported in the default configuration file.
For a listing of the defaults see the file types sidebar.
If you need to define any files that aren't part of the
pre-configured set open up the /etc/foremost.conf file in your favorite
text editor. Extension abbreviation, case sensitive status, and max
size must be specified for each file type. An optional footer entry can
be included as well to define where your type of file "ends".
To get an idea of how to define a file you'll need to take a look at
its raw data. My favorite way of doing this makes use of the command
line utility "strings". We'll use the jpeg file
"Peter_van_der_Lindens.jpg" as an example.
Using strings to look at the head of our file:
chris@ubuntu:~$ strings Peter_van_der_Lindens.jpg | head -5
(3 lines of garbled data)
So to start with we can try to search for any files starting with JFIF. Let's check for a footer:
chris@ubuntu:~$ strings Peter_van_der_Lindens.jpg | tail -5
Which doesn't look all that useful.
To verify this we'll check another file:
chris@ubuntu:~$ strings Two_Harddrives-1.jpg | tail -5
Which still doesn't look like anything useful.
We're going to assume from this output that JPEGs don't contain a
usable footer string for us to check for. Our config file entry for
JPEGs based on the above would read:
jpg y 2000000 JFIF
If there was a footer it would follow a few spaces after JFIF with
whitespace as a seperator. Size is the third line over and can be
adjusted up or down depending on the size of the files you're looking
for. For an unknown size specify a high number to be sure the search
finds all of the file you're looking for.
Grepping for Files
Actually searching for our JPEG files on the device or file requires running the following command:
chris@ubuntu:~$ foremost -t jpg -i
Make sure you're in the directory you have write access to and are
logged in as a user able to read the device or file you're attempting
to take data from. I ran this command on the mounted /dev/hda drive.
This probably isn't a good idea a file system that you wouldn't want to
Once foremost starts running it creates an "output" directory in
the directory your currently in. Subdirectories for each of the file
types you're attempting to retrieve get created as the filetypes in
question are found. In our case, the directory output/jpg contains
numeric filenames ending in .jpg. Each one is prospectively a restored
On Your Way to Being a Forensics Expert
Okay, so maybe not an expert exactly. But now that you've got
a grasp of what Foremost can do you've got a powerful tool for
extracting files from raw partition data. Other features such as
recovering blocks containing a certain phrase can also be accomplished
and are well documented in the foremost.conf file.
To find out more about Foremost visit Foremost's sourceforge page and grab a copy. It's an excellent utility for your data recovery toolbox.