
File Carving with Foremost

Moshe Caplan, moshecaplan@isis.poly.edu, Winter 2012. File Carving with Foremost. Note: A module on another file carving tool, called Scalpel, has already been written. Some of the information in this module was taken from there: http://cyfor.isis.poly.edu/modules/scalpel


Presentation Transcript


  1. Moshe Caplan moshecaplan@isis.poly.edu Winter 2012 File Carving with Foremost

  2. Note
     • A module on another file carving tool, called Scalpel, has already been written
       • Some of the information in this module was taken from there
       • http://cyfor.isis.poly.edu/modules/scalpel
     • Users may find Foremost a little more user friendly than Scalpel
     • Built in capabilities to search for common file formats
       • pdf, jpg, exe, doc, zip, etc.
     • Configuration file necessary for non-built in formats

  3. Background
     • When a file is deleted:
       • Oftentimes the file is only MARKED as deleted
       • The actual data bytes are NOT overwritten
     • File Carving
       • Reconstructing files by scanning the raw bytes of the disk and reassembling them
       • Usually done by examining the header (first few bytes) and footer (last few bytes) of a file
       • Pro: Filesystem independent
       • Con: Recovering fragmented files is difficult

  4. Obtaining Foremost
     • Preinstalled on CERT ADIA and SANS SIFT
     • Executed from the command line
     • Configuration file (if necessary) stored in: /etc/foremost.conf
     • Can also be obtained from:
       • http://foremost.sourceforge.net/

  5. How Foremost Works
     • Many file formats have a specific structure
     • Headers and footers may contain specific strings
       • Known as “File Signatures”
       • These identify a file as being of a specific format
     • Foremost scans a drive for these signatures and uses them to carve out files

  6. Example: jpg
     • jpgs always start with one of two hex strings:
       • FF D8 FF E0 00 10
       • FF D8 FF E1
     • jpgs end with the hex string: FF D9
     • I opened a jpeg file with a hex editor
       • Notice the matching header signature

  7. Foremost Options
     • Format:
       • foremost options input_image
     • Common options
       • -T : Time stamp output directory
       • -v : Verbose mode
       • -i : Input file (option can generally be left off)
       • -o : Output directory (must be empty or nonexistent)
       • -t : Specify formats to look for
         • Separate multiple formats to look for with commas
         • i.e. pdf,doc
         • Can use -t all to look for all built in formats (default)
         • List of built in formats can be seen with “man foremost”

  8. Running Format: Examples
     • foremost image
       • Search for all built in formats in “image” and output results to a new subdirectory in current dir
     • foremost -vT -t pdf,doc -i image
       • Look for pdfs and docs in “image” time stamping output dir and using verbose output

  9. Foremost Output (verbose)

  10. Foremost Results

  11. Foremost Configuration File
     • Used for non built in formats
     • File is generally stored at /etc/foremost.conf
     • Configuration instructions are in the file itself
     • Some examples are included in the file
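
The header/footer carving described in slides 3, 5 and 6, as an added Python example (not part of the presentation and not Foremost's own code): it scans a constructed byte buffer for the two jpg header signatures and the FF D9 footer listed on slide 6. The function names, the sample buffer and the size cap are assumptions made for the illustration.

```python
"""Minimal header/footer jpg carver (illustration only, not Foremost's code)."""

# File signatures exactly as listed on slide 6.
JPEG_HEADERS = (bytes.fromhex("FFD8FFE00010"), bytes.fromhex("FFD8FFE1"))
JPEG_FOOTER = bytes.fromhex("FFD9")
MAX_SIZE = 1 << 20  # assumed cap, so a header with no footer cannot run away


def carve_jpegs(raw: bytes, max_size: int = MAX_SIZE):
    """Return [(offset, data)] for every header..footer span found in raw."""
    found = []
    pos = 0
    while pos < len(raw):
        # Earliest occurrence of either known header at or after pos.
        hits = [i for i in (raw.find(h, pos) for h in JPEG_HEADERS) if i != -1]
        if not hits:
            break
        start = min(hits)
        # First footer after the header, limited to max_size bytes.
        # Limitation: this assumes contiguous data, and a real jpg with an
        # embedded thumbnail has an earlier FF D9 that would truncate it.
        end = raw.find(JPEG_FOOTER, start + 4, start + max_size)
        if end == -1:
            pos = start + 1  # no footer in range: skip this header
            continue
        end += len(JPEG_FOOTER)
        found.append((start, raw[start:end]))
        pos = end  # resume scanning after the carved file
    return found


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler around two fake jpg bodies."""
    jpg_a = JPEG_HEADERS[0] + b"JFIF\x00" + b"A" * 20 + JPEG_FOOTER
    jpg_b = JPEG_HEADERS[1] + b"Exif\x00\x00" + b"B" * 12 + JPEG_FOOTER
    orphan = JPEG_HEADERS[1] + b"C" * 8  # header only, footer overwritten
    return b"\x00" * 512 + jpg_a + b"\x11" * 100 + jpg_b + b"\x22" * 64 + orphan


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"offset {offset:#x}: {len(data)} bytes, ends {data[-2:].hex()}")
```

The orphan header at the end of the sample is skipped because no footer follows it, which is the same reason fragmented or partly overwritten files are hard to recover by signature alone.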
