Category: Forensics. Tags: forensics, file-recovery, data-carving, headers, footers

foremost

Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. It works on image files or directly on drives using built-in file types or configuration files.

Description

Foremost is designed for recovering lost files in forensic investigations. It analyzes disk images generated by tools like dd, SafeBack, or EnCase, or operates directly on drives. By examining headers, footers, and internal data structures, it identifies and extracts files even when file system metadata is damaged or deleted, so it does not depend on the file system being intact or even recognized.

Common use cases include data recovery after accidental deletion, analysis of disk images in incident response, and forensic examinations where files need to be carved from unallocated space. The tool supports built-in file types for reliable and fast recovery, with options to specify custom types via command line or configuration files.

It writes the recovered files into a specified output directory (by default a directory named output) together with an audit file, audit.txt, that records each carved file's name, size, byte offset, and any comment from the format check. The audit file alone (see -w) is often enough for quick triage; the full output directory serves a thorough forensic workflow.

How It Works

Foremost scans input files or drives for file signatures: for each built-in type it searches for the format's header bytes, then cuts the file at the matching footer or, when the format has no footer or the footer is missing, at the type's maximum size. Some built-in types also check internal structure (for example the length fields of a format) so that a header hit that is not followed by a valid file can be rejected. Indirect block detection (-d) accounts for the indirect block pointers that UNIX file systems interleave with file data, so large files are not truncated at the first pointer block. Quick mode (-q) only looks for headers on 512-byte sector boundaries, which is much faster but misses files that start mid-sector, such as files embedded in other files or data on a volume with a different block alignment. Disabling error detection (-a) writes every header hit without validation, which recovers fragments of corrupted files at the cost of more false positives. Configuration files allow custom header/footer definitions for types foremost does not know.
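The following is an added illustration of the carving approach described above, not foremost's own code. It reads signatures from text in the five-column layout of a foremost.conf entry (extension, case sensitivity, maximum size, header, optional footer, with bytes written as \xNN), scans a constructed image for each header, cuts at the footer or at the size limit, and supports a quick mode that only accepts headers on 512-byte boundaries. The signature table and the image are constructed for the example; foremost's real parser additionally handles wildcards and other escapes, the case column is parsed here but only case-sensitive matching is implemented, and every header hit is reported (the behaviour of -a) because the per-format validation is not modelled.

```python
"""Minimal header/footer carver in the style of foremost (illustrative, not foremost's code)."""

SECTOR = 512  # quick mode (foremost -q) looks for headers only at 512-byte boundaries

# Constructed signature table in the column order a foremost.conf entry uses:
#   extension  case_sensitive(y/n)  max_size  header  [footer]
CONF = r"""
# constructed example entries
jpg  y  200000  \xff\xd8\xff   \xff\xd9
pdf  y  200000  %PDF-          %%EOF
"""


def _decode(field: str) -> bytes:
    """Turn a conf token (literal characters plus \\xNN escapes) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_conf(text: str) -> list[dict]:
    """Parse the plain five-column form; comments and blank lines are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        sigs.append({
            "ext": cols[0],
            "case_sensitive": cols[1] == "y",   # parsed but not used for matching here
            "max": int(cols[2]),
            "header": _decode(cols[3]),
            "footer": _decode(cols[4]) if len(cols) > 4 else None,
        })
    return sigs


def carve(image: bytes, sigs: list[dict], quick: bool = False) -> list[dict]:
    """Find every header of every signature; cut at its footer or at max_size."""
    found = []
    for sig in sigs:
        pos = 0
        while True:
            start = image.find(sig["header"], pos)
            if start == -1:
                break
            pos = start + 1  # resume just past this header so nested headers are also seen
            if quick and start % SECTOR != 0:
                continue     # quick mode: header is not sector-aligned, ignore it
            limit = min(len(image), start + sig["max"])
            end, complete = limit, False
            if sig["footer"]:
                f = image.find(sig["footer"], start + len(sig["header"]), limit)
                if f != -1:
                    end, complete = f + len(sig["footer"]), True
            found.append({"ext": sig["ext"], "offset": start, "size": end - start,
                          "complete": complete, "data": image[start:end]})
    return found


def audit(results: list[dict]) -> list[str]:
    """Audit lines in the spirit of foremost's audit.txt: name, size, offset, comment."""
    lines = []
    for n, r in enumerate(results):
        comment = "" if r["complete"] else "no footer: cut at size limit or end of image"
        lines.append(f"{n}: {r['offset']:08d}.{r['ext']} {r['size']} B @ {r['offset']} {comment}".rstrip())
    return lines


def build_image() -> bytes:
    """Constructed 4 KiB image: a complete JPEG on a sector boundary, a PDF that starts
    mid-sector, and a JPEG whose footer is missing (typical of damaged unallocated space)."""
    img = bytearray(4096)
    jpeg = b"\xff\xd8\xff" + b"\xe0JFIF" + b"\xff\xd9"       # 10 bytes, header...footer
    pdf = b"%PDF-" + b"1.4 hello " + b"%%EOF"                  # 20 bytes
    truncated = b"\xff\xd8\xff" + b"\xe1Exif"                  # header only, no footer
    img[512:512 + len(jpeg)] = jpeg
    img[1000:1000 + len(pdf)] = pdf
    img[2048:2048 + len(truncated)] = truncated
    return bytes(img)


if __name__ == "__main__":
    sigs = parse_conf(CONF)
    image = build_image()
    print("full scan:")
    print("\n".join(audit(carve(image, sigs))))
    print("quick mode (512-byte boundaries only):")
    print("\n".join(audit(carve(image, sigs, quick=True))))
```

The full scan reports all three files, with the footer-less JPEG cut at the end of the image and flagged in the audit output; quick mode drops the PDF because it begins at offset 1000, which is not a sector boundary. This is exactly the trade-off a practitioner accepts when using -q on a large image.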

Installation

```bash
sudo apt install foremost
```

Flags

-V  display copyright information and exit
-t  specify file type (-t jpeg,pdf ...)
-d  turn on indirect block detection (for UNIX file systems)
-i  specify input file (default is stdin)
-a  write all headers, perform no error detection (for corrupted files)
-w  only write the audit file, do not write any detected files to disk
-o  set output directory (defaults to output)
-c  set configuration file to use (defaults to foremost.conf)
-q  enable quick mode; searches are performed on 512-byte boundaries
-Q  enable quiet mode; suppresses output messages
-v  verbose mode; logs all messages to screen
-h  display help information
-T  listed in the usage text without a description; the man page documents it as time-stamping the output directory name (used together with -o)

Examples

Search for a selection of file types (doc, jpg, pdf, xls) in the given image file (image.dd):

```bash
foremost -t doc,jpg,pdf,xls -i image.dd
```

Display help and usage information for foremost:

```bash
foremost -h
```

Run in verbose mode on input file image.dd, logging all messages to screen:

```bash
foremost -v -i image.dd
```

Recover PDF files from disk.img and output to the recovered directory:

```bash
foremost -t pdf -i disk.img -o recovered
```

Run in quick mode on image.dd, searching on 512-byte boundaries:

```bash
foremost -q -i image.dd
```

Only write the audit file without saving detected files to disk:

```bash
foremost -w -i image.dd
```

Recover all JPEG headers without error detection, for potentially corrupted files:

```bash
foremost -a -t jpg -i image.dd
```
Updated 2026-04-16. Source: kali.org