Foremost is a Linux based tool for recovering deleted files
Foremost
Foremost is a Linux-based program for recovering deleted files. The program uses a
configuration file to specify the headers and footers to search for. Intended to be run on disk images,
foremost can search through almost any kind of data without worrying about the format.
Below are the screenshots:
Fig. Foremost help options
Fig. Recovered PNG files from the HD partition /dev/sda1
Fig. Audit.txt contains the report generated by foremost
DCFLDD
dcfldd is a tool designed to acquire images. It was designed as an open source
computer forensic tool that improves on some of the shortcomings of the dd application.
When the hashwindow=0 option is specified, dcfldd calculates the MD5 hash while the
data is being copied; this option eliminates the extra step of running md5sum afterward to
calculate the hash of the bitstream copy. This can save a lot of time, as hashing the drive with
md5sum can take a while. Another feature of dcfldd is the status bar, an
important feature because it indicates how long the process is going to take.
# fdisk -l
/dev/sda1 -> HD partition
/dev/sdb1 -> External HD
# mkdir /mnt/pdrive (make a directory under /mnt to mount the external HD)
# mount /dev/sdb1 /mnt/pdrive (mount the external HD)
# md5sum /dev/sda1 > /mnt/pdrive/md5hash1.txt (take the hash value of sda1)
Next, acquire the image of the /dev/sda1 partition onto the external HD using the dcfldd
tool:
#dcfldd if=/dev/sda1 of=/mnt/pdrive/image.dd hashlog=/mnt/pdrive/md5hash2.txt
In the command above, "if" stands for "input file" and
"of" stands for "output file".
"hashlog" is the file the hash is written to; by default the hash is MD5.
Fig. dcfldd acquires the image of /dev/sda1 on the external HD at /mnt/pdrive
Now compare the two hash values in md5hash1.txt and md5hash2.txt under /mnt/pdrive; they
should be the same.
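The two files will not be byte-identical, because md5sum writes the hash followed by the device name while the dcfldd hashlog labels its value, so compare the hash values rather than the files. The script below is an added example, not part of the original slides: it pulls the MD5 out of both files and also re-hashes the image. The hashlog line format `Total (md5): <hash>` is an assumption; the parser only relies on finding a 32-hex-digit token.

```shell
#!/bin/sh
# Added example: three-way check of source hash, dcfldd hashlog and the image.
# File names follow the walkthrough above; function names are illustrative.

# Print the last stand-alone 32-hex-digit token (an MD5) found in a file.
# Works for md5sum output ("<hash>  <name>") and for a labelled hashlog line
# such as "Total (md5): <hash>" (assumed format). -w rejects longer hex runs.
extract_md5() {
    grep -oiwE '[0-9a-f]{32}' "$1" | tail -n 1 | tr 'A-F' 'a-f'
}

# verify_image SOURCE_HASH_FILE HASHLOG IMAGE
# Returns 0 if all three MD5 values agree, 1 on mismatch, 2 if a hash is missing.
verify_image() {
    src=$(extract_md5 "$1")
    log=$(extract_md5 "$2")
    if [ -z "$src" ] || [ -z "$log" ]; then
        echo "no MD5 value found in $1 or $2" >&2
        return 2
    fi
    # Re-hash the acquired image so a copy damaged after acquisition is caught.
    img=$(md5sum "$3" | cut -d' ' -f1)
    if [ "$src" = "$log" ] && [ "$log" = "$img" ]; then
        echo "MATCH $img"
        return 0
    fi
    echo "MISMATCH source=$src hashlog=$log image=$img" >&2
    return 1
}

# Usage with the paths from the walkthrough:
#   verify_image /mnt/pdrive/md5hash1.txt /mnt/pdrive/md5hash2.txt /mnt/pdrive/image.dd
```

A non-zero exit status means the image should not be treated as a verified copy of /dev/sda1.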