November 25th, 2008 by ahoog

foremost

Foremost is a file carving application that extracts files from disk images. It is extensible: as new file formats and signatures emerge, you can update the configuration file and foremost will then carve those files. One great example of this is in the emerging world of mobile device forensics, specifically the Apple iPhone.

A sample foremost command is as follows:

foremost -t all -T -v -o /home/ahoog/slucs/foremost -i /home/ahoog/slucs/sdb-img.dd

Below is the description of foremost from their website:

“Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.”
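The header/footer carving described above, sketched as an added example (this is not foremost's code and not part of the original post). The function names, the size cap and the sample image are assumptions constructed for illustration; the JPEG and PNG byte signatures are the standard magic numbers.

```python
from typing import Dict, List, Tuple

# Signature table in the spirit of a carving config: extension -> (header, footer, max size).
# max_size is an assumed cap that stops a missing footer from swallowing the rest of the image.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
}

def carve(image: bytes, signatures=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Return (extension, offset, data) for each header..footer span, ordered by offset."""
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            # Only accept a footer that lies within max_size bytes of the header.
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # Header without a footer: truncated or fragmented file, skip it.
                pos = start + 1
                continue
            end += len(footer)
            found.append((ext, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image() -> bytes:
    """Constructed sample: zero filler with a fake JPEG, a fake PNG and a truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"no footer follows"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + truncated + b"\x00" * 32

if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_image()):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
```

Stopping at the first footer match can cut a real JPEG short when it embeds a thumbnail with its own end marker, which is one reason carving on a format's internal data structures is more reliable than matching headers and footers alone.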
