File Carving with Foremost
Presentation Transcript

  1. Moshe Caplan moshecaplan@isis.poly.edu Winter 2012 File Carving with Foremost

  2. Note
  • A module on another file carving tool, called Scalpel, has already been written
    • Some of the information in this module was taken from there
    • http://cyfor.isis.poly.edu/modules/scalpel
  • Users may find Foremost a little more user friendly than Scalpel
  • Built in capabilities to search for common file formats
    • pdf, jpg, exe, doc, zip, etc.
  • Configuration file necessary for non-built in formats

  3. Background
  • When a file is deleted:
    • Oftentimes the file is only MARKED as deleted
    • The actual data bytes are NOT overwritten
  • File Carving
    • Reconstructing files by scanning the raw bytes of the disk and reassembling them
    • Usually done by examining the header (first few bytes) and footer (last few bytes) of a file
    • Pro: Filesystem independent
    • Con: Recovering fragmented files is difficult

  4. Obtaining Foremost
  • Preinstalled on CERT ADIA and SANS SIFT
  • Executed from the command line
  • Configuration file (if necessary) stored in: /etc/foremost.conf
  • Can also be obtained from:
    • http://foremost.sourceforge.net/

  5. How Foremost Works
  • Many file formats have a specific structure
  • Headers and footers may contain specific strings
    • Known as “File Signatures”
    • These identify a file as being of a specific format
  • Foremost scans a drive for these signatures and uses them to carve out files

  6. Example: jpg
  • jpgs always start with one of two hex strings:
    • FF D8 FF E0 00 10
    • FF D8 FF E1
  • jpgs end with the hex string: FF D9
  • I opened a jpeg file with a hex editor
  • Notice the matching header signature
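Added example, not from the slides or from the Foremost project: a minimal Python header/footer carver that applies the jpg signatures from slide 6 to a constructed raw image, the same scan-and-carve idea slide 5 describes. The size cap and the sample image bytes are assumptions made for the example.

```python
# Signatures as listed on slide 6: two possible jpg headers, one footer.
JPG_HEADERS = (b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd8\xff\xe1")
JPG_FOOTER = b"\xff\xd9"
# Assumed upper bound on a carved file: a carver needs one because the
# footer may never appear (file partly overwritten or fragmented).
MAX_JPG_SIZE = 20_000_000


def carve_jpgs(image: bytes, max_size: int = MAX_JPG_SIZE) -> list[tuple[int, bytes]]:
    """Scan raw bytes for jpg headers and carve each up to the next footer.

    Returns (byte offset, carved bytes) pairs. No filesystem metadata is
    consulted, which is the 'filesystem independent' property from slide 3.
    """
    found = []
    pos = 0
    while True:
        # Nearest header of either kind at or after the current position.
        hits = [h for h in (image.find(sig, pos) for sig in JPG_HEADERS) if h != -1]
        if not hits:
            break
        start = min(hits)
        window_end = min(len(image), start + max_size)
        # Search for the footer after the FF D8 start-of-image marker only.
        end = image.find(JPG_FOOTER, start + 2, window_end)
        if end == -1:
            # No footer within the cap: keep the whole window (truncated file).
            data = image[start:window_end]
        else:
            data = image[start:end + len(JPG_FOOTER)]
        found.append((start, data))
        pos = start + len(data)
    return found


def build_sample_image() -> bytes:
    """Constructed disk image: filler, a JFIF jpg, an Exif jpg, a truncated jpg."""
    junk = b"\x00" * 64 + b"deleted-file-table-entry" + b"\x00" * 32
    jfif = JPG_HEADERS[0] + b"JFIF\x00" + b"\x11" * 40 + JPG_FOOTER
    exif = JPG_HEADERS[1] + b"\x00\x20Exif\x00\x00" + b"\x22" * 60 + JPG_FOOTER
    truncated = JPG_HEADERS[1] + b"\x33" * 20  # header present, footer overwritten
    return junk + jfif + junk + exif + junk + truncated


if __name__ == "__main__":
    for offset, data in carve_jpgs(build_sample_image()):
        print(f"offset {offset}: {len(data)} bytes, footer={data.endswith(JPG_FOOTER)}")
```

Because the carver stops at the first FF D9, a jpg whose Exif segment embeds a thumbnail (itself a complete jpg) is cut short; that is one concrete instance of the fragmentation/footer limitation from slide 3.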

  7. Foremost Options
  • Format:
    • foremost [options] input_image
  • Common options
    • -T : Time stamp output directory
    • -v : Verbose mode
    • -i : Input file (option can generally be left off)
    • -o : Output directory (must be empty or nonexistent)
    • -t : Specify formats to look for
      • Separate multiple formats to look for with commas
      • e.g. pdf,doc
      • Can use -t all to look for all built in formats (default)
      • List of built in formats can be seen with “man foremost”

  8. Running Format: Examples
  • foremost image
    • Search for all built in formats in “image” and output results to a new subdirectory in current dir
  • foremost -vT -t pdf,doc -i image
    • Look for pdfs and docs in “image”, time stamping output dir and using verbose output

  9. Foremost Output (verbose)

  10. Foremost Results

  11. Foremost Configuration File
  • Used for non built in formats
  • File is generally stored at /etc/foremost.conf
  • Configuration instructions are in the file itself
  • Some examples are included in the file