Monday, June 23, 2014

File recovery using foremost

Quick note on using foremost to retrieve files from a hard drive with a faulty partition table:

sudo foremost -dT -i /dev/md2 -t jpeg -o /path/to/restore2/

This scans the /dev/md2 device for JPEG files and writes the recovered files to /path/to/restore2/.
Foremost can recover many different file types (including images, MS Office files, PDFs and zip files); see the man page for the complete list. It is also possible to define your own filters.

Modify the foremost.conf file (or, better, a copy of it) and add a line for every file type, e.g.:

ex1   y   4096000  \x50\x4b\x03          \x74\x78\x74
ex2   y   4096000  \x50\x4b\x03???\x44   \x74\x78\x74

where the columns are:
  • file extension
  • case sensitivity of the pattern (y/n; only meaningful when the pattern contains ASCII characters rather than hex codes)
  • maximum size of a file in bytes
  • header (start) pattern
  • footer (end) pattern
A pattern can be written as hex codes (\xNN) or as ASCII; a ? is a wildcard for exactly one byte. In the second example above, three wildcards are used in the header.
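To make the rule semantics concrete, here is a small header/footer carver, added as an example and not part of the original post or of foremost itself. It reads rules in the five-column foremost.conf layout shown above (extension, case flag, max size, header, footer), supports \xNN hex escapes, ASCII and the ? wildcard, and carves a constructed byte buffer with the two example rules. Where no footer is found within the maximum size it simply stops at the maximum size; that is a simplification of this toy, not a statement about foremost's behaviour.

```python
"""Toy header/footer carver that understands foremost.conf-style rules (example code)."""
from dataclasses import dataclass


@dataclass
class Rule:
    ext: str
    case_sensitive: bool
    max_size: int
    header: list  # byte values; None marks a '?' wildcard
    footer: list  # may be empty when a rule has no footer


def parse_pattern(spec):
    """Turn a pattern such as r'\x50\x4b\x03???\x44' into byte values (None = wildcard)."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "\\" and spec[i + 1:i + 2] == "x":
            out.append(int(spec[i + 2:i + 4], 16))  # hex escape -> one byte
            i += 4
        elif spec[i] == "?":
            out.append(None)  # one-byte wildcard
            i += 1
        else:
            out.append(ord(spec[i]))  # literal ASCII character
            i += 1
    return out


def parse_config(text):
    """Parse rule lines: <ext> <y|n> <max size> <header> [<footer>]; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ext, case, size, header = fields[:4]
        footer = fields[4] if len(fields) > 4 else ""
        rules.append(Rule(ext, case.lower() == "y", int(size),
                          parse_pattern(header), parse_pattern(footer)))
    return rules


def matches_at(data, pos, pattern, case_sensitive):
    """True if `pattern` matches `data` at offset `pos`, honouring wildcards and the case flag."""
    if pos + len(pattern) > len(data):
        return False
    for off, want in enumerate(pattern):
        if want is None:
            continue
        have = data[pos + off]
        if have == want:
            continue
        if not case_sensitive and bytes([have]).lower() == bytes([want]).lower():
            continue
        return False
    return True


def carve(data, rule):
    """Return a list of (offset, bytes) for every header hit; each file ends at the first
    footer found within max_size, or at max_size when the rule has no footer / none is found."""
    found, pos = [], 0
    while pos < len(data):
        if not matches_at(data, pos, rule.header, rule.case_sensitive):
            pos += 1
            continue
        limit = min(len(data), pos + rule.max_size)
        end = limit
        if rule.footer:
            for j in range(pos + len(rule.header), limit - len(rule.footer) + 1):
                if matches_at(data, j, rule.footer, rule.case_sensitive):
                    end = j + len(rule.footer)
                    break
        found.append((pos, data[pos:end]))
        pos = end  # resume scanning after the carved file
    return found


def carve_all(data, config_text):
    """Apply every rule in the config and group results by extension."""
    return {rule.ext: carve(data, rule) for rule in parse_config(config_text)}


# Constructed config: the two example rules from the post (raw string keeps the backslashes).
SAMPLE_CONFIG = r"""
# ext  case  max_size  header                 footer
ex1    y     4096000   \x50\x4b\x03           \x74\x78\x74
ex2    y     4096000   \x50\x4b\x03???\x44    \x74\x78\x74
"""

# Constructed disk image: two fake files with a "PK\x03" header and a "txt" footer.
SAMPLE_IMAGE = (
    b"\x00" * 8                       # filler before the first file
    + b"PK\x03\x04hello" + b"txt"     # matches ex1 only (4th byte after the wildcards is not 'D')
    + b"\xff" * 5                     # slack between files
    + b"PK\x03ABC\x44data" + b"txt"   # matches ex1 and ex2 (three wildcards, then \x44 = 'D')
    + b"\x00" * 4
)

if __name__ == "__main__":
    for ext, files in carve_all(SAMPLE_IMAGE, SAMPLE_CONFIG).items():
        for offset, blob in files:
            print(f"{ext}: offset {offset}, {len(blob)} bytes: {blob!r}")
```

Running the block shows that rule ex1 recovers both fake files while ex2, whose header pins the seventh byte to \x44, recovers only the second one; the offsets it prints are the positions foremost would report for the same rules on the same bytes.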

Now run foremost with the custom config file:

sudo foremost -dT -i /dev/md2 -c /tmp/foremost.conf -o /path/to/restore2/

This scans the /dev/md2 device using the rules in /tmp/foremost.conf and writes the recovered files to /path/to/restore2/.