Foremost is a digital forensic application used to recover lost or deleted files. It can recover files from hard disks, memory cards, pen drives, and other storage devices. It can also work on image files generated by other applications. It is a free command-line tool that comes pre-installed in Kali Linux. Foremost is very useful when files have been deleted, whether accidentally or for any other reason. You can recover deleted files with Foremost only if the data on the device has not been overwritten, which means that no more data was added to the storage device after the files were deleted. If new data is written, the deleted data may be overwritten, the chances of recovery are reduced, and the data gets corrupted.
Installing the Foremost Tool:
Use the following command to install this tool on any Debian-based Linux operating system, or on any other operating system that uses the APT package manager.
sudo apt install foremost
Use the following command to install this tool using the dnf package manager.
sudo dnf install foremost
Use the following command to install this tool using the Pacman package manager on Arch Linux.
sudo pacman -S foremost
Syntax:
foremost [options]
The available options and their functions are listed by the “foremost -h” command. Let us now see how to recover deleted files using foremost:
Recovering from USB/Hard Disk:
- Connect the external storage device to the system.
- First, you need to know the path of your external storage device. For that, use the command
fdisk -l
- From this output, copy the path of the disk.
- After copying the device path, recover the files from that device.
Choose from the options listed by the “foremost -h” command.
For example:
foremost -t jpg,pdf,mp4,exe -v -q -i /dev/sdb2 -o /root/desktop/recover
Here I use this command to recover the data from the device.
- -t: The types of files we want to recover. Here I want to recover jpg, pdf, mp4, and exe files.
- -v: Verbose mode, which prints all messages to the screen.
- -q: Runs a quick scan of the device.
- -i: The input, in this case the external storage device.
- -o: The output folder where the recovered files are saved.
After running this command, all the recovered files are saved in the output folder named in the command. Here, that is the folder recover on the desktop.
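Because recovery only works while the deleted data has not been overwritten, the output folder must never be on the device being recovered. The script below is an added example, not part of the original article or of Foremost itself: it checks this before running the same foremost command as above. The function names are hypothetical, and matching device names by prefix (so /dev/sdb and /dev/sdb2 count as the same disk) is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before carving a device with foremost.
# Function names are hypothetical; the foremost flags are the ones used above.

# Print the device (or filesystem source) that holds the given path.
fs_source() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}'
}

# Succeed only if writing under OUT cannot add data to SRC.
output_is_safe() {
    s_dev=$1; s_dir=$2
    # OUT may not exist yet, so walk up to the nearest existing parent.
    while [ ! -e "$s_dir" ]; do s_dir=$(dirname "$s_dir"); done
    s_holder=$(fs_source "$s_dir")
    [ -n "$s_holder" ] || return 1          # cannot tell: treat as unsafe
    # Conservative prefix match so /dev/sdb and /dev/sdb2 count as the same disk.
    case "$s_holder" in "$s_dev"*) return 1 ;; esac
    case "$s_dev" in "$s_holder"*) return 1 ;; esac
    return 0
}

# Succeed if OUT does not exist yet or is an empty directory,
# so old and new results never mix.
output_is_empty() {
    [ ! -e "$1" ] || [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Run the checks, then the recovery command from the article.
recover() {
    r_src=$1; r_out=$2
    if ! output_is_safe "$r_src" "$r_out"; then
        echo "refusing: $r_out is stored on $r_src" >&2; return 2
    fi
    if ! output_is_empty "$r_out"; then
        echo "refusing: $r_out is not empty" >&2; return 3
    fi
    foremost -t jpg,pdf,mp4,exe -v -q -i "$r_src" -o "$r_out"
}

# Usage: sh recover.sh /dev/sdb2 /root/desktop/recover
if [ "$#" -eq 2 ]; then
    recover "$1" "$2"
fi
```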