Foremost is a Linux command line tool which can be used to parse out files from a disk image.
In this post, I go over how I used Foremost to extract JPG images from .vmem files.
First, I copied the Foremost config file from /etc/foremost.conf to the directory I was working in.
cp /etc/foremost.conf .
Next, I used Vim to edit the file and remove the # symbol from in front of the file type which I wanted to parse for.
It can be seen in the image above that each file type is matched with a set of hexadecimal values. These values make up the file signature, which consists of a file header and a file footer. The file signature tells the operating system where the file starts and ends on the storage media. Foremost works by scanning for these file signatures and returning a result each time a match is located.
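As an added illustration (not code from the original post or from the Foremost project), here is a minimal Python carver that applies the same idea: it scans a raw byte buffer for the JPEG header and footer bytes listed in foremost.conf and returns each header-to-footer span, flagging a header whose footer never turns up. SAMPLE_IMAGE is a constructed byte string standing in for a .vmem file.

```python
from dataclasses import dataclass

# JPEG signature as foremost.conf expresses it: header bytes and footer bytes.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_SIZE = 20 * 1024 * 1024  # give up on a footer after this many bytes (the size column in foremost.conf)

@dataclass
class CarvedFile:
    offset: int      # byte offset of the header in the image
    data: bytes
    complete: bool   # False when no footer was found before the next header or the size limit

def carve_jpegs(image: bytes, max_size: int = MAX_SIZE) -> list:
    """Scan a raw image for header..footer spans and return each candidate file in offset order."""
    found, pos = [], 0
    while (start := image.find(JPEG_HEADER, pos)) != -1:
        body = start + len(JPEG_HEADER)
        end = image.find(JPEG_FOOTER, body, start + max_size)
        nxt = image.find(JPEG_HEADER, body, start + max_size)
        if end == -1 or (nxt != -1 and nxt < end):
            # No footer of its own: the tail was overwritten, paged out, or belongs to another file.
            stop = nxt if nxt != -1 else min(len(image), start + max_size)
            found.append(CarvedFile(start, image[start:stop], complete=False))
        else:
            stop = end + len(JPEG_FOOTER)
            found.append(CarvedFile(start, image[start:stop], complete=True))
        pos = stop  # resume after this candidate so its bytes are not matched twice
    return found

# Constructed sample image (not a real .vmem): a complete JPEG-like blob, a header whose
# footer was lost, and a second complete blob, separated by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload-1" + b"\xff\xd9"
    + b"\x11" * 32
    + b"\xff\xd8\xff\xe1" + b"orphan header"
    + b"\x22" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-payload-2" + b"\xff\xd9"
)

if __name__ == "__main__":
    for f in carve_jpegs(SAMPLE_IMAGE):
        print(f"offset={f.offset:<6} size={len(f.data):<4} complete={f.complete}")
```

Run against a real image you would read the file into memory in chunks rather than as one bytes object; the matching logic stays the same.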
Once the config file was set up to look for JPG file signatures (check out the green outlined box in the image above), I proceeded to analyze the .vmem files I had handy.
I have included the command I used for each iteration, and the output shown by Foremost in the terminal.
foremost -v -c foremost.conf -o foremost.before mem_samples/CYB652.Weeks2-4.Before.vmem
foremost -v -c foremost.conf -o foremost.during mem_samples/CYB652.Weeks2-4.During.vmem
foremost -v -c foremost.conf -o foremost.after mem_samples/CYB652.Weeks2-4.After.vmem
The first .vmem file contained 9 JPEG files which matched the file signature specified in the config file; the second contained 331, and the third contained 25.
I think it is worth mentioning the syntax which Foremost uses.
foremost [-h] [-V] [-d] [-vqwQT] [-b <blocksize>] [-o <dir>] [-t <type>] [-s <num>] [-i <file>]
The Foremost searches I used relied on the -v, -c, and -o flags.
-v specifies that the user wants verbose output.
-c specifies the config file which Foremost is to use.
-o specifies the output directory.
The final argument was the file to be parsed by Foremost.
foremost -v -c foremost.conf -o foremost.before mem_samples/CYB652.Weeks2-4.Before.vmem
If you want to data carve a particular file type from a disk image, try Foremost!
Thanks for reading!