This tutorial is the second part of the Digital Forensics series. Digital Forensics is a relatively new discipline that has captivated my attention. For this demo I plan to do some data carving with the BackTrack 3 distribution and foremost, targeting specific file types: images, Word documents and PDFs. Although I'm only extracting three types of files, foremost ships with a configuration file that provides a preset set of supported file types; you should look at this file and become familiar with it before actually using the tool. That said, foremost is very simple to use.
File or data carving is the process of reconstructing files based on their headers, their footers and how their data is arranged. Files can be reconstructed from disk images, raw images, RAM, virtual memory, and file systems that have been damaged. Criminals often change the extensions on their files in an attempt to thwart detection; the extensions of hundreds of files can be changed at once with one simple command. Examiners use computer forensic software to determine whether suspects have used this technique to cover their tracks. This process, known as file signature analysis, looks at the file headers rather than the extension to identify the true file type.
For example, a suspect could change a file extension in an attempt to prevent detection: a file named cutegirl.jpg could be renamed to win32.dll and placed in the system32 directory, which would make it much harder to spot by name alone. The file signature header and footer are extremely useful in the file carving and recovery process. A hex view of a file shows the header information, as shown in this figure. Here's a website that contains an extensive list of common file headers: www.garykessler.net/library/file_sigs.html.
File carving involves finding the header and footer of a file in a stream of data, and using those two offsets to extract and reconstruct the file.
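To make the two ideas above concrete, here is an added example (my own code, not part of foremost or BackTrack) that does header-based signature analysis and header/footer carving over a small constructed "disk image" containing a JPEG and a PDF. The signature table, the sample image and the size cap are all assumptions for the demo; real tools like foremost use a much larger table from their configuration file.

```python
# Constructed subset of header/footer signatures (the kind of entries foremost.conf holds).
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "pdf": {"header": b"%PDF", "footer": b"%%EOF"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82"},
}


def identify(data):
    """Signature analysis: report the type whose header matches the data, ignoring the name."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["header"]):
            return name
    return None


def carve(stream, max_size=10 * 1024 * 1024):
    """Scan a raw byte stream for every known header and carve up to the matching footer.

    If no footer follows within max_size bytes (damaged or truncated file), the carve
    is cut at max_size, which is how carvers avoid swallowing the rest of the image.
    Returns (type, offset, bytes) tuples sorted by offset.
    """
    found = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            h = stream.find(sig["header"], start)
            if h == -1:
                break
            f = stream.find(sig["footer"], h + len(sig["header"]))
            if f == -1 or f - h > max_size:
                end = min(h + max_size, len(stream))
            else:
                end = f + len(sig["footer"])
            found.append((name, h, stream[h:end]))
            start = end  # resume after the carved region
    return sorted(found, key=lambda t: t[1])


def audit_lines(found):
    """Produce audit.txt-style lines (type, offset, size) for each carved file."""
    return ["%s offset=%d size=%d" % (n, off, len(b)) for n, off, b in found]


# Constructed sample image: filler, a JPEG (any filename it had is irrelevant), junk, a PDF.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    + b"junk" * 4
    + b"%PDF-1.4 constructed body %%EOF"
    + b"\x00" * 8
)
```

Running `carve(SAMPLE_IMAGE)` recovers the JPEG at offset 16 and the PDF at offset 59, and `identify()` on the carved JPEG bytes still says "jpg" no matter what the file was called on disk.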
Foremost was developed by Jesse Kornblum, who works at the DoD Cyber Crime Center in Maryland. It is a command-line file-carving tool that reconstructs files based on their headers, footers and data format. When using foremost you specify the type of file you are trying to recover and the location of the raw image file. Foremost uses its configuration file, foremost.conf, as a database of known file types and their headers, as you can see in the figure.
After foremost is finished, it creates a text file called audit.txt and an output folder where the extracted files are located. You do not need any knowledge of file carving to use the program; if you run it with the appropriate switches, the files are extracted automatically.
Dcfldd is a tool designed to acquire images. It was developed by Nick Harbour when he worked for General Dynamics at the Defense Cyber Forensics lab in Maryland. Dcfldd was designed to be an open source computer forensic tool that addresses some of the shortcomings of the dd application. When the hashwindow=0 option is specified, dcfldd calculates the md5sum while the data is being copied; this eliminates the extra step of running md5sum afterward over the bitstream copy, which can save a lot of time since hashing a whole drive with md5sum can take a while. Another feature of dcfldd is its status bar, an important feature because it indicates how long the process is going to take.
Ok…let’s get hacking!