foremost is a linux based tool for recovering deleted files
DESCRIPTION
Foremost is a Linux based program data for recovering deleted files . The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.TRANSCRIPT
Foremost
Foremost is a Linux based program data for recovering deleted files . The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.
Below are the screen shots
Fig. Foremost help options
Fig. Foremost Manual and the format types it can recover
Fig. Checks for the HD partitions
Fig. Foremost Usage
Usage: foremost -t [type of files want to recover] –o [output dir] –I [input file(disk img/partition)]
Fig. The output file is generated on the desktop “ntfsoutput”
Fig. Recovered JPG files from the HD partition /dev/sda1
Fig. Recovered PNG files from the HD partition /dev/sda1
Fig. Audit.txt contains the Report of foremost
DCFLDD
Dcfldd is a tool designed to acquire images. Dcfldd was designed to be an open sources computer forensic tool that would improve some of the shortcomings of the dd application. When the hashwindows=0 option is specified, the dcfldd will calculate the md5sum while the data is being copied, this options eliminate the extra step of having to use md5sum afterward to calculate the md5sum of the bitstream copy. This can save a lot of time as hashing the drive with md5sum can take a while. Another feature of the dcfldd command is the status bar, this is an important feature as it indicates how long the process it’s going to take.
#fdisk –l
/dev/sda1 HD partition
/dev/sdb1 -> External HD
#mkdir /mnt/pdrive (make dir in the /mnt to mount the external HD)
#mount /dev/sdb1 /mnt/data (mounting the external HD )
#md5sum /dev/sda1 > /mnt/pdrive/md5hash1.txt ( Taking the hash value of sda1)
Now comes to acquire the image of the /dev/sda1 partition in the external HD using DCFLDD tool
#dcfldd if=/dev/sda1 of=/mnt/pdrive/image.dd hashlog=/mnt/pdrive/md5hash2.txt
Above if represent “input file”
Of represent “output file”
Hashlog , by default is the Md5hash
Fig. Dcflff acquires the image of /dev/sda1 in the external HD /mnt/pdrive
Now check the both the hash values Md5hash1.txt and Md5hash2.txt in the /mnt/pdrive , it should be the same.