Foremost is a valuable tool for Linux Forensics. It is a console tool and you can recover files based on their different properties. This is basicly data carving process. Foremost can work on image files that created by Safeback, Encase, and dd.
As a part of forensic analysis, data carving must be understood. It is a forensic technique of reassembling files from the raw data fragments when no filesystem data is available. For example, in a storage device failure issue, data carving procedures coldu be performed.
In forensic analysis, analysts should be able to extract files from a disk image. Here, I will try to show to do this with Foremost tool in Linux. In Parrot, foremost is a preinstalled tool.
To test, firstly, we create an image of the system with foremost, with the command below;
After the process is complete, the output will be recorded in Desktop/Output folder. Sure, it will take some time to get it.
Navigate to Desktop/Output folder and open audit.txt file. This file will show information about the individual files extracted. Here you will see the formats and the number of files extracted from the disk image.