Foremost -- Recover Permanently Deleted Files Easily on Kali Linux

In this detailed tutorial we are going to learn digital forensic using our Kali Linux machine. Today we are going to recover permanently deleted or lost files using foremost forensic tool even it can recover files from formatted media drives.

Foremost is a forensic tool that can recover lost files based on their headers, footers and internal data structures. Foremost can recover data from flash drives like hard disks, pen drives, memory cards etc.

recover premanently deleted files on kali linux

It can recover image files, video files, exe files, pdf files, office files, etc, even it can also recover those files which can generated by application like dd, Encase, safeback. This tool is very effective for forensic use like recover any data from criminal's pen drive.

Foremost is a command line tool, it previously comes pre-loaded with Kali Linux. But now we have to install it by applying following command:

sudo apt-get install foremost -y

After the installation process is done, we can check the help of foremost tool by using following command:

foremost -h

We can see the help options of foremost in the following screenshot:

foremost help options on Kali Linux

We can see the flags carefully. Now we are going to restore data from our Thumb Drive. Let we connect our pen drive in our system. There are some files in our USB drive, as we can see in the following screenshot:

Files on my Pendrive

In the above screenshot we can see that we have some images and a video and a PDF file on our 32GB thumb drive. Now we select all these files and delete them.

Then we come on on trash folder and remove those files from trash folder also, as we can see in the following screenshot:

deleting files form our system

Now those files are permanently deleted, or we can use Shift+Delete key to delete them permanently.

Recovering file using Foremost on Kali Linux

OK, now it's time to recover our permanently deleted data. To recover our permanently deleted data from our pen drive we need to know our pen drive's disk path by opening terminal window and applying following command:

sudo fdisk -l

We can see the output on the following screenshot:

Fdisk to know drives on my system

In the above screenshot we can see that our 32GB disk's device name is "dev/sdb", and the main partition of our pen drive is "/dev/sdb1". This /dev/sdb1 is the memory storage partition. We can copy this path(/dev/sdb1) or just remember this path.

Now we can just run the simple command to start our recovery process by using following command:

sudo foremost -t jpg,pdf,mp4 -v -q -i /dev/sdb1 -o /home/Desktop/recovered

In this above command we use -t flag to specify file types if we did not use this, foremost will recover all known file types (which will consume a lot of times, so it will be better to provide file types we want to recover), and we choose -v for verbose mode,this mode will display all the process in screen. We choose the -q for quick mode, -i is for input devices in our case our input device is our pen drive and the path is /dev/sdb1. We have also chosen -o, -o is to set the output directory. That means where we want to keep our recovered files. Here we choose recovered folder in our Desktop.

This process will take time because it will analyze the entire disk, small sized disks can recovered very quickly. It also take time if we are recovering many data or we are not in quick mode. If the deleted files are overwrite by other files then we may get
trouble to recover, those deleted files and may we got corrupted files. Coffee Break 🍵.

After the process is complete we can see the recovered directory and we can see that in the directory that we had successfully recovered our deleted files on this directory, as we can see in the following screenshot:

recoverd deleted files on kali linux

In the above screenshot we can see that we had recovered our deleted files from USB drive. Not in only digital forensic we can use this free tool to recover data for our personal uses, like we can recover data from our camera memory card or any other flash drives. We will got many paid tools for this job but when we have a very powerful free tool then why we pay for recovery tools. So we have learned how to use foremost on Kali Linux and recover permanently deleted data. Was this tutorial helpful?

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

AIX

Posting Komentar

Lebih baru Lebih lama