Project 16: Data Carving with Foremost (15 Points)

What You Need for This Project

Purpose

Foremost was written by US Air Force special agents, and it's free and open-source. It is very efficient at file carving--it rqpidly scans through disk images and reconstructs the files, using a list of known headers and footers.

This makes it possible to recover the contents of files even after the directory information for them is lost, often by reformatting the disk. The filenames cannot be recovered by this technique, but the file contents can.

And it's outrageously easy to use. Simply invoking Foremost with no options looks for all possible file types and puts the files it finds in a folder named "output".

Downloading the Evidence File

On your Kali Linux machine, in a Terminal window, execute these commands:
cd

cd Desktop

curl https://samsclass.info/121/proj/p15.zip > p15.zip

unzip p15.zip

Examine your Kali desktop and make sure there isn't a folder named "output".

If there is one, right-click it and click "Move to Trash".

Viewing the Foremost Help Message

On your Kali Linux machine, in a Terminal window, execute this command:
foremost -h
A list of options appears. We don't need any of them for this project, but the most interesting one to note is -q which makes the scan quicker by assuming every file will start on a sector boundary, which seems like a very safe assumption.

File Carving with Foremost

On your Kali Linux machine, in a Terminal window, execute this command:
foremost p15.dd
Foremost prints some strange binary stuff, as shown below, but that's OK--it worked.

That's it. Close or minimize your Terminal window.

Viewing the Results

On your Kali Linux desktop, double-click the output folder to open it.

An "output" window opens, containing three items, as shown below.

The "jpg" and "zip" folders contain the recovered files, and the audit.txt file contains a list of all files recovered.

Double-click the audit.txt file.

A list of the recovered files appears, as shown below.

Resize or scroll the window to show this text (your date and time will be different):

8 FILES EXTRACTED
	
jpg:= 5
zip:= 3
------------------------------------------------------------------

Foremost finished at Mon Apr  7 16:30:26 2014

Saving a Screen Image

Make sure your screen shows these two items:

Click on your host system's taskbar to make it the active system.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 16a". Use your real name, not the literal text "Your Name".

Viewing the Recovered Images

On your Kali Linux desktop, close the "audit.txt" window.

In the "output" window, double-click the jpg folder.

You should see five images, as shown below.

Notice that the images were recovered, but not the filenames--all the files have numerical names now.

Foremost recovered two files that ProDiscover did not--a Guy Fawkes mask, and an image of the "Anarchist Cookbook".

Saving a Screen Image

Make sure your screen shows these two images:

Click on your host system's taskbar to make it the active system.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 16b". Use your real name, not the literal text "Your Name".

Viewing the Recovered DOCX Files

On your Kali Linux desktop, in the "jpg" window, click output.

In the "output" window, double-click the zip folder.

You should see three files, as shown below.

These files were recovered as ZIP files, because that's how Microsoft's XML files are structured.

Double-click one of the recovered ZIP files. Kali Linux can't open it.

The easiest way to view these files is to install LiberOffice on Kali.

In a Terminal window, execute this command:

rm -rf /var/lib/apt/lists

apt-get update

apt-get install kali-archive-keyring

apt-get install libreoffice -y

Right-click one of the Zip files and click Rename. Change the file extension to DOCX and press the Enter key.

Repeat the process for the other two ZIP files.

Double-click each of the DOCX files to open it in Libre Office Writer.

Two of the files are the ones ProDiscover found--the Hacker's Manifesto and the Bill of Rights.

Find the third file--a recipe for making Crank Meth, as shown below.

Saving a Screen Image

Make sure your screen shows the text "Crank Meth Recipes".

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 16c". Use your real name, not the literal text "Your Name".

Turning in your Project

Email the images to cnit.121@gmail.com with the subject line: Proj 16 from YOUR NAME


Last Modified: 4-13-15