Project 6: Data Carving with Foremost (15 Points)

What You Need for This Project


Foremost was written by US Air Force special agents, and it's free and open-source. It is very efficient at file carving--it rqpidly scans through disk images and reconstructs the files, using a list of known headers and footers.

This makes it possible to recover the contents of files even after the directory information for them is lost, often by reformatting the disk. The filenames cannot be recovered by this technique, but the file contents can.

And it's outrageously easy to use. Simply invoking Foremost with no options looks for all possible file types and puts the files it finds in a folder named "output".

Downloading the Evidence File

On your Kali Linux machine, in a Terminal window, execute these commands:
cd Desktop
curl >
Examine your Kali desktop and make sure there isn't a folder named "output".

If there is one, right-click it and click "Move to Trash".

Viewing the Foremost Help Message

On your Kali Linux machine, in a Terminal window, execute this command:
foremost -h
A list of options appears. We don't need any of them for this project, but the most interesting one to note is -q which makes the scan quicker by assuming every file will start on a sector boundary, which seems like a very safe assumption.

File Carving with Foremost

On your Kali Linux machine, in a Terminal window, execute this command:
foremost p15.dd
Foremost prints some strange binary stuff, as shown below, but that's OK--it worked.

That's it. Close or minimize your Terminal window.

Viewing the Results

On your Kali Linux desktop, double-click the output folder to open it.

An "output" window opens, containing three items, as shown below.

The "jpg" and "zip" folders contain the recovered files, and the audit.txt file contains a list of all files recovered.

Double-click the audit.txt file.

A list of the recovered files appears, as shown below.

Resize or scroll the window to show this text (your date and time will be different):

jpg:= 5
zip:= 3

Foremost finished at Mon Apr  7 16:30:26 2014

Viewing the Recovered Images

On your Kali Linux desktop, close the "audit.txt" window.

In the "output" window, double-click the jpg folder.

You should see five images, as shown below.

Notice that the images were recovered, but not the filenames--all the files have numerical names now.

Foremost recovered two files that ProDiscover did not--a Guy Fawkes mask, and an image of the "Anarchist Cookbook".

Viewing the Recovered DOCX Files

On your Kali Linux desktop, in the "jpg" window, click output.

In the "output" window, double-click the zip folder.

You should see three files, as shown below.

These files were recovered as ZIP files, because that's how Microsoft's XML files are structured.

Double-click one of the recovered ZIP files. Kali Linux can't open it.

The easiest way to view these files is to install LiberOffice on Kali.

In a Terminal window, execute this command:

rm -rf /var/lib/apt/lists

apt-get update

apt-get install kali-archive-keyring

apt-get install libreoffice -y

Right-click one of the Zip files and click Rename. Change the file extension to DOCX and press the Enter key.

Repeat the process for the other two ZIP files.

Double-click each of the DOCX files to open it in Libre Office Writer.

Two of the files are the ones ProDiscover found--the Hacker's Manifesto and the Bill of Rights.

Find the third file--a recipe for making Crank Meth, as shown below.

Recording Your Success

A name is redacted in the image above. Find it and use the form below to put your name on the WINNERS PAGE.
Your Name:

Last Modified: 5-18-18