FOREMOST - Recover Deleted Files Easily in Kali Linux

[x32x01]

In this detailed tutorial we are going to learn digital forensic using our Kali Linux machine. Today we are going to recover permanently deleted or lost files using foremost forensic tool even it can recover files from formatted media drives.

Foremost is a forensic tool that can recover lost files based on their headers, footers and internal data structures. Foremost can recover data from flash drives like hard disks, pen drives, memory cards etc.

It can recover images files, video files, exe files, pdf files, office files, etc, even it can also recover those files which can generated by application like dd, Encase, safeback. This tool is very effective for forensic use like recover any data from criminal's pen drive.

Foremost is a command line tool, it previously comes pre-loaded with Kali Linux. But now we have to install it by applying following command:

sudo apt-get install foremost

Now we check the help of foremost tool by using following command:

foremost -h

The screenshot of the command is following:

Using those options we can easily recover important files from our data storage.

Let we connect our pen drive in our system. There are some files in our USB drive.

There are 3 image files, a video file and a pdf file. Now we delete those files from our drive.

Then we come on on trash folder and remove those files from trash folder also.

Now those files are permanently deleted, or we can use Shift+Delete key to delete them permanently.

Okey, now it's time to recover our permanently deleted data. To recover our permanently deleted data from pen drive we need to know our pen drive's disk path by opening terminal window and applying following command:

fdisk -l

The screenshot of the command is following:

Here we can see our pen drive's location is /dev/sdb and the main partition of our pen drive is /dev/sdb1. This /dev/sdb1 is the memory storage partition. We can copy this path(/dev/sdb1) or just remember this.

Now we run the recovery process by entering following command:

foremost -t jpg,pdf,mp4 -v -q -i /dev/sdb1 -o /root/Desktop/recovered

The screenshot of this command is following:

In this above command we use -t flag to specify file types if we did not use this, foremost will recover all known file types, and we choose -v for verbose mode,this mode will display all the process in screen. We choose the -q for quick mode, -i is for input devices in our case our input device is our pen drive and the path is /dev/sdb1 . We have also chosen -o, -o is to set the output directory. That means where we want to keep our recovered files. Here we choose recovered folder in our Desktop.

This process will take time because it will analyze the entire disk, small size disks can recovered very quickly. It also take time if we are recovering many data or we are not in quick mode.

If the deleted files are overwrite by other files then we may get trouble to recover, those deleted files and may we got corrupted files. Now we check our recovered folder in Desktop.
Here we have successfully recovered our deleted data in our pen drive.

Not in only digital forensic we can use this free tool to recover data for our personal uses, like we can recover data from our camera memory card or any other flash drives. We will got many paid tools for this job but when we have a very powerful free tool then why we pay for recovery tools. So we have learned how to use foremost in Kali Linux and recover permanently deleted data. Will this tutorial was helpful ? For any questions or problem fell free to ask, we always happy to help you. Let comment how much you liked this tutorial ?