FOREMOST -- Recover Permanently Deleted Files Easily in Kali Linux

In this detailed tutorial we are going to learn digital forensics using our Kali Linux machine. Today we are going to recover permanently deleted or lost files using the foremost forensic tool; it can even recover files from formatted media drives.

Foremost is a forensic tool that can recover lost files based on their headers, footers and internal data structures. Foremost can recover data from storage media like hard disks, pen drives, memory cards etc.
It can recover image files, video files, exe files, pdf files, office files, etc. It can also work on image files generated by applications like dd, EnCase and Safeback. This tool is very effective for forensic use, such as recovering data from a criminal's pen drive.

Foremost is a command-line tool. It previously came pre-loaded with Kali Linux, but now we have to install it with the following command:

sudo apt-get install foremost
Now we check the help of the foremost tool by using the following command:

foremost -h

Using those options we can easily recover important files from our data storage.

Let's connect our pen drive to our system. There are some files on our USB drive.

There are 3 image files, a video file and a pdf file. Now we delete those files from our drive.

Then we go to the trash folder and remove those files from the trash folder as well.

Now those files are permanently deleted. Alternatively, we can use Shift+Delete to delete them permanently.

Okay, now it's time to recover our permanently deleted data. To recover the data from the pen drive we need to know the pen drive's disk path, which we find by opening a terminal window and running the following command:

fdisk -l

Here we can see our pen drive's location is /dev/sdb and the main partition of our pen drive is /dev/sdb1. This /dev/sdb1 is the memory storage partition. We can copy this path (/dev/sdb1) or just remember it.

Now we run the recovery process by entering the following command:

foremost -t jpg,pdf,mp4 -v -q -i /dev/sdb1 -o /root/Desktop/recovered

In the above command we use the -t flag to specify file types; if we do not use it, foremost will recover all known file types. We choose -v for verbose mode, which displays the whole process on screen. We choose -q for quick mode. -i is for the input device; in our case the input device is our pen drive and the path is /dev/sdb1. We have also used -o to set the output directory, that is, where we want to keep our recovered files. Here we choose the recovered folder on our Desktop.

This process will take time because it analyzes the entire disk; small disks can be recovered very quickly. It also takes more time if we are recovering a lot of data or we are not in quick mode.

If the deleted files have been overwritten by other files, we may have trouble recovering them and may get corrupted files. Now we check our recovered folder on the Desktop.
Here we have successfully recovered the data deleted from our pen drive.
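
To see why recovery by headers and footers works without any file table, and why overwritten files come back corrupted, here is a small signature carver in Python. It is an added example, not foremost's own code: the signature table, the 4096-byte size limit and the sample image are constructed for illustration, and the quick flag only imitates foremost's -q by checking the start of each 512-byte sector.

```python
SECTOR, MAX_SIZE = 512, 4096  # sector size; assumed per-file carve limit
# Constructed minimal signature table: type -> (header, footer)
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}


def header_offsets(image, header, quick):
    """Offsets where `header` occurs; quick mode checks sector starts only."""
    if quick:
        return [o for o in range(0, len(image), SECTOR) if image.startswith(header, o)]
    offsets, pos = [], image.find(header)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(header, pos + 1)
    return offsets


def carve(image, quick=False):
    """Return sorted (offset, type, data, complete) tuples found by signature scan."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        for off in header_offsets(image, header, quick):
            window = image[off:off + MAX_SIZE]
            end = window.find(footer, len(header))
            if end == -1:
                # Header survived but footer is gone: save a truncated, likely corrupt file.
                found.append((off, ftype, window, False))
            else:
                found.append((off, ftype, window[:end + len(footer)], True))
    return sorted(found)


def build_sample_image():
    """Constructed raw 'partition': file bodies between zeroed sectors, no file table."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"  # 306 bytes
    pdf = b"%PDF-1.4\n" + b"P" * 200 + b"\n%%EOF"         # 215 bytes
    damaged = jpg[:150]                                   # tail (and footer) overwritten
    image = bytearray(8192)
    image[512:512 + len(jpg)] = jpg            # sector-aligned
    image[1024:1024 + len(pdf)] = pdf          # sector-aligned
    image[1536:1536 + len(damaged)] = damaged  # sector-aligned, no footer
    image[6000:6000 + len(pdf)] = pdf          # NOT on a sector boundary
    return bytes(image), jpg, pdf


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for quick in (False, True):
        for off, ftype, data, ok in carve(image, quick):
            print(f"quick={quick} {ftype} @ {off}: {len(data)} bytes, complete={ok}")
```

The full scan finds the second PDF at offset 6000, while quick=True misses it because it does not start on a sector boundary. The JPEG at offset 1536 is carved as a 4096-byte fragment with no footer, which is what a partly overwritten file looks like to a carver.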

This free tool is not only for digital forensics; we can also use it to recover data for personal use, for example from a camera memory card or any other flash drive. There are many paid tools for this job, but when we have a very powerful free tool, why pay for recovery tools? So we have learned how to use foremost in Kali Linux and recover permanently deleted data. Was this tutorial helpful? For any questions or problems feel free to ask; we are always happy to help you. Let us know in the comments how much you liked this tutorial.

16 comments:

  1. Is it possible to recover from phone memory?

    Replies
    1. Same process as shown: in place of the pen drive, connect your phone with a USB and turn on data transfer. Same process.

  2. For me it finds a lot of files, jpg, mp4 etc. But they are all 0 bytes and useless.
    I tried it with two different disks. Any suggestions?

    Replies
    1. Do you have enough space on your PC? This happens at that time and we have corrupted or overwritten files.

  3. Fdisk -i command not showing my phone path. I'm using Kali Linux by VM box. Please help.

  4. Fdisk -i command not showing my phone path. I'm using Kali Linux by VM box. Please help.

  5. I have deleted some root file system and I can't run terminal as root. What can I do? Please answer.

    Replies
    1. Reinstall the system, no other option left.

  6. Recovery is finished with many files, but in the output folder it is showing empty.

  7. I need to export the output to External Drive without actually moving to the place where the OS is installed? Is there a way?

    Replies
    1. The question is not clear to us. Do you want the recovered data on an external drive? Use the -o flag with the location of the external hard drive.

  8. Tell me how to connect my mobile in that USB place... tell me the example path.

  9. fdisk -l not showing my phone path

    Replies
    1. Did you turn on your mobile's USB data transfer? Is it showing as a drive in the file manager?
