ohmygodlin / foremost Goto Github PK

WINDOWS:
Requires path to MinGW.
Makefile defaults MinGW gcc path to /opt/mingw32/bin
If you installed mingw32 in different location modify line 13 in Makefile.
Requires libiberty.a to compile

MingGW: http://sourceforge.net/projects/mingw-w64/files/Toolchains%20targetting%20Win32/Automated%20Builds/

$ make cross


----------------------------------------------------------------------


FOREMOST 
----------------------------------------------------------------------

Foremost is a Linux program to recover files based on their headers and
footers. Foremost can work on image files, such as those generated by dd,
Safeback, Encase, etc, or directly on a drive. The headers and footers are
specified by a configuration file, so you can pick and choose which
headers you want to look for.



--------------------------------------------
INSTALL FOREMOST
--------------------------------------------

To run foremost, you must:

- uncompress the archive
- compile
- install

Here's how to do it:

LINUX:
$ tar zxvf foremost-xx.tar.gz
$ cd foremost-xx
$ make
$ make install

BSD:
$ tar zxvf foremost-xx.tar.gz
$ cd foremost-xx
$ make unix
$ make install

SOLARIS:
$ tar zxvf foremost-xx.tar.gz
$ cd foremost-xx
$ make solaris
$ make install

OSX:
$ tar zxvf foremost-xx.tar.gz
$ cd foremost-xx
$ make mac
$ make macinstall

On systems with older versions of glibc (earlier than 2.2.0), you will get 
some harmless warnings about ftello and fseeko not being defined. You can 
ignore these.


If you ever need to remove foremost from your system, you can do this:

$ make uninstall



--------------------------------------------
USING FOREMOST
--------------------------------------------

A description of the command line arguments can be found in the man page. 
To view it:

$ man foremost



--------------------------------------------
CONFIGURATION FILE FORMAT
--------------------------------------------

The configuration file is used to control what types of files foremost
searches for. A sample configuration file, foremost.conf, is included with
this distribution. For each file type, the configuration file describes
the file's extension, whether the header and footer are case sensitive,
the maximum file size, and the header and footer for the file. The footer
field is optional, but header, size, case sensitivity, and extension are
not!

Any line that begins with a '#' is considered a comment and ignored. Thus,
to skip a file type just put a '#' at the beginning of that line

Headers and footers are decoded before use. To specify a value in
hexadecimal use \x[0-f][0-f], and for octal use \[1-9][1-9][1-9].  Spaces
can be represented by \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".

To match any single character (aka a wildcard) use a '?'. If you need to
search for the '?' character, you will need to change the 'wildcard' line
*and* every occurrence of the old wildcard character in the configuration
file. Don't forget those hex and octal values! '?' is equal to 0x3f and
\063.

Here's a sample set of headers and footers:

# extension  case-sens  max-size   header			footer		(option)
#
# GIF and JPG files (very common)
	gif	y	155000	\x47\x49\x46\x38\x37\x61	\x00\x3b
  	gif	y 	155000	\x47\x49\x46\x38\x39\x61	\x00\x00\x3b
  	jpg	y	200000	\xff\xd8\xff			\xff\xd9

Note: the option is a method of specifying additional options.  Current the following options exist:

FORWARD: Specify to search from the header to the footer (optional) up to the max-size.
REVERSE: Specify to search from the footer to the header up to the max-size.
NEXT: Specify to search from the header to the data just past the footer.  This allows you to  specify data that you know is 'NOT' in the data you are looking for and should terminated the search, up to the max-size.

--------------------------------------------
BUG REPORTING
--------------------------------------------

Please report ALL bugs to nick dot mikus AT gmail d0t com. Please include a 
description of the bug, how you found it, and your contact information.




--------------------------------------------
CREDITS AND THANKS
--------------------------------------------

Foremost was written by Special Agent Kris Kendall and Special Agent Jesse
Kornblum of the United States Air Force Office of Special Investigations
starting in March 2001. This program would not be what it is today without
help from (in no particular order): Rob Meekins, Dan Kalil, and Chet
Maciag. This project was inspired by CarvThis, written by the Defense
Computer Forensic Lab in 1999.


--------------------------------------------
LEGAL NOTICE
--------------------------------------------

dd, Safeback, and Encase are copyrighted works and any questions regarding 
these tools should be directed to the copyright holders. The United States 
Government does not endorse the use of these or any other imaging tools.