How to Recover Deleted Files Using Foremost

Learn how to recover deleted files using Foremost, a powerful forensic tool for file carving. This guide walks you through scanning storage devices for lost data and restoring deleted images, documents, and archives with ease.

Updated
Nov 2025

In this tutorial, you’ll learn how to recover deleted files from a drive. This technique is very useful for both personal and career endeavors (especially for people aspiring to work in digital forensics).

You may be wondering how it’s possible to recover deleted files from a drive. To satisfy your curiosity, you should know that deleted files can often be recovered because when a file is deleted, the data isn’t immediately erased; only the reference to it in the filesystem is removed. The data remains on the disk until it’s overwritten. Recovery tools scan the disk for recognizable file signatures or patterns to locate and reconstruct these files, effectively “carving” them out from the remaining data.

There are a lot of data recovery tools. One of my favorites is Foremost (which is what I’ll use in this demonstration). Foremost is a forensic data recovery tool used to recover deleted files based on their headers, footers, and internal data structures. It scans a storage device for specific file signatures, extracts those files, and reconstructs them even after deletion, provided they haven’t been overwritten. Originally developed by the U.S. Air Force, it’s widely used for digital forensics. This process is known as data carving or file carving.
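How header/footer carving works in miniature, as an added example (this is not Foremost's code and not part of the original tutorial). The signature table, the `carve` function, the `MAX_SIZE` cap and the sample "disk" bytes are all constructed for illustration.

```python
"""Minimal header/footer file carver (illustrative; not Foremost's implementation)."""

# (header, footer) byte signatures. A PNG ends with its IEND chunk type plus CRC;
# a PDF ends with the %%EOF marker (this sketch stops at the first one it sees).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed cap: give up if no footer within 10 MiB


def carve(raw: bytes, types=("png", "pdf")):
    """Return (type, offset, data) for every header that has a matching footer."""
    found = []
    for ftype in types:
        header, footer = SIGNATURES[ftype]
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + MAX_SIZE)
            if end != -1:
                end += len(footer)
                found.append((ftype, pos, raw[pos:end]))
                pos = raw.find(header, end)
            else:
                # Header without a footer: the tail was overwritten or fragmented.
                pos = raw.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed 'disk': filler bytes with deleted files left in free space."""
    png = SIGNATURES["png"][0] + b"<constructed png chunks>" + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\n<constructed pdf body>\n%%EOF"
    truncated = b"%PDF-1.7\n<tail overwritten>"  # header only, so not recoverable
    image = b"\x00" * 512 + png + b"\xff" * 300 + pdf + b"\x00" * 200 + truncated
    return image, png, pdf


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for ftype, offset, data in carve(image):
        # Like a carver's output, names come from the offset, not the original name.
        print(f"{offset:08d}.{ftype}: {len(data)} bytes")
```

The carver never consults the filesystem, which is why original file names are lost and why a file whose tail has been overwritten (the third entry in the sample) is not returned.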

Now, let’s see it in practice. I’ll be performing this demonstration using my Kali Linux as a Virtual Machine, and my 32GB flash drive. You can use any pluggable storage drive (like a hard drive) of your choice.

As mentioned earlier, we’ll be using foremost. So to install foremost, open up your terminal and run:

$ apt update
$ apt install foremost

apt update: Refreshes the package list on your system to ensure you have the latest information on available software and updates.

apt install foremost: Installs the `foremost` tool on your system using the package manager, allowing you to recover deleted files.

A very good practice to observe when you don’t know how to use a package is to run it with the --help or -h option. This will help you understand how to use the tool. It’s not practical to memorize the usage of all available tools. The ones you use frequently will automatically stick.

So, to see the usage of the tool, we run:

$ foremost -h

Now that we have seen the various options available within the tool, we can easily craft our command. But before we do that, notice that the -i flag refers to our input file. This is the device we are trying to recover deleted files from (in my case, my flash drive). To find the drive on Kali, first plug it in (obviously) and then run:

$ fdisk -l

This command lists all the disk partitions on your system, showing details like device names, sizes, and partition types. It’s used for viewing the structure of connected storage devices.

Here’s my result after running it. The output of the fdisk -l command lists two disk devices:

1. /dev/sda: An 80.1 GB disk with a single Linux partition (/dev/sda1). Basically, my Kali VM.

2. /dev/sdb: A 29.3 GB disk with a single FAT32 partition (/dev/sdb1). This is my Flash drive.

Notice the naming conventions. This is specific to Linux. In Linux, disk devices are named as follows:

- /dev/sda: The first detected hard disk or SSD (usually the primary disk).

- /dev/sdb: The second detected disk (could be another internal disk, an external drive, etc.).

The letters (`a`, `b`, etc.) indicate the order in which the system detected the drives.

Each disk’s size, sector information, and partition layout are displayed.

Now that we know the identifier of our drive, let’s go ahead and begin the recovery process. You can clear/split your screen and run:

$ foremost -t pdf,png -i /dev/sdb -o recovered-files

This command runs foremost to recover files from the /dev/sdb disk:

-t pdf,png: Specifies the file types to recover (PDF and PNG files).

-i /dev/sdb: Indicates the input source, which is the /dev/sdb disk (my flash drive). Give the device path without a trailing slash, since it is a device file and not a directory.

-o recovered-files: Specifies the output directory where the recovered files will be saved. You do not need to create this beforehand. Foremost will do that for you.

After running the command, please give the tool some time to work. It may take a bit of time depending on the size of your drive and your computational power.

Also, please note that if you have an idea of the files you want to recover, say PDFs, you can specify only “pdf” to the -t flag. If it’s more than one file type, separate them with commas (as we did above). And if you have no idea what file types were on the drive, you can simply remove the -t flag entirely or specify -t all to search for all supported file types.

Note: You can see all the supported file types by running (as root):

$ nano /etc/foremost.conf

When the tool is done working, you’ll notice that there’s a new folder created in your working directory. This folder will be named after what you specified in the -o flag. In our case, the folder is recovered-files.

So basically, it searches for and recovers PDF and PNG files from /dev/sdb and saves them in the recovered-files directory.

I was in my Desktop directory so that’s my folder with the lock icon. The lock icon is there because that folder can only be viewed by the root user. So right click and open as root.

When you open the folder, you’ll see subfolders for the file types you specified.

The audit.txt file contains a log of the recovery process. The file is useful for reviewing the results of the recovery operation and troubleshooting any issues that may have occurred.

When you go further and open any of the subfolders, you’ll find the recovered files.

Recovered PDF and PNG files. Ignore the message in orange. Kali is just telling you to be careful when you access files as root.

There you have it. We have successfully recovered deleted files from the Flash drive. I don’t know about you, but this is a pretty exciting skillset to possess. One thing to note is that the file names may not come back as they were. They mostly carry new names, but the file content is usually intact.

Please note that when a deleted file is overwritten, the original data is replaced by new data. This makes recovery much more difficult because the previous file’s content is lost. A good practice is to avoid tampering with your drive or plugging it into computers unnecessarily before you attempt to recover the deleted files.

In this guide, I used foremost. However, there are other tools, like Magicrescue and Scalpel. Feel free to research and try them out. Let me know when you do!

I really hope you enjoyed this one. If you have any questions, observations or contributions, please let me know in the comment section. And if you enjoyed this tutorial, consider following me to receive an update whenever I upload similar tutorials.

Till next time!
