
Lab 5: Recovering Files and Data Carving (To Find Some Data or a Specific Data Type)

Tools to be Used - Foremost

Platform : Kali Linux

Points to Understand or Remember:


1.) File carving is retrieving data and files from unallocated space
with the help of some specific characteristics.
Ex: Indexing - File Header - File Structure
Metadata - Data about the data (always created with filesystems)
2.) Unallocated Space: space that is considered to be empty.
(It could be a fresh disk, which is not to be considered for cyber forensics matters.)
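
The header-based carving described in the points above, as an added example (not part of the original lab and not Foremost's own code). It is a simplified sketch that scans a constructed byte buffer for JPEG start and end signatures; the function names and sample data are assumptions made for illustration.

```python
# Added example: signature-based carving over a constructed buffer.
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (offset, data) for each header..footer span in image."""
    carved = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Look for the footer only within max_size bytes of the header.
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: fragmented or overwritten file.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        carved.append((start, image[start:end]))
        pos = end
    return carved


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, two fake JPEGs, one orphan header."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe1" + b"B" * 40 + JPEG_FOOTER
    orphan = JPEG_HEADER + b"\xe0" + b"C" * 10   # no footer, must be skipped
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b
            + b"\x00" * 64 + orphan + b"\x00" * 32)


if __name__ == "__main__":
    # Print a small listing with number, size and offset per carved file.
    print("Num  Size  Offset")
    for num, (offset, data) in enumerate(carve_jpegs(build_sample_image())):
        print(f"{num:<4} {len(data):<5} {offset}")
```

No filesystem metadata is consulted: the offsets come purely from the byte signatures, which is why carving still works when the file's directory entry is gone.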

Steps:
1.) Download the file required to be carved:
http://dftt.sourceforge.net/test11/index.html
2.) Install Foremost in Kali Environment.
Go to root or use sudo command.
apt-get install foremost
3.) MAN - Manual
4.) General command for using Foremost
foremost -i(Input) -o(Output) -options

5.) Output: Test1_Foremost (folder type)
Some more folders (gif, jpg, pdf, mov, wmv...)
audit.txt (gives you the details for every individual file - 14 files (0-13))
Num Name Size Offset Remarks
Finish Status :

6.) Next command that can be used for carving a specific type of file.
foremost -t (Type of file) -i(Input) -o(Output) -options
foremost -t jpg -i -o

7.) Change the permissions of the file so that it cannot be modified by anyone.
The command is chmod options options options (one digit each for user, group and others - UGO)
4 - read
2 - write
1 - execute
7 - read + write + execute (4+2+1)

https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for-Digital_Evidence-v5.pdf

https://www.cfreds.nist.gov/FileCarving/index.html
