What is Foremost?
Foremost is a file carving tool originally developed by the US Air Force Office of Special Investigations. It recovers deleted or hidden files from disk images, memory dumps, or raw storage devices by scanning for known file headers and footers — without needing a filesystem. It is commonly used in CTF forensics challenges and real-world incident response to retrieve images, documents, and archives from evidence images.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
# Update packages
sudo apt update
# Install (if not already on Kali)
sudo apt install foremost -y
# Verify installation
foremost -h
Basic Usage
# Carve all supported file types from a disk image
foremost -i image.dd -o ./output/
# Carve only specific file types (jpg and png)
foremost -t jpg,png -i image.dd -o ./output/
# Carve from a raw device (e.g. USB drive)
sudo foremost -i /dev/sdb -o ./recovered/
# Run in verbose mode to see progress
foremost -v -i image.dd -o ./output/
# Carve from a .pcap network capture
foremost -i capture.pcap -o ./extracted/
# View the audit log after carving
cat ./output/audit.txt
Supported File Types (-t flag)
- jpg/png/gif/bmp: Images
- pdf: PDF documents
- doc/docx: Microsoft Word files
- zip/rar: Compressed archives
- mp4/avi: Video files
- mp3: Audio files
- exe: Windows executables
- Omitting -t carves all supported types at once
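To show what header/footer carving actually does for the jpg and png types listed above, here is an added Python example (my own code, not foremost's source): it scans a raw byte buffer for known headers, cuts each file at its footer or at a size cap when the footer is missing, and prints an audit table in the spirit of audit.txt. The signatures, the 20 MB cap and the sample "disk image" are simplified constructions for illustration and do not match foremost's exact configuration.

```python
import zlib
from collections import namedtuple

# Simplified header/footer signatures (my own, not foremost's exact config).
# The max length caps a carve when no footer is found, as any carver must for truncated files.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
}

# complete is False when the footer was missing and the carve stopped at the size cap
Carved = namedtuple("Carved", "ftype offset size data complete")

def carve(buf: bytes, types=None) -> list:
    """Scan a raw byte buffer for known headers and cut each file at its footer."""
    results = []
    for ftype, (header, footer, maxlen) in SIGNATURES.items():
        if types and ftype not in types:  # mirrors restricting output with -t
            continue
        pos = 0
        while (start := buf.find(header, pos)) != -1:
            limit = start + maxlen
            end = buf.find(footer, start + len(header), limit)
            complete = end != -1
            end = end + len(footer) if complete else min(limit, len(buf))
            results.append(Carved(ftype, start, end - start, buf[start:end], complete))
            pos = end  # resume after the carve; a nested EXIF thumbnail would be swallowed
    return sorted(results, key=lambda c: c.offset)

def audit(results) -> str:
    """Report in the spirit of foremost's audit.txt: one line per carved file."""
    lines = ["Num\tType\tOffset\tSize\tComplete"]
    lines += [f"{i}\t{c.ftype}\t{c.offset}\t{c.size}\t{c.complete}" for i, c in enumerate(results)]
    return "\n".join(lines)

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload).to_bytes(4, "big")
    return len(payload).to_bytes(4, "big") + ctype + payload + crc

def sample_image() -> bytes:
    """Constructed 'disk image': filler around a 1x1 PNG, a JPEG, and a truncated JPEG."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
           + _png_chunk(b"IEND", b""))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1" + b"\x11" * 24  # footer missing: carve runs to the cap
    return b"\x00" * 32 + png + b"\xaa" * 16 + jpg + b"\xbb" * 8 + truncated + b"\xcc" * 40
if __name__ == "__main__":
    print(audit(carve(sample_image())))
```

The third row of the report shows the failure mode worth checking in any real carve: a file whose footer is missing is cut at the cap and comes out padded with whatever followed it on disk, so its size and Complete flag deserve a second look before the output is trusted.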
Common Use Cases
- CTF (Capture The Flag) forensics challenges
- Recovering deleted files from disk images
- Incident response and digital forensics investigations
- Extracting embedded files from network captures
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using in a live engagement.