foremost is a tool that recovers files by scanning a disk or image for known file headers and internal data structures (file carving), without relying on the file system's metadata.
The original code was written by two investigators at (OSI), mainly for criminal investigations.
The file types it can recover (from the foremost man page):

- jpg: Support for the JFIF and Exif formats, including implementations used in modern digital cameras.
- gif
- png
- bmp: Support for the Windows bmp format.
- avi
- exe: Support for Windows PE binaries; will extract DLL and EXE files along with their compile times.
- mpg: Support for most MPEG files (must begin with 0x000001BA).
- wav
- riff: This will extract AVI and RIFF files since they use the same file format (RIFF). Note: faster than running each separately.
- wmv: Note: may also extract wma files as they have a similar format.
- mov
- ole: This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter.
- doc: Note: it is more efficient to run ole, as you get more bang for your buck. If you wish to ignore all other OLE files, then use this.
- zip: Note: it will extract .jar files as well because they use a similar format. OpenOffice docs are just zipped XML files, so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files. Office 2007 files are also XML based (PPTX, DOCX, XLSX).
- rar
- htm
- cpp: C source code detection. Note: this is primitive and may generate documents other than C code.
- mp4: Support for MP4 files.
- all: Run all pre-defined extraction methods. [Default if no -t is specified]
Kali Linux ships with foremost installed by default; on Ubuntu you can install it with:

    # apt-get install foremost

Recovering files with foremost

Suppose you accidentally deleted a png file:

    # rm -f test.png

Recover it:

    # foremost -t png -i /dev/sda1

Recovered files are written by default to the output directory under the current working directory. If you do not know which partition the file was on, use the mount command to check.
Note: it also supports Windows file systems. If the disk blocks the file occupied have already been overwritten by other data, the file cannot be recovered.
If the disk is large, the run may take a long time. When it finishes, look in the output directory for the recovered files. The top level of the output directory contains a file named audit.txt, which holds a summary of the foremost run. To recover all supported file types, use all:

    # foremost -t all -i /dev/sda1

For more information about foremost, see the manual:

    # man foremost
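To show what "recovering by file header" means in practice, here is a minimal header/footer carver written for this post (it is not foremost's code). It scans a raw byte image for the PNG and JPEG signatures foremost also keys on and cuts out each header-to-footer span; the "disk image" it runs on is constructed inline, so it works offline.

```python
import struct
import zlib

# Header/footer byte signatures, as a carver like foremost uses them.
# PNG ends with the IEND chunk (tag + its fixed CRC); JPEG ends with the EOI marker.
SIGNATURES = {
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82"},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (kind, offset, data) for every header..footer span found in image.

    A header with no footer within max_size is skipped, since the data after it
    may already have been overwritten (the case the post warns about).
    """
    found = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while (start := image.find(sig["header"], pos)) != -1:
            end = image.find(sig["footer"], start + len(sig["header"]), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(sig["footer"])
            found.append((kind, start, image[start:end]))
            pos = end
    return found

def make_png(width: int, height: int) -> bytes:
    """Build a tiny valid 8-bit grayscale PNG (constructed sample, not a real file)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + row
    return (SIGNATURES["png"]["header"] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

def build_sample_image():
    """Constructed 'partition': filler, a JPEG stub, filler, a deleted PNG, filler."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"  # SOI/APP0 ... EOI
    png = make_png(4, 2)
    image = b"\x00" * 512 + jpg + b"\x17" * 300 + png + b"\x00" * 512
    return image, png, jpg

if __name__ == "__main__":
    image, png, jpg = build_sample_image()
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Because the carver never consults a file system, it finds the PNG at its byte offset regardless of whether any directory entry still points to it; that is also why a block overwritten by other data cannot be recovered this way.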