Foremost is a simple and effective CLI tool that recovers files by reading the headers and footers of the files. We can start Foremost by clicking on Applications | 11-Forensics | foremost:
Once Foremost is successfully started, a Terminal opens, displaying the program version, creators, and some of the many switches for usage:
To have a better understanding of Foremost and the switches used, try browsing the Foremost System Manager's Manual. This can be done by entering the following command:
man foremost
The syntax for using Foremost is as follows:
foremost -i (forensic image) -o (output folder) -options
In this example, we have specified the 11-carve-fat.dd file located on the desktop as the input file (-i) and specified an empty folder named Foremost_recovery as the output file (-o). Additionally, other switches can also be specified as needed.
To begin carving the 11-carve-fat.dd image with Foremost, we type the following command in the Terminal:
foremost -i 11-carve-fat.dd -o Foremost_recovery
Although the characters found look quite unclear while processing, the results will be clearly categorized and summarized in the specified output folder.
It is important that the specified output folder be empty or you will encounter problems, as shown in the following screenshot: