Special Thanks: This article was made possible by support from Linux Professional Institute

It is common knowledge that once you remove a file on a *nix filesystem, it’s gone—gone forever, and you can’t get it back. Well, that’s not exactly true anymore, and I’m not 100 percent convinced that it ever was true, but that’s a whole separate discussion. There are some effective methods for recovering files on all filesystems, including *nix ones. This article covers one of the methods using the forensics tool, Foremost. That’s right, we have to turn to one of the “pro” methods for restoring files. Foremost can restore certain files based on their headers, footers, and data structures. Foremost is a forensics tool used by law enforcement to restore deleted files, but it is freely available for anyone to use.

Foremost restores a somewhat limited list of files that includes some document types, zipped files, sound files, graphics images, C source, OLE files, and some movie formats. These types of files are the ones that are most targeted by law enforcement and associated with illegal activity.

Installation

Red Hat, CentOS, and Fedora users will have to first add the RepoForge repository and then install it with:

$ sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/
  rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm

$ sudo yum –y install foremost

This also installs the necessary dependencies for Foremost.

On Debian-based systems, the installation is easy:

$ sudo apt install foremost

Note: On my Ubuntu 18.04 system,

apt install foremost

didn’t work, so I had to work around the issue by doing the following:

$ wget http://launchpadlibrarian.net/205815060/
  foremost_1.5.7-6_amd64.deb

$ sudo dpkg –i foremost_1.5.7-6_amd64.deb

Usage

To demonstrate how Foremost works, I have removed (deleted) one of my files (MAZ1.jpg) from my home directory:

$ rm MAZ1.jpg

Before you run Foremost, you should have a separate partition or external disk to use for file recovery. If you don’t, then there’s a chance that your recovered files will be overwritten, and you won’t be able to recover anything. This is also why you should attempt recovery as soon as you realize (or the file’s owner realizes) that a file has been errantly removed. A very busy filesystem that is also low on available disk space might yield no results, although it’s worth a try.

In the following command, I run foremost on the partition containing the deleted file, which is /dev/sda2. I designate /recover as the output location. My /recover directory is actually an additional disk (1GB) that I setup specifically for file recovery.

$ sudo foremost –t jpg /dev/sda2 –o /recover
Processing: /dev/sda2
|**************************************************************************|

You can now browse the /recover directory that contains two files: audit.txt and a jpg directory. In the JPG directory, you find a listing of all the JPG type files recovered from /dev/sda2. In my case, there are 244 of them, which is unfortunate because ordinarily I’d have to look at each file individually to find the one I’m interested in recovering. This time I know the approximate size of the file, which is 2.4MB. You have to list these files using sudo because the jpg directory is only executable by root, meaning that regular users cannot cd into it (Listing 1).

$ sudo ls –lS /recover/jpg
ls -lS
total 44096
-rw-r--r-- 1 root root 9659197 Sep  3 17:24 15564800.jpg
-rw-r--r-- 1 root root 3613391 Sep  3 17:24 15613952.jpg
-rw-r--r-- 1 root root 3563772 Sep  3 17:24 15593472.jpg
-rw-r--r-- 1 root root 3085681 Sep  3 17:24 15556608.jpg
-rw-r--r-- 1 root root 2975375 Sep  3 17:24 15585280.jpg
-rw-r--r-- 1 root root 2880578 Sep  3 17:24 15540224.jpg
-rw-r--r-- 1 root root 2794666 Sep  3 17:24 15622144.jpg
-rw-r--r-- 1 root root 2463714 Sep  3 17:24 19415032.jpg
-rw-r--r-- 1 root root 2313724 Sep  3 17:24 15601664.jpg
-rw-r--r-- 1 root root 1977539 Sep  3 17:24 15609856.jpg

The file, 19415032.jpg, is the one of interest and has been recovered. I can copy this file back to its original location and change its permissions so that the original file owner has access to it.

I then removed a document file, ATP.doc, and attempted recovery:

$ rm ATP.doc

$ sudo foremost –t doc /dev/sda2 –o /recover
Processing: /dev/sda2
|**************************************************************************|

However, this time, there was no doc directory under /recover. The audit file output is shown in Listing 2.

$ sudo cat /recover/audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Tue Sep  3 19:27:07 2019
Invocation: foremost -t doc /dev/sda2 -o /recover
Output directory: /recover
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/sda2
Start: Tue Sep  3 19:27:07 2019
Length: 9 GB (10734272512 bytes)

Num  Name (bs=512)        Size  File Offset  Comment

Finish: Tue Sep  3 19:27:52 2019

0 FILES EXTRACTED

 ------------------------------------------------------------------

Foremost finished at Tue Sep  3 19:27:52 2019

So, you see that Foremost is not always successful in file recovery using certain file types. But, certain file types are better recovered in OLE format, such as Microsoft Office files:

$ sudo foremost –t ole /dev/sda2 –o /recover
Processing: /dev/sda2
|**************************************************************************|

This time recovery was successful. Knowing the approximate file size is a big help in determining the file of interest that was successfully recovered. My file was approximately 6MB in size; of the 39 extracted files, only one fits that profile: 19611640.ole. I renamed the file as ATP.doc and opened it to see that the file had indeed been recovered.

More Information

Check SourceForge and the Foremost man page for more information for usage and examples. My examples are generic but very useful. There are a few extra switches (options) that you can use, such as -v for verbose mode, which is recommended. You can also simply perform an audit without extracting any files with the -w switch.

Also note that you can customize the /etc/foremost.conf file to include other file types for recovery. Many of the ones included in the configuration file are default recoverable files. Using the current entries as templates, you can add new entries to the configuration file.