Project 6 Data Carving With Foremost (15 Points)

Foremost is a free, open-source file carving tool used to recover files from disk images even after directory information is lost. The document provides instructions on downloading a disk image file and using Foremost to recover images, documents and other files from it without file names. Following the steps recovers 5 images, 3 documents and allows viewing the recovered files, demonstrating Foremost's ability to extract file contents without filenames.

Project 6: Data Carving with Foremost (15 Points)

What You Need for This Project
A Kali Linux machine, real or virtual.

Purpose
Foremost was written by US Air Force special agents, and it's free
and open-source. It is very efficient at file carving--it rapidly scans
through disk images and reconstructs the files, using a list of known
headers and footers.

This makes it possible to recover the contents of files even after the
directory information for them is lost, often by reformatting the disk.
The filenames cannot be recovered by this technique, but the file
contents can.

And it's outrageously easy to use. Simply invoking Foremost with no
options looks for all possible file types and puts the files it finds in a
folder named "output".

Downloading the Evidence File

On your Kali Linux machine, in a Terminal window, execute these
commands:

cd
cd Desktop
curl https://samsclass.info/121/proj/p15.zip > p15.zip
unzip p15.zip

Examine your Kali desktop and make sure there isn't a folder
named "output".

If there is one, right-click it and click "Move to Trash".

Viewing the Foremost Help Message


On your Kali Linux machine, in a Terminal window, execute this
command:

foremost -h

A list of options appears. We don't need any of them for this project,
but the most interesting one to note is -q which makes the scan
quicker by assuming every file will start on a sector boundary, which
seems like a very safe assumption.
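To make the header/footer scan from the Purpose section concrete, here is an added example (written for this page, not Foremost's own source and not part of the original project): a small Python carver that finds files by their known starting and ending byte sequences in a raw image, names them by number because the directory entries are gone, and writes an output folder with an audit.txt much like the one the project produces. Its quick flag mimics what -q does, only accepting headers that begin on a 512-byte sector boundary. The signature table, the sector size, the file naming scheme and the sample "disk image" it builds are all constructed for the example.

```python
# Added example (not Foremost's own code): a minimal header/footer carver in
# the style the Purpose section describes, plus a "quick" mode that, like
# foremost -q, only accepts headers that start on a 512-byte sector boundary.
import io
import os
import zipfile

SECTOR = 512

# (file type, header, footer, bytes that follow the footer). Constructed table;
# Foremost keeps a much longer one, with maximum sizes, in its config file.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    # A ZIP ends with the 22-byte End Of Central Directory record: the 4-byte
    # "PK\x05\x06" marker plus 18 bytes of fields (no archive comment assumed).
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 18),
]


def carve(image, quick=False):
    """Return [(type, byte offset, carved bytes)] for every header/footer pair.

    quick=True skips any header that is not sector-aligned: faster, but it
    misses files that start mid-sector (for example one embedded in another).
    """
    found = []
    for ftype, header, footer, tail in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            if quick and start % SECTOR != 0:
                pos = start + 1
                continue
            end = image.find(footer, start + len(header))
            if end == -1:
                break
            end += len(footer) + tail
            found.append((ftype, start, image[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found


def summarize(found):
    """Counts per type, in the spirit of the 'jpg:= 5  zip:= 3' lines of audit.txt."""
    counts = {}
    for ftype, _, _ in found:
        counts[ftype] = counts.get(ftype, 0) + 1
    return counts


def zip_members(data):
    """Member names of a carved ZIP; raises zipfile.BadZipFile if the carve is incomplete."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def write_output(found, outdir="output"):
    """Write each hit as <outdir>/<type>/<sector>.<type> plus an audit.txt.

    The names are numbers because nothing in the carved bytes knows the original
    filename; that lived in the directory the carver never sees.
    """
    os.makedirs(outdir, exist_ok=True)
    names = []
    for ftype, off, data in found:
        sub = os.path.join(outdir, ftype)
        os.makedirs(sub, exist_ok=True)
        name = f"{off // SECTOR:08d}.{ftype}"
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
        names.append(name)
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write(f"{len(found)} FILES EXTRACTED\n")
        for ftype, n in summarize(found).items():
            fh.write(f"{ftype}:= {n}\n")
    return names


# --- constructed sample "disk image" ------------------------------------------
def make_jpeg(payload):
    """Smallest thing the carver treats as a JPEG: SOI marker ... EOI marker."""
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"


def make_zip(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample_image():
    """8 zeroed sectors (no directory at all) with three files dropped into them."""
    img = bytearray(SECTOR * 8)
    jpg_a = make_jpeg(b"first picture")
    zip_a = make_zip("note.txt", b"hello, carved world")
    jpg_b = make_jpeg(b"second picture")
    img[0:len(jpg_a)] = jpg_a                          # sector 0, aligned
    img[2 * SECTOR:2 * SECTOR + len(zip_a)] = zip_a    # sector 2, aligned
    off = 5 * SECTOR + 100                             # mid-sector: quick mode misses it
    img[off:off + len(jpg_b)] = jpg_b
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("full scan :", summarize(carve(image)))               # {'jpg': 2, 'zip': 1}
    print("quick scan:", summarize(carve(image, quick=True)))   # {'jpg': 1, 'zip': 1}
    print("written   :", write_output(carve(image), "output"))
```

Running it creates an output folder with jpg and zip subfolders and an audit.txt, like the project's. The quick scan shows the trade-off behind -q: the JPEG planted 100 bytes into sector 5 is never seen, so the assumption that every file starts on a sector boundary is safe only for files that were written by a filesystem as ordinary, unfragmented files.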
File Carving with Foremost
On your Kali Linux machine, in a Terminal window, execute this
command:

foremost p15.dd

Foremost prints some strange binary stuff, as shown below, but
that's OK--it worked.

That's it. Close or minimize your Terminal window.

Viewing the Results


On your Kali Linux desktop, double-click the output folder to open
it.

An "output" window opens, containing three items, as shown below.

The "jpg" and "zip" folders contain the recovered files, and the
audit.txt file contains a list of all files recovered.
Double-click the audit.txt file.

A list of the recovered files appears, as shown below.

Resize or scroll the window to show this text (your date and time will
be different):

8 FILES EXTRACTED

jpg:= 5
zip:= 3
------------------------------------------------------------------

Foremost finished at Mon Apr 7 16:30:26 2014


Viewing the Recovered Images
On your Kali Linux desktop, close the "audit.txt" window.

In the "output" window, double-click the jpg folder.

You should see five images, as shown below.

Notice that the images were recovered, but not the filenames--all
the files have numerical names now.

Foremost recovered two files that ProDiscover did not--a Guy
Fawkes mask, and an image of the "Anarchist Cookbook".

Viewing the Recovered DOCX Files
On your Kali Linux desktop, in the "jpg" window, click output.

In the "output" window, double-click the zip folder.

You should see three files, as shown below.

These files were recovered as ZIP files, because that's how
Microsoft's XML-based Office documents (DOCX) are structured: a
DOCX is a ZIP archive of XML files.

Double-click one of the recovered ZIP files. Kali Linux can't open it.

The easiest way to view these files is to install LibreOffice on Kali.


In a Terminal window, execute this command:

rm -rf /var/lib/apt/lists

apt-get update

apt-get install kali-archive-keyring

apt-get install libreoffice -y

Right-click one of the Zip files and click Rename. Change the file
extension to DOCX and press the Enter key.

Repeat the process for the other two ZIP files.

Double-click each of the DOCX files to open it in LibreOffice Writer.
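The rename step works because a DOCX is a ZIP of XML parts. As an added example (not part of the project and not LibreOffice's or Foremost's code), the Python below decides from a carved file's contents whether it is a Word, Excel or PowerPoint package or just a plain archive, renames it to match, and reads the document text straight out of word/document.xml so a carve can be checked without opening it in Writer. The marker part names are the standard ones inside Office packages; the lookup table, the helper names and the minimal two-part sample "DOCX" it builds are constructed for the example.

```python
# Added example (not from the project): tell which carved ZIP files are really
# Office Open XML documents, rename them accordingly, and pull the text out
# without LibreOffice. A DOCX is a ZIP whose members are XML parts.
import io
import os
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional

# Member that identifies each Office format (constructed lookup; the marker
# names are the standard part names inside the package).
OOXML_MARKERS = {
    "docx": "word/document.xml",
    "xlsx": "xl/workbook.xml",
    "pptx": "ppt/presentation.xml",
}
W_NS = {"w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}


def classify_zip(data: bytes) -> Optional[str]:
    """'docx'/'xlsx'/'pptx' for Office packages, 'zip' for any other intact
    archive, None when the bytes are not a complete ZIP (a bad or partial carve)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:      # name of the first member with a bad CRC
                return None
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    if "[Content_Types].xml" not in names:
        return "zip"
    for ext, marker in OOXML_MARKERS.items():
        if marker in names:
            return ext
    return "zip"


def docx_text(data: bytes) -> str:
    """Concatenate the <w:t> text runs of word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iterfind(".//w:t", W_NS))


def rename_by_content(path: str) -> Optional[str]:
    """Give a carved file the extension its contents call for (the project's
    manual Rename step, driven by the bytes instead of by guessing)."""
    with open(path, "rb") as fh:
        kind = classify_zip(fh.read())
    if kind is None:
        return None
    new_path = os.path.splitext(path)[0] + "." + kind
    os.replace(path, new_path)
    return new_path


# --- constructed samples ------------------------------------------------------
def make_package(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def make_fake_docx(text: str) -> bytes:
    """Only the two parts this example needs; a real DOCX carries several more."""
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>'
           '</w:body></w:document>' % (W_NS["w"], text))
    return make_package({
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": doc,
    })


if __name__ == "__main__":
    docx = make_fake_docx("We the People")
    plain = make_package({"readme.txt": "just an archive"})
    print(classify_zip(docx), classify_zip(plain), classify_zip(docx[:-10]))  # docx zip None
    print(docx_text(docx))                                                     # We the People
```

The truncated case matters for carving: a ZIP whose end-of-central-directory record was not recovered is reported as None rather than renamed, which is the same reason Kali's archive manager refuses a bad carve. Point rename_by_content at each file in the output/zip folder to do the project's three renames in one pass.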

Two of the files are the ones ProDiscover found--the Hacker's
Manifesto and the Bill of Rights.

Find the third file--a recipe for making Crank Meth, as shown below.

Recording Your Success

A name is redacted in the image above. Find it and use the form
below to put your name on the WINNERS PAGE.


Last Modified: 5-18-18
