Terminal.skills
Skills/foremost
>

foremost

Recover deleted files and carve artifacts from disk images and memory dumps with Foremost. Use when a user asks to extract files from a raw disk image, recover accidentally deleted photos, pull embedded files out of a CTF blob, or carve artifacts from unallocated space.

#foremost#file-carving#digital-forensics#data-recovery#ctf
terminal-skillsv1.0.0
Works with:claude-codeopenai-codexgemini-clicursor
Source

Usage

$
✓ Installed foremost v1.0.0

Getting Started

  1. Install the skill using the command above
  2. Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
  3. Reference the skill in your prompt
  4. The AI will use the skill's capabilities automatically

Example Prompts

  • "Deploy the latest build to the staging environment and run smoke tests"
  • "Check the CI pipeline status and summarize any recent failures"

Information

Version
1.0.0
Author
terminal-skills
Category
DevOps
License
Apache-2.0

Use Cases

Investigate a Network Intrusion from a PCAP

Documentation

Overview

Foremost is a file carving tool: it scans raw disk images, memory dumps, or any blob byte-by-byte for magic headers and footers, then writes out the recovered files into neat per-type directories. It doesn't care about filesystem metadata — it looks for the on-disk bytes that identify a JPEG, PNG, PDF, ZIP, Office document, MP3, and so on. That makes it the right tool for recovering files the filesystem has forgotten or for CTF challenges where a blob hides multiple embedded files.

Instructions

Step 1: Create a Disk Image (Never Carve the Live Device)

bash
# Always work from an image, never the source device
sudo dd if=/dev/sdb of=disk.img bs=4M status=progress conv=noerror,sync

# Or use dcfldd (forensic fork of dd with hashing)
sudo dcfldd if=/dev/sdb of=disk.img bs=4M hash=sha256 hashlog=disk.sha256

# Verify integrity before working
sha256sum disk.img
cat disk.sha256

Step 2: Run Foremost

bash
# Default run — uses built-in config, all supported types
foremost -i disk.img -o recovered/

# Specific types only (jpg, png, pdf, zip, doc, mp3, ...)
foremost -t jpg,png,pdf -i disk.img -o recovered/

# Verbose + quick mode (scan only file headers, faster)
foremost -v -q -t all -i disk.img -o recovered/

# Output tree
tree -L 2 recovered/
# recovered/
# ├── audit.txt
# ├── jpg/
# │   ├── 00000001.jpg
# │   └── 00000125.jpg
# ├── pdf/
# │   └── 00000007.pdf
# └── zip/
#     └── 00000042.zip

Step 3: Review the Audit File

bash
# Summary of what was carved
cat recovered/audit.txt
# Foremost version 1.5.7 by Jesse Kornblum ...
# Num      Name (bs=512)         Size      File Offset     Comment
# 0:       00000001.jpg          185 KB    16384
# 1:       00000007.pdf          1 MB      67108864

# Count files by type
find recovered -type f -not -name audit.txt | awk -F/ '{print $(NF-1)}' | sort | uniq -c

Step 4: Custom File Types with foremost.conf

bash
# Copy the default config
cp /etc/foremost.conf ./foremost.conf

# Add a signature: extension  case  max-size  header  footer
# Example: a custom "FLAG" binary starting with 'CTFFLAG' and ending with 'END'
cat >> foremost.conf <<'EOF'
flag y 5000 CTFFLAG END
EOF

# Run with the custom config
foremost -c ./foremost.conf -i challenge.bin -o out/
ls out/flag/

Step 5: Combine with Other Carvers

bash
# scalpel is foremost's faster fork; use it when foremost is too slow
sudo apt install scalpel
scalpel -c /etc/scalpel/scalpel.conf -o scalpel-out disk.img

# binwalk — better for firmware and embedded filesystems
binwalk -e firmware.bin

# photorec — interactive, stronger for photo/video recovery
sudo photorec /dev/sdb

# strings + file — first-pass triage
strings -a disk.img | less
file recovered/jpg/00000001.jpg

Examples

Example 1: Recover Photos from a Formatted SD Card

bash
# Plug in the SD card — DO NOT mount and DO NOT write anything to it
lsblk
# sdb     1  29.8G  0 disk
# └─sdb1  1  29.8G  0 part

# Image the card
sudo dd if=/dev/sdb of=sdcard.img bs=4M status=progress
sudo sha256sum sdcard.img > sdcard.sha256

# Unplug the card and work from the image only
foremost -t jpg,png,raw,mov,mp4 -i sdcard.img -o photos/

ls photos/jpg | wc -l
# 842

# Sort by size to spot real photos vs thumbnails
find photos/jpg -type f -printf '%s %p\n' | sort -nr | head

Example 2: CTF — Files Hidden Inside a PNG

bash
# The challenge: "Something is hidden inside this harmless image."
file challenge.png
# challenge.png: PNG image data, 1920 x 1080, ...

# Foremost scans through the whole blob, not just the top PNG
foremost -t all -i challenge.png -o carved/

cat carved/audit.txt
# 0: 00000000.png   2 MB    0
# 1: 00000001.zip   45 KB   2097664
# 2: 00000002.pdf   1 MB    2143000

# Inspect the carved ZIP
unzip -l carved/zip/00000001.zip
# flag.txt
unzip -p carved/zip/00000001.zip flag.txt
# flag{foremost_carves_everything}

Guidelines

  • Never run Foremost against a live mounted device. Always image first, hash the image, then carve.
  • Write-block the source media (physical write blocker, or at minimum mount read-only) to preserve chain of custody.
  • Carving is signature-based — it cannot recover file names or directory structure. Metadata is lost.
  • Overlapping or fragmented files are reconstructed poorly. For heavily fragmented disks, try photorec or a filesystem-aware tool like extundelete/testdisk first.
  • The output directory must NOT exist beforehand — Foremost refuses to overwrite it.
  • Foremost is single-threaded and slow on big images. scalpel is a faster fork for the same job.
  • For CTFs, always try foremost -t all -i challenge.blob as a reflex — it finds embedded ZIPs, PDFs, and images that binwalk sometimes misses.
  • Pair with exiftool, strings, and file on the recovered artifacts to pull metadata and hidden content.