Undelete Files in Ubuntu Using Foremost

Foremost is a Linux tool originally developed by the Air Force Office of Special Investigations and the Center for Information Systems Security Studies and Research. Primarily thought of a data forensics tool for law enforcement, the program has been released to the public. Here we'll try using it for a specific purpose. Rather than explore all its capabilities, we'll look at one area particularly helpful to Linux users - file undeletion in Ubuntu.

Many new users of Linux are surprised to learn that no "undelete" application is part of a distribution. If they research the problem a little, they'll find that specialized hard drive searches using Grep or the Linux write command can be used to "dump" part of the contents of the hard drive into a file or folder. This is an inconvenient and lengthy process best done soon after the deletion and run from a Live CD instead of from an active partition.

Technically, the EXT3 file system does not support an undelete method itself, but fortunately, using Foremost works very much like the method using the Grep process, except that it shields us from some of the complexity.

Foremost can do file recovery for many types of files. It's very handy for when realization hits you soon after the event.

Since we tested on an Ubuntu box, we were able to download Foremost from a repository using

sudo apt-get install foremost

Other distributions should have something similar, or Foremost can be downloaded from the project pages at SourceForge.

Foremost works by scanning for and recognizing the file structure of certain types of files. For example, the file structure of a certain file may begin

47 49 46 38 39 61

if you viewed it in a hex editor. (The right side pane of the hex editor would show this as "GIF89a.") Most .gif image files start this way, so Foremost will know what it is when it finds it. Foremost will then try to "carve out" the data to the end of the file and write it to another location. This is how we can use Foremost to recover accidentally deleted files.

In the terminal, you tell Foremost which type of file you want to search for using the -t switch. Supported file types are avi, bmp, dll, doc, exe, gif, htm, jar, jpg, mbd, mov, mpg, pdf, png, ppt, rar, rif, sdw, sx, sxc, sxi, sxw, vis, wav, wmv, xls, zip, and all, which tells it to look for all supported file types. Additionally, the switch "ole" can be used to find all Windows programs that use object linking and embedding, such as Word, Excel, etc.

Other switches include -h show a help screen and quit, -t file types to include, -v show version and quit, -d use indirect block detection,- T timestamp the output directory, -v be verbose in output, -q quick mode, -Q quiet mode, -w write audit only mode, -a write all headers without error detection, -b number for block sizes, -k number for chunk size, -i the input file, block, or partition, -o specify directory to write to, -c set configuration file, and -s number of blocks to skip in the input file.

There are a couple of caveats. One is that Foremost should not be run from the partition that the files to be undeleted are on. If you followed the usual Linux practice of installing the root and home folders on separate partitions, this is not a problem, as you can change to the root directory to run Foremost. The other caveat is that the recovered files should also not be written to the same partition from which they are being undeleted.

Next: Formatting a flash drive to EXT3 to write the recovered files to, the exact command to use to run Foremost in the console, doing a couple of test runs, and showing the results. (It works!)