IT Drive - http://www.itdrive.com
Free Data Carving Tool. From the Air Force?
http://www.itdrive.com/articles/528/1/Free-Data-Carving-Tool-From-the-Airforce/Page1.html
By Jeremy Monroe
Published on 09/18/2007
 
Foremost is an Open Source tool developed by the U.S. Air Force Office of Special Investigations, in partnership with The Center for Information Systems Security Studies and Research. This Data Acquisition application is a console program to recover files based on their headers, footers, and internal data structures. Leave it to the Government to come up with the data mining tools...

Air Force Provides Open Source Data Carving Application
Foremost 1.5 is an Open Source tool developed by the U.S. Air Force Office of Special Investigations, in partnership with The Center for Information Systems Security Studies. This Data Acquisition application is a console program to recover files based on their headers, footers, and internal data structures. Leave it to the Government to come up with the data mining tools...

Foremost can work on image files, such as those generated by dd, Safeback, EnCase, etc., or directly on a drive. The headers and footers can be specified in a configuration file, or you can use command line switches to select built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.

What Is Data Carving?


Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type-specific header and footer values. File system structures are not used during the process.

Carving is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.
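The header/footer technique described above, as an added example (this is not Foremost's code or its configuration format). The magic values are the well-known JPEG and PNG signatures; the max_size limits and the sample "unallocated space" buffer are constructed for the demonstration. A header with no footer in range is reported as incomplete, which is what an overwritten or fragmented file looks like to a carver.

```python
from typing import List, NamedTuple

class Signature(NamedTuple):
    ext: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for a footer after this many bytes (assumed value)

class Carved(NamedTuple):
    ext: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found within max_size

SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 1 << 20),
]

def carve(image: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Scan raw bytes for header/footer pairs; no file system metadata is used."""
    results = []
    for sig in signatures:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            limit = min(start + sig.max_size, len(image))
            end = image.find(sig.footer, start + len(sig.header), limit)
            if end == -1:
                # Header only: keep the bytes up to the limit, flagged incomplete.
                results.append(Carved(sig.ext, start, image[start:limit], False))
                pos = start + len(sig.header)
            else:
                end += len(sig.footer)
                results.append(Carved(sig.ext, start, image[start:end], True))
                pos = end
    return sorted(results, key=lambda c: c.offset)

def build_sample() -> bytes:
    """Constructed buffer: two intact files and one whose tail was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 12
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 50 + truncated

if __name__ == "__main__":
    for c in carve(build_sample()):
        state = "complete" if c.complete else "no footer"
        print(f"{c.offset:08d}.{c.ext}  {len(c.data)} bytes  {state}")
```

On real images the two-byte JPEG footer also occurs inside embedded thumbnails, so a purely header/footer match can cut a file short; this is the reason the article notes that built-in types which inspect the format's data structures are more reliable.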

Comparable Data Acquisition Tools


Scalpel - (a program derived from Foremost 0.69) is less resource-hungry than Foremost; therefore, it can be used on very low-end machines. Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

Magic Rescue - This program uses the 'magic bytes' in the file contents in order to recognize file types. Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them.

The Sleuth Kit (a set of command line tools) and Autopsy Forensic Browser (graphical interface) can be used to investigate a hard disk. These are not for everyday data recovery measures, but rather apply to forensic analysis and serious examination of the partition itself or of the linear representation of the file activity that has occurred.