Recover deleted files with foremost

Table of Contents

• Basic usage
• Parameters

In this tutorial I will teach you how to use foremost to recover deleted files from a disk.

Basic usage

A basic example of foremost usage is:

foremost -i /dev/sdb1

• It will recover files from /dev/sdb1 and it will create an output folder in the current directory with those files and an audit file.
• In this case, you will need to be a root user or use sudo. Recovered files will be owned by root (you can change the owner with chown when the process finishes).
• Never use the same disk partition for searching and retrieving the files.
• You can also use foremost with disk images (you don’t need to run the command as root).

Parameters

You can add more parameters to customise the searching:

• -t <type>: recover only files of a specific format (jpg, png, pdf, etc.). More information on the man page.
• -T: adds a timestamp to the output folder. By default, you need to rename or delete the output folder when running foremost multiple times.
• -o <directory>: specify an output directory. If, for example, <directory> is /media/usb/out and -T parameter is used, foremost will create a folder named /media/usb/out_<date>.
• -v: enables verbose mode.
• -q: enables quick mode.
• You can find more info about all available parameters on the man page (man foremost).

If you have any suggestion, feel free to contact me via social media or email.