Foremost – Recover files using their headers, footers, and data structures.
Please follow the steps below to recover the files.
Step 1: Download and install foremost
[root@server ~]# cd /tmp/ && wget http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/foremost-1.5.7-1.el6.rf.i686.rpm
--2015-05-14 08:48:20-- http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/foremost-1.5.7-1.el6.rf.i686.rpm
Resolving apt.sw.be... 193.1.193.67
Connecting to apt.sw.be|193.1.193.67|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42100 (41K) [application/x-redhat-package-manager]
Saving to: `foremost-1.5.7-1.el6.rf.i686.rpm'
100%[======================================>] 42,100 --.-K/s in 0.08s
2015-05-14 08:48:21 (534 KB/s) - `foremost-1.5.7-1.el6.rf.i686.rpm' saved [42100/42100]
[root@server tmp]# yum localinstall foremost-1.5.7-1.el6.rf.i686.rpm
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Local Package Process
Examining foremost-1.5.7-1.el6.rf.i686.rpm: foremost-1.5.7-1.el6.rf.i686
Marking foremost-1.5.7-1.el6.rf.i686.rpm to be installed
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package foremost.i686 0:1.5.7-1.el6.rf will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
foremost i686 1.5.7-1.el6.rf /foremost-1.5.7-1.el6.rf.i686 86 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total size: 86 k
Installed size: 86 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : foremost-1.5.7-1.el6.rf.i686 1/1
Verifying : foremost-1.5.7-1.el6.rf.i686 1/1
Installed:
foremost.i686 0:1.5.7-1.el6.rf
Complete!
Step 2: Delete the file
[root@server ~]# cd /data
[root@server data]# ls
a1.txt a2.txt a3.txt chart.jpg lost+found
Here I’m going to delete the chart.jpg file.
[root@server data]# rm -f chart.jpg
Step 3: Recover the deleted file using foremost
[root@server data]# foremost -t jpeg -i /dev/sda1
Processing: /dev/sda1
|**|
where:
-t ==> type of file to recover (e.g., jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, Excel, Access, doc, zip, XML, SXW, SXC, SXI, SX, rar, htm, cpp)
-i ==> input to scan (here the device holding the mounted file system)
Once foremost has finished, you will find a folder called output in the directory where you ran it.
[root@server data]# cd output/
[root@server output]# ls -l
total 2
-rw-r--r-- 1 root root 680 May 14 13:02 audit.txt
drwxr-xr-- 2 root root 1024 May 14 13:02 jpg
The audit file shows the history of the recovered files.
[root@server output]# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Thu May 14 13:02:34 2015
Invocation: foremost -t jpeg -i /dev/sda1
Output directory: /data/output
Configuration file: /usr/local/etc/foremost.conf
------------------------------------------------------------------
File: /dev/sda1
Start: Thu May 14 13:02:34 2015
Length: 109 MB (115015680 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00016904.jpg 629 B 8654848
Finish: Thu May 14 13:02:35 2015
1 FILES EXTRACTED
jpg:= 1
------------------------------------------------------------------
Foremost finished at Thu May 14 13:02:35 2015
[root@server output]# cd jpg/
[root@server jpg]# ls
00016904.jpg
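Added example (not part of the original post or of foremost itself): a small Python parser for the audit.txt shown above. It checks that each recovered file's name matches its reported offset, because in the listing the name is the 512-byte block number where the file was found (00016904 x 512 = 8654848). The sample text is constructed from that listing with assumed column spacing, and parse_audit and check_rows are hypothetical helper names.

```python
import re

# Constructed sample: key lines of the audit.txt above (column spacing assumed).
SAMPLE_AUDIT = """\
Invocation: foremost -t jpeg -i /dev/sda1
Output directory: /data/output
File: /dev/sda1
Length: 109 MB (115015680 bytes)
Num      Name (bs=512)         Size      File Offset     Comment
0:      00016904.jpg         629 B         8654848
Finish: Thu May 14 13:02:35 2015
1 FILES EXTRACTED
"""

BS_RE = re.compile(r"\(bs=(\d+)\)")
LEN_RE = re.compile(r"^Length:.*\((\d+) bytes\)", re.M)
# One table row: "<num>: <block>.<ext> <size> <unit> <offset> [comment]"
ROW_RE = re.compile(
    r"^[ \t]*(\d+):[ \t]+(\d+)\.(\w+)[ \t]+(\d+ \w+)[ \t]+(\d+)[ \t]*(.*)$", re.M)

def parse_audit(text):
    """Return (block_size, input_length, rows) from a foremost audit.txt."""
    bs_m = BS_RE.search(text)
    block_size = int(bs_m.group(1)) if bs_m else 512  # assumed default
    len_m = LEN_RE.search(text)
    length = int(len_m.group(1)) if len_m else None
    rows = [
        {"num": int(n), "name": f"{blk}.{ext}", "block": int(blk),
         "size": size, "offset": int(off), "comment": comment.strip()}
        for n, blk, ext, size, off, comment in ROW_RE.findall(text)
    ]
    return block_size, length, rows

def check_rows(block_size, length, rows):
    """Flag rows whose name is not offset // block_size, or whose offset
    lies outside the scanned input."""
    problems = []
    for r in rows:
        if r["offset"] // block_size != r["block"]:
            problems.append(f"{r['name']}: name/offset mismatch")
        if length is not None and r["offset"] >= length:
            problems.append(f"{r['name']}: offset beyond input length")
    return problems

if __name__ == "__main__":
    bs, length, rows = parse_audit(SAMPLE_AUDIT)
    print(rows)
    print(check_rows(bs, length, rows) or "audit rows are consistent")
```

The offset column also tells you where to look on the device if you want to inspect the raw bytes of a recovered file yourself.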
If you want to run foremost again from the same directory, delete or rename the current output/ directory first (foremost will not start if there is already an output/ directory), or use the -T option to get an output directory with a time stamp.
[root@server data]# foremost -t jpeg -T -i /dev/sda1