Below is a snippet of output from my Kali Linux session. I am trying to recover files from a USB thumb drive and I am having some success.
root@kali:/home/root/Desktop/files# foremost /dev/sdb1 -v -o /home/root/Desktop/files/ Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus Audit File Foremost started at Thu Mar 12 11:12:06 2015 Invocation: foremost /dev/sdb1 -v -o /home/root/Desktop/files/ Output directory: /home/root/Desktop/files Configuration file: /etc/foremost.conf Processing: /dev/sdb1 |------------------------------------------------------------------ File: /dev/sdb1 Start: Thu Mar 12 11:12:06 2015 Length: 3 GB (3995140096 bytes) Num Name (bs=512) Size File Offset Comment 0: 00188665.gif 387 B 96596831 (16 x 16) 1: 00188751.gif 51 B 96640709 (4 x 4) 2: 00188751_1.gif 89 B 96640789 (23 x 21) 3: 00188822.gif 49 B 96677335 (3 x 42) 4: 00188919.gif 50 B 96726845 (2 x 2) 5: 00189023.gif 43 B 96780061 (5 x 1) 6: 00189104.gif 474 B 96821315 (23 x 21) 7: 00189359.gif 43 B 96952013 (4 x 1) 8: 00189570.gif 89 B 97059895 (20 x 21) |
At the end of the process you will get a count of all the files that were recovered.
****************| Finish: Thu Mar 12 12:08:52 2015 9296 FILES EXTRACTED jpg:= 7257 gif:= 413 bmp:= 3 mov:= 1 mp4:= 9 htm:= 19 zip:= 9 rar:= 1 exe:= 42 png:= 1542 |
The files are organised in the files/ directory, with subfolders for each file type. This really does work well when you are forensically examining a USB thumb drive you found. Never know what you might find. Works for hard disks as well. Just ensure the drive you are saving found files to has enough disk space to fit everything. And mounting the drive to be examined read-only would be a very good idea.