file recovery with foremost

(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hello to all,
I'm using the foremost tool to keep files from a vmdk file. (It is an experiment for my thesis work). The problem is that the tool also retrieves the default Windows 10 images. Is there a way to prevent Windows 10 default images from appearing?

 
Posted : 24/09/2019 12:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Have you tried modifying the configuration file?

 
Posted : 24/09/2019 1:12 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Have you tried modifying the configuration file?

No, I'm new with this tool.
Can you help me?

Another question.
I am currently using a vmdk file. Is it correct or should I first convert it to raw?

 
Posted : 24/09/2019 4:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

https://www.systutorials.com/docs/linux/man/8-foremost/

https://wiki.archlinux.org/index.php/Foremost

 
Posted : 24/09/2019 7:24 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

https://www.systutorials.com/docs/linux/man/8-foremost/

https://wiki.archlinux.org/index.php/Foremost

Thanks, but it does not work….

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

 
Posted : 25/09/2019 1:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

Ok, you actually asked for it.

The answer is "it depends".

It depends on which specific (among the zillion available ones) format of vmdk is used and how (exactly) the image is created and populated.

Here is an overview of vmdk formats, some are EXACTLY the same as a RAW image, some are very unlike it
http://sanbarrow.com/vmdk-handbook.html
http://sanbarrow.com/vmdk-basics.html#sparseandflat

See also

https://github.com/libyal/libvmdk/blob/master/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc

About your original question

Hello to all,
I'm using the foremost tool to keep files from a vmdk file. (It is an experiment for my thesis work). The problem is that the tool also retrieves the default Windows 10 images. Is there a way to prevent Windows 10 default images from appearing?

I cannot understand it, can you try better explaining what is the issue at hand?

What do you mean by "keep files"?
What do you mean by "default windows 10 images"?
Do you mean the pictures (image files such as .png, .bmp and .jpg) that are included in a "default" Windows 10 install?

jaclaz

 
Posted : 25/09/2019 1:37 pm
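
The "it depends" in the post above can be checked from the first bytes of the file. The following is an added example, not part of any post in this thread and not code from foremost or libvmdk: it reports whether a .vmdk is a sparse extent (data stored in grains that need not be in disk order, so convert before carving), a text descriptor (data lives in separate extent files), or has no VMDK header at all (consistent with a flat extent or raw image). The sample byte strings and the file name `win10-flat.vmdk` are constructed for illustration.

```python
import re
import struct

SECTOR = 512
# createType values whose data extents are plain raw data (no grain tables)
FLAT_TYPES = {"monolithicFlat", "twoGbMaxExtentFlat", "vmfs"}

def classify_vmdk(head: bytes) -> dict:
    """Classify a .vmdk from its first bytes; 'carve_as_is' means raw layout."""
    # Hosted sparse extent: magic 0x564d444b stored little-endian ("KDMV")
    if head[:4] == b"KDMV" and len(head) >= 44:
        version, _flags, capacity, grain, _d_off, d_size = struct.unpack_from(
            "<IIQQQQ", head, 4)
        return {"kind": "sparse-extent", "carve_as_is": False,
                "version": version,
                "capacity_bytes": capacity * SECTOR,
                "grain_bytes": grain * SECTOR,
                "embedded_descriptor": d_size > 0}
    if head[:4] == b"COWD":  # ESX(i) sparse extent
        return {"kind": "esx-sparse-extent", "carve_as_is": False}
    if head.lstrip().startswith(b"# Disk DescriptorFile"):
        text = head.decode("ascii", "replace")
        m = re.search(r'createType\s*=\s*"([^"]+)"', text)
        create_type = m.group(1) if m else None
        extents = re.findall(
            r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"', text, re.M)
        # The descriptor is only text; the disk data lives in the extent files.
        return {"kind": "descriptor", "carve_as_is": False,
                "create_type": create_type,
                "extents_are_raw": create_type in FLAT_TYPES,
                "extent_files": extents}
    # No VMDK signature: consistent with a flat extent or a raw image.
    return {"kind": "no-vmdk-header", "carve_as_is": True}

# Constructed sample inputs (not taken from a real disk image).
SAMPLE_SPARSE = (b"KDMV" + struct.pack("<IIQQQQ", 1, 3, 2048, 128, 1, 20)
                 ).ljust(SECTOR, b"\0")
SAMPLE_DESCRIPTOR = (b'# Disk DescriptorFile\nversion=1\n'
                     b'createType="monolithicFlat"\n\n# Extent description\n'
                     b'RW 2048 FLAT "win10-flat.vmdk" 0\n')
SAMPLE_FLAT = b"\xebR\x90NTFS    ".ljust(510, b"\0") + b"\x55\xaa"

if __name__ == "__main__":
    for name, blob in [("sparse", SAMPLE_SPARSE),
                       ("descriptor", SAMPLE_DESCRIPTOR),
                       ("flat", SAMPLE_FLAT)]:
        print(name, classify_vmdk(blob))
```

On a real file, pass the first few kilobytes, for example `classify_vmdk(open(path, "rb").read(4096))`, since a text descriptor can be longer than one sector.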
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

Ok, you actually asked for it.

The answer is "it depends".

It depends on which specific (among the zillion available ones) format of vmdk is used and how (exactly) the image is created and populated.

Here is an overview of vmdk formats, some are EXACTLY the same as a RAW image, some are very unlike it
http://sanbarrow.com/vmdk-handbook.html
http://sanbarrow.com/vmdk-basics.html#sparseandflat

See also

https://github.com/libyal/libvmdk/blob/master/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc

I cannot understand it, can you try better explaining what is the issue at hand?

What do you mean by "keep files"?
What do you mean by "default windows 10 images"?
Do you mean the pictures (image files such as .png, .bmp and .jpg) that are included in a "default" Windows 10 install?

jaclaz

Yes, default image included in Windows 10 install.

 
Posted : 25/09/2019 9:47 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yes, default image included in Windows 10 install.

Easiest - assuming that you won't need to boot the image again (let's start calling "image" the actual filesystem image - the .vmdk - and "pictures" the image files such as .jpg, etc.) would be to fill the picture files with 00's, they will still appear as files but they won't be carved by foremost anymore as pictures.

jaclaz

 
Posted : 26/09/2019 10:38 am