file recovery with foremost  

Ibernato
(@ibernato)
Junior Member

Hello to all,
I'm using the foremost tool to keep files from a vmdk file. (It is an experiment for my thesis work). The problem is that the tool also retrieves the default Windows 10 images. Is there a way to prevent Windows 10 default images from appearing?

Posted : 24/09/2019 1:00 pm
keydet89
(@keydet89)
Community Legend

Have you tried modifying the configuration file?

Posted : 24/09/2019 2:12 pm
Ibernato
(@ibernato)
Junior Member

Have you tried modifying the configuration file?

No, I'm new to this tool.
Can you help me?

Another question.
I am currently using a vmdk file. Is it correct or should I first convert it to raw?

Posted : 24/09/2019 5:31 pm
keydet89
(@keydet89)
Community Legend

https://www.systutorials.com/docs/linux/man/8-foremost/

https://wiki.archlinux.org/index.php/Foremost

Posted : 24/09/2019 8:24 pm
Ibernato
(@ibernato)
Junior Member

https://www.systutorials.com/docs/linux/man/8-foremost/

https://wiki.archlinux.org/index.php/Foremost

Thanks, but it doesn't work…

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

Posted : 25/09/2019 2:09 pm
jaclaz
(@jaclaz)
Community Legend

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

Ok, you actually asked for it.

The answer is "it depends".

It depends on which specific (among the zillion available ones) format of vmdk is used and how (exactly) the image is created and populated.

Here is an overview of vmdk formats; some are EXACTLY the same as a RAW image, some are very unlike it:
http://sanbarrow.com/vmdk-handbook.html
http://sanbarrow.com/vmdk-basics.html#sparseandflat

See also

https://github.com/libyal/libvmdk/blob/master/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc

About your original question

Hello to all,
I'm using the foremost tool to keep files from a vmdk file. (It is an experiment for my thesis work). The problem is that the tool also retrieves the default Windows 10 images. Is there a way to prevent Windows 10 default images from appearing?

I cannot understand it, can you try better explaining what is the issue at hand?

What do you mean by "keep files"?
What do you mean by "default windows 10 images"?
Do you mean the pictures (image files such as .png, .bmp and .jpg) that are included in a "default" Windows 10 install?

jaclaz

Posted : 25/09/2019 2:37 pm
Ibernato
(@ibernato)
Junior Member

Is it good practice to analyze the vmdk file directly? Or is it better to convert it to a raw format?

Ok, you actually asked for it.

The answer is "it depends".

It depends on which specific (among the zillion available ones) format of vmdk is used and how (exactly) the image is created and populated.

Here is an overview of vmdk formats; some are EXACTLY the same as a RAW image, some are very unlike it:
http://sanbarrow.com/vmdk-handbook.html
http://sanbarrow.com/vmdk-basics.html#sparseandflat

See also

https://github.com/libyal/libvmdk/blob/master/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc

I cannot understand it, can you try better explaining what is the issue at hand?

What do you mean by "keep files"?
What do you mean by "default windows 10 images"?
Do you mean the pictures (image files such as .png, .bmp and .jpg) that are included in a "default" Windows 10 install?

jaclaz

Yes, default image included in Windows 10 install.

Posted : 25/09/2019 10:47 pm
jaclaz
(@jaclaz)
Community Legend

Yes, default image included in Windows 10 install.

Easiest - assuming that you won't need to boot the image again (let's start calling "image" the actual filesystem image - the .vmdk - and "pictures" the image files such as .jpg, etc.) would be to fill the picture files with 00's, they will still appear as files but they won't be carved by foremost anymore as pictures.

jaclaz

Posted : 26/09/2019 11:38 am
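
What the zero-fill suggestion above does to signature carving, as an added example (not from the thread and not foremost's own code): a simplified header/footer matcher stands in for foremost, and the file name and sample bytes are constructed. It assumes the pictures are overwritten on a working copy of the image mounted read-write, never on the original.

```python
import os
import tempfile

JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image signature a carver searches for
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(data):
    """Simplified header/footer carving; returns (start, end) offsets of hits."""
    hits = []
    pos = data.find(JPEG_HEADER)
    while pos != -1:
        end = data.find(JPEG_FOOTER, pos + len(JPEG_HEADER))
        if end == -1:            # header without footer: nothing to carve
            break
        end += len(JPEG_FOOTER)
        hits.append((pos, end))
        pos = data.find(JPEG_HEADER, end)
    return hits


def zero_fill(path, chunk=1 << 20):
    """Overwrite a file's content with 0x00 in place, keeping its length."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:        # r+b does not truncate the file
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            fh.write(b"\x00" * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())            # push the zeros down to the image
    return size


def read_bytes(path):
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed sample: carve one JPEG-like file before and after zero-fill."""
    sample = JPEG_HEADER + b"\xe0" + b"constructed picture payload" + JPEG_FOOTER
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "default_wallpaper.jpg")   # hypothetical name
        with open(path, "wb") as fh:
            fh.write(sample)
        before = len(carve_jpegs(read_bytes(path)))
        written = zero_fill(path)
        after = read_bytes(path)
        return before, len(carve_jpegs(after)), written, len(after)
```

The directory entry and file size survive, which is why the pictures "still appear as files" while the carver no longer finds a signature in their data.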