Foremost Data Carving
This is my first post on these boards, although I have been "lurking" for a few weeks.
I decided to try and learn about Forensics as it looks like a very interesting area of IT to study and it is certainly an area I would like to point my career in.
I have been playing with the "Sleuthkit" and "Autopsy", recovering files off a compact flash card that I have deliberately deleted; this seemed like the best way to learn.
I have also been using the Foremost tool available here. The Foremost tool "carves" data out of a disk image by looking at a filetype's header and data structure. Foremost contains inbuilt support for common filetypes such as .JPEG or .MPG.
You can also define your own filetypes by configuring your own header; this is where I am struggling. I am trying to recover a .asf file (which I did not deliberately delete). I have quickly scanned the .asf file specification available here. But I am still unsure how to determine and consequently configure the file header in the foremost.conf file.
This is the example for a .mpg file.
mpg y 20000000 \x00\x00\x01\xba \x00\x00\x01\xb9
Would I be able to obtain the header by opening two random .asf files in a HEX editor and looking for some commonality?
Can anybody please advise? I have Googled the subject to death and cannot find any useful information to help me.
Any help is greatly appreciated.
Please ignore the above post, I have since worked it out correctly. Thanks anyway.
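Added example, not part of the original posts: the approach asked about above (comparing the leading bytes of several known-good files and turning what they share into a foremost.conf entry), sketched in Python. The function names and sample byte strings are constructed for illustration, the 20000000 maximum size is simply reused from the mpg line as a placeholder, and no footer is set.

```python
# Added example: derive a foremost.conf header from known-good sample files.
# SAMPLES are constructed stand-ins for the first bytes of three .asf files:
# the 16-byte ASF Header Object GUID as stored on disk, then an 8-byte
# object size and a 4-byte count that differ from file to file.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

SAMPLES = [
    ASF_HEADER_GUID + (0x1234).to_bytes(8, "little") + b"\x05\x00\x00\x00",
    ASF_HEADER_GUID + (0x5678).to_bytes(8, "little") + b"\x07\x00\x00\x00",
    ASF_HEADER_GUID + (0x9ABC).to_bytes(8, "little") + b"\x06\x00\x00\x00",
]


def read_head(path, length=64):
    """Read the first bytes of a real sample file (use instead of SAMPLES)."""
    with open(path, "rb") as fh:
        return fh.read(length)


def common_prefix(samples):
    """Return the leading bytes shared by every sample."""
    if not samples:
        return b""
    shortest = min(samples, key=len)
    for i in range(len(shortest)):
        if any(s[i] != shortest[i] for s in samples):
            return shortest[:i]
    return shortest


def foremost_escape(data):
    """Write bytes in the \\xNN notation used by the mpg line."""
    return "".join("\\x%02x" % b for b in data)


def conf_line(ext, max_size, header, footer=b"", case_sensitive=True):
    """Build one entry: extension, case flag, max size, header, [footer]."""
    fields = [ext, "y" if case_sensitive else "n", str(max_size),
              foremost_escape(header)]
    if footer:
        fields.append(foremost_escape(footer))
    return "\t".join(fields)


if __name__ == "__main__":
    print(conf_line("asf", 20000000, common_prefix(SAMPLES)))
```

With only a few samples the shared prefix can run past the real signature when the files happen to agree on a size or count field, so check the result against the format specification before relying on it.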