I'm using foremost to find data from an image file created with dd, but the Outlook Express files with the .dbx extension are not recognized by foremost… it won't do the search. I looked in the configuration file for defined search extensions and it is there, yet it is not doing the search. What am I doing wrong?
thanks in advance
Are you searching through the entire image or unallocated space?
If you are going through the entire image, the "find" command would be better suited to finding any particular file type in the live set. If you are going through unallocated space, I don't think foremost (fabulous tool that it is) is going to get you where you want to be. If any .dbx files are present in unallocated space, chances are they are going to be fragmented, meaning file carving will probably recover only the first portion in contiguous blocks.
I guess that what you are really interested in is the recovery of emails. You would probably be better off grepping for regular expressions matching terms associated with email headers. RFC 2822 should give you all you need to know to formulate the appropriate regular expressions.
It might be useful to compare your results between searching for regular expressions and file carving with foremost. When you launch foremost, have you uncommented the .dbx entry in your config file? What command syntax are you using to launch foremost?
Yes, it was already uncommented… and the search I'm using is
foremost -t dbx /mnt/share/image.img
My concern is that it should do a search for it, and it's not doing so when you use the above expression. I think somehow I'm missing something when I do the search… after all, the extension is in the configuration file, so why is it not doing the search? Don't know… I've looked all over the net for answers but no luck so far…. Anyway, I wanted to make a tutorial about foremost. Yes, it is a great tool, but why it's not searching for those files, I don't know.
thanks for the help
Hi mia-tech
Your problem is that you are mounting the image. Foremost works on flat files, it doesn't understand file systems, so will just hang if you ask it to scan a mounted file system. When used correctly, foremost simply searches the flat disk image looking for file headers/footers.
To locate .dbx files in a mounted file system, just use the "find" command. To recover .dbx files from an unmounted image, just point foremost at the flat unmounted image. Bear in mind that it most likely will not recover complete .dbx files, even the ones in the live file set. Your best option is still doing keyword searches through unallocated space for email header terms (IMHO).
Have you tried using FTK Imager to explore the image file and then extract the .dbx files from the directory tree?
I've tried without mounting the image, same results… it doesn't scan the image file… and even when I use the image mounted on a remote system, if I use jpg or pdf, it will scan and find those docs even if the image is accessed through a mounted file… I think it's got something to do with the config file. There are a lot of file extensions that foremost says it can scan, and you'll try them and some of them do not work….
thanks
Hi mia-tech
You need to go back to the man pages for foremost. You can't specify .dbx files with the "-t" switch. You will have to use a config file with just the .dbx file line uncommented. Use the "-c" switch to set your customised config file. Again I have to ask, what are you trying to achieve? It is likely that you are only going to get the starting blocks of any .dbx files, not the complete files, in unallocated space.
I think I made a wrong assumption earlier. Is it the case that you have mounted the file system in your image with a loopback device or that you have just got your flat disk image on a mounted network share?
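The two approaches the thread settles on, as an added example that is not code from the thread or from the foremost project: build a copy of foremost.conf with only the dbx entry enabled for the -c switch, and grep a flat image for RFC 2822-style header lines with byte offsets. The foremost.conf excerpt, the dbx header placeholder and the image bytes are constructed here; the real dbx signature is not reproduced.

```shell
#!/bin/sh
# Added example, not from the thread. Enable only the dbx entry in a copy of
# foremost.conf (for foremost -c) and grep a raw image for email header lines.
set -eu

# make_dbx_conf SRC DST: copy SRC to DST, uncommenting the dbx line and
# commenting out every other active type. Assumes the foremost.conf layout
# "ext case size header [footer]", one type per line, '#' for comments.
make_dbx_conf() {
    sed -e 's/^[[:space:]]*#[[:space:]]*\(dbx[[:space:]]\)/\1/' \
        -e '/^dbx[[:space:]]/!s/^\([[:space:]]*[a-z0-9]\)/# \1/' "$1" > "$2"
}

# count_enabled CONF / enabled_types CONF: which type lines are active.
count_enabled() { grep -c '^[a-z0-9]' "$1"; }
enabled_types() { grep '^[a-z0-9]' "$1" | awk '{print $1}'; }

# carve_dbx CONF IMAGE OUTDIR: the invocation the thread arrives at
# (-c custom config, -o output directory, image given as a flat file).
carve_dbx() { foremost -c "$1" -o "$3" "$2"; }

# scan_headers IMAGE: print "offset:header line" for lines in a raw image that
# start like RFC 2822 headers. -a reads binary as text, -o prints only the
# match, -b gives the byte offset of the hit so it can be located in the image.
scan_headers() {
    LC_ALL=C grep -aobE \
        '^(From|To|Subject|Date|Message-ID|Received):[^[:cntrl:]]{1,200}' "$1"
}

# write_samples DIR: constructed inputs, not a real foremost.conf and not a
# real disk image. PLACEHOLDER_DBX_HEADER stands in for the real signature.
write_samples() {
    printf '%s\n' \
        '# foremost.conf (constructed excerpt)' \
        'jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9' \
        '# dbx y 4000000 PLACEHOLDER_DBX_HEADER' \
        'pdf y 5000000 %PDF %EOF' > "$1/foremost.conf"
    printf 'GARBAGE\000\001\002\r\nFrom: alice@example.org\r\nTo: bob@example.org\r\nSubject: test mail\r\n\r\nbody\000' > "$1/image.bin"
}

# Stand-alone run: sh script.sh --demo (carving is skipped without foremost).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    make_dbx_conf "$d/foremost.conf" "$d/dbx.conf"
    echo "enabled types: $(enabled_types "$d/dbx.conf")"
    scan_headers "$d/image.bin"
    command -v foremost >/dev/null && carve_dbx "$d/dbx.conf" "$d/image.bin" "$d/out"
    rm -rf "$d"
fi
```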
stumpy, thanks for the help, I finally got it working; it was missing the -c switch. I didn't understand your question in the previous post about mounting the image, but no, I'm accessing the image through a network share which is mounted as /mnt/share…
About what you're saying, that foremost is going to retrieve the starting blocks of the .dbx files and not the entire file: if this is the case, then it wouldn't be useful for this kind of work of retrieving mail files… I guess I would have to mount the image and use the old "find" command.
thanks