The rm
command is one of the most dangerous of those available to Linux users. If you delete the wrong file or folder, you could render your entire operating system inoperable. Recovering lost files isn’t easy, but it isn’t impossible, either. Foremost is designed to forensically search your drive in an attempt to recover any files you’ve deleted. This article gives a tutorial of how to use it.
What Is Foremost?
Originally developed by U.S. federal agents, Foremost is open source and in the public domain. Rather than trying to retrieve files from within your drive’s file system, Foremost attempts to recreate the files directly.
Most operating systems don’t erase files completely from file systems. They remove the metadata, leaving the data underneath to be written over. Searching the drive a piece at a time, Foremost will copy and analyze the drive for this information.
It’ll store the information temporarily using your PC’s internal memory. From there, it will search for certain file segments until it matches it with others, piecing them together like a jigsaw puzzle.
Foremost supports certain filetypes. Image files like JPG and GIF, Windows binary files like EXE, document files like DOC and PDF files, as well as compressed files like ZIP or RAR are all supported.
Installing Foremost in Linux
Foremost is available as a package for installation in most default Linux repositories. You can install it from the terminal using the package manager your Linux distribution uses.
Debian and Ubuntu-based distributions can install Foremost by opening the terminal and typing the following:
sudo apt install foremost
If you’re running Arch Linux, you can install Foremost by typing:
pacman -S foremost
Fedora users can install Foremost from the terminal by typing:
dnf install foremost
How to Use Foremost
If you delete a file and wish to retrieve it, you can use Foremost to attempt to search for all files of the same file type that have previously been deleted.
First, you’ll need to know your drive partition name in Linux, for example “/dev/sda1.” If you don’t know your partition, type the following in the terminal:
df -h
You’ll see a list of drive partitions listed. Locate the drive you want Foremost to search, listed under “Filesystem.”
Once you know your drive partition, you can use Foremost to search the drive. For example, if you were searching for a deleted PNG file, open a terminal window and type the following:
foremost -v -t png -i /dev/sda1 -o ~/recovery/
Replace “/dev/sda1” with your drive partition. The -t
flag lets you select the type of file you’re looking to recover. The -i
flag selects the drive you want to search, while the -o
flag lists the folder where any recovered files are saved.
You can use a similar process for any file type you wish to use. Replace png
with your file type. You can search your entire drive, or you can search through specific folders.
Once Foremost completes its search, any files it locates will be saved in the folder you listed as the output folder under the -o
flag. If you’re struggling, you can search through the Foremost manual by typing in the terminal:
man foremost
Retrieving Your Deleted Data in Linux
There are no guarantees that Foremost can recover any data you’ve lost or deleted. It’s still one of the best free tools available for retrieving data, however.
Unless you’re prepared to pay, Foremost is one of the best options available for you to retrieve data in Linux. If Foremost doesn’t work for you, there are other Linux recovery tools available that you can try instead.
Our latest tutorials delivered straight to your inbox