Skip to content

cristianzsh/foremost-ng

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
screenshots
screenshots
 
 
src
src
 
 
windows_dlls
windows_dlls
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

foremost-ng

foremost-ng is a Linux-based file recovery tool that extracts files from disk images or devices by scanning for configurable file headers and footers. It supports common forensic formats (e.g., .dd, Safeback, Encase) and can operate on both image files and live devices.

⚡ This fork aims to modernize the codebase, improve terminal output with ANSI styling, and introduce new features for forensic analysis and data recovery.

Features

  • 🧩 Recover files based on headers and footers.
  • ⚙️ Configurable file signatures via a plain-text configuration file.
  • 🪛 Supports header-only or header–footer scans.
  • 🧱 Works on forensic images or live drives.
  • 🦠 VirusTotal lookup by file hash (requires a VT API key).

Installation

Clone or download the foremost-ng archive, then build and install according to your platform:

# Common steps
tar xzvf foremost-ng-<version>.tar.gz
cd foremost-ng-<version>/src

Linux

make
sudo make install

BSD

Make sure curl is installed:

pkg_add curl # OpenBSD
pkg install curl # FreeBSD
make unix
sudo gmake install

macOS

Install OpenSSL:

brew install openssl@3
make mac
sudo make macinstall

Cross compiling for Windows

Install MinGW in your Linux distribution and cross-compile:

make cross

Required DLLs can be found in the windows_dlls directory of this repository.

Note: On systems with glibc < 2.2.0, you may see harmless warnings about ftello and fseeko. These can be safely ignored.

Usage

Run foremost-ng with the appropriate command-line options. For full details, refer to the manual page:

man foremost-ng

Basic syntax:

foremost-ng [options] [image_or_device]

VirusTotal API

foremost-ng supports automatic file reputation checks using the VirusTotal API via the -x command-line option. This allows you to analyze recovered files for potential threats by submitting their hashes to VirusTotal.

To enable this feature, follow these steps:

  1. Create a free VirusTotal account.
  2. Obtain your personal API key.
  3. Set the key as an environment variable named VT_API_KEY.
# Unix-like systems
export VT_API_KEY=yourkey

# Windows CMD
set VT_API_KEY=yourkey

# Windows PowerShell
$env:VT_API_KEY="yourkey"

Uninstallation

To remove foremost-ng from your system:

cd foremost-ng-<version>/src
sudo make uninstall

About

My fork of Foremost

Topics

incident-response forensics dfir foremost data-carving

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v1.5.7 Latest
May 22, 2025

Packages

No packages published

Languages