OpenSkillIndex← back to search
claude-code

Skills foremost

install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/foremost" ~/.claude/skills/terminalskills-skills-foremost && rm -rf "$T"
manifest: skills/foremost/SKILL.md
safety · automated scan (medium risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
  • dd raw disk write
  • uses sudo
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content

Foremost

Overview

Foremost is a file carving tool: it scans raw disk images, memory dumps, or any blob byte-by-byte for magic headers and footers, then writes out the recovered files into neat per-type directories. It doesn't care about filesystem metadata — it looks for the on-disk bytes that identify a JPEG, PNG, PDF, ZIP, Office document, MP3, and so on. That makes it the right tool for recovering files the filesystem has forgotten or for CTF challenges where a blob hides multiple embedded files.

Instructions

Step 1: Create a Disk Image (Never Carve the Live Device)

# Always work from an image, never the source device
sudo dd if=/dev/sdb of=disk.img bs=4M status=progress conv=noerror,sync

# Or use dcfldd (forensic fork of dd with hashing)
sudo dcfldd if=/dev/sdb of=disk.img bs=4M hash=sha256 hashlog=disk.sha256

# Verify integrity before working
sha256sum disk.img
cat disk.sha256

Step 2: Run Foremost

# Default run — uses built-in config, all supported types
foremost -i disk.img -o recovered/

# Specific types only (jpg, png, pdf, zip, doc, mp3, ...)
foremost -t jpg,png,pdf -i disk.img -o recovered/

# Verbose + quick mode (scan only file headers, faster)
foremost -v -q -t all -i disk.img -o recovered/

# Output tree
tree -L 2 recovered/
# recovered/
# ├── audit.txt
# ├── jpg/
# │   ├── 00000001.jpg
# │   └── 00000125.jpg
# ├── pdf/
# │   └── 00000007.pdf
# └── zip/
#     └── 00000042.zip

Step 3: Review the Audit File

# Summary of what was carved
cat recovered/audit.txt
# Foremost version 1.5.7 by Jesse Kornblum ...
# Num      Name (bs=512)         Size      File Offset     Comment
# 0:       00000001.jpg          185 KB    16384
# 1:       00000007.pdf          1 MB      67108864

# Count files by type
find recovered -type f -not -name audit.txt | awk -F/ '{print $(NF-1)}' | sort | uniq -c

Step 4: Custom File Types with foremost.conf

# Copy the default config
cp /etc/foremost.conf ./foremost.conf

# Add a signature: extension  case  max-size  header  footer
# Example: a custom "FLAG" binary starting with 'CTFFLAG' and ending with 'END'
cat >> foremost.conf <<'EOF'
flag y 5000 CTFFLAG END
EOF

# Run with the custom config
foremost -c ./foremost.conf -i challenge.bin -o out/
ls out/flag/

Step 5: Combine with Other Carvers

# scalpel is foremost's faster fork; use it when foremost is too slow
sudo apt install scalpel
scalpel -c /etc/scalpel/scalpel.conf -o scalpel-out disk.img

# binwalk — better for firmware and embedded filesystems
binwalk -e firmware.bin

# photorec — interactive, stronger for photo/video recovery
sudo photorec /dev/sdb

# strings + file — first-pass triage
strings -a disk.img | less
file recovered/jpg/00000001.jpg

Examples

Example 1: Recover Photos from a Formatted SD Card

# Plug in the SD card — DO NOT mount and DO NOT write anything to it
lsblk
# sdb     1  29.8G  0 disk
# └─sdb1  1  29.8G  0 part

# Image the card
sudo dd if=/dev/sdb of=sdcard.img bs=4M status=progress
sudo sha256sum sdcard.img > sdcard.sha256

# Unplug the card and work from the image only
foremost -t jpg,png,raw,mov,mp4 -i sdcard.img -o photos/

ls photos/jpg | wc -l
# 842

# Sort by size to spot real photos vs thumbnails
find photos/jpg -type f -printf '%s %p\n' | sort -nr | head

Example 2: CTF — Files Hidden Inside a PNG

# The challenge: "Something is hidden inside this harmless image."
file challenge.png
# challenge.png: PNG image data, 1920 x 1080, ...

# Foremost scans through the whole blob, not just the top PNG
foremost -t all -i challenge.png -o carved/

cat carved/audit.txt
# 0: 00000000.png   2 MB    0
# 1: 00000001.zip   45 KB   2097664
# 2: 00000002.pdf   1 MB    2143000

# Inspect the carved ZIP
unzip -l carved/zip/00000001.zip
# flag.txt
unzip -p carved/zip/00000001.zip flag.txt
# flag{foremost_carves_everything}

Guidelines

  • Never run Foremost against a live mounted device. Always image first, hash the image, then carve.
  • Write-block the source media (physical write blocker, or at minimum mount read-only) to preserve chain of custody.
  • Carving is signature-based — it cannot recover file names or directory structure. Metadata is lost.
  • Overlapping or fragmented files are reconstructed poorly. For heavily fragmented disks, try 
    photorec
    or a filesystem-aware tool like 
    extundelete
    /
    testdisk
    first.
  • The output directory must NOT exist beforehand — Foremost refuses to overwrite it.
  • Foremost is single-threaded and slow on big images. 
    scalpel
    is a faster fork for the same job.
  • For CTFs, always try 
    foremost -t all -i challenge.blob
    as a reflex — it finds embedded ZIPs, PDFs, and images that 
    binwalk
    sometimes misses.
  • Pair with 
    exiftool
    , 
    strings
    , and 
    file
    on the recovered artifacts to pull metadata and hidden content.