--- foremost-1.5.5.orig/config.c +++ foremost-1.5.5/config.c @@ -288,7 +288,7 @@ #ifdef __WIN32 set_config_file(s, "/Program Files/foremost/foremost.conf"); #else - set_config_file(s, "/usr/local/etc/foremost.conf"); + set_config_file(s, "/etc/foremost.conf"); #endif if ((f = fopen(get_config_file(s), "r")) == NULL) { --- foremost-1.5.5.orig/foremost.8 +++ foremost-1.5.5/foremost.8 @@ -0,0 +1,272 @@ +.TH FOREMOST "8" "v1.4 - Jan 2007" + +.SH NAME +foremost \- Recover files using their headers, footers, and data structures + +.SH SYNOPSIS +.B foremost +.RB [ \fB-h\fR ] +.RB [ \fB-V\fR ] +.RB [ \fB-d\fR ] +.RB [ \fB-vqwQT\fR ] +.RB [ \fB-b\fR +.IR ] +.RB [ \fB-o\fR +.IR ] +.RB [ \fB-t\fR +.IR ] +.RB [ \fB-s\fR +.IR ] +.RB [ \fB-i\fR +.IR ] + +.SH BUILTIN FORMATS +.PP +Recover files from a disk image based on file types specified by the +user using the -t switch. + +.TP +.B jpg +Support for the JFIF and Exif formats including implementations used +in modern digital cameras. + + +.TP +.B gif +.TP +.B png +.TP +.B bmp +Support for windows bmp format. +.TP +.B avi +.TP +.B exe +Support for Windows PE binaries, will extract DLL and EXE files along +with their compile times. +.TP +.B mpg +Support for most MPEG files (must begin with 0x000001BA) +.TP +.B wav +.TP +.B riff +This will extract AVI and RIFF since they use the same file +format (RIFF). note faster than running each separately. +.TP +.B wmv +Note may also extract -wma files as they have similar format. +.TP +.B mov +.TP +.B pdf +.TP +.B ole +This will grab any file using the OLE file structure. This includes +PowerPoint, Word, Excel, Access, and StarWriter +.TP +.B doc +Note it is more efficient to run OLE as you get more bang for your buck. +If you wish to ignore all other ole files then use this. +.TP +.B zip +Note is will extract .jar files as well because they use a similar format. +Open Office docs are just zip'd XML files so they are extracted as well. +These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files. +.TP +.B rar +.TP +.B htm +.TP +.B cpp +C source code detection, note this is primitive and may +generate documents other than C code. +.TP +.B all +Run all pre-defined extraction methods. [Default if no -t is specified] + +.SH DESCRIPTION +.PP +Recover files from a disk image based on headers and footers specified by the +user. + +.TP +\fB\-h\fR +Show a help screen and exit. + +.TP + +\fB\-V\fR +Show copyright information and exit. +.TP + +\fB\-d\fR +Turn on indirect block detection, this works well for Unix file systems. +.TP +\fB\-T\fR +Time stamp the output directory so you don't have to delete the output +dir when running multiple times. + +.TP +\fB\-v\fR +Enables verbose mode. This causes more information regarding the current +state of the program to be displayed on the screen, and is highly recommended. + + +.TP +\fB\-q\fR +Enables quick mode. In quick mode, only the start of each sector is +searched for matching headers. That is, the header is searched only up to +the length of the longest header. The rest of the sector, usually about 500 +bytes, is ignored. This mode makes foremost run considerably faster, but it +may cause you to miss files that are embedded in other files. For example, +using quick mode you will not be able to find JPEG images embedded in +Microsoft Word documents. + +Quick mode should not be used when examining NTFS file systems. Because +NTFS will store small files inside the Master File Table, these files will +be missed during quick mode. +.br + +.TP +\fB\-Q\fR +Enables Quiet mode. Most error messages will be suppressed. +.br + +.TP +\fB\-w\fR +Enables write audit only mode. No files will be extracted. +.br + +.TP +\fB\-a\fR +Enables write all headers, perform no error detection in terms of corrupted files. +.br + +.TP +\fB\-b\fR \fInumber\fR +Allows you to specify the block size used in foremost. This is relevant for +file naming and quick searches. The default is 512. + ie. foremost -b 1024 image.dd +.br +.TP +\fB\-k\fR \fInumber\fR +Allows you to specify the chunk size used in foremost. This can improve +speed if you have enough RAM to fit the image in. It reduces the checking +that occurs between chunks of the buffer. For example if you had > 500MB of RAM. + ie. foremost -k 500 image.dd +.br + +.TP +\fB\-i\fR \fIfile\fR +The \fIfile\fR is used as the input file. If no input file is specified +or the input file cannot be read then stdin is used. + +.TP +\fB-o\fR \fIdirectory\fR +Recovered files are written to the directory +\fIdirectory\fR. + +.TP +\fB-c\fR \fIfile\fR +Sets the configuration file to use. If none is specified, the file +"foremost.conf" from the current directory is used, if that doesn't +exist then "/etc/foremost.conf" is used. The format for +the configuration file is described in the default configuration +file included with this program. See the \fICONFIGURATION FILE\fR +section below for more information. + +.TP + +\fB-s\fR \fInumber\fR +Skips \fInumber\fR blocks in the input file before beginning the search +for headers. + ie. foremost -s 512 -t jpeg -i /dev/hda1 +.TP + + +.PP + +.SH CONFIGURATION FILE +The configuration file is used to control what types of files foremost +searches for. A sample configuration file, foremost.conf, is included with +this distribution. For each file type, the configuration file describes +the file's extension, whether the header and footer are case sensitive, +the maximum file size, and the header and footer for the file. The footer +field is optional, but header, size, case sensitivity, and extension are +not! + +Any line that begins with a pound sign +is considered a comment and ignored. Thus, +to skip a file type just put a pound sign at the beginning of that line + +Headers and footers are decoded before use. To specify a value in +hexadecimal use \\x[0-f][0-f], and for octal use \\[1-9][1-9][1-9]. Spaces +can be represented by \\s. Example: "\\x4F\\123\\I\\sCCI" decodes to "OSI CCI". + +To match any single character (aka a wildcard) use a ?. If you need to +search for the ? character, you will need to change the wildcard line +*and* every occurrence of the old wildcard character in the configuration +file. Do not forget those hex and octal values! ? is equal to \\x3f and +\\063. + +There is a sample set of headers in the README file. + +.SH EXAMPLES +.TP +.SH Search for jpeg format skipping the first 100 blocks +foremost -s 100 -t jpg -i image.dd +.TP +.SH Only generate an audit file, and print to the screen (verbose mode) +foremost -av image.dd +.TP +.SH Search all defined types +foremost -t all -i image.dd +.TP +.SH Search for gif and pdf's +foremost -t gif,pdf -i image.dd +.TP +.SH Search for office documents and jpeg files in a Unix file system in verbose mode. +foremost -vd -t ole,jpeg -i image.dd +.TP +.SH Run the default case +foremost image.dd +.PP + +.SH AUTHORS +Original Code written by Special Agent Kris Kendall and Special Agent Jesse Kornblum of +the United States Air Force Office of Special Investigations. + +Modification by Nick Mikus a Research Associate at the Naval Postgraduate +School Center for Information Systems Security Studies and Research. The modification +of Foremost was part of a masters thesis at NPS. + +.SH BUGS +When compiling foremost on systems with versions of glibc 2.1.x or older, +you will get some (harmless) compiler warnings regarding the implicit +declaration of fseeko and ftello. You can safely ignore these warnings. +.PP + +.SH "REPORTING BUGS" +Because Foremost could be used to obtain evidence for criminal +prosecutions, we +take all bug reports \fIvery\fR seriously. Any bug that jeopardizes the +forensic integrity of this program could have serious consequenses. When submitting a bug report, please include a description +of the problem, how you found it, and your contact information. +.PP +Send bug reports to: +.br +namikus AT users d0t sf d0t net +.PP +.SH COPYRIGHT +This program is a work of the US Government. In accordance with 17 USC 105, +copyright protection is not available for any work of the US Government. +.PP +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +.SH "SEE ALSO" +There is more information in the README file. +.PP +Foremost was originally designed to imitate the functionality of CarvThis, +a DOS program written by the Defense Computer Forensics Lab in in 1999. --- foremost-1.5.5.orig/debian/copyright +++ foremost-1.5.5/debian/copyright @@ -0,0 +1,48 @@ +This package was debianized by Niall Sheridan on +Sun, 7 Nov 2004 16:03:43 +0000. +Gürkan Sengün took over on +Sun, 2 Apr 2006 18:12:56 +0200 + +It was downloaded from http://foremost.sourceforge.net + +Upstream Authors: + + Kris Kendall , + Jesse Kornblum , + Nick Mikus , + Charles Wyble (chicago.sf.net, api.c/ole.h) + +Copyright: + + Copyright (C) 2005 Nick Mikus (extract.c) + Copyright (C) 2005-2006 Charles Wyble (chicago.sf.net, api.c/ole.h) + +License (except api.c, ole.h): + + This is a work of the US Government. In accordance with 17 USC 105, + copyright protection is not available for any work of the US Government. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + The software has been placed in the public domain. + +License (api.c, ole.h): + + This is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301 USA + +On Debian systems, the complete text of the GNU General Public License +can be found in /usr/share/common-licenses/GPL file. --- foremost-1.5.5.orig/debian/changelog +++ foremost-1.5.5/debian/changelog @@ -0,0 +1,81 @@ +foremost (1.5.5-1) unstable; urgency=low + + * New upstream version. + * Update Standards-Version to 3.8.0. + * Move manpage to section 8. + + -- Gürkan Sengün Thu, 08 Jan 2009 11:04:43 +0100 + +foremost (1.5.4-1) unstable; urgency=low + + * New upstream version. + * Updated my email address. + + -- Gürkan Sengün Tue, 20 May 2008 09:31:54 +0200 + +foremost (1.5.3-1) unstable; urgency=low + + * New upstream version. (Closes: #454588) + * debian/control: Updated standards version. + + -- Gürkan Sengün Thu, 06 Dec 2007 14:28:56 +0100 + +foremost (1.5.2-1) unstable; urgency=low + + * New upstream version. + + -- Gürkan Sengün Fri, 09 Nov 2007 00:28:14 +0100 + +foremost (1.5.1-1) unstable; urgency=low + + * New upstream version. (Closes: #441924) + + -- Gürkan Sengün Thu, 01 Nov 2007 00:05:20 +0100 + +foremost (1.5-1) unstable; urgency=low + + * New upstream version. + + -- Gürkan Sengün Thu, 26 Apr 2007 00:14:04 +0200 + +foremost (1.4-1) unstable; urgency=low + + * New upstream verion. + + -- Gürkan Sengün Sun, 18 Feb 2007 09:45:26 +0100 + +foremost (1.3-1) unstable; urgency=low + + * New upstream version. + * Bump standards version (no changes needed). + * Bump DH compat level to 5. + * Updated debian/copyright. + * Removed co-maintainer. + + -- Gürkan Sengün Sun, 3 Sep 2006 19:57:55 +0200 + +foremost (1.2-1) unstable; urgency=low + + * New upstream version. + + -- Gürkan Sengün Thu, 4 May 2006 14:07:34 +0200 + +foremost (1.1-2) unstable; urgency=low + + * Look in /etc for config file by default. + * Added homepage to long description. + + -- Gürkan Sengün Wed, 12 Apr 2006 11:00:56 +0200 + +foremost (1.1-1) unstable; urgency=low + + * New upstream version. (Closes: #355808) + * New Maintainer with permission of co-maintainer. + + -- Gürkan Sengün Sun, 2 Apr 2006 18:12:56 +0200 + +foremost (0.69-1) unstable; urgency=low + + * Initial release (closes: #280193) + + -- Niall Sheridan Fri, 19 Nov 2004 13:56:48 +0000 --- foremost-1.5.5.orig/debian/control +++ foremost-1.5.5/debian/control @@ -0,0 +1,19 @@ +Source: foremost +Section: admin +Priority: optional +Maintainer: Gürkan Sengün +Build-Depends: debhelper (>= 5) +Homepage: http://foremost.sourceforge.net/ +Standards-Version: 3.8.0 + +Package: foremost +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Forensics application to recover data + This is a console program to recover files based on their headers and footers + for forensics purposes. + . + Foremost can work on disk image files, such as those generated by dd, + Safeback, Encase, etc, or directly on a drive. The headers and footers are + specified by a configuration file, so you can pick and choose which headers + you want to look for. --- foremost-1.5.5.orig/debian/rules +++ foremost-1.5.5/debian/rules @@ -0,0 +1,57 @@ +#!/usr/bin/make -f +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +build: build-stamp + +build-stamp: + dh_testdir + $(MAKE) CFLAGS="$(CFLAGS)" BIN=/usr/bin CONF=/etc MAN=/usr/share/man/man1 + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + $(MAKE) clean + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + install -D -m 755 foremost $(CURDIR)/debian/foremost/usr/bin/foremost + install -D -m 644 foremost.conf $(CURDIR)/debian/foremost/etc/foremost.conf + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs CHANGES + dh_installdocs + dh_installman foremost.8 + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- foremost-1.5.5.orig/debian/compat +++ foremost-1.5.5/debian/compat @@ -0,0 +1 @@ +5 --- foremost-1.5.5.orig/debian/docs +++ foremost-1.5.5/debian/docs @@ -0,0 +1 @@ +README