Forensics Tools Reference

9 October 2025 · Updated 9 October 2025

Tags: commands, data-recovery, forensics, security, reference

Commands I keep on hand for data recovery and digital forensics. Companion to the DC3DD Tool note.

File Recovery (Foremost)

Recover Specific File Types from Disk Image

foremost -t png,jpg,pdf -i image.dd

Source: Foremost File Recovery

Use when: Recovering deleted files from disk images

Options:

  • -t - Specify file types to recover (png, jpg, pdf, doc, zip, etc.)
  • -i - Input file (disk image)
  • -o - Output directory (default: ./output)

Common file types:

  • png,jpg,gif,bmp - Images
  • pdf,doc,docx,xls,xlsx - Documents
  • zip,rar,gz - Archives
  • exe,dll - Executables
  • mp3,mp4,avi,mov - Media files

Example with output directory:

foremost -t jpg,png -i /dev/sdb1 -o /recovery/photos/

Disk Imaging (DC3DD)

Create Forensic Disk Image

dc3dd if=/dev/sdb1 of=/root/Desktop/image.dd

Source: DC3DD Tool

Use when: Creating forensic copies of drives or partitions

Options:

  • if= - Input file (source device)
  • of= - Output file (destination image)

Why DC3DD over dd?

  • Progress indicator during imaging
  • Hash calculation (MD5/SHA) built-in
  • Error logging
  • Verification options
  • Designed for forensics

Complete example with hashing:

dc3dd if=/dev/sdb1 of=/evidence/case123.dd hash=md5 hash=sha256 log=/evidence/case123.log

Options:

  • hash=md5 - Calculate MD5 hash
  • hash=sha256 - Calculate SHA256 hash
  • log= - Log file for verification
  • vf= - Verify file (compare source to output)

File Deletion Process

See: File Deletion Process

Key concept: Files aren’t truly deleted immediately, just marked as deleted in the file system. Data remains until overwritten.
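To make both points concrete, here is a minimal signature carver written for this note (not foremost's own code): it finds files by header and footer bytes alone, which is why an unlinked file is still recoverable until its blocks are reused. The disk image is constructed in memory, and the PNG/JPEG magic bytes are the standard ones, not foremost's full config list.

```python
"""Minimal signature-based file carver: the core of what foremost's -t
option does, and why deleted files stay recoverable until overwritten.
Added example, not foremost's code; the image below is constructed."""

# Header and footer magic bytes for the two types carved here (standard
# PNG and JPEG markers; foremost ships a much longer list in its config).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image, types=("png", "jpg"), max_size=10 * 1024 * 1024):
    """Return [(type, byte offset, data)] for every carvable file.

    Carving ignores the file system entirely: an unlinked file is found
    as long as its bytes still sit on disk between header and footer."""
    found = []
    for ftype in types:
        header, footer = SIGNATURES[ftype]
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:            # no footer in range: overwritten/truncated
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, image[pos:end]))
            pos = image.find(header, end)
    return found

# Constructed image: filler, a tiny PNG, filler, a tiny JPEG, then a PNG
# header whose body was overwritten (no footer), which must not be carved.
TINY_PNG = SIGNATURES["png"][0] + b"\x00" * 16 + b"IHDR" + SIGNATURES["png"][1]
TINY_JPG = SIGNATURES["jpg"][0] + b"\xe0" + b"JFIF" + SIGNATURES["jpg"][1]
SAMPLE_IMAGE = (b"\x00" * 512 + TINY_PNG + b"\xff" * 300 + TINY_JPG
                + b"\x00" * 100 + SIGNATURES["png"][0] + b"\x00" * 40)

if __name__ == "__main__":
    for ftype, off, data in carve(SAMPLE_IMAGE):
        print(f"{ftype} at offset {off}: {len(data)} bytes")
```

Real images carry the same failure mode as the last PNG header: a footer that never arrives (or a footer byte sequence that appears inside unrelated data) is why carved output always needs a sanity check before it is trusted.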


Common Forensics Workflow

1. Evidence Collection

# List available drives
lsblk
fdisk -l

# Create forensic image with verification
dc3dd if=/dev/sdb of=/evidence/drive.dd hash=sha256 log=/evidence/drive.log

# Verify image: the digest must match the sha256 line dc3dd wrote to drive.log
sha256sum /evidence/drive.dd

2. File Recovery

# Recover all supported file types
foremost -i /evidence/drive.dd -o /recovery/all/

# Recover specific types only
foremost -t jpg,png,pdf,docx -i /evidence/drive.dd -o /recovery/documents/

3. Analysis

# Mount image read-only. drive.dd is a whole-disk image, so it carries a
# partition table: add offset=<start sector * sector size> to the options
# (start sector from fdisk -l /evidence/drive.dd). For ext3/ext4 also add
# noload so the journal is not replayed into the image on mount.
mkdir /mnt/evidence
mount -o ro,loop /evidence/drive.dd /mnt/evidence

# Search for specific content
grep -r "keyword" /mnt/evidence/

# List files with timestamps
find /mnt/evidence -type f -ls > /evidence/file_list.txt

# Unmount when done
umount /mnt/evidence
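Step 1 ends by running sha256sum and comparing the digest to the dc3dd log by eye. This added example (not part of dc3dd) automates that comparison; it assumes the log's hash lines look like "<hex digest> (sha256)", and the image and log it checks are constructed in a temp directory so it runs offline.

```python
"""Verify a forensic image against the hashes dc3dd wrote to its log.

Added example, not part of dc3dd. Assumes hash lines of the form
"<hex digest> (sha256)" as dc3dd reports them; the demo image and log
are constructed in a temp directory so the example runs offline."""
import hashlib
import os
import re
import tempfile

HASH_LINE = re.compile(r"^\s*([0-9a-f]{32,128})\s+\((md5|sha1|sha256|sha512)\)\s*$",
                       re.MULTILINE)

def hashes_from_log(log_text):
    """Return {algorithm: digest} for every hash line found in the log text."""
    return {algo: digest for digest, algo in HASH_LINE.findall(log_text)}

def hash_file(path, algo, chunk=4 * 1024 * 1024):
    """Stream the image through hashlib so multi-GB images never sit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path, log_text):
    """Recompute each logged hash over the image; returns {algorithm: matched}.

    An empty result means the log carried no hash line at all, which should
    itself be treated as a failed verification, not a pass."""
    return {algo: hash_file(image_path, algo) == digest
            for algo, digest in hashes_from_log(log_text).items()}

def run_demo():
    """Constructed stand-ins for /evidence/drive.dd and /evidence/drive.log."""
    content = bytes(range(256)) * 64                   # 16 KiB, deterministic
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "drive.dd")
        with open(image, "wb") as fh:
            fh.write(content)
        log = ("input results for device `/dev/sdb':\n"
               "   32 sectors in\n"
               "   0 bad sectors replaced by zeros\n"
               f"   {hashlib.sha256(content).hexdigest()} (sha256)\n"
               f"   {'0' * 32} (md5)\n")                # deliberately wrong md5
        return verify_image(image, log)

if __name__ == "__main__":
    print(run_demo())   # {'sha256': True, 'md5': False}
```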

Alternative Tools

dd (Standard disk copy)

# Basic disk imaging
dd if=/dev/sdb of=/path/to/image.dd bs=4M status=progress

# Create compressed image
dd if=/dev/sdb bs=4M | gzip > /path/to/image.dd.gz

# Restore from image
dd if=/path/to/image.dd of=/dev/sdb bs=4M status=progress

ddrescue (For damaged drives)

# Recover from failing drive
ddrescue -d -r3 /dev/sdb /path/to/image.dd /path/to/logfile

# Resume an interrupted recovery: rerun the same command; the mapfile
# (last argument, called the logfile in older versions) records what was read
ddrescue -d -r3 /dev/sdb /path/to/image.dd /path/to/logfile

Use ddrescue when:

  • Drive has bad sectors
  • Previous imaging attempts failed
  • Need to skip unreadable areas
  • Want to retry failed sectors

TestDisk (Interactive recovery)

# Launch TestDisk
testdisk /dev/sdb

# Launch PhotoRec (file carving)
photorec /dev/sdb

Use TestDisk for:

  • Recovering lost partitions
  • Rebuilding boot sectors
  • Fixing partition tables

Use PhotoRec for:

  • File carving (like foremost)
  • More file types supported
  • Interactive interface

Related Notes

  • Linux Command Reference - General Linux commands
  • File Deletion Process - Understanding deletion
  • Foremost File Recovery - Detailed guide
  • DC3DD Tool - Detailed guide

Tips and Best Practices

  1. Only work on authorized systems - Get written permission
  2. Maintain chain of custody - Document everything
  3. Work on copies, not originals - Preserve evidence
  4. Document all actions - Keep detailed logs
  5. Use write blockers - Prevent accidental modifications

Technical Best Practices

Before Imaging:

  • Use hardware write blocker if available
  • Document drive information (serial, model, size)
  • Calculate original drive hash if possible
  • Ensure sufficient destination space (at least 1.5x source size)

During Imaging:

  • Use forensic tools (dc3dd, ddrescue) not standard dd
  • Calculate hashes during imaging
  • Monitor for errors
  • Keep detailed logs

After Imaging:

  • Verify image integrity (compare hashes)
  • Store original drive securely
  • Work only on image copies
  • Document all findings

File Recovery Tips

  1. Stop using drive immediately when data loss discovered
  2. Don’t write to the drive being recovered
  3. Recover to different drive than source
  4. Try multiple tools - Each has strengths
  5. Foremost is automatic - PhotoRec allows interactive selection

Storage Considerations

# Check available space before imaging
df -h /evidence/

# For large drives, use compression
dc3dd if=/dev/sdb | gzip > /evidence/drive.dd.gz

# Or use split to create manageable chunks
dc3dd if=/dev/sdb | split -b 4G - /evidence/drive.dd.part-

Last Updated: 2025-10-09
Commands: 2 core forensics commands + comprehensive toolkit reference

Warning: These tools are for legitimate data recovery and digital forensics only. Always obtain proper authorization before accessing any systems or data.