debian/0000755000000000000000000000000011777552103007176 5ustar debian/source/0000755000000000000000000000000011776673427010512 5ustar debian/source/format0000644000000000000000000000001411776673427011720 0ustar 3.0 (quilt) debian/control0000644000000000000000000000150511776673427010616 0ustar Source: foremost Section: admin Priority: optional Maintainer: Raúl Benencia Build-Depends: debhelper (>= 9) Standards-Version: 3.9.3 Homepage: http://foremost.sourceforge.net/ Package: foremost Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: forensic program to recover lost files Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. . Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery. debian/patches/0000755000000000000000000000000011777552361010633 5ustar debian/patches/fix-config-file-path.patch0000644000000000000000000000071011776673427015560 0ustar Description: Look in /etc for config file by default Origin: vendor Forwarded: no Author: Gürkan Sengün Last-update: 2012-05-13 --- a/config.c +++ b/config.c @@ -288,7 +288,7 @@ #ifdef __WIN32 set_config_file(s, "/Program Files/foremost/foremost.conf"); #else - set_config_file(s, "/usr/local/etc/foremost.conf"); + set_config_file(s, "/etc/foremost.conf"); #endif if ((f = fopen(get_config_file(s), "r")) == NULL) { debian/patches/fix-hurd-and-kfreebsd-build.patch0000644000000000000000000000046611777552336017032 0ustar Fixed hurd-i386, kfreebsd-i386 and kfreebsd-amd64 build by adding its respective rules to Makefile. --- a/Makefile +++ b/Makefile 
@@ -76,6 +76,8 @@ netbsd: unix openbsd: unix freebsd: unix +gnu: unix +gnu/kfreebsd: unix unix: goals #Fore some reasons BSD variants get confused on how to build engine.o debian/patches/series0000644000000000000000000000017211777552131012043 0ustar fix-config-file-path.patch fix-lintian-hardening-warnings.patch fix-hurd-and-kfreebsd-build.patch fix-hurd-max-path.patch debian/patches/fix-hurd-max-path.patch0000644000000000000000000000035311777552361015120 0ustar Fix FTBFS of hurd-i386 by defining the missing PATH_MAX macro. --- a/Makefile +++ b/Makefile @@ -76,7 +76,10 @@ netbsd: unix openbsd: unix freebsd: unix + +gnu: CC += -DPATH_MAX=4096 gnu: unix + gnu/kfreebsd: unix unix: goals debian/patches/fix-lintian-hardening-warnings.patch0000644000000000000000000000131411776731646017664 0ustar Add hardening flags to compilation. Fix a format string in order to do so.--- a/Makefile +++ b/Makefile @@ -37,7 +37,9 @@ WINCC = $(RAW_CC) $(RAW_FLAGS) -D__WIN32 # Generic "how to compile C files" -CC = $(RAW_CC) $(RAW_FLAGS) -D__UNIX +CC = $(RAW_CC) $(RAW_FLAGS) -D__UNIX $(shell dpkg-buildflags --get CFLAGS)\ + $(shell dpkg-buildflags --get CPPFLAGS) \ + $(shell dpkg-buildflags --get LDFLAGS) .c.o: $(CC) -c $< --- a/extract.c +++ b/extract.c 
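Review bot: `gnu: CC += -DPATH_MAX=4096` supplies a limit that GNU/Hurd deliberately leaves undefined, so any buffer in the C sources that is sized by PATH_MAX (none are visible in this hunk) will now compile but can still receive a longer path from the command line or from the image being carved. That is fine as a build fix, but the assumption deserves a line in the patch header, e.g. `Hurd defines no PATH_MAX; 4096 mirrors Linux, path copies must still be length-checked`, so the next porter does not read it as a real platform limit. Because this is a target-specific assignment it also applies to `unix`, `goals` and every object they build, which is what the fix needs.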
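Review bot: The new `CC = $(RAW_CC) $(RAW_FLAGS) -D__UNIX $(shell dpkg-buildflags --get CFLAGS)\ …` keeps the recursive `=` flavour, so all three dpkg-buildflags processes are spawned again on every expansion of $(CC): once per `.c.o` compile and again at link. Writing `CC := …` evaluates them once and still composes with the later `gnu: CC += -DPATH_MAX=4096`, provided RAW_CC and RAW_FLAGS are assigned earlier in the Makefile, which the context suggests but does not show. Folding `--get LDFLAGS` into the variable used with `-c` is harmless for compiles, but the relro/bindnow options that `hardening=+all` in debian/rules requests only matter on the link line, and that rule is outside this hunk; please confirm the final link goes through $(CC) so the binary is actually hardened rather than merely lintian-quiet.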
@@ -2145,7 +2145,7 @@ ret_time->tm_sec); chop(ascii_time); - sprintf(comment, ascii_time); + sprintf(comment, "%s", ascii_time); strcat(needle->comment, comment); exe_char = htos(&foundat[22], FOREMOST_LITTLE_ENDIAN); if (exe_char & 0x2000) debian/changelog0000644000000000000000000000636711777547154011076 0ustar foremost (1.5.7-4) unstable; urgency=low * Fix FTBFS on hurd by defining missing PATH_MAX macro -- Raúl Benencia Thu, 12 Jul 2012 09:47:42 -0300 foremost (1.5.7-3) unstable; urgency=low * Fix lintian hardening warnings * Fix build system for hurd and freebsd -- Raúl Benencia Tue, 10 Jul 2012 00:48:13 -0300 foremost (1.5.7-2) unstable; urgency=low * New maintainer (Closes: #661488) * Bump standards version to 3.9.3. * Upgraded debian/copyright to a machine-readable format. * Renamed and cleaned debian-changes-1.5.7-1 patch. * Added watch file -- Raúl Benencia Mon, 14 May 2012 11:31:03 -0300 foremost (1.5.7-1) unstable; urgency=low * New upstream version. * Bump standards version to 3.8.4. * Switch to dpkg-source format version 3 (quilt). -- Gürkan Sengün Fri, 26 Mar 2010 16:06:19 +0100 foremost (1.5.6-1) unstable; urgency=low * New upstream version. * Bump standards version. * Bump debhelper version. * Updated debian/copyright. -- Gürkan Sengün Fri, 08 May 2009 00:39:18 +0200 foremost (1.5.5-1) unstable; urgency=low * New upstream version. -- Gürkan Sengün Thu, 08 Jan 2009 11:04:43 +0100 foremost (1.5.4-1) unstable; urgency=low * New upstream version. * Updated my email address. -- Gürkan Sengün Tue, 20 May 2008 09:31:54 +0200 foremost (1.5.3-1) unstable; urgency=low * New upstream version. (Closes: #454588) * debian/control: Updated standards version. -- Gürkan Sengün Thu, 06 Dec 2007 14:28:56 +0100 foremost (1.5.2-1) unstable; urgency=low * New upstream version. -- Gürkan Sengün Fri, 09 Nov 2007 00:28:14 +0100 foremost (1.5.1-1) unstable; urgency=low * New upstream version. 
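Review bot: `sprintf(comment, "%s", ascii_time);` closes the format-string hole, but the write is still unbounded, as is the `strcat(needle->comment, comment)` right after it; for a tool that parses attacker-supplied disk images, the sizes of `comment` and `needle->comment` are the real bound and neither declaration is visible in this hunk. If both are fixed-size arrays, `snprintf(comment, sizeof comment, "%s", ascii_time);` plus a length-checked append into `needle->comment` (for example `strncat` with the remaining space) would make the path safe against an over-long or repeatedly appended timestamp. The enclosing function begins and ends outside the hunk.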
(Closes: #441924) -- Gürkan Sengün Thu, 01 Nov 2007 00:05:20 +0100 foremost (1.5-1) unstable; urgency=low * New upstream version. -- Gürkan Sengün Thu, 26 Apr 2007 00:14:04 +0200 foremost (1.4-1) unstable; urgency=low * New upstream verion. -- Gürkan Sengün Sun, 18 Feb 2007 09:45:26 +0100 foremost (1.3-1) unstable; urgency=low * New upstream version. * Bump standards version (no changes needed). * Bump DH compat level to 5. * Updated debian/copyright. * Removed co-maintainer. -- Gürkan Sengün Sun, 3 Sep 2006 19:57:55 +0200 foremost (1.2-1) unstable; urgency=low * New upstream version. -- Gürkan Sengün Thu, 4 May 2006 14:07:34 +0200 foremost (1.1-2) unstable; urgency=low * Look in /etc for config file by default. * Added homepage to long description. -- Gürkan Sengün Wed, 12 Apr 2006 11:00:56 +0200 foremost (1.1-1) unstable; urgency=low * New upstream version. (Closes: #355808) * New Maintainer with permission of co-maintainer. -- Gürkan Sengün Sun, 2 Apr 2006 18:12:56 +0200 foremost (0.69-1) unstable; urgency=low * Initial release (closes: #280193) -- Niall Sheridan Fri, 19 Nov 2004 13:56:48 +0000 debian/copyright0000644000000000000000000000373411776673427011154 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: foremost Upstream-Contact: Kris Kendall , Jesse Kornblum Nick Mikus Charles Wyble Source: http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz Files: * Copyright: This work is in the public domain License: public-domain This is a work of the US Government. In accordance with 17 USC 105, copyright protection is not available for any work of the US Government. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. . The software has been placed in the public domain. 
Files: debian/* Copyright: 2004-2006 Niall Sheridan 2006-2010 Gürkan Sengün 2012 Raúl Benencia License: GPL-2+ Files: api.c ole.h Copyright: 2005-2006, Charles Wyble License: GPL-2+ License: GPL-2+ This is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301 USA . On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL-2 file.debian/foremost.10000644000000000000000000001741211776673427011137 0ustar .TH FOREMOST "8" "v1.5 - May 2009" .SH NAME foremost \- Recover files using their headers, footers, and data structures .SH SYNOPSIS .B foremost .RB [ \fB-h\fR ] .RB [ \fB-V\fR ] .RB [ \fB-d\fR ] .RB [ \fB-vqwQT\fR ] .RB [ \fB-b\fR .IR ] .RB [ \fB-o\fR .IR ] .RB [ \fB-t\fR .IR ] .RB [ \fB-s\fR .IR ] .RB [ \fB-i\fR .IR ] .SH BUILTIN FORMATS .PP Recover files from a disk image based on file types specified by the user using the \-t switch. .TP .B jpg Support for the JFIF and Exif formats including implementations used in modern digital cameras. .TP .B gif .TP .B png .TP .B bmp Support for windows bmp format. .TP .B avi .TP .B exe Support for Windows PE binaries, will extract DLL and EXE files along with their compile times. .TP .B mpg Support for most MPEG files (must begin with 0x000001BA) .TP .B wav .TP .B riff This will extract AVI and RIFF since they use the same file format (RIFF). 
Note: faster than running each separately. .TP .B wmv Note may also extract wma files as they have similar format. .TP .B mov .TP .B pdf .TP .B ole This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter .TP .B doc Note it is more efficient to run OLE as you get more bang for your buck. If you wish to ignore all other ole files then use this. .TP .B zip Note it will extract .jar files as well because they use a similar format. Open Office docs are just zip'd XML files so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files. Office 2007 files are also XML based (PPTX,DOCX,XLSX) .TP .B rar .TP .B htm .TP .B cpp C source code detection, note this is primitive and may generate documents other than C code. .TP .B all Run all pre-defined extraction methods. [Default if no \-t is specified] .SH DESCRIPTION .PP Recover files from a disk image based on headers and footers specified by the user. .TP \fB\-h\fR Show a help screen and exit. .TP \fB\-V\fR Show copyright information and exit. .TP \fB\-d\fR Turn on indirect block detection, this works well for Unix file systems. .TP \fB\-T\fR Time stamp the output directory so you don't have to delete the output dir when running multiple times. .TP \fB\-v\fR Enables verbose mode. This causes more information regarding the current state of the program to be displayed on the screen, and is highly recommended. .TP \fB\-q\fR Enables quick mode. In quick mode, only the start of each sector is searched for matching headers. That is, the header is searched only up to the length of the longest header. The rest of the sector, usually about 500 bytes, is ignored. This mode makes foremost run considerably faster, but it may cause you to miss files that are embedded in other files. For example, using quick mode you will not be able to find JPEG images embedded in Microsoft Word documents. 
Quick mode should not be used when examining NTFS file systems. Because NTFS will store small files inside the Master File Table, these files will be missed during quick mode. .br .TP \fB\-Q\fR Enables Quiet mode. Most error messages will be suppressed. .br .TP \fB\-w\fR Enables write audit only mode. No files will be extracted. .br .TP \fB\-a\fR Enables write all headers, perform no error detection in terms of corrupted files. .br .TP \fB\-b\fR \fInumber\fR Allows you to specify the block size used in foremost. This is relevant for file naming and quick searches. The default is 512. ie. foremost \-b 1024 image.dd .br .TP \fB\-k\fR \fInumber\fR Allows you to specify the chunk size used in foremost. This can improve speed if you have enough RAM to fit the image in. It reduces the checking that occurs between chunks of the buffer. For example if you had > 500MB of RAM. ie. foremost \-k 500 image.dd .br .TP \fB\-i\fR \fIfile\fR The \fIfile\fR is used as the input file. If no input file is specified or the input file cannot be read then stdin is used. .TP \fB-o\fR \fIdirectory\fR Recovered files are written to the directory \fIdirectory\fR. .TP \fB-c\fR \fIfile\fR Sets the configuration file to use. If none is specified, the file "foremost.conf" from the current directory is used, if that doesn't exist then "/etc/foremost.conf" is used. The format for the configuration file is described in the default configuration file included with this program. See the \fICONFIGURATION FILE\fR section below for more information. .TP \fB-s\fR \fInumber\fR Skips \fInumber\fR blocks in the input file before beginning the search for headers. ie. foremost \-s 512 \-t jpeg \-i /dev/hda1 .TP .PP .SH CONFIGURATION FILE The configuration file is used to control what types of files foremost searches for. A sample configuration file, foremost.conf, is included with this distribution. 
For each file type, the configuration file describes the file's extension, whether the header and footer are case sensitive, the maximum file size, and the header and footer for the file. The footer field is optional, but header, size, case sensitivity, and extension are not! Any line that begins with a pound sign is considered a comment and ignored. Thus, to skip a file type just put a pound sign at the beginning of that line Headers and footers are decoded before use. To specify a value in hexadecimal use \\x[0-f][0-f], and for octal use \\[1-9][1-9][1-9]. Spaces can be represented by \\s. Example: "\\x4F\\123\\I\\sCCI" decodes to "OSI CCI". To match any single character (aka a wildcard) use a ?. If you need to search for the ? character, you will need to change the wildcard line *and* every occurrence of the old wildcard character in the configuration file. Do not forget those hex and octal values! ? is equal to \\x3f and \\063. There is a sample set of headers in the README file. .SH EXAMPLES .TP .SH Search for jpeg format skipping the first 100 blocks foremost \-s 100 \-t jpg \-i image.dd .TP .SH Only generate an audit file, and print to the screen (verbose mode) foremost \-av image.dd .TP .SH Search all defined types foremost \-t all \-i image.dd .TP .SH Search for gif and pdf's foremost \-t gif,pdf \-i image.dd .TP .SH Search for office documents and jpeg files in a Unix file system in verbose mode. foremost \-vd \-t ole,jpeg \-i image.dd .TP .SH Run the default case foremost image.dd .PP .SH AUTHORS Original Code written by Special Agent Kris Kendall and Special Agent Jesse Kornblum of the United States Air Force Office of Special Investigations. Modification by Nick Mikus a Research Associate at the Naval Postgraduate School Center for Information Systems Security Studies and Research. The modification of Foremost was part of a masters thesis at NPS. 
.SH BUGS When compiling foremost on systems with versions of glibc 2.1.x or older, you will get some (harmless) compiler warnings regarding the implicit declaration of fseeko and ftello. You can safely ignore these warnings. .PP .SH "REPORTING BUGS" Because Foremost could be used to obtain evidence for criminal prosecutions, we take all bug reports \fIvery\fR seriously. Any bug that jeopardizes the forensic integrity of this program could have serious consequences. When submitting a bug report, please include a description of the problem, how you found it, and your contact information. .PP Send bug reports to: .br namikus AT users d0t sf d0t net .PP .SH COPYRIGHT This program is a work of the US Government. In accordance with 17 USC 105, copyright protection is not available for any work of the US Government. .PP This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. .SH "SEE ALSO" There is more information in the README file. .PP Foremost was originally designed to imitate the functionality of CarvThis, a DOS program written by the Defense Computer Forensics Lab in 1999. debian/watch0000644000000000000000000000016711776673427010247 0ustar # Compulsory line, this is a version 3 file version=3 http://foremost.sourceforge.net/ \ pkg/foremost-(.*)\.tar\.gz debian/compat0000644000000000000000000000000211776673427010410 0ustar 9 debian/foremost.manpages0000644000000000000000000000002211776673427012557 0ustar debian/foremost.1 debian/rules0000755000000000000000000000051611776673427010274 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. 
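#export DH_VERBOSE=1

# Request the full dpkg hardening set; the upstream Makefile ignores CFLAGS
# from the environment, so fix-lintian-hardening-warnings.patch makes it
# call dpkg-buildflags, which honours this variable.
export DEB_BUILD_MAINT_OPTIONS=hardening=+all

# Catch-all: every debhelper sequence step is delegated to dh.
%:
	dh $@

# The override is a command, not a file: declare it phony so it always runs
# and can never be mistaken for an up-to-date build product.
.PHONY: override_dh_auto_install

# Place the shipped config file and binary directly into the package
# staging tree; install -D creates the missing leading directories, and
# the explicit modes keep the conffile world-readable and the binary
# executable regardless of the build umask.
override_dh_auto_install:
	install -D -m 644 foremost.conf $(CURDIR)/debian/foremost/etc/foremost.conf
	install -D -m 755 foremost $(CURDIR)/debian/foremost/usr/bin/foremost
debian/docs0000644000000000000000000000000711776673427010062 0ustar README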