I'm trying to recover a deleted file on an ext3 file system using the foremost utility. The file I want to recover is a hpp C++ source code file. However, foremost does not automatically support the hpp file extension, so I have to add it to the config file. So, following the instructions on the man page, I add the following line to the config file:
hpp n 50000 include include ASCII
Then I run foremost as follows:
$foremost -v -T -t hpp -i /dev/md0 -o /home/recover/
Instead of doing anything, it just displays the help message. If I change the hpp to htm or jpg, it works. So apparently foremost isn't accepting the custom file type I added into the config file. But I've looked over this dozens of times now, and I can't see what I'm doing wrong. I'm following the instructions exactly. Why doesn't foremost recognize the new file type I added to the config file?
I stumbled across the exact same issue and dug a little deeper into it by looking through the
foremostsources.It turns out custom types added using the configuration file cannot be selected with the
-toption. Your files will be found if you define thehpptype in/etc/foremost.confand useThis will also recover files matching all builtin types which will probably mean a lot of files. To work around that, patch the sources to not include any of the builtin types when using
-t all(equivalent to not using-tat all). Instate.c, at the end of theset_search_deffunction,init_allis called ifstrcmp(ft, "all") == 0. Simply comment out the call toinit_alland the builtin types will not be used anymore.Create a new .conf file and remove everything in it except the settings for the type you need. an example would be (foremost_pde.conf):
make sure you delete all tab or space characters at the start of the line or otherwise the line will not be recognised. Save and close the conf file at a user location (e.g. ~/Desktop). Now use:
Did you try to use
-c config fileoption?