Also see Steganography tools.
foremost is a simple and effective command line interface (CLI) tool that recovers files by reading their headers and footers.
recoverjpeg can be used to recover
.jpgimages. The recovered files will be saved in the Home folder and will not have their original names, but instead will be named in numerical order, starting from
scalpel, created as an improvement of a much earlier version of
foremost, aims to address the high CPU and RAM usage issues of foremost when carving data. Unlike foremost, file types of interest must be specified by the investigator in the
scalpelconfiguration file (
photorec is a file carving tool, able to recover lost files including video, documents and archives from hard disks (Mechanical Hard drives, Solid State Drives…), CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. It is a companion program to TestDisk, an application for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again.
bulk_extractor extracts additional types of information that can be very useful in investigations, such as histograms of disk images, email addresses, credit card numbers, urls visited (or bookmarked), online searches, social media profiles, etc.
bstrings is an improved strings utility
floss is a static analysis tool to automatically deobfuscate strings from malware binaries.
swap_digger is a bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.