foremost
foremost is a forensic file carving tool originally developed for the US Air Force. It scans a file byte by byte for known headers and footers (JPEG, PNG, ZIP, PDF, ...) and carves out every match — ideal for files hidden inside an image.
What Aperi'Solve runs
$ foremost -o output/ -i image.png
-iis the input image,-othe directory receiving carved files.- Every carved file is sorted into a subdirectory named after its type
(
jpg/,zip/,pdf/, ...).
Anything carved is offered on the result page as a foremost.7z download.
Reading the output
Foremost writes an audit.txt in the output directory summarizing what it
found:
Num Name (bs=512) Size File Offset Comment
0: 00000105.zip 1 KB 54187
1: 00000000.jpg 52 KB 0
The first entry is often the carrier image itself. Any additional file —
here a Zip starting at offset 54187 — is what you are after. The carved
copies live next to audit.txt, ready to open.
foremost vs binwalk
Both find embedded files, but differently:
- foremost does pure signature carving: it matches header/footer byte patterns and copies everything in between, format-blind.
- binwalk parses file structures and recurses
into extracted archives (
--matryoshka).
Their signature databases differ, so each can catch files the other misses. Aperi'Solve runs both — always compare the two results.
Installing locally
$ apt install foremost
Limitations
- Only formats in its signature database are carved, and footer-less formats rely on a maximum size guess — expect trailing junk.
- Payloads without a recognizable header (LSB steganography, encrypted blobs) stay invisible — try zsteg for those.
Common CTF patterns
- A Zip or JPEG appended after the PNG
IENDchunk — foremost carves it directly, no manualddneeded. - Several files concatenated into one blob: each shows up as its own entry
in
audit.txt. - A carved archive that asks for a password → it hides elsewhere in the challenge (metadata, strings, another layer).