Additional plugins
Additionally, bulk_extractor can parse:
EVTX - Carves Windows EVTX (event log) records
NTFSINDX - Carves INDX records from NTFS $INDEX_ALLOCATION attributes
UTMP - Carves UTMP structure records (Unix login records)
bulk_extractor is not filesystem-aware (by design), so when we want to narrow our focus to unallocated space, we first need to extract that space with different tooling, such as blkls from The Sleuth Kit.
blkls
Running bulk_extractor
To run bulk_extractor on a disk image or directory, use the following command:
    bulk_extractor -o <output_directory> <input_file_or_directory>
<output_directory>: Directory where the output will be stored.
<input_file_or_directory>: The disk image file or directory you want to analyze.
Advanced Options
Specifying Scanners
bulk_extractor includes various scanners for extracting different types of information. You can enable or disable scanners using the -e (enable) or -x (disable) options.
Enabling Specific Scanners
Enable only the email scanner:
Disabling Specific Scanners
Disable the ccn (credit card number) scanner:
Setting Sector Size
If you need to set a specific sector size for the input file, use the -S option:
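The options above (-o, -e, -x, -S) assembled into one reproducible run, as an added example that is not part of bulk_extractor itself. The wrapper checks the two things that most often waste a run before it starts: bulk_extractor refuses an existing, non-empty output directory, and a mistyped scanner name is better rejected than passed through. It also adds -R, which bulk_extractor needs to recurse into a directory input; the paths and scanner names in the `__main__` block are constructed, and the exact names accepted by -S (such as the sector-size setting above) should be checked against `bulk_extractor -h` for the installed version.

```python
"""Build, record and optionally run a bulk_extractor command line.

Added example; not bulk_extractor's own code. Flags used: -o (output dir),
-e / -x (enable / disable a scanner) and -S (option) as described above,
plus -R, which bulk_extractor needs to recurse into a directory input.
"""
import os
import re
import shlex
import subprocess
from typing import Dict, Iterable, List, Optional

# Scanner names are lowercase identifiers (email, url, ccn, evtx, ...);
# reject anything else so a typo cannot turn into an unexpected argument.
_SCANNER_NAME = re.compile(r"^[a-z0-9_]+$")


def build_command(target: str, outdir: str, enable: Iterable[str] = (),
                  disable: Iterable[str] = (),
                  options: Optional[Dict[str, str]] = None,
                  recurse: Optional[bool] = None) -> List[str]:
    """Return the argv for one run; raises before anything is executed."""
    if recurse is None:                 # default: recurse iff the input is a directory
        recurse = os.path.isdir(target)
    # bulk_extractor refuses to write into an existing, non-empty output directory.
    if os.path.isdir(outdir) and os.listdir(outdir):
        raise ValueError(f"output directory {outdir!r} exists and is not empty")
    argv = ["bulk_extractor", "-o", outdir]
    for flag, names in (("-e", enable), ("-x", disable)):
        for name in names:
            if not _SCANNER_NAME.match(name):
                raise ValueError(f"invalid scanner name {name!r}")
            argv += [flag, name]
    # -S name=value passes a tuning option; check 'bulk_extractor -h' for the
    # option names your installed version accepts (assumption: not validated here).
    for key, value in (options or {}).items():
        argv += ["-S", f"{key}={value}"]
    if recurse:
        argv.append("-R")
    argv.append(target)
    return argv


def run(argv: List[str], dry_run: bool = True) -> str:
    """Return the shell-quoted command; execute it only when dry_run is False.

    The quoted string is what goes into the case notes so the run is reproducible.
    """
    rendered = shlex.join(argv)
    if not dry_run:
        subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed paths; replace with the real evidence image and case directory.
    cmd = build_command("/evidence/disk.raw", "/cases/001/be_out",
                        enable=["email"], disable=["ccn"])
    print(run(cmd))  # dry run: prints the command line without executing it
```

Set `dry_run=False` only once the rendered command has been reviewed; the default keeps the wrapper safe to call while assembling options.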
Analyzing Results
After running bulk_extractor, the output directory will contain several files. The most important ones include:
Feature files: Contain extracted information such as email addresses, URLs, and credit card numbers.
Histogram files: Provide a summary of the occurrences of different features.
Report files: Summarize the findings and provide an overview of the analysis.
Viewing Feature Files
Feature files are named after the type of data they contain (e.g., email.txt, url.txt). Open these files with any text editor to review the extracted information.
Viewing Histograms
Histograms provide a statistical overview of the data. For example, the email_histogram.txt file shows the frequency of each extracted email address.
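A parser for the two result formats described above (feature files and histogram files), as an added example that is not part of bulk_extractor. Feature files are tab-separated: a forensic path (a byte offset, optionally followed by decoder steps such as `561152-GZIP-1552` for a hit found inside compressed data), the feature, and its context; histogram lines have the form `n=COUNT<tab>FEATURE`. Lines starting with `#` are header comments. The sample contents are constructed; the check at the end recomputes the histogram from the feature file, which is a cheap way to confirm the two files describe the same run.

```python
"""Parse bulk_extractor feature and histogram files.

Added example, not bulk_extractor's own code; the sample file contents below
are constructed to match the formats described in the text.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SAMPLE_EMAIL_TXT = """\
# BULK_EXTRACTOR-Version: (constructed sample)
# Feature-Recorder: email
# Filename: disk.raw
# Feature-File-Version: 1.1
4096\talice@example.com\tFrom: alice@example.com\\x0a
8192\tbob@example.net\tTo: bob@example.net
561152-GZIP-1552\talice@example.com\t<alice@example.com>
"""

SAMPLE_EMAIL_HISTOGRAM = """\
# BULK_EXTRACTOR-Version: (constructed sample)
n=2\talice@example.com
n=1\tbob@example.net
"""


@dataclass
class Feature:
    path: str              # forensic path as written, e.g. "561152-GZIP-1552"
    offset: int            # byte offset in the image of the outermost object
    decoders: Tuple[str, ...]  # decoder steps applied, e.g. ("GZIP",)
    feature: str
    context: str


def parse_forensic_path(path: str) -> Tuple[int, Tuple[str, ...]]:
    """Split 'OFFSET[-DECODER-OFFSET]...' into the image offset and decoder names."""
    parts = path.split("-")
    return int(parts[0]), tuple(parts[1::2])


def parse_feature_lines(lines: Iterable[str]) -> List[Feature]:
    """Parse feature-file records, skipping header comments and blank lines."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 2:          # malformed line: no feature column
            continue
        offset, decoders = parse_forensic_path(cols[0])
        context = cols[2] if len(cols) > 2 else ""
        records.append(Feature(cols[0], offset, decoders, cols[1], context))
    return records


def parse_histogram_lines(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'n=COUNT<tab>FEATURE' histogram lines into a feature->count map."""
    hist: Dict[str, int] = {}
    for line in lines:
        m = re.match(r"n=(\d+)\t([^\t]*)", line)
        if m:
            hist[m.group(2)] = int(m.group(1))
    return hist


def summarize(feature_text: str, histogram_text: str) -> dict:
    """Count records, count hits inside decoded (e.g. compressed) data, and
    check that the histogram file agrees with a histogram recomputed from the
    feature file."""
    feats = parse_feature_lines(feature_text.splitlines())
    hist = parse_histogram_lines(histogram_text.splitlines())
    recomputed = Counter(f.feature for f in feats)
    return {
        "records": len(feats),
        "decoded_hits": sum(1 for f in feats if f.decoders),
        "histogram_consistent": dict(recomputed) == hist,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EMAIL_TXT, SAMPLE_EMAIL_HISTOGRAM))
```

To use it on real output, read `email.txt` and `email_histogram.txt` from the output directory and pass their contents to `summarize`; `decoded_hits` tells you how many addresses were found only after bulk_extractor decompressed or decoded an embedded object, which is where carving tools that work on the raw image alone would have missed them.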