BulkExtractor & BulkExtractor-Rec

Additional plugins

LogoGitHub - 4n6ist/bulk_extractor-rec: It is based on bulk_extractor (https://github.com/simsong/bulk_extractor) and add scanners for record carvingGitHub

Additionally can parse:

  • EVTX - Carves windows Evtx logs

  • NTFSINDX - INDX records of $INDEX_ALLOCATION

  • NTFSLOG - TSTR/TCRD records of $LogFile

  • NTFSMFT - index of $MFT

  • NTFSUN - USN_RECORD structure of $Extend\$UsnJrnl and $J

  • UTMP - UTMP Structure records (for unix)

Bulk-extractor is not filesystem-aware, ( by design) so when we want to narrow our focus to unallocated space, we need to use different tooling such as blks by sleuth kit,

Blks

-s # extract slack 
blks [options] <image> > image.unallocated
blks -s <image> > image.slack

Basic Usage

Running bulk_extractor

To run bulk_extractor on a disk image or directory, use the following command:

bulk_extractor -o <output_directory> <input_file_or_directory>

  • <output_directory>: Directory where the output will be stored.

  • <input_file_or_directory>: The disk image file or directory you want to analyze.

Advanced Options

Specifying Scanners

bulk_extractor includes various scanners for extracting different types of information. You can enable or disable scanners using the -e (enable) or -x (disable) options.

Enabling Specific Scanners

bulk_extractor -o output -E <scanner_name> <input_file>

Disabling Specific Scanners

bulk_extractor -o output -X <scanner_name> <input_file>

Enable only the email scanner:

bulk_extractor -o output -E email forensic_image.dd

Disable the ccn (credit card number) scanner:

bulk_extractor -o output -X ccn forensic_image.dd

Setting Sector Size

If you need to set a specific sector size for the input file, use the -S option:

bulk_extractor -o output -S <sector_size> <input_file>
bulk_extractor -o output -S 512 forensic_image.dd

Analyzing Results

After running bulk_extractor, the output directory will contain several files. The most important ones include:

  • Feature files: Contain extracted information such as email addresses, URLs, and credit card numbers.

  • Histogram files: Provide a summary of the occurrences of different features.

  • Report files: Summarize the findings and provide an overview of the analysis.

Viewing Feature Files

Feature files are named after the type of data they contain (e.g., email.txt, url.txt). Open these files with any text editor to review the extracted information.

Example

bash
cat output/email.txt

Viewing Histograms

Histograms provide a statistical overview of the data. For example, the email_histogram.txt file shows the frequency of each extracted email address.

Example

bash
cat output/email_histogram.txt

LogoGitHub - simsong/bulk_extractor: This is the development tree. Production downloads are at:GitHub
PreviousFTKNextLinux

Last updated