BulkExtractor & BulkExtractor-Rec
Additionally, it can parse:
EVTX - carves Windows EVTX event log records
NTFSINDX - INDX records of $INDEX_ALLOCATION
UTMP - UTMP structure records (Unix login records)
bulk_extractor is not filesystem-aware (by design), so when we want to narrow our focus to unallocated space we need different tooling, such as blkls from The Sleuth Kit, which writes out the unallocated blocks so that bulk_extractor can scan just those.
To run bulk_extractor on a disk image or directory, give the output directory with -o and the input as the last argument:

bulk_extractor -o <output_directory> <input_file_or_directory>

<output_directory>: directory where the output will be stored.
<input_file_or_directory>: the disk image file or directory you want to analyze.

bulk_extractor includes various scanners for extracting different types of information. You can enable or disable scanners using the -e (enable) or -x (disable) options.

Enabling Specific Scanners
Enable only the email scanner (-E turns off every scanner except the one named, whereas -e just switches one scanner on):

bulk_extractor -E email -o <output_directory> <input_file_or_directory>

Disabling Specific Scanners
Disable the ccn (credit card number) scanner:

bulk_extractor -x ccn -o <output_directory> <input_file_or_directory>

If you need to set a specific sector size for the input file, use the -S option.
After running bulk_extractor, the output directory will contain several files. The most important ones include:
Feature files: contain extracted information such as email addresses, URLs, and credit card numbers.
Histogram files: provide a summary of the occurrences of different features.
Report files: summarize the findings and provide an overview of the analysis.

Feature files are named after the type of data they contain (e.g., email.txt, url.txt). Open these files with any text editor to review the extracted information.

Histograms provide a statistical overview of the data. For example, the email_histogram.txt file shows the frequency of each extracted email address.
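Added example (not from these notes and not bulk_extractor's own code): a small Python reader for a feature file such as email.txt and a histogram builder that reproduces the layout of email_histogram.txt. It assumes the feature-file layout of offset, feature and context separated by tabs with '#' header lines, and the histogram layout "n=COUNT<TAB>feature"; the sample email.txt content is constructed.

```python
"""Reader for bulk_extractor feature files plus a histogram builder.

Added example, not part of the original notes or of bulk_extractor itself.
Assumed layouts: feature file rows are `offset<TAB>feature<TAB>context` with
'#' header lines; histogram files use `n=COUNT<TAB>feature`, most frequent first.
"""
from collections import Counter
from typing import Iterator, List, NamedTuple, Tuple


class Feature(NamedTuple):
    offset: str   # forensic path: "4096", or "8192-GZIP-77" for a hit inside a gzip stream
    feature: str  # the extracted artifact (email address, URL, ...)
    context: str  # surrounding bytes; bulk_extractor escapes non-printables as \xNN


# Constructed sample of an email.txt feature file (not real evidence).
SAMPLE_EMAIL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: email
# Filename: image.raw
# Feature-File-Version: 1.1
4096\talice@example.com\tFrom: alice@example.com\\x0d\\x0a
8192-GZIP-77\tbob@example.com\tTo: bob@example.com
16384\talice@example.com\tCc: alice@example.com

20480\tcarol@example.org\t<carol@example.org>
"""


def parse_feature_file(text: str) -> Iterator[Feature]:
    """Yield one Feature per data row, skipping header, comment and blank lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed row: skip it rather than abort the whole file
        context = parts[2] if len(parts) > 2 else ""
        yield Feature(parts[0], parts[1], context)


def build_histogram(features) -> List[Tuple[str, int]]:
    """Count each feature value; highest count first, ties broken alphabetically."""
    counts = Counter(f.feature for f in features)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def histogram_text(hist) -> str:
    """Render in the *_histogram.txt layout: n=COUNT<TAB>feature per line."""
    return "".join(f"n={n}\t{value}\n" for value, n in hist)


def in_compressed_data(f: Feature) -> bool:
    """True when the forensic path shows the hit came out of decompressed content."""
    return "-" in f.offset
```

Hits whose forensic path carries a decoder name (the GZIP row above) were found inside compressed data; bulk_extractor reports such offsets because it scans raw bytes and is not filesystem-aware.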
NTFSLOG - TSTR/TCRD records of
NTFSMFT - index of
NTFSUN - USN_RECORD structure of and