bulk_extractor: extract useful information without parsing the file system

A fast and thorough forensic tool


bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system structure.
Using this approach, bulk_extractor is more fast than other forensic tools and can process different parts of the disk in parallel, splitting the disk up into 16MiByte pages and processes one page on each available core.

Furthermore, bulk_extractor can be used to process any digital media, like hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information.


Which kind of information can be extracted?

bulk_extractor can extract a lot of informations:

  • Credit card numbers
  • Credit card “track 2″ information
  • Internet domains found on the drive, including dotted-quad addresses found in text.
  • Email addresses
  • Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.
  • EXIFs from JPEGs and video segments.
  • Results of specific regular expression search requests.
  • IP addresses found through IP packet carving.
  • US and international telephone numbers.
  • URLs, typically found in browser caches, email messages, and pre-compiled into executables.
  • A histogram of terms used in Internet searches from services such as Google, Bing, Yahoo, and others.
  • A list of all “words” extracted from the disk, useful for password cracking.
  • A list of every ZIP file component found on the media.

The results can be easily inspected, parsed, or processed with automated tools.


Is there a frontend?


Yep! bulk_extractor is packaged with some useful tools and with a simple graphical frontend that helps user with the long option list of the tool.

You can read this good tutorial on BitCurator.net:

https://wiki.bitcurator.net/index.php?title=Using_Bulk_Extractor_Viewer_to_Find_Potentially_Sensitive_Information_on_a_Disk_Image


Example usage

On Security-sleuth.com I’ve found a simple tutorial on command line usage of bulk_extractor:

https://wiki.bitcurator.net/index.php?title=Using_Bulk_Extractor_Viewer_to_Find_Potentially_Sensitive_Information_on_a_Disk_Image

Furthermore, in this video Jeremy Dillman describes how bulk_extractor can be used to discover social networking activities from a hard disk scan


More information and downloads

https://wiki.bitcurator.net/index.php?title=Using_Bulk_Extractor_Viewer_to_Find_Potentially_Sensitive_Information_on_a_Disk_Image


Suggested readings

https://wiki.bitcurator.net/index.php?title=Using_Bulk_Extractor_Viewer_to_Find_Potentially_Sensitive_Information_on_a_Disk_Image

Comments