bulk_extractor: extract useful information without parsing the file system
A fast and thorough forensic tool
bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system structure.
Using this approach, bulk_extractor is more fast than other forensic tools and can process different parts of the disk in parallel, splitting the disk up into 16MiByte pages and processes one page on each available core.
Furthermore, bulk_extractor can be used to process any digital media, like hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information.
Which kind of information can be extracted?
bulk_extractor can extract a lot of informations:
- Credit card numbers
- Credit card “track 2″ information
- Internet domains found on the drive, including dotted-quad addresses found in text.
- Email addresses
- Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.
- EXIFs from JPEGs and video segments.
- Results of specific regular expression search requests.
- IP addresses found through IP packet carving.
- US and international telephone numbers.
- URLs, typically found in browser caches, email messages, and pre-compiled into executables.
- A histogram of terms used in Internet searches from services such as Google, Bing, Yahoo, and others.
- A list of all “words” extracted from the disk, useful for password cracking.
- A list of every ZIP file component found on the media.
The results can be easily inspected, parsed, or processed with automated tools.
Is there a frontend?
Yep! bulk_extractor is packaged with some useful tools and with a simple graphical frontend that helps user with the long option list of the tool.
You can read this good tutorial on BitCurator.net:
On Security-sleuth.com I’ve found a simple tutorial on command line usage of bulk_extractor:
Furthermore, in this video Jeremy Dillman describes how bulk_extractor can be used to discover social networking activities from a hard disk scan