Bulk Extractor
Bulk Extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. Bulk Extractor also created a histograms of features that it finds, as features that are more common tend to be more important. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications.
bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it ignores file system structure, Bulk Extractor can process different parts of the disk in parallel. In practice, the program splits the disk up into 16MiByte pages and processes one page on each available core. This means that 24-core machines process a disk roughly 24 times faster than a 1-core machine. Bulk Extractor is also thorough. That’s because Bulk Extractor automatically detects, decompresses, and recursively re-processes compressed data that is compressed with a variety of algorithms. Our testing has shown that there is a significant amount of compressed data in the unallocated regions of file systems that is missed by most forensic tools that are commonly in use today.
Another advantage of ignoring file systems is that Bulk Extractor can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information.

Tutorials ::

Compiling for MacOS or Linux :: 
From the downloaded source directory run bootstrap.sh, configure and make:  
  • $ cd bulk_extractor 
  • $ sh bootstrap.sh 
  • $ sh configure 
  • $ make 
  • $ sudo make install
Compiling for Windows :: 
There are three ways to compile for Windows: 
1. Cross-compiling from a Linux or Mac system with mingw. 
2. Compiling natively on Windows using mingw. 
3. Compiling natively on Windows using cygwin (untested)

Cross-compiling for Windows using Debian Testing (wheezy) or Ubuntu 12.04 LTS (with mingw) :: 
You will need to install mingw-w64 and zlib-dev: 
  • $ sudo apt-get update 
  • $ sudo apt-get upgrade 
  • $ sudo apt-get -y install mingw-w64 
Next, download zlib from zlib.net 
  • $ ./configure --host=i686-w64-mingw32 
This allows the cross-compiling of the 64-bit and the 32-bit bulk_extractor.exe, although we do not recommend running the 32-bit version. 
Now you are ready to compile: 
  • $ git clone --recursive https://github.com/simsong/bulk_extractor.git 
  • $ cd bulk_extractor 
  • $ sh bootstrap.sh 
  • $ mingw64-configure

Installing on a Linux/MacOS/Mingw system :: 
  • $ ./configure 
  • $ make 
  • $ sudo make install 
Usages :: 
To get started and send an extract of image.raw to OUTPUT, use this command: 
  • $ /usr/local/bin/bulk_extractor -o OUTPUT image.raw 
For more & Troubleshooting :: Click Here

Download ::

Linux | Mac | Windows :: Bulk Extractor (tarball) | Bulk Extractor (.exe) | Bulk Extractor (.tar.gz)

0 comments :

Post a Comment

 
Top