EN
ENNA

bulk_extractor

๐Ÿ”ฌ Digital Forensics ยท C++

bulk_extractor is a high-performance digital forensics tool that scans disk images, files, or directories and extracts useful information without parsing the file system or file system structures. It finds email addresses, URLs, credit card numbers, JPEG images, JSON fragments, GPS coordinates, Windows registry fragments, AES keys, and other artifacts by scanning raw data. This approach means it can recover data from unallocated space, slack space, compressed archives, and even encrypted volumes where the key is present in memory. bulk_extractor operates on the raw bytes of the input, dividing it into pages that are processed in parallel across all available CPU cores, making it extremely fast - often 10x faster than other carving tools. Its output consists of feature files that can be analyzed with tools like the included bulk_diff utility or imported into other analysis platforms.

1.4kstars
216forks
133issues
Updated 2mo ago
View on GitHubOfficial Website

Installation

apt (Debian/Ubuntu)

$ sudo apt install bulk-extractor

brew (macOS)

$ brew install bulk_extractor

from source

$ git clone https://github.com/simsong/bulk_extractor && cd bulk_extractor && ./configure && make && sudo make install

Use Cases

  • Extracting email addresses, URLs, and credit card numbers from disk images
  • Recovering data from unallocated space and slack space in forensic images
  • Processing large disk images quickly with parallel multi-core scanning
  • Finding encryption keys and passwords in memory dumps
  • Comparing two forensic images with bulk_diff to identify changes over time

Tags

data-carvingdisk-forensicsemail-extractionparallelunallocated-space

Details

Category
๐Ÿ”ฌ Digital Forensics
Language
C++
Platforms
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Links

GitHub Repository

github.com/simsong/bulk_extractor

Official Website

github.com/simsong/bulk_extractor/releases

Releases

github.com/simsong/bulk_extractor/releases

Issues

github.com/simsong/bulk_extractor/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Volatility 3

Python

Advanced memory forensics framework. Extracts artifacts from RAM dumps - processes, network connections, registry.

Compare bulk_extractor vs Volatility 3

Autopsy

Java

Digital forensics platform with GUI. Disk image analysis, timeline analysis, keyword search, hash filtering.

Compare bulk_extractor vs Autopsy

The Sleuth Kit

C

Collection of command-line tools for forensic analysis of disk images and file systems.

Compare bulk_extractor vs The Sleuth Kit

RegRipper

Perl

Windows registry forensic parser. Extracts and decodes forensic artifacts from registry hives with extensible plugins.

Compare bulk_extractor vs RegRipper

More in Digital Forensics

Volatility 3

Python

Advanced memory forensics framework. Extracts artifacts from RAM dumps - processes, network connections, registry.

memoryram-dumpartifact-extraction

Autopsy

Java

Digital forensics platform with GUI. Disk image analysis, timeline analysis, keyword search, hash filtering.

disk-forensicsguitimeline

Ghidra

Java

NSA's reverse engineering framework. Disassembly, decompilation, graphing, and scripting for binary analysis.

reverse-engineeringdecompilerbinary-analysis

Binwalk

Python

Firmware analysis tool. Searches binary images for embedded files, executables, and file systems.

firmwarebinaryextraction

YARA

C

Pattern matching swiss knife for malware researchers. Create rules to identify and classify malware samples.

malwarepattern-matchingrules

Velociraptor

Go

Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.

endpointhuntingdfir