Bulk Extractor Linux Guide

This document outlines the procedures for using Bulk Extractor, a command-line digital forensics tool, in a Linux environment to extract data features from a forensic image file. The examination of the image file terry-work-usb-2009-12-11.E01 revealed various data types, including email addresses and credit card numbers, with results stored in an output directory. The report emphasizes the tool's efficiency in quickly identifying embedded data, suggesting further analysis is needed to understand the context of the findings.


INVESTIGATORS: MC ALESTER SANCHEZ & AISEN ALDERSON QUIA

YEAR AND SECTION: III - CINS

Bulk Extractor Linux Procedures

This document provides a guide to using Bulk Extractor within a Linux environment,
based on the screenshots taken during the examination.

Introduction to Bulk Extractor:

Bulk Extractor is a command-line digital forensics tool that scans the raw bytes of a
disk image, file, or directory and extracts data features (email addresses, domain
names, credit card numbers, telephone numbers, and so on) without parsing the file
system. Because it does not depend on file-system metadata, it also recovers features
from unallocated space, slack, and fragments, and it decodes embedded objects such as
gzip, zip, and base64 data and scans their contents recursively.

Section 1: Running Bulk Extractor

Based on the screenshots, a scan is initiated from the command line using a
command similar to:

bulk_extractor -o bulk_output terry-work-usb-2009-12-11.E01

●​ bulk_extractor: The command to execute the program.
●​ -o bulk_output: Specifies the output directory (bulk_output).
●​ terry-work-usb-2009-12-11.E01: The input forensic image file.

Upon execution, the initial output provides scan details:

[Content from Screenshot 2 - Showing the command execution and initial output]

●​ Version: Bulk Extractor version (e.g., 2.1.1).
●​ Input File: Path to the input image.
●​ Output Directory: The specified output location.
●​ Disk Size: Size of the input image.
●​ Scanners: List of enabled data scanners.
●​ Threads: Number of processing threads.

Section 2: Scan Progress and Completion

During the scan, progress metrics are displayed:

[Content from Screenshot 3 - Showing scan progress metrics]

●​ elapsed time: Duration of the scan.
●​ fraction read: Percentage of the image processed.
●​ estimated_time_remaining: Estimated time until completion.
●​ Other metrics like memory usage, bytes queued, etc.

Upon completion, the output confirms the process is finished and provides a
summary:

[Content from Screenshot 3 - Showing scan completion messages and final summary]
●​ "All data read; waiting for threads to finish..."
●​ "All Threads Finished!"
●​ Elapsed time: Total scan time.
●​ Total MB processed: Total data processed.
●​ Overall performance: Processing speed.
●​ Summary of features found: Counts of specific data types discovered (e.g.,
"Total email features found: 3").
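
The run described in Sections 1 and 2, as an added example of how an examiner would wrap it; this is example code, not part of the original guide and not part of bulk_extractor. It hashes the evidence file before and after the scan, checks that the output directory is usable, and keeps the console output (scanner list, progress, final totals) in a log file instead of letting it scroll away. Assumptions not taken from the page: bulk_extractor is on PATH when run_scan is called, and sha256sum (GNU coreutils) is available; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original guide or from bulk_extractor): a wrapper
# around "bulk_extractor -o OUTDIR IMAGE" with the checks an examiner wants
# before and after the scan. Assumed: bulk_extractor on PATH, sha256sum present.

# Hex SHA-256 of the evidence file, recorded before and after the scan so the
# results can be tied to an unchanged image. For an E01 this hashes the
# container file; the MD5 of the acquired media itself is stored inside the E01.
image_hash() {
  sha256sum "$1" | awk '{ print $1 }'
}

# bulk_extractor creates the output directory itself and refuses to write into
# an existing, non-empty one; succeed only if the directory is absent or empty.
outdir_ok() {
  [ ! -e "$1" ] || { [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; }
}

# Validate inputs before committing to a scan that may run for hours.
preflight() {
  image="$1"; outdir="$2"
  if [ ! -r "$image" ]; then
    echo "image not readable: $image" >&2; return 1
  fi
  if ! outdir_ok "$outdir"; then
    echo "output directory exists and is not empty: $outdir" >&2; return 1
  fi
}

# run_scan IMAGE OUTDIR [bulk_extractor options...]
# Mirrors the guide's command and keeps the console output in OUTDIR.log.
# Extra arguments such as "-j 8" or "-x aes" are passed through unchanged.
run_scan() {
  image="$1"; outdir="$2"; shift 2
  preflight "$image" "$outdir" || return 1
  before=$(image_hash "$image")
  echo "sha256 before scan: $before"
  bulk_extractor -o "$outdir" "$@" "$image" 2>&1 | tee "${outdir}.log"
  after=$(image_hash "$image")
  echo "sha256 after scan:  $after"
  if [ "$before" != "$after" ]; then
    echo "WARNING: image hash changed during the scan" >&2; return 2
  fi
}

# Example invocation (the image name is the one examined in this guide):
# run_scan terry-work-usb-2009-12-11.E01 bulk_output -j 8
```

The pass-through arguments are where the options from Section 4 go: for example `-j 8` to fix the thread count, `-x aes` to skip a scanner that is irrelevant for a USB stick, or `-f 'some-keyword'` to add a custom search. The log file matters because the final summary (Total MB processed, per-scanner feature counts) is only printed to the console; report.xml keeps the structured equivalent, but the log is what you paste into a report.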

Section 3: Analyzing Results

The scan results are stored in the output directory (bulk_output). Listing the contents
shows various files:

[Content from Screenshot 4 and 5 - Showing the directory listing of bulk_output]

Each file corresponds to a scanner and contains extracted data. Feature files are
tab-separated (forensic path/offset, feature, surrounding context), and the matching
*_histogram.txt files count how often each distinct feature occurred, one
"n=COUNT<TAB>feature" line per value. Examples visible include:
●​ aes_keys.txt: AES key schedules found in memory-like data (hits normally come
from RAM captures, hibernation or page files rather than from documents).
●​ alerts.txt: Scan alerts (features that matched an alert list supplied with -r, if
one was given).
●​ ccn.txt, ccn_histogram.txt: Candidate credit card numbers and counts. Every hit
still needs review: values that pass the scanner's checks can be serial numbers or
other identifiers.
●​ domain.txt, domain_histogram.txt: Domain names and counts.
●​ email.txt, email_histogram.txt: Email addresses and counts.
●​ exif.txt: EXIF metadata from embedded images.
●​ httplogs.txt: HTTP log lines.
●​ ip.txt, ip_histogram.txt: IP addresses and counts.
●​ json.txt: JSON data.
●​ pii.txt: Potentially Personally Identifiable Information.
●​ report.xml: DFXML report of the run (tool version, command line, enabled
scanners, timing and per-scanner feature totals).
●​ rfc822.txt: RFC 822 email header fields (Date:, From:, Message-ID: and similar).
●​ sin.txt: Canadian Social Insurance Numbers.
●​ sqlite_carved.txt: Index of carved SQLite databases (the carved files themselves
are written to a subdirectory of the output directory).
●​ telephone_histogram.txt: Frequency count of telephone numbers.
[Content from the last screenshot - Showing the content of telephone_histogram.txt]

Analyzing results involves examining these text files with a text editor, grep and
awk, or a dedicated viewer such as BEViewer, which can jump from a feature to the
bytes around it in the image. Because the files record byte offsets rather than file
names, finding the file that contained a feature is a second step (for example, with
ifind from The Sleuth Kit after converting the byte offset to a block address); a
feature with no owning file usually sits in unallocated space.
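
The feature files and histograms described above, as an added example of how to triage them from the shell; this is example code, not part of the original guide and not part of bulk_extractor. It constructs a small ccn.txt and email_histogram.txt in the format bulk_extractor writes (tab-separated offset, feature, context; histogram lines n=COUNT, feature), so it runs without the image, then lists features, ranks a histogram, and re-applies a Luhn check to the credit-card candidates as an independent filter. The sample contents, offsets, numbers and addresses are constructed for the example, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original guide or from bulk_extractor): reading
# bulk_extractor feature files and histograms from the shell.
#
# Feature files are tab-separated: forensic path (a byte offset, possibly with a
# recursion suffix such as 123-GZIP-45 for data found 45 bytes into the
# decompressed gzip object at offset 123), the feature, then the context.
# Histogram files carry "n=COUNT<TAB>FEATURE" lines. Lines starting with '#'
# are metadata written by bulk_extractor and are skipped.

# Constructed sample output (not real scan data). The second card number is a
# 16-digit value that fails Luhn, to show the filter doing its job.
SAMPLE_DIR=$(mktemp -d)
{
  printf '# BULK_EXTRACTOR-Version: 2.1.1\n'
  printf '# Feature-Recorder: ccn\n'
  printf '12345678\t4111111111111111\t...card 4111111111111111 exp 09/11...\n'
  printf '23456789-GZIP-512\t1234567812345678\t...order 1234567812345678 shipped...\n'
} > "$SAMPLE_DIR/ccn.txt"
{
  printf '# BULK_EXTRACTOR-Version: 2.1.1\n'
  printf 'n=2\talice@example.com\n'
  printf 'n=1\tbob@example.com\n'
} > "$SAMPLE_DIR/email_histogram.txt"

# Print "offset<TAB>feature" for every feature line, dropping '#' metadata.
be_features() {
  awk -F '\t' '!/^#/ && NF >= 2 { print $1 "\t" $2 }' "$1"
}

# Top-N entries of a histogram file, highest count first (default N=10).
be_top_hist() {
  awk -F '\t' '!/^#/ && $1 ~ /^n=/ { sub(/^n=/, "", $1); print $1 "\t" $2 }' "$1" \
    | sort -k1,1nr | head -n "${2:-10}"
}

# Luhn check on the digits of $1 (spaces and dashes ignored); succeeds only if
# the checksum passes and the length is a plausible card length (13-19 digits).
luhn_ok() {
  awk -v s="$(printf '%s' "$1" | tr -cd '0-9')" 'BEGIN {
    n = length(s); sum = 0; alt = 0
    for (i = n; i >= 1; i--) {
      d = substr(s, i, 1) + 0
      if (alt) { d *= 2; if (d > 9) d -= 9 }
      sum += d; alt = !alt
    }
    exit !(n >= 13 && n <= 19 && sum % 10 == 0)
  }'
}

# Keep only ccn.txt entries whose digits pass Luhn; output "offset<TAB>feature".
be_triage_ccn() {
  tab=$(printf '\t')
  be_features "$1" | while IFS="$tab" read -r off feat; do
    if luhn_ok "$feat"; then printf '%s\t%s\n' "$off" "$feat"; fi
  done
}

# Usage on a real run:
#   be_triage_ccn bulk_output/ccn.txt
#   be_top_hist bulk_output/email_histogram.txt 5
```

The Luhn filter is a template, not a verdict: a value that passes is still only a candidate until its context column (the text around it in the image) shows it being used as a card number. The same pattern, be_features piped through a per-feature test, works for the other files, for example dropping ip.txt entries in private ranges or email.txt entries whose domain is the examined organisation's own.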

Section 4: Additional Options

The help/usage information shows various command-line options to customize scans:

[Content from Screenshot 1 - Showing the help/usage options]

Options allow control over aspects like:
●​ Adding a fixed offset to every reported position (-A), useful when the input is a
partition image cut from a larger disk.
●​ Size of the context window recorded around each feature (-C).
●​ Enabling or disabling individual scanners (-e, -x), or disabling all scanners
except the named ones (-E).
●​ Searching for a regular expression (-f), or for a file of regular expressions (-F).
●​ Number of worker threads (-j).
●​ Output directory (-o).
●​ Scanning only a byte range of the image (-Y).
●​ Displaying the version (-V).

Conclusion:

Bulk Extractor is an effective command-line tool for extracting specific data features
from digital media on Linux. The process involves running the tool with an input image
and output directory, monitoring progress, and then analyzing the generated files
containing the extracted features. Its ability to quickly find embedded data makes it
valuable in digital forensics.

Forensic Report

Case Information:

●​ Case Title: Digital Media Examination
●​ Date of Report: April 22, 2025
●​ Subject Media: terry-work-usb-2009-12-11.E01 forensic image file
●​ Tool Used: Bulk Extractor (Version 2.1.1)
●​ Operating Environment: Linux (Kali, based on screenshots)

Investigators:

●​ MC ALESTER SANCHEZ
●​ AISEN ALDERSON QUIA
●​ Year and Section: III - CINS

Summary of Examination:

A forensic examination was conducted on the provided digital media image file,
terry-work-usb-2009-12-11.E01, using the Bulk Extractor tool (Version 2.1.1)
within a Linux environment. The purpose of this examination was to perform a bulk
extraction of various data features embedded within the image, without relying on file
system parsing.

The Bulk Extractor scan was initiated with the command bulk_extractor -o
bulk_output terry-work-usb-2009-12-11.E01, directing the output to the
bulk_output directory. The scan processed approximately 2097 MB of data with an
overall performance of 83.65 MBytes/sec, completing in 25.27 seconds.

The scan identified and extracted data features using the default set of enabled
scanners. The results are organized into individual files within the bulk_output
directory, one per feature type (email addresses, domain names, IP addresses, credit
card numbers, telephone numbers, and so on). Findings supported by the summary
statistics or by file contents shown in the screenshots include email addresses
(Total email features found: 3) and telephone numbers (entries in
telephone_histogram.txt).

Findings:

The examination yielded a collection of extracted features, detailed in the files within
the bulk_output directory. The specific features found include, but are not limited
to:

●​ Email addresses (3 instances reported in the summary).
●​ Domain names.
●​ IP addresses.
●​ Candidate credit card numbers (ccn.txt and ccn_histogram.txt are present; each
entry must be reviewed, because the presence of the feature file does not by itself
establish that valid card numbers were found).
●​ Telephone numbers (histogram data available).
●​ EXIF metadata from images.
●​ HTTP logs.
●​ JSON data.
●​ Potential Personally Identifiable Information (PII).
●​ Social Insurance Numbers (SINs).
●​ Carved data from various file system structures (NTFS) and file types (SQLite,
EVTX, KML).

A detailed review of each generated file is required to establish the context and
significance of the extracted data; in particular, the context column and the offset
of each feature should be used to locate the originating file or unallocated region.
The report.xml file provides a DFXML summary of the run (command line, enabled
scanners, timing and feature counts) that can be attached to the case record.

Conclusion:

The application of Bulk Extractor to the terry-work-usb-2009-12-11.E01 image
file successfully extracted various data features. The output, contained within the
bulk_output directory, provides raw data points for further investigation. The
efficiency of Bulk Extractor in rapidly identifying and extracting embedded data makes
it a valuable initial step in the forensic analysis of digital media, particularly when
dealing with unknown or potentially damaged file systems. Further analysis of the
specific feature files is necessary to correlate findings and build a comprehensive
understanding of the data present in the image.
