bulk_extractor is a tool that scans disk images, files, and other devices and extracts data from them. It looks for patterns matching credit card numbers, email addresses, domain names, and many other things, and sorts its results into files that are easy to analyze. It is also extremely fast and thorough.

Although bulk_extractor is a command line based tool, a GUI version is available (BEViewer). Both bulk_extractor and BEViewer are available for Windows, Mac, and Linux.

In the words of the author:

"bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important." (Source: https://github.com/simsong/bulk_extractor/wiki/Introducing-bulk_extractor)


By: Moshe Caplan

The "NIST Hacking Case" is a great publicly available forensics challenge to work on. For the challenge, NIST provides a dd image of a disk, split into eight parts. Run bulk_extractor and BEViewer on the dd image and answer the questions below.

The "NIST Hacking Case" is available here: https://sites.google.com/a/isis.poly.edu/cyfor/modules/nist-hacking-case

After completing this challenge I strongly encourage you to work your way through the entire "NIST Hacking Case."

You can find more disk images, memory dumps, and other forms of data to analyze at: http://digitalcorpora.org/

Questions:
1. How many times was the term "hacking" searched for?
2. What is the most commonly occurring email address and how many times does it appear on the disk?
3. Whose phone number is 847-240-9111?

Answers can be found in the resources section in the file called "BE_Challenge_Answers"
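Answering the counting questions above means reading the feature files and histograms that bulk_extractor writes (the tab-separated offset/feature/context lines and the "n=COUNT" histogram form the author describes). The following Python is an added example for this module, not code from bulk_extractor or the original page; the sample email.txt content is constructed, and the case-folding of addresses is this example's choice.

```python
"""Parse bulk_extractor feature files and rebuild a histogram from them.

Feature files are tab-separated: offset, feature, context. Lines starting
with '#' are header comments. Histogram files use 'n=COUNT<TAB>feature'.
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample mimicking a few lines of email.txt from a bulk_extractor
# run; offsets, addresses and context are made up for this example.
SAMPLE_EMAIL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: email
# Filename: constructed.dd
# Feature-File-Version: 1.1
1045876\tuser@example.com\tTo: user@example.com\\x0d\\x0aFrom
2099100\tadmin@example.org\tmailto:admin@example.org?subject
3400256\tuser@example.com\tReply-To: user@example.com\\x0d\\x0a
5120000\tUser@Example.com\tContact User@Example.com for
"""


def parse_feature_file(lines: Iterable[str]):
    """Yield (offset, feature, context) tuples, skipping header comments.

    bulk_extractor escapes tabs and non-printable bytes in the context as
    \\xNN, so splitting on the first two tabs is safe. The offset is kept
    as a string because it may be a forensic path such as '123-ZIP-45'.
    """
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        context = parts[2] if len(parts) == 3 else ""
        yield parts[0], parts[1], context


def build_histogram(lines: Iterable[str], case_insensitive: bool = True) -> List[Tuple[int, str]]:
    """Count each feature and return (count, feature) pairs ordered like a
    bulk_extractor *_histogram.txt: most frequent first, then alphabetical.
    Email addresses are folded to lower case by default (example's choice)."""
    counts: Counter = Counter()
    for _offset, feature, _context in parse_feature_file(lines):
        counts[feature.lower() if case_insensitive else feature] += 1
    return sorted(((n, f) for f, n in counts.items()), key=lambda t: (-t[0], t[1]))


def format_histogram(hist: List[Tuple[int, str]]) -> str:
    """Render in the 'n=COUNT\\tfeature' form bulk_extractor uses."""
    return "\n".join(f"n={n}\t{f}" for n, f in hist)


if __name__ == "__main__":
    print(format_histogram(build_histogram(SAMPLE_EMAIL_TXT.splitlines())))
```

Point `parse_feature_file` at a real feature file (for example `open("email.txt")`) to reproduce bulk_extractor's histogram, or at `url_searches.txt` to count how often a given search term appears.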

Further information on this module can be found at the following links.

BE_Challenge_Answers.pdf (195.11 KB), marcbudofsky, Mar 17 2013, 9:42 PM
