Bulk Extractor News and Downloads

File bulk_extractor-1.3.1.zip contains the source code for bulk_extractor v1.3.1.  bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.  bulk_extractor is typically downloaded on a Fedora system and compiled or cross-compiled to Linux, Mac, or Windows using autotools.  Please see https://github.com/simsong/bulk_extractor/wiki/Introducing-bulk_extractor.

BEViewer.jar is an executable bulk_extractor viewer user interface.
Bulk Extractor Viewer (BEViewer) provides a graphical user interface for browsing features that have been extracted via the bulk extractor feature extraction tool.  Please see https://github.com/simsong/bulk_extractor/wiki/BEViewer.

be_installer-1.3.exe is a Windows installer for installing bulk_extractor and BEViewer v1.3 on a Windows system.

bulk_extractor.pdf, “Digital media triage with bulk data analysis and bulk-extractor,” discusses how the bulk_extractor tool is effective in providing bulk data analysis.

2012-08-08 bulk_extractor Tutorial.pdf describes how to use the BEViewer tool.  Although some of the parameters for running bulk_extractor have changed, the majority of the tutorial remains current..

Source: The information above and links were received from Bruce Allen <bdallen@nps.edu>, Naval Postgraduate School

See other bulk_extractor downloads here: http://digitalcorpora.org/downloads/bulk_extractor/

Hash Codes

The following post is now obsolete. The file frequent_hashcodes_and_paths_rdc.xml has been removed from the corpus as explained in a more recent post. Please see:


Deprecated Post from Mar 29, 2013 @ 13:13

The file frequent_hashcodes_and_paths_rdc.xml contains SHA1 hashcode and path data derived from the Real Drive Corpus collected by the DEEP Project at the U.S. Naval Postgraduate School. The file provides two kinds of data useful to forensic investigators: (1) SHA1 hashcodes that occurred for undeleted files on at least five different drives in the corpus but did not occur in the National Software Reference Library (http://www.nsrl.nist.gov). These are likely to indicate files uninteresting and excludable in most forensic investigations. File sizes and names are also given. (2) Path names (file name plus all directories) for paths that occurred on at least twenty different drives in the corpus on undeleted files. These usefully supplement the hashcodes in indicating recurring files uninteresting for investigators. However, occurrences of these files could include viruses and other malware, or could be hiding illegal content although it is unlikely.

Read more …  http://digitalcorpora.org/corp/hashes/nus-deidentified/README-frequent-hashcodes-and-paths-rdc.txtDownload XML File (HAS BEEN REMOVED): http://digitalcorpora.org/corp/hashes/nus-deidentified/frequent-hashcodes-and-paths-rdc.xml   (102 MB)

Forensic Innovations, Inc., analyzes the million file corpus

Forensic Innovations, Inc., makers of File Investigator TOOLS, has performed an analysis of the 986,278 files in the “1 million file corpus”. (13,722 files in the corpus were removed earlier this year because they were from California State Government web servers that were in the .gov domain and mistakingly collected as part of the original collection effort.)

We would like to thank Forensic Innovations for their work in support of this project. We have made available their summary report and will be making available their file-by-file analysis as soon as we deploy an appropriate database on this website.

ISO 9660 disk images from anti-forensics.ru posted

Our friends at anti-forensics.ru have given us seven very small disk images that are designed to demonstrate failings of particular open source Linux distributions.

You can view all of the images at http://digitalcorpora.org/corp/images/aor/. The images you will find there includes:

These images should be directly copied to a hard drive or a partition. Forensic Linux distributions would use them as root file systems and execute proof-of-concept code during the boot.

Details of why these images are useful can be found on the author’s website, at: Linux_for_computer_forensic_investigators_2.pdf