Linux command
bulk_extractor command
Files
After copying a command, replace the file names, directories, or parameters as needed.
Common examples
- Extract data from a disk image: `bulk_extractor -o [output_dir] [image.dd]`
- Scan with multiple threads: `bulk_extractor -o [output_dir] -j [8] [image.dd]`
- Enable a specific scanner: `bulk_extractor -o [output_dir] -e [exif] [image.dd]`
- Disable a specific scanner: `bulk_extractor -o [output_dir] -x [email] [image.dd]`
- Scan a specific byte range: `bulk_extractor -o [output_dir] -Y [0-1000000000] [image.dd]`
- Recursively scan a directory: `bulk_extractor -o [output_dir] -R [directory]`
- Search for a specific pattern: `bulk_extractor -o [output_dir] -f "[pattern]" [image.dd]`
- List available scanners: `bulk_extractor -H`
Description
bulk_extractor is a high-performance digital forensics tool that scans disk images, files, or directories and extracts structured information without parsing file system structures. It extracts email addresses, credit card numbers, URLs, EXIF metadata, and other artifacts directly from raw data streams. The tool processes data in parallel across multiple CPU cores, making it significantly faster than traditional forensic tools. It operates on raw bytes rather than file system metadata, allowing it to find data in unallocated space, slack space, and within compressed or encoded content. Each scanner plugin generates a separate feature file in the output directory, making results easy to filter and analyze.
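The feature files mentioned above are plain text: comment lines start with `#`, and each record is `offset<TAB>feature<TAB>context`, where the offset may be a forensic path such as `7516032-GZIP-1024` (byte offset, decoder, offset inside the decoded data). The following is an added example, not part of this reference or of bulk_extractor itself: a small parser that reads such a file, counts distinct features, and flags those found inside compressed or encoded content. The sample `email.txt` content is constructed.

```python
"""Parse bulk_extractor feature files (offset<TAB>feature<TAB>context)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List


@dataclass
class Feature:
    offset: str    # forensic path, e.g. "12345" or "7516032-GZIP-1024"
    feature: str   # the extracted artifact, e.g. an e-mail address
    context: str   # surrounding bytes as written by bulk_extractor

    @property
    def base_offset(self) -> int:
        # Byte offset in the image before any decoding step
        return int(self.offset.split("-", 1)[0])

    @property
    def decoders(self) -> List[str]:
        # Decoder chain in the forensic path, e.g. ["GZIP"]; empty for raw hits
        return self.offset.split("-")[1::2]


def parse_feature_file(text: str) -> Iterator[Feature]:
    for line in text.splitlines():
        if not line or line.startswith("#"):   # header / comment lines
            continue
        fields = line.split("\t")
        if len(fields) < 2:                    # malformed record, skip
            continue
        context = fields[2] if len(fields) > 2 else ""
        yield Feature(fields[0], fields[1], context)


def analyze(text: str) -> dict:
    feats = list(parse_feature_file(text))
    return {
        "count": len(feats),
        # case-insensitive histogram, like bulk_extractor's *_histogram.txt
        "histogram": Counter(f.feature.lower() for f in feats),
        # features that were only reachable through a decoder (e.g. GZIP)
        "from_encoded": [f.feature for f in feats if f.decoders],
    }


# Constructed sample of an email.txt feature file (not real output)
SAMPLE_EMAIL_TXT = "\n".join([
    "# BULK_EXTRACTOR-Version: 2.0.0",
    "# Feature-Recorder: email",
    "# Filename: image.dd",
    "1048576\talice@example.com\tFrom: alice@example.com\\x0d\\x0aTo: bob",
    "2097152\tbob@example.org\tTo: bob@example.org\\x0d\\x0aSubject: hi",
    "7516032-GZIP-1024\tAlice@Example.com\tReply-To: Alice@Example.com",
])
```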
Options
- `-o _directory_`: Output directory (required)
- `-e _scanner_`: Enable a specific scanner
- `-x _scanner_`: Disable a specific scanner
- `-j _threads_`: Number of threads to use
- `-G _bytes_`: Page size (default: 16777216)
- `-M _depth_`: Maximum recursion depth (default: 7)
- `-R`: Recursively scan a directory
- `-f _pattern_`: Search for a specific pattern
- `-F _file_`: Read patterns from a file
- `-Y _start-end_`: Scan a specific byte range
- `-z _pagestart_`: Start processing at a specific page number
- `-Z`: Wipe the output directory before starting
- `-q`: Quiet mode (no status output)
- `-H`: List available scanners with info
FAQ
What is the bulk_extractor command used for?
bulk_extractor is a high-performance digital forensics tool that scans disk images, files, or directories and extracts structured information without parsing file system structures. It extracts email addresses, credit card numbers, URLs, EXIF metadata, and other artifacts directly from raw data streams. The tool processes data in parallel across multiple CPU cores, making it significantly faster than traditional forensic tools. It operates on raw bytes rather than file system metadata, allowing it to find data in unallocated space, slack space, and within compressed or encoded content. Each scanner plugin generates a separate feature file in the output directory, making results easy to filter and analyze.
How do I run a basic bulk_extractor example?
Run `bulk_extractor -o [output_dir] [image.dd]` in a terminal, then substitute your own output directory, image path, and flags.
What does -o _directory_ do in bulk_extractor?
Output directory (required)