In today's digital forensic tutorial we learn how we can find sensitive data from digital evidence files using bulk-extractor.

bulk-extractor is a program that extracts data like email-address, credit card numbers, URL's and other type of information from any disk, disk image, drive, directory or any other digital evidence. bulk-extractor comes pre-installed with Kali Linux.


It is a very useful forensic investigation tool for many tasks such as malware and intrusion investigations, identity investigations and cyber investigations, as well as analyzing imagery and password cracking.

It can find e-mail address, URLs and credit card numbers that other tools miss because it can work through compressed data like ZIP, PDF and GZIP files.

It also can process incomplete and partially corrupted data.

we can make customized word list based on all of the words found within the data, even those in compressed files that are in unallocated space. Those word lists can be useful for password cracking.

Bulk-extractor is a multi-threaded tool, so it consumes very less time compared to other similar tools.

Let's see the help menu of this tool by using following command :
bulk_extractor -h

We can see the screenshot following:


We can see options we can use in the screenshot. These options can be extract information from drive, directory, OS image.


We can enable scanners by using -e flag. Some scanners are disabled by default.
To disable an enabled scanners we can use -f flag. Let's see how we can scan a digital evidence using bulk extractor. If we want to scan a disk image then we need to acquire it. We have previous tutorial how we can acquire a disk image. here we have acquired our pen drive in a disk image. So for the default scan we use following command:
bulk_extractor -o test-case pendriveimage.000

Here -o is the name of output folder. Then it will start scanning like following screenshot :


This scanning process will take some time depending enabled scanners and the size of drive we are scanning. If we want a faster scanning then we need to manually disable unnecessary scanners.

Now we directly scan our pen drive without making a disk image. To do that first plug the drive with our system and check the partition of our thumb drive by using following command :
fdisk -l


In the above screenshot we can see the drives attached with our system and our pen drive is /dev/sdb

If we scan with a specific scanner then it took very little time, so we are going to show an example with wordlist scanner. This scanner will generate a wordlist from our pen drive's documents. So the command will be following:
bulk_extractor -o kali-pendrive /dev/sdb -E wordlist

This command will make a output folder called "kali-pendrive" and scans for wordlist. We can see the output in the following screenshot:


This is how we can run bulk_extractor in our Kali Linux for digital forensic jobs.
For more tutorials follow us in Twitter. For any help or suggestion comment down we are happy to help you.