bulk_extractor
new file processing approach
- Find every file on the disk with SleuthKit and process each file with bulk_extractor.
- Next, with bulk_extractor, process every run of sectors that no file accounted for (both passes are sketched below).
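Here is a minimal sketch of the two-pass idea, assuming the pytsk3 bindings for SleuthKit and a filesystem that starts at offset 0 of the image. `scan_buffer()` is a hypothetical stand-in for handing a buffer to bulk_extractor's scanners, not an existing API:

```python
import pytsk3

def scan_buffer(data, context):
    """Placeholder for handing a buffer to bulk_extractor's scanners."""
    pass

def process_image(image_path):
    img = pytsk3.Img_Info(image_path)
    fs = pytsk3.FS_Info(img)              # assumes the filesystem is at offset 0
    block_size = fs.info.block_size
    covered = set()                       # blocks claimed by some file

    # Pass 1: walk every file, scan its contents, record the blocks it owns.
    # (Sparse runs and resident attributes are ignored here for brevity.)
    def walk(directory, path):
        for f in directory:
            name = f.info.name.name.decode("utf-8", "replace")
            if name in (".", ".."):
                continue
            if f.info.meta is None:
                continue
            if f.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
                walk(f.as_directory(), path + "/" + name)
            elif f.info.meta.type == pytsk3.TSK_FS_META_TYPE_REG and f.info.meta.size > 0:
                scan_buffer(f.read_random(0, f.info.meta.size),
                            context=path + "/" + name)
                for attr in f:            # note the data runs behind the file
                    for run in attr:
                        covered.update(range(run.addr, run.addr + run.len))

    walk(fs.open_dir(path="/"), "")

    # Pass 2: scan every run of sectors that no file accounted for.
    run_start = None
    for b in range(fs.info.first_block, fs.info.last_block + 2):
        free = b <= fs.info.last_block and b not in covered
        if free and run_start is None:
            run_start = b
        elif not free and run_start is not None:
            scan_buffer(img.read(run_start * block_size,
                                 (b - run_start) * block_size),
                        context="unallocated@%d" % run_start)
            run_start = None
```

For a real disk the `covered` set would need to be a bitmap or interval list, and huge files would be scanned in chunks rather than read whole.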
Computers in 2020 are very different from what they were in 2006, when bulk_extractor was first designed. They have much more memory, for example, and disks are bigger too. What would this new way of processing a disk do?
This would be awesome because you could theoretically provide file context around any hits, such as the name of the file containing the hit, or whether the hit fell in file slack.
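For example, if pass 1 records which file owns each block, a hit's byte offset in the image can be mapped back to a file name and a slack determination. A sketch, with an illustrative `block_map` built during the file walk in place of the plain `covered` set above (not an existing structure):

```python
def file_context(hit_offset, block_map, block_size):
    """block_map: fs block -> (path, file_offset_of_block, logical_size),
    filled in during pass 1 instead of the plain 'covered' set."""
    entry = block_map.get(hit_offset // block_size)
    if entry is None:
        return ("<unallocated>", False)
    path, block_file_off, logical_size = entry
    pos_in_file = block_file_off + hit_offset % block_size
    in_slack = pos_in_file >= logical_size    # past EOF, inside the last block
    return (path, in_slack)
```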
Integrating bulk_extractor with SleuthKit would also open up the possibility of carving records from specific file types, such as evtx logs, which would be far more efficient than carving across the whole disk.
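A rough sketch of what that per-file-type dispatch could look like; `scan_evtx_records()` is hypothetical, and `scan_buffer()` is the generic stand-in from the first sketch:

```python
def scan_evtx_records(data, path):
    # Placeholder: walk the ElfChnk chunks inside the file and feed each
    # record to the feature scanners. Real EVTX parsing is out of scope here.
    pass

def dispatch_file(data, path):
    if data.startswith(b"ElfFile\x00"):      # EVTX file header magic
        scan_evtx_records(data, path)        # format-aware record carving
    else:
        scan_buffer(data, context=path)      # generic scanners, as before
```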
It shouldn't be hard. Most of the code already exists in fiwalk.
I can make it an option. The big question is what to do if SleuthKit crashes, but I think that I can handle that too.
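One way to handle a crash, sketched here under the assumption that the file walk runs in a child process: a segfault inside libtsk then kills only the child, and the parent falls back to today's whole-disk behavior. `process_image()` is the first sketch above; `scan_whole_image()` is a hypothetical stand-in for the existing mode:

```python
import multiprocessing

def scan_whole_image(image_path):
    # Placeholder for bulk_extractor's current mode: one pass over raw sectors.
    pass

def safe_process(image_path):
    child = multiprocessing.Process(target=process_image, args=(image_path,))
    child.start()
    child.join()
    if child.exitcode != 0:          # a crash surfaces as a nonzero exit code
        scan_whole_image(image_path)
```

In a real design the child would stream its features to disk as it goes, so partial results survive a crash.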