
Bulk_extractor options

Open nconnizzo-cosa opened this issue 2 years ago • 7 comments

Hi all-

Just wondering if it is possible to use some of the more advanced options of bulk_extractor when running Brunnhilde? (such as enabling/disabling scanners, including custom ones, using stop and alert lists, and so on)

Second question: does Brunnhilde run bulk_extractor on directories or only on disk images? My testing has shown that there are no BE outputs when run on an identical set of records packaged as an E01 versus as a nested directory, but I could be doing something wrong! (running Ubuntu 22.04, 64-bit)

Thanks so much for all your work on this tool!

nconnizzo-cosa, Nov 02 '23 13:11

I can only answer the second question. I’ve only ever really used it on directory inputs but I assumed bulk extractor via Brunnhilde would work on disk images too? Is your issue that you’re seeing no BE outputs with directory input? Or is the issue with disk images?

kieranjol, Nov 02 '23 13:11

It's the latter -- when I ran Brunnhilde targeting a directory, BH worked fine (siegfried outputs looked good) but there were no BE reports. When I targeted a disk image (E01) I got both the BH outputs and all the bulk-extractor reports. Perhaps I was missing a flag? Let me re-test with the same data and report back. Could be user error!

nconnizzo-cosa, Nov 02 '23 14:11

What was your command line that you used? I always use

brunnhilde.py -b -n path/to/input_folder path/to/output

kieranjol, Nov 02 '23 14:11

I have been using brunnhilde.py -b -l -z -o --hash SHA256 path-to-input/ path-to-output/

Run on a directory of emails (MBOX format) and attachments (separated out)

nconnizzo-cosa, Nov 02 '23 15:11

> I have been using brunnhilde.py -b -l -z -o --hash SHA256 path-to-input/ path-to-output/
>
> Run on a directory of emails (MBOX format) and attachments (separated out)

Huh, Bulk Extractor should run in that case! Is there any mention of it in the terminal output? Is there a logs/bulk_extractor-log.txt file in the output directory?

tw4l, Nov 02 '23 15:11
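The troubleshooting step tw4l suggests (look for `logs/bulk_extractor-log.txt` in the output directory) can be scripted so the same check is repeatable across test runs and VMs. The following is an added example, not code from the Brunnhilde project or from anyone in this thread. The log path comes from the comment above; the `bulk_extractor/` report subdirectory name is an assumption and may need changing for your Brunnhilde version.

```sh
#!/bin/sh
# Added example (not from the Brunnhilde project): sanity-check a Brunnhilde
# output directory for the bulk_extractor artefacts discussed in the thread.
# Assumption: besides logs/bulk_extractor-log.txt (named in the thread),
# Brunnhilde writes BE reports under a "bulk_extractor/" subdirectory.
# Change BE_REPORT_DIR if your version uses another name.

BE_REPORT_DIR="bulk_extractor"

# check_be_outputs OUTPUT_DIR
# Returns 0 when the bulk_extractor log exists and is non-empty, 1 otherwise.
# Prints what it found so the result can be pasted into a bug report.
check_be_outputs() {
    outdir="$1"
    log="$outdir/logs/bulk_extractor-log.txt"

    if [ ! -d "$outdir" ]; then
        echo "no such output directory: $outdir" >&2
        return 1
    fi

    # -s is true only for an existing, non-empty file
    if [ ! -s "$log" ]; then
        echo "bulk_extractor log missing or empty: $log" >&2
        echo "hint: was brunnhilde.py run with -b?" >&2
        return 1
    fi

    echo "found bulk_extractor log: $log ($(wc -l < "$log") lines)"

    if [ -d "$outdir/$BE_REPORT_DIR" ]; then
        n=$(find "$outdir/$BE_REPORT_DIR" -type f | wc -l)
        echo "report files under $BE_REPORT_DIR/: $n"
    else
        echo "no $BE_REPORT_DIR/ directory (assumed name) in $outdir"
    fi
    return 0
}

# When run as a script with an argument, check that directory and exit with
# the function's status; when sourced or run without arguments, do nothing.
if [ -n "${1-}" ]; then
    check_be_outputs "$1"
    exit $?
fi
```

Usage: `sh check_be_outputs.sh path-to-output/` after a run such as `brunnhilde.py -b ... path-to-input/ path-to-output/`; a non-zero exit means the bulk_extractor stage left no log, which is the symptom reported above.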

I ran your command on Windows, using bulk_extractor 2.0.2 and Brunnhilde v1.9.6, and I get BE outputs!

kieranjol, Nov 02 '23 15:11

Hmm, OK, I will test again. For what it's worth, I am running Ubuntu in a VM and using some test data that I created in a BitCurator deployment, so I wonder if my configuration is wonky. Thank you all for your help; I will try to replicate again tomorrow and let you know.

nconnizzo-cosa, Nov 02 '23 19:11