
bulk_extractor carving options

Open ohl95 opened this issue 1 year ago • 6 comments

First of all thank you for providing this amazing tool.

I was wondering if there might be a way to run bulk extractor, as a part of Brunnhilde, but exclude the file carving components of bulk_extractor. BE is a great tool for tracking down so many files that contain sensitive information, but recovering files/file carving is not something I necessarily need. Moreover, there always tend to be hang-ups when bulk extractor is carving out files; it is computationally very heavy, and I would like to avoid the process altogether, if it's possible. Essentially this could mean excluding certain scanners that involve carving files.

I am typically running brunnhilde on a mac through CLI.

ohl95 avatar Oct 29 '24 21:10 ohl95

Hi @ohl95, sure, that's a very reasonable request!

It looks like the carvers may need to be disabled independently, e.g. `-S evtx_carved_carve_mode=0 -S jpeg_carve_mode=0 ...`. Would you want to be able to pick and choose which carvers to set at what level, or would a single Brunnhilde flag that disables them all be sufficient?

tw4l avatar Oct 31 '24 16:10 tw4l

Thank you for the response!!

I think for my purposes, it would be very convenient to just turn off all scanners that involve file carving, with a single flag. However, I say that without a full understanding of how BE works. I am mainly using BE to identify PII, Accts, CCN, SSN, emails, phone numbers etc., all identity-related scans. I don't want to speak for other people that use this tool, who might like the ability to pick and choose specific scanners.

Like I said, I'm no expert on BE, so I'm not entirely sure what scanners govern these carved files, but the carved files I am frequently getting are: jpeg (from the jpeg scanner: `-S jpeg_carve_mode=[0,1,2]`), sqlite_carved (`-S sqlite_carve_mode=[0,1,2]`), utmp_carved (unsure which scanner governs this), winpe_carved (unsure which scanner this is), and zip (`-S unzip_carve_mode=[0,1,2]`).

One other very important reason why it would be great to turn these off!!!! (see below for a quote from their documentation):

> Because bulk_extractor can carve files and preserve original file extensions, there is a real possibility that bulk_extractor might be carving out malware. There is no protection in bulk_extractor against putting malware in a file on your hard drive. Users running bulk_extractor to look for malware should turn off all anti-virus software because the anti-virus program will think it's creating malware and stop it. Then the user should carefully scan the results looking for malware before re-enabling the anti-virus.

ohl95 avatar Oct 31 '24 17:10 ohl95

That's all helpful context, and yes, a very good point about the file carving and malware!

I have a pretty packed next few days but am making a note for myself to look into this Monday and will try to get a PR in next week :)

tw4l avatar Oct 31 '24 17:10 tw4l

wowee thank you so much!

ohl95 avatar Oct 31 '24 17:10 ohl95

Hi @ohl95, sorry for taking longer than expected on this, but I have a pull request open for this feature: https://github.com/tw4l/brunnhilde/pull/69.

As I point out there, it seems like the Bulk Extractor option to disable JPEG file carving isn't working, at least for me locally with Bulk Extractor 2.1.1. I'm going to investigate a little further, it's possible this is a bug in BE.

tw4l avatar Dec 15 '24 16:12 tw4l
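Since the thread reports that the JPEG carver kept carving even with its carve mode set to 0, a practitioner wants two things: the `-S <carver>_carve_mode=0` arguments assembled in one place, and a post-run check that the output directory really contains no carved files. The example below is added here and is not Brunnhilde's or bulk_extractor's own code; the parameter names are taken from this thread (confirm them against your bulk_extractor version's own scanner-parameter help), and the sample directory listing is constructed.

```python
"""Added example; not Brunnhilde's or bulk_extractor's own code.

Builds the -S <carver>_carve_mode=0 arguments discussed in this thread and
audits a finished bulk_extractor output directory for carved files, since
the thread reports the JPEG carver kept carving despite carve_mode=0.
"""
import pathlib

# Parameter names as they appear in this thread (assumption: they match the
# scanner parameters of the bulk_extractor build you run).
CARVE_PARAMS = ("jpeg_carve_mode", "sqlite_carve_mode", "unzip_carve_mode",
                "evtx_carved_carve_mode")


def carve_disable_args(params=CARVE_PARAMS):
    """Return the argv fragment setting every listed carver to mode 0 (carve nothing)."""
    args = []
    for name in params:
        args += ["-S", f"{name}=0"]
    return args


def classify_output(relative_paths):
    """Split paths (relative to the output dir) into top-level feature files
    such as email.txt and carved payloads, counted per *_carved directory."""
    features, carved = [], {}
    for rel in relative_paths:
        parts = pathlib.PurePosixPath(rel).parts
        if len(parts) == 1 and parts[0].endswith(".txt"):
            features.append(parts[0])
        elif len(parts) > 1 and parts[0].endswith("_carved"):
            carved[parts[0]] = carved.get(parts[0], 0) + 1
    return sorted(features), carved


def audit_output_dir(outdir):
    """Run classify_output() over a real bulk_extractor output directory."""
    root = pathlib.Path(outdir)
    rel = [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]
    return classify_output(rel)


# Constructed listing shaped like a run where JPEG carving was not disabled.
SAMPLE_LISTING = [
    "report.xml", "email.txt", "ccn.txt", "telephone.txt",
    "jpeg_carved/000/00000042-0.jpg", "jpeg_carved/000/00001337-0.jpg",
    "sqlite_carved/000/00002048-0.sqlite3",
]

if __name__ == "__main__":
    print("bulk_extractor", *carve_disable_args(), "-o out image.dd")
    features, carved = classify_output(SAMPLE_LISTING)
    print("feature files:", features)
    if carved:
        print("WARNING: carved output present despite carve_mode=0:", carved)
```

Point `audit_output_dir()` at the `bulk_extractor` directory of a Brunnhilde report after a run with the carvers disabled; a non-empty `carved` result means one of the carvers ignored its setting.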

@tw4l no worries at all!! I appreciate y'all looking into this!! I think I was actually experiencing the exact same issue when I was running it locally too. I think that there might be one scanner that does carving even though it doesn't mention it in their documentation. However, it's been a while since I've played with it and my memory may not be serving me correctly, but I'll poke around and see if I can figure anything out that might help. Thanks again!!

Edit/update: looks like you already mentioned it on the BE github page. Thanks again for looking into this!!

ohl95 avatar Feb 14 '25 00:02 ohl95