bulk_extractor can be used on Windows, Linux, and Macintosh OS X platforms.
This page contains instructions for downloading, building and installing bulk_extractor on Linux and OS X, and for downloading and installing the bulk_extractor binary on Windows. If you would like to build your own Windows binary, a Linux system must be used; see Cross-compiling for Windows below.
For additional information on bulk_extractor see Forensics Wiki Entry: http://www.forensicswiki.org/wiki/Bulk_extractor
- Download the latest bulk_extractor Windows installer from here.
- Install bulk_extractor by running the downloaded Windows installer.
At the present time, your best bet is to clone the bulk_extractor git repository and build bulk_extractor from sources. To build the program you will need to have many dependencies installed. Inside the `etc/` top-level directory you will find shell scripts for configuring Amazon Linux and Ubuntu Linux.
When you build bulk_extractor, you need to decide which of the optional components you wish to build and install. These include:
- AFFLIB (no longer recommended)
- libewf (you'll need this for reading EnCase disk images)
- hashdb (if you are working on hash-based carving)
Once the VM is configured, run the `bootstrap.sh` script and then `./configure && make && sudo make install`.
The install process for Mac users is similar to that for Fedora users. We recommend using MacPorts:
```
sudo port install flex autoconf automake pkgconfig
```
The following might be helpful, but development code might be required. The -devel ports might not be available for OS X, but you can try to install these ports anyhow (as they will be updated eventually):
```
sudo port install libewf openssl tre libxml2
```
At present, libewf is too old to provide the support needed to process E01 files. However, for OS X, libewf-devel is not available in ports. Therefore, please download and install libewf as described for CentOS / RHEL Users, above.
If you wish to use hashdb, you will need to build and install the hashdb library:
Build hashdb next
Now make and install bulk_extractor with hashdb included. In the bulk_extractor directory:
```
./configure
make
sudo make install
```
Try using ASan:
```
make gitfixup   # brings every submodule to master
CXXFLAGS="-fsanitize=address" ./configure   # Runs with ASan (requires clang & libasan to be installed)
```
- Run -E with all of the scanners one-by-one with ASan to find scanner-specific bugs. Currently there seems to be a bug in email in the histogram generation process and in scan_hex.
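The per-scanner ASan sweep described above, as an added shell example (not a script from the bulk_extractor repository). The function names, the binary and image paths, and the scanner names passed in are assumptions; `-E` is the option named above and `-o` selects the output directory.

```shell
#!/bin/sh
# Added example, not part of the bulk_extractor source tree.
# Assumptions: the binary was built with -fsanitize=address; the binary
# path, image path and scanner names are supplied by the caller.

# run_scanner BE IMAGE OUTROOT SCANNER
# Returns 0 = clean run, 1 = ASan report seen, 2 = other failure.
run_scanner() {
    be=${1:?binary required}; image=${2:?image required}
    outroot=${3:?output root required}; scanner=${4:?scanner required}
    outdir="$outroot/$scanner"
    log="$outroot/$scanner.stderr"
    mkdir -p "$outroot"
    rm -rf "$outdir"    # start each run from a fresh output directory
    rc=0
    # detect_leaks=0 keeps leak summaries from being counted as failures,
    # so the sweep reports memory-safety errors only.
    ASAN_OPTIONS="detect_leaks=0" \
        "$be" -E "$scanner" -o "$outdir" "$image" >/dev/null 2>"$log" || rc=$?
    # ASan report headers look like "==PID==ERROR: AddressSanitizer: <kind>".
    if grep -q 'ERROR: AddressSanitizer' "$log"; then
        return 1
    elif [ "$rc" -ne 0 ]; then
        return 2
    fi
    return 0
}

# sweep_scanners BE IMAGE OUTROOT SCANNER...
# Prints one "<scanner> <clean|asan|failed>" line per scanner.
sweep_scanners() {
    sw_be=$1; sw_image=$2; sw_out=$3; shift 3
    for s in "$@"; do
        result=0
        run_scanner "$sw_be" "$sw_image" "$sw_out" "$s" || result=$?
        case $result in
            0) echo "$s clean" ;;
            1) echo "$s asan" ;;
            *) echo "$s failed" ;;
        esac
    done
}
```

After sourcing the file, a call such as `sweep_scanners ./src/bulk_extractor image.raw asan_out email hex` leaves each scanner's stderr, including any ASan stack trace, in `asan_out/<scanner>.stderr`.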
To keep bulk_extractor and its submodules current with the latest code on GitHub, type:
```
# cd to the bulk_extractor directory
make pull
```
To change your repository to make it use a new master branch of a submodule:
```
# cd to the submodule
git pull origin master
# cd back to the bulk_extractor directory
git add <submodule directory>
# then commit and push the bulk_extractor change using the latest new submodule
```
1. bulk_extractor builds with the GNU autotools.
2. We recommend compiling bulk_extractor with -O3, and that is the default. You can disable all optimization flags by specifying the configure option --with-noopt.
3. Building with a different glibc: In creating the bulk_extractor.so, it may be necessary to build with an older glibc. We're not sure how to do it, but one of these links may help:
4. The following directories will NOT be installed with the commands provided:
   - python/ - bulk_extractor python tools. Copy them where you wish and run them directly. These tools are experimental.
   - plugins/ - This is for C/C++ developers only. You can develop your own bulk_extractor plugins, which will then be run at run-time if the .so or .dll files are in the same directory as the bulk_extractor executable.
The Windows configuration of bulk_extractor can be cross-compiled on a Fedora 20 or newer system using mingw. A script is provided in the src_win directory for configuring a Fedora virtual machine to cross-compile to Windows. Some users have also reported success at compiling on Ubuntu, but it is harder.
If you downloaded bulk_extractor using git (rather than downloading the .tar.gz file), run bootstrap.sh:
If you have previously run configure for a native build, please clean up:
Install MinGW and the libraries required for cross-compilation. This will take some time and will require the root password:
```
cd src_win
./CONFIGURE_F20.bash
```
To include hashdb, follow the build instructions on the hashdb GitHub page: https://github.com/simsong/hashdb/wiki/Download
Finally, cross-compile bulk_extractor to build the Windows installer:
Please install the generated bulk_extractor Windows installer .exe file onto your Windows system.