Installing bulk_extractor

Simson L. Garfinkel edited this page Jun 28, 2018 · 95 revisions


bulk_extractor can be used on Windows, Linux, and Macintosh OS X platforms.

This page contains instructions for downloading, building and installing bulk_extractor on Linux and OS X, and for downloading and installing the bulk_extractor binary on Windows. If you would like to build your own Windows binary, a Linux system must be used; see Cross-compiling for Windows below.

For additional information on bulk_extractor see Forensics Wiki Entry:

Windows Users

  1. Download the latest bulk_extractor Windows installer from here.
  2. Install bulk_extractor by running the downloaded Windows installer.
Note: Temporarily turn off your virus checker if it refuses to download and/or install bulk_extractor.

Linux and OS X Users

Downloading the Latest Release

At the present time, your best bet is to clone the bulk_extractor git repository and build bulk_extractor from sources. To build the program you will need to have many dependencies installed inside the `etc/` top-level directory you will find shell-scripts for configuring Amazon Linux and Ubuntu Linux.

When you build bulk_extractor, you need to decide which of the optional components you wish to build and install. These include:

  • AFFLIB (no longer recommended)
  • libewf (you'll need this for reading encase disk images).
  • hashdb (if you are working on hash-based carving)

Once the VM is configured, run the `boostrap` script and then `./configure && make && sudo make install`.

Mac OS X Users =

The install process for Mac users is similar to that for Fedora users. We recommend using MacPorts:

 sudo port install flex autoconf automake pkgconfig

The following might be helpful, but development code might be required. The -devel ports might not be available for OS X, but you try to install these ports anyhow (as they will be updated eventually):

 sudo port install libewf openssl tre libxml2

At present, libewf is too old to provide the support needed to process E01 files. However, for OS X, libewf-devel is not available in ports. Therefore, please download and install libewf as described for CentOS / RHEL Users, above.


If you wish to use hashdb, you will need to build and install the hashdb library:

Build hashdb next

Now make and install bulk_extractor with hashdb included. In the bulk_extractor directory"

   sudo make install

Debugging new modules

Try using ASan:

   make gitfixup   # brings every submodule to master
   CXXFLAGS="-fsanitize=address" ./configure   # Runs with ASan (requires clang & libasan to be installed)

- Run -E with all of the scanners one-by-one with ASan to find scanner-specific bugs. Currently there seems to be a bug in email in the histogram generation process and in scan_hex

To keep bulk_extractor and its submodules current with the latest code on GitHub, type:

    cd to the bulk_extractor directory
    make pull

To change your repository to make it use a new master branch of a submodule:

 cd to the submodule
 git pull origin master
 cd back to the bulk_extractor directory
 git add submodule directory,  
 then commit and push the bulk_extractor change using the latest new submodule

Compiling Notes

1. bulk_extractor builds with the GNU auto tools.

2. We recommend compiling bulk_extractor with -O3 and that is the

   default. You can disable all optimization flags by specifying the
   configure option --with-noopt.

3. Building with a different glibc In creating the, it may be necessary to build with an older glibc. We're not sure how to do it, but one of these links may help:

4. The following directories will NOT be installed with the commands provided:

    python/   - bulk_extractor python tools.
    	      	Copy them where you wish and run them directly. 

These tools are experimental.

    plugins/  - This is for C/C++ developers only. You can develop your own
    	      	bulk_extractor plugins which will then be run at run-time

if the .so or .dll files are in the same directory as the bulk_extractor executable.

Cross-compiling for Windows

The Windows configuration of bulk_extractor can be cross-compiled on a Fedora 20 or newer system using mingw. A script is provided in the src_win directory for configuring a Fedora virtual machine to cross-compile to windows. Some users have also reported success at compiling on Ubuntu, but it is harder.

If you downloaded bulk_extractor using git (rather than downloading the .tar.gz file), run


If you have previously run configure for a native build, please clean up:

 make distclean

Install MinGW and the libraries required for cross-compilation. This will take some time and will require the root password:

 cd src_win

To include hashdb, follow the build instructions on the hashdb github page:

Finally, cross-compile bulk_extractor to build the Windows installer:


Please install the generated bulk_extractor windows installer .exe file onto your Windows system.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.