
Installing bulk_extractor

Simson L. Garfinkel edited this page Jun 28, 2018 · 95 revisions

Overview

bulk_extractor can be used on Windows, Linux, and Macintosh OS X platforms.

This page contains instructions for downloading, building and installing bulk_extractor on Linux and OS X, and for downloading and installing the bulk_extractor binary on Windows. If you would like to build your own Windows binary, a Linux system must be used; see Cross-compiling for Windows below.

For additional information on bulk_extractor see Forensics Wiki Entry: http://www.forensicswiki.org/wiki/Bulk_extractor

Windows Users

  1. Download the latest bulk_extractor Windows installer from here.
  2. Install bulk_extractor by running the downloaded Windows installer.
Note: Temporarily turn off your virus checker if it refuses to download and/or install bulk_extractor.

Linux and OS X Users

Downloading the Latest Release

At the present time, your best bet is to clone the bulk_extractor git repository and build bulk_extractor from sources. To build the program you will need to have many dependencies installed; inside the `etc/` top-level directory you will find shell scripts for configuring Amazon Linux and Ubuntu Linux.

When you build bulk_extractor, you need to decide which of the optional components you wish to build and install. These include:

  • AFFLIB (no longer recommended)
  • libewf (you'll need this for reading encase disk images).
  • hashdb (if you are working on hash-based carving)

Once the VM is configured, run the `bootstrap` script and then `./configure && make && sudo make install`.

Mac OS X Users

The install process for Mac users is similar to that for Fedora users. We recommend using MacPorts:

 sudo port install flex autoconf automake pkgconfig

The following might be helpful, but development code might be required. The -devel ports might not be available for OS X, but you can try to install these ports anyhow (as they will be updated eventually):

 sudo port install libewf openssl tre libxml2

At present, libewf is too old to provide the support needed to process E01 files. However, for OS X, libewf-devel is not available in ports. Therefore, please download and install libewf as described for CentOS / RHEL Users, above.

hashdb

If you wish to use hashdb, you will need to build and install the hashdb library:

Build hashdb next



Now make and install bulk_extractor with hashdb included. In the bulk_extractor directory:

   ./configure
   make
   sudo make install

Debugging new modules

Try using ASan:

   make gitfixup   # brings every submodule to master
   CXXFLAGS="-fsanitize=address" ./configure   # Runs with ASan (requires clang & libasan to be installed)

- Run bulk_extractor with -E for each scanner, one by one, under ASan to find scanner-specific bugs. Currently there seems to be a bug in the email scanner's histogram generation and in scan_hex.
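To apply the ASan advice above systematically, here is an added shell script (not part of the bulk_extractor project) that runs one scanner at a time with `-E` and classifies each run from its exit status and sanitizer output. It assumes an ASan-instrumented `./src/bulk_extractor`, an image you are allowed to process, and that the scanner names you pass match your build's `bulk_extractor -h` list.

```shell
#!/bin/sh
# Added example, not part of the bulk_extractor project: run each scanner in
# isolation under an ASan-instrumented build and classify the result.
# Assumptions: ./src/bulk_extractor was configured with
# CXXFLAGS="-fsanitize=address"; "$1" of run_all_scanners is an image you may
# process; the scanner names passed in come from your build's `bulk_extractor -h`.

# Classify one finished run from its exit status ($1) and captured stderr ($2).
# Prints: ok, asan (sanitizer report found), or crash (non-zero exit, no report).
classify_run() {
    status="$1"; log="$2"
    if grep -q 'ERROR: AddressSanitizer' "$log" 2>/dev/null; then
        echo asan
    elif [ "$status" -ne 0 ]; then
        echo crash
    else
        echo ok
    fi
}

# Pull the ASan error kind (e.g. heap-buffer-overflow) out of a log, or "none".
asan_kind() {
    kind=$(sed -n 's/.*ERROR: AddressSanitizer: \([a-z-]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$kind" ]; then echo "$kind"; else echo none; fi
}

# Run bulk_extractor once per scanner (-E enables only that scanner) and print
# "<scanner> <verdict> <asan-kind>" per line; logs and outputs land under $2.
run_all_scanners() {
    image="$1"; outroot="$2"; shift 2
    mkdir -p "$outroot"
    for scanner in "$@"; do
        log="$outroot/$scanner.stderr"; status=0
        # detect_leaks=0 keeps LeakSanitizer noise out of the crash triage.
        ASAN_OPTIONS=detect_leaks=0 ./src/bulk_extractor -E "$scanner" \
            -o "$outroot/$scanner" "$image" >/dev/null 2>"$log" || status=$?
        echo "$scanner $(classify_run "$status" "$log") $(asan_kind "$log")"
    done
}

# Self-check on a constructed log line (not real bulk_extractor output):
demo=$(mktemp)
printf '==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010\n' > "$demo"
echo "demo: $(classify_run 1 "$demo") $(asan_kind "$demo")"   # demo: asan heap-buffer-overflow
rm -f "$demo"

# Real use, e.g.: run_all_scanners /path/to/image.raw /tmp/be_asan email hex exif zip
```

Each output directory passed with `-o` must not already exist, so pick a fresh `$outroot` per sweep.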

To keep bulk_extractor and its submodules current with the latest code on GitHub, type:

    cd /path/to/bulk_extractor    # the top-level bulk_extractor checkout
    make pull

To change your repository to make it use a new master branch of a submodule:

 cd path/to/submodule        # the submodule's directory inside the bulk_extractor checkout
 git pull origin master
 cd /path/to/bulk_extractor  # back to the top-level bulk_extractor directory
 git add path/to/submodule   # stage the new submodule commit
 git commit -m "update submodule to latest master"
 git push                    # publish the bulk_extractor change that uses the new submodule

Compiling Notes

1. bulk_extractor builds with the GNU auto tools.

2. We recommend compiling bulk_extractor with -O3, and that is the default. You can disable all optimization flags by specifying the configure option --with-noopt.

3. Building with a different glibc: in creating the bulk_extractor.so, it may be necessary to build with an older glibc. We're not sure how to do it, but one of these links may help:

4. The following directories will NOT be installed with the commands provided:

    python/   - bulk_extractor python tools. Copy them where you wish and run
                them directly. These tools are experimental.

    plugins/  - This is for C/C++ developers only. You can develop your own
                bulk_extractor plugins, which will then be run at run-time
                if the .so or .dll files are in the same directory as the
                bulk_extractor executable.

Cross-compiling for Windows

The Windows configuration of bulk_extractor can be cross-compiled on a Fedora 20 or newer system using MinGW. A script is provided in the src_win directory for configuring a Fedora virtual machine to cross-compile to Windows. Some users have also reported success at compiling on Ubuntu, but it is harder.

If you downloaded bulk_extractor using git (rather than downloading the .tar.gz file), run bootstrap.sh:

 sh bootstrap.sh

If you have previously run configure for a native build, please clean up:

 make distclean

Install MinGW and the libraries required for cross-compilation. This will take some time and will require the root password:

 cd src_win
 ./CONFIGURE_F20.bash

To include hashdb, follow the build instructions on the hashdb github page: https://github.com/simsong/hashdb/wiki/Download

Finally, cross-compile bulk_extractor to build the Windows installer:

 make

Please install the generated bulk_extractor Windows installer .exe file onto your Windows system.
