bulk_extractor carving options #68

Open
ohl95 opened this issue Oct 29, 2024 · 5 comments

Comments

@ohl95

ohl95 commented Oct 29, 2024

First of all thank you for providing this amazing tool.

I was wondering if there might be a way to run bulk_extractor, as a part of Brunnhilde, but exclude the file carving components of bulk_extractor. BE is a great tool for tracking down so many files that contain sensitive information, but recovering files/file carving is not something I necessarily need. Moreover, there always tend to be hang-ups when bulk_extractor is carving out files; it is computationally very heavy, and I would like to avoid the process altogether, if it's possible. Essentially this could mean excluding certain scanners that involve carving files.

I am typically running brunnhilde on a mac through CLI.

@tw4l
Owner

tw4l commented Oct 31, 2024

Hi @ohl95, sure, that's a very reasonable request!

It looks like the carvers may need to be disabled independently, e.g. -S evtx_carved_carve_mode=0 -S jpeg_carve_mode=0 .... Would you want to be able to pick and choose which carvers to set at what level, or would a single Brunnhilde flag that disables them all be sufficient?

@ohl95
Author

ohl95 commented Oct 31, 2024

thank you for the response!!

I think for my purposes, it would be very convenient to just turn off all scanners that involve file carving, with a single flag. However, I say that without a full understanding of how BE works. I am mainly using BE to identify PII, Accts, CCN, SSN, emails, phone numbers etc.--all identity-related scans. I don't want to speak for other people that use this tool, who might like the ability to pick and choose specific scanners.

Like I said, I'm no expert on BE, so I'm not entirely sure what scanners govern these carved files, but the carved files I am frequently getting are: jpeg (from the jpeg scanner: -S jpeg_carve_mode=[0,1,2]), sqlite_carved (-S sqlite_carve_mode=[0,1,2]), utmp_carved (unsure which scanner governs this), winpe_carved (unsure which scanner this is), and zip (-S unzip_carve_mode=[0,1,2]).

One other very important reason why it would be great to turn these off!!!! (see below for a quote from their documentation)
"Because bulk_extractor can carve files and preserve original file extensions, there is a real possibility that bulk_extractor might be carving out malware. There is no protection in bulk_extractor against putting malware in a file on your hard drive. Users running bulk_extractor to look for malware should turn off all anti-virus software because the anti-virus program will think it's creating malware and stop it. Then the user should carefully scan the results looking for malware before re-enabling the anti-virus."
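
The two comments above describe the mechanism: bulk_extractor takes per-scanner parameters with `-S name=value`, and the carvers expose a `*_carve_mode` parameter where 0 means no carving, 1 means carve only encoded/compressed objects and 2 means carve everything; a whole scanner can also be switched off with `-x scanner`. The following is an added example of how a Brunnhilde-style wrapper could pin every carve mode to 0 and then check that nothing was carved to disk; it is not Brunnhilde's or bulk_extractor's own code. Only `jpeg_carve_mode`, `sqlite_carve_mode` and `unzip_carve_mode` are quoted in this issue; the other parameter names in `ASSUMED_CARVE_PARAMS`, the output directory names in `CARVED_DIRS`, and the sample output tree are assumptions for illustration and must be checked against `bulk_extractor -h` and a real output directory for the installed version.

```python
"""Run bulk_extractor with file carving disabled and verify nothing was carved.

Example code, not part of Brunnhilde or bulk_extractor. Assumptions:
- carve modes: 0 = no carving, 1 = carve encoded/compressed only, 2 = carve all;
- the names in ASSUMED_CARVE_PARAMS follow the "<scanner>_carve_mode" pattern of the
  three names quoted in the issue; verify them with `bulk_extractor -h`;
- carved output lands in the directories named in CARVED_DIRS (names taken from the
  issue) or in any directory ending in "_carved".
"""
import shlex
import subprocess
import tempfile
from pathlib import Path

# Parameter names quoted in the issue.
KNOWN_CARVE_PARAMS = ("jpeg_carve_mode", "sqlite_carve_mode", "unzip_carve_mode")
# Assumed names for the other carvers mentioned; check against the installed version.
ASSUMED_CARVE_PARAMS = ("unrar_carve_mode", "evtx_carve_mode",
                        "utmp_carve_mode", "winpe_carve_mode")
# Output directories the issue reports carved files in (assumed complete).
CARVED_DIRS = ("jpeg", "sqlite_carved", "utmp_carved", "winpe_carved", "zip")


def build_command(source, outdir, disable_carving=True, disable_scanners=(),
                  extra_carve_params=(), exe="bulk_extractor"):
    """Return argv for a bulk_extractor run.

    disable_carving pins every carve-mode parameter to 0 with -S.
    disable_scanners turns whole scanners off with -x; use it as the fallback
    when a carver's carve_mode parameter does not take effect.
    """
    argv = [exe, "-o", str(outdir)]
    if disable_carving:
        for name in KNOWN_CARVE_PARAMS + ASSUMED_CARVE_PARAMS + tuple(extra_carve_params):
            argv += ["-S", f"{name}=0"]
    for scanner in disable_scanners:
        argv += ["-x", scanner]
    argv.append(str(source))
    return argv


def carved_artifacts(outdir):
    """Relative paths of files under any carved-output directory.

    After a run with carving disabled this should be empty. Anything listed
    means a carver ignored its carve_mode (the issue reports this for jpeg on
    bulk_extractor 2.1.1); treat those files as untrusted until scanned.
    """
    out = Path(outdir)
    found = []
    if not out.is_dir():
        return found
    for d in out.iterdir():
        if d.is_dir() and (d.name in CARVED_DIRS or d.name.endswith("_carved")):
            found += [p.relative_to(out).as_posix() for p in d.rglob("*") if p.is_file()]
    return sorted(found)


def run_bulk_extractor(source, outdir, **kwargs):
    """Run bulk_extractor with carving disabled and return any carved leftovers."""
    argv = build_command(source, outdir, **kwargs)
    print("running:", shlex.join(argv))
    subprocess.run(argv, check=True)
    leftovers = carved_artifacts(outdir)
    if leftovers:
        print("WARNING: carved files were written despite carve_mode=0:")
        for path in leftovers:
            print("  ", path)
    return leftovers


def make_demo_outdir():
    """Constructed stand-in for an output directory: one feature file (not carved
    output) plus two carved files left behind by carvers that ignored carve_mode."""
    out = Path(tempfile.mkdtemp(prefix="be_demo_"))
    (out / "email.txt").write_text("# constructed feature file, not carved output\n")
    (out / "jpeg" / "000").mkdir(parents=True)
    (out / "jpeg" / "000" / "00001234.jpg").write_bytes(b"\xff\xd8\xff")
    (out / "winpe_carved" / "000").mkdir(parents=True)
    (out / "winpe_carved" / "000" / "00005678.exe").write_bytes(b"MZ")
    return out


if __name__ == "__main__":
    print(shlex.join(build_command("disk.E01", "be_out", disable_scanners=("winpe",))))
    print(carved_artifacts(make_demo_outdir()))
```

The post-run check matters because of the documentation quoted above: carved files may be live malware, so a run that was meant to carve nothing should be verified, and any leftovers quarantined and scanned rather than opened. Calling `run_bulk_extractor` needs a real bulk_extractor binary; `build_command` and `carved_artifacts` work offline.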

@tw4l
Owner

tw4l commented Oct 31, 2024

That's all helpful context, and yes, a very good point about the file carving and malware!

I have a pretty packed next few days but am making a note for myself to look into this Monday and will try to get a PR in next week :)

@ohl95
Author

ohl95 commented Oct 31, 2024

wowee thank you so much!

@tw4l
Owner

tw4l commented Dec 15, 2024

Hi @ohl95, sorry for taking longer than expected on this, but I have a pull request open for this feature: #69.

As I point out there, it seems like the Bulk Extractor option to disable JPEG file carving isn't working, at least for me locally with Bulk Extractor 2.1.1. I'm going to investigate a little further, it's possible this is a bug in BE.
