bulk_extractor

Extract data from disk image

$ bulk_extractor -o [output_dir] [image.dd]

$ bulk_extractor -o [output_dir] -j [8] [image.dd]

$ bulk_extractor -o [output_dir] -e [exif] [image.dd]

$ bulk_extractor -o [output_dir] -x [email] [image.dd]

$ bulk_extractor -o [output_dir] -Y [0-1000000000] [image.dd]

$ bulk_extractor -o [output_dir] -R [directory]

$ bulk_extractor -o [output_dir] -f "[pattern]" [image.dd]

$ bulk_extractor -H

bulk_extractor [options] image

bulk_extractor is a high-performance digital forensics tool that scans disk images, files, or directories and extracts structured information without parsing file system structures. It extracts email addresses, credit card numbers, URLs, and other artifacts.
The tool processes data in parallel across multiple CPU cores, making it significantly faster than traditional forensic tools.

-o directory

Output directory (required)

Enable specific scanner

Disable specific scanner

Number of threads to use

Page size (default: 16777216)

Maximum recursion depth (default: 12)

Recursively scan directory

Search for specific pattern

Read patterns from file

Scan specific byte range

Wipe output directory before starting

Quiet mode (no status output)

List available scanners with info

Creates report.xml with Digital Forensics XML metadata about the run. Individual feature files contain extracted data types (emails.txt, ccn.txt, urls.txt, etc.).

Output directory must not exist or use -Z to wipe. Processing large images requires significant disk space for output. Some scanners may produce false positives requiring manual review.

foremost(1), scalpel(1), strings(1), photorec(1)