bulk_extractor carving options

[ohl95]

First of all thank you for providing this amazing tool.

I was wondering if there might be a way to run bulk extractor, as apart of Brunnhilde, but exclude file carving components of bulk_extractor. BE is a great tool for tracking down so many files that contain sensitive information, but recovering files/file carving is not something I necessarily need. Moreover there always tends to be hang ups when bulk extractor is carving out files, is computationally very heavy, and I would like to avoid the process altogether, if it's possible. essentially this could mean excluding certain scanners that involve carving files

I am typically running brunnhilde on a mac through CLI.

[tw4l]

Hi @ohl95, sure, that's a very reasonable request!

It looks like the carvers may need to be disabled independently, e.g. -S evtx_carved_carve_mode=0 -S jpeg_carve_mode=0 .... Would you want to be able to pick and choose which carvers to set at what level, or would a single Brunnhilde flag that disables them all be sufficient?

[ohl95]

thank you for the response!!

I think for my purposes, it would be very convenient to just turn off all scanners that involve file carving, with a single flag. However I say that without a full understanding of how BE works. I am mainly using BE to identify PII, Accts, CCN, SNN, emails, phone numbers etc.--all Identity related scans. I don't want to speak for other people that use this tool, who might like the ability to pick and choose specific scanners.

Like I said, I'm no expert on BE, so Im not entirely sure what scanners govern these carved files, but the carved files I am frequently getting are: jpeg (from jpeg scanner: -S jpeg_carve_mode= [0,1,2]), sqlite_carved (-S sqlite_carve_mode=[0,1,2]), utmp_carved (unsure which scanner governs this), winpe_carved (unsure which scanner this is), and zip (-S unzip_carve_mode=[0,1,2]).

One other very important reason why it would be great to turn these off!!!! (see below for a quote from their documentation)
Because bulk_extractor can carve files and preserve original file extensions, there is a real possibility that bulk_extractor might be carving out malware. There is no protection in bulk_extractor against putting malware in a file on your hard drive. Users running bulk_extractor to look for malware should turn off all anti-virus software because the anti-virus program will think its creating malware and stop it. Then the user should carefully scan the results looking for malware before re-enabling the anti-virus.

[tw4l]

That's all helpful context, and yes, a very good point about the file carving and malware!

I have a pretty packed next few days but am making a note for myself to look into this Monday and will try to get a PR in next week :)

[ohl95]

wowee thank you so much!