Bulk_extractor options #63
Comments
I can only answer the second question. I’ve only ever really used it on directory inputs but I assumed bulk extractor via Brunnhilde would work on disk images too? Is your issue that you’re seeing no BE outputs with directory input? Or is the issue with disk images?
It's the latter -- when I ran Brunnhilde targeting a directory, BH worked fine (siegfried outputs looked good) but there were no BE reports. When I targeted a disk image (E01) I got both the BH outputs and all the bulk-extractor reports. Perhaps I was missing a flag? Let me re-test with the same data and report back. Could be user error!
What was your command line that you used? brunnhilde.py -b -n path/to/input_folder path/to/output
I have been using brunnhilde.py -b -l -z -o --hash SHA256 path-to-input/ path-to-output/ Run on a directory of emails (MBOX format) and attachments (separated out)
Huh, Bulk Extractor should run in that case! Is there any mention of it in the terminal output? Is there a
I ran your command on windows, using bulk_extractor 2.0.2 and brunnhilde v 1.9.6 and I get BE outputs!
Hmm, ok I will test again. For what it's worth, I am running Ubuntu in a VM and using some test data that I created in a BitCurator deployment so I wonder if my configuration is wonky. Thank you all for your help and I will try to replicate again tomorrow and let you know.
Hi all-
Just wondering if it is possible to use some of the more advanced options of bulk_extractor when running Brunnhilde? (such as enabling/disabling scanners, including custom ones, using stop and alert lists, and so on)
Second question: does Brunnhilde run bulk_extractor on directories or only on disk images? My testing has shown that there are no BE outputs when run on an identical set of records packaged as an E01 versus as a nested directory, but I could be doing something wrong! (running Ubuntu 22.04, 64-bit)
Thanks so much for all your work on this tool!