Bulk Extractor.

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem. It belongs to the Forensics & IR category of cybersecurity.

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem.

Bulk Extractor is a parallelized, filesystem-agnostic forensic carving and feature-extraction tool originally developed by Simson Garfinkel and maintained by the Naval Postgraduate School. Given any input — raw disk image, RAM dump, pcap, container image, or even a corrupt filesystem — it sweeps the bytes in parallel and writes 'feature files' containing extracted artifacts: email addresses, URLs, domains, IPv4/IPv6 addresses, credit-card numbers, EXIF metadata, JSON fragments, ELF/PE headers, ZIP entries, decompressed gzip streams, and more. Because it does not require a parseable filesystem, Bulk Extractor is the standard first-pass tool when investigating heavily damaged disks, unallocated space, swap, hiberfil, memory dumps, or unknown binary blobs. Output is straightforward text or histogram files that integrate easily with Autopsy, the Sleuth Kit, or custom analysis pipelines. The 2.0 series (2023) added improved Windows support, better Unicode handling, and cleaner JSON output.

Defences for Bulk Extractor typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: bulk_extractor, Garfinkel bulk_extractor.