Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
Français
Entry № 150

Bulk Extractor

Qu'est-ce que Bulk Extractor ?

Bulk ExtractorAn open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem.

Bulk Extractor is a parallelized, filesystem-agnostic forensic carving and feature-extraction tool originally developed by Simson Garfinkel and maintained by the Naval Postgraduate School. Given any input — raw disk image, RAM dump, pcap, container image, or even a corrupt filesystem — it sweeps the bytes in parallel and writes 'feature files' containing extracted artifacts: email addresses, URLs, domains, IPv4/IPv6 addresses, credit-card numbers, EXIF metadata, JSON fragments, ELF/PE headers, ZIP entries, decompressed gzip streams, and more. Because it does not require a parseable filesystem, Bulk Extractor is the standard first-pass tool when investigating heavily damaged disks, unallocated space, swap, hiberfil, memory dumps, or unknown binary blobs. Output is straightforward text or histogram files that integrate easily with Autopsy, the Sleuth Kit, or custom analysis pipelines. The 2.0 series (2023) added improved Windows support, better Unicode handling, and cleaner JSON output.

Exemples

  1. 01

    An analyst runs Bulk Extractor against a 2 TB disk image overnight and the resulting `email.txt` and `url.txt` feature files seed a focused review.

  2. 02

    A memory dump from a ransomware-infected host is fed to Bulk Extractor to recover plaintext URLs and IP addresses for C2-channel reconstruction.

Questions fréquentes

Qu'est-ce que Bulk Extractor ?

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem. Cette notion relève de la catégorie Forensique et réponse en cybersécurité.

Que signifie Bulk Extractor ?

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem.

Comment fonctionne Bulk Extractor ?

Bulk Extractor is a parallelized, filesystem-agnostic forensic carving and feature-extraction tool originally developed by Simson Garfinkel and maintained by the Naval Postgraduate School. Given any input — raw disk image, RAM dump, pcap, container image, or even a corrupt filesystem — it sweeps the bytes in parallel and writes 'feature files' containing extracted artifacts: email addresses, URLs, domains, IPv4/IPv6 addresses, credit-card numbers, EXIF metadata, JSON fragments, ELF/PE headers, ZIP entries, decompressed gzip streams, and more. Because it does not require a parseable filesystem, Bulk Extractor is the standard first-pass tool when investigating heavily damaged disks, unallocated space, swap, hiberfil, memory dumps, or unknown binary blobs. Output is straightforward text or histogram files that integrate easily with Autopsy, the Sleuth Kit, or custom analysis pipelines. The 2.0 series (2023) added improved Windows support, better Unicode handling, and cleaner JSON output.

Comment se défendre contre Bulk Extractor ?

Les défenses contre Bulk Extractor combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Quels sont les autres noms de Bulk Extractor ?

Noms alternatifs courants : bulk_extractor, Garfinkel bulk_extractor.

Termes liés