autopsy::bulk_extractor

01  Autopsy
Start & create case
# Launch
autopsy                       # Autopsy 2.x (Perl): starts the web UI
# → browser: http://localhost:9999/autopsy
# Autopsy 4.x is a desktop Java app: start the autopsy launcher script (Linux/macOS)
# or autopsy64.exe (Windows); no browser is involved

# Command-line case creation + ingest (Autopsy 4.x; Windows launcher shown,
# the Linux/macOS autopsy script takes the same options)
autopsy64.exe --createCase --caseName=mycase --caseBaseDir=C:\cases ^
  --addDataSource --dataSourcePath=C:\evidence\disk.img --runIngest

# Create case → add data source → analyze
# Key modules to enable:
# ✓ Hash Lookup
# ✓ File Type Identification
# ✓ Embedded File Extractor
# ✓ Keyword Search
# ✓ Recent Activity
# ✓ Email Parser
# ✓ Interesting Files

# Add image: disk.img, memory.dmp, .e01, .l01
Key Autopsy views
Panel                          What to look for
-----------------------------  --------------------------------------------------------
Data Sources                   Browse raw filesystem incl. deleted files (marked *)
Views → Deleted Files          All deleted files across image
Views → File Types             Filter by extension: Images, Documents, Archives
Keyword Search                 Search "picoCTF", "flag", "password"
Results → Interesting Files    Auto-flagged suspicious items
Results → Extracted Content    Browser history, recent docs, emails
Timeline                       Activity timeline; spot anomalous timestamps
Communications                 Email, chat, contact artifacts
Reports                        Generate full HTML/Excel report
02  bulk_extractor
Basic usage
# Scan image / file and extract artifacts
# (bulk_extractor refuses an output dir that already exists and is not empty)
bulk_extractor -o output/ disk.img
bulk_extractor -o output/ memory.dmp
bulk_extractor -o output/ file.bin

# Parallel threads
bulk_extractor -j 4 -o output/ disk.img

# Run only chosen scanners: -x all disables every scanner, -e re-enables one
# (the email scanner is what writes email.txt, url.txt and domain.txt)
bulk_extractor -x all -e email -o out/ disk.img
bulk_extractor -x all -e zip -o out/ disk.img

# Disable a single scanner
bulk_extractor -x base64 -o out/ disk.img

# Recurse into a directory of input files (-R takes a directory, not an image;
# compressed data inside an input is already unpacked and rescanned by default)
bulk_extractor -R -o out/ input_dir/

# Context window: bytes recorded around each hit (default 16)
bulk_extractor -C 512 -o out/ disk.img
Output files
File           Contains
-------------  ------------------------------------
email.txt      Email addresses found
url.txt        URLs
domain.txt     Domain names
ccn.txt        Credit card numbers
telephone.txt  Phone numbers
zip.txt        ZIP archives found
json.txt       JSON fragments
base64.txt     Base64 blobs
pii.txt        Personally identifiable information
carved/        Extracted files (zip, pdf, etc.)
report.xml     Full machine-readable report
# Quick: grep output for flag
grep -r "picoCTF" output/

# Feature files are tab-separated:  offset <TAB> feature <TAB> context
# (header lines start with '#'), so decode the feature column only;
# running base64 -d over whole lines fails on the offset prefix
grep -v '^#' output/base64.txt | cut -f2 | while read -r b; do
    printf '%s\n' "$b" | base64 -d 2>/dev/null | strings | grep "CTF"
done
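The shell loop above is the quick version; when there are thousands of hits it is easier to parse the feature file properly. The following added example (not part of this cheat sheet and not bulk_extractor's own code) reads a file in bulk_extractor's real feature-file layout (comment header, then `offset<TAB>feature<TAB>context`, where the offset may be a forensic path such as `7536640-ZIP-1034` for a hit inside a decompressed archive), tries a strict base64 decode of each feature, and reports any flag-shaped string with the image offset to seek to. The sample file content, offsets and the flag value are constructed for the example.

```python
import base64
import binascii
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Constructed sample in bulk_extractor's feature-file layout: '#' header lines,
# then one hit per line as  offset <TAB> feature <TAB> context.  The offset may
# be a "forensic path" such as 7536640-ZIP-1034 (byte 1034 of the decompressed
# ZIP entry that starts at image byte 7536640).  Offsets, features and the flag
# below are made up for this example.
SAMPLE_FEATURE_FILE = (
    "# BULK_EXTRACTOR-Version: 1.6.0\n"
    "# Feature-Recorder: base64\n"
    "# Filename: disk.img\n"
    "# Feature-File-Version: 1.1\n"
    "4198400\tcGljb0NURntjb25zdHJ1Y3RlZF9zYW1wbGVfZmxhZ30=\t<base64 context>\n"
    "7536640-ZIP-1034\tVGhpcyBpcyBqdXN0IGEgUkVBRE1FIGZpbGUu\t<inside archive>\n"
    "8388608\tnot-really-base64!!\t<junk>\n"
)


class Feature(NamedTuple):
    path: str      # forensic path / byte offset of the hit
    feature: str   # the extracted feature itself
    context: str   # bytes around the hit, as bulk_extractor wrote them


def parse_feature_file(text: str) -> Iterator[Feature]:
    """Yield one Feature per data line; '#' header lines and blanks are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)          # the context column may contain tabs
        if len(parts) < 2:
            continue                         # malformed line, ignore
        context = parts[2] if len(parts) == 3 else ""
        yield Feature(parts[0], parts[1], context)


def image_offset(path: str) -> int:
    """Image byte offset of the outermost object holding the hit:
    '7536640-ZIP-1034' -> 7536640, the place to seek to with dd/icat-style tools."""
    return int(path.split("-", 1)[0])


FLAG_RE = re.compile(r"(?:picoCTF|flag|CTF)\{[^}]*\}", re.IGNORECASE)


def try_b64decode(s: str) -> Optional[bytes]:
    """Strict base64 decode; None if the string is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_flags(text: str) -> List[Tuple[str, str]]:
    """Return (forensic_path, flag) for every feature that holds a flag,
    either literally or after base64 decoding."""
    hits: List[Tuple[str, str]] = []
    for f in parse_feature_file(text):
        candidates = [f.feature]
        decoded = try_b64decode(f.feature)
        if decoded is not None:
            candidates.append(decoded.decode("utf-8", errors="replace"))
        for candidate in candidates:
            m = FLAG_RE.search(candidate)
            if m:
                hits.append((f.path, m.group(0)))
                break
    return hits


if __name__ == "__main__":
    for path, flag in find_flags(SAMPLE_FEATURE_FILE):
        print(f"{flag}  at image offset {image_offset(path)} (path {path})")
```

Point it at a real `out/base64.txt` (or any other feature file) by replacing `SAMPLE_FEATURE_FILE` with the file's contents; the strict `validate=True` decode is what keeps random context bytes from being mistaken for base64.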
03  CTF Triage Workflow
Priority order for CTF disk images
# 1. Fast string hunt (30 seconds)
strings disk.img | grep -i "picoCTF{\|flag{\|CTF{"
strings -el disk.img | grep -i "picoCTF"    # 16-bit little-endian (UTF-16LE) strings

# 2. bulk_extractor sweep (background)
bulk_extractor -j 4 -o /tmp/be_out/ disk.img &

# 3. Mount read-only and browse (while bulk_extractor runs)
#    noload is ext3/ext4-specific: skip journal replay so the image is not touched
sudo mount -o ro,noload,loop disk.img /mnt/img
find /mnt/img -type f -print0 | xargs -0 file 2>/dev/null   # NUL-safe for odd filenames
find /mnt/img -name ".*"                                    # hidden files
find /mnt/img -name "*.txt" -o -name "*.pdf"                # interesting extensions

# 4. Deleted files and timeline (Sleuth Kit)
fls -rd disk.img                                # deleted entries only
fls -r -m "/" disk.img > body.txt               # body file for mactime
mactime -b body.txt -d | grep "197\|198"        # 1970s/1980s dates hint at timestomping
icat disk.img <inode> > recovered.bin           # recover a deleted file by the inode fls printed

# 5. Autopsy for deeper analysis (GUI, parallel)
# Use Keyword Search: "picoCTF", "flag", "password", "secret"

# 6. Check bulk_extractor results
grep -r "picoCTF" /tmp/be_out/
ls /tmp/be_out/carved/                          # extracted files
# feature files are  offset <TAB> feature <TAB> context ; decode column 2 only
grep -v '^#' /tmp/be_out/base64.txt | cut -f2 | while read -r b; do
    printf '%s\n' "$b" | base64 -d 2>/dev/null | grep -a "CTF"
done
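Step 4 pipes the `fls -m` body file through `mactime` and greps for 1970s/1980s years; that string match also fires on any filename containing "197", and it misses the other classic indicator, a creation time later than the last-modified time. The following added example (not part of this cheat sheet and not a Sleuth Kit tool) parses the TSK 3.x body format directly (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds, with `fls` appending " (deleted)" to deleted entries) and applies both checks numerically. The three body lines, paths, inodes and timestamps are constructed for the example.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple, Tuple

# Constructed sample in the TSK 3.x body format that `fls -m` emits:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times = Unix epoch)
# fls appends " (deleted)" to the names of deleted entries.  Paths, inodes and
# timestamps here are invented for this example.
SAMPLE_BODY = "\n".join([
    "0|/docs/report.txt|16|r/rrwxrwxrwx|0|0|2048|1600000000|1600000000|1600000000|1599990000",
    "0|/docs/.hidden_flag|17|r/rrwxrwxrwx|0|0|40|315532800|315532800|315532800|1600000000",
    "0|/docs/old.txt (deleted)|18|r/rrwxrwxrwx|0|0|100|1600000000|1599000000|1600000000|1600050000",
])


class BodyEntry(NamedTuple):
    name: str
    inode: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    deleted: bool


def parse_body_file(text: str) -> List[BodyEntry]:
    """Parse body-format lines; anything that is not an 11-field record is skipped."""
    entries: List[BodyEntry] = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        entries.append(BodyEntry(name, inode, int(size), int(atime), int(mtime),
                                 int(ctime), int(crtime), name.endswith("(deleted)")))
    return entries


def year_utc(ts: int) -> int:
    """Calendar year of an epoch timestamp, evaluated in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).year


def suspicious_entries(text: str, min_year: int = 1990) -> List[Tuple[str, List[str]]]:
    """Flag entries whose timestamps look tampered with:
    - any non-zero timestamp before min_year (the numeric form of grepping
      mactime output for "197" / "198" years),
    - creation time later than last-modified time (crtime > mtime), which a
      normal create-then-write sequence does not produce.
    A zero timestamp means 'unknown' in TSK output and is ignored."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in parse_body_file(text):
        reasons: List[str] = []
        stamps = {"atime": e.atime, "mtime": e.mtime, "ctime": e.ctime, "crtime": e.crtime}
        old = [k for k, v in stamps.items() if v > 0 and year_utc(v) < min_year]
        if old:
            reasons.append(f"pre-{min_year} timestamp(s): {', '.join(old)}")
        if e.crtime > 0 and e.mtime > 0 and e.crtime > e.mtime:
            reasons.append("crtime > mtime (created after last modified)")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_BODY):
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the `body.txt` produced in step 4 instead of `SAMPLE_BODY`; entries it flags are the ones to open first with `icat disk.img <inode>`. The crtime check is only meaningful on filesystems that record a creation time (NTFS, ext4), so expect no hits from it on FAT or ext2/3 images.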
04  Common Artifact Locations
Where flags hide on disk images
Location                   Tool                  Command
-------------------------  --------------------  -----------------------------------------------------
Deleted files              TSK / Autopsy         fls -rd disk.img → icat disk.img <inode>
Timestomped files          TSK mactime           fls -r -m / disk.img | mactime -d | grep "197"
File slack space           TSK / blkls           blkls -s disk.img | strings
Unallocated space          TSK / foremost        blkls disk.img > unalloc.raw; foremost -i unalloc.raw
Hidden files (.name)       find                  find /mnt -name ".*"
Alternate data streams     TSK (NTFS)            fls -r disk.img | grep ":"
NTFS $MFT / $LogFile       Autopsy               Metadata Artifacts panel
Steganography in images    steghide / zsteg      steghide extract -sf img.jpg
Browser history            Autopsy / sqlite      Results → Web History
Registry Run keys          Autopsy / regripper   Results → Registry
Prefetch files             Autopsy               Results → Recent Activity
Base64 in files            bulk_extractor        cut -f2 output/base64.txt
QUICK TRIAGE
  ① strings disk.img | grep "picoCTF{"
  ② bulk_extractor -j4 -o out/ disk.img
  ③ Mount → find -name ".*" → hidden files
  ④ fls -rd disk.img → deleted → icat
  ⑤ Autopsy Keyword Search → "flag", "picoCTF", "password"
  ⑥ grep -r picoCTF out/ → bulk_extractor results