Sunday, February 7, 2021

Forensic Analyzing Memory Image - Bulk-extractor

bulk_extractor is a program that extracts features such as email addresses, credit card numbers, URLs, and other types of information from digital evidence files. It is a useful forensic investigation tool for many tasks such as malware and intrusion investigations, identity investigations and cyber investigations, as well as analyzing imagery and password cracking.

  1. Start Kali Linux and download memdump.mem [512 MB]
  2. Run bulk_extractor -o bulk -e wordlist memdump.mem (-o sets the output directory, -e enables the wordlist scanner, which is off by default). The results will be placed in the "bulk" folder.
  3. Run cd bulk and then ls -l; you will see a list of output files
  4. Use nano to view the files
    • nano domain_histogram.txt. You will see the domains visited on this computer and the number of times each appears. You can use ctrl+W to search for a term, e.g. ccsf.edu
    • ctrl+X to close nano.
    • nano ccn_histogram.txt. You will see the credit card numbers found.
    • nano wordlist.txt. You will see the words found and their frequency. Useful as a wordlist for cracking encrypted files.
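As an added example (not part of the original post or of bulk_extractor itself), a small Python script that parses the histogram files from step 4 and runs a Luhn check over ccn_histogram.txt so obvious false positives are separated out before an analyst reads the list. The sample lines and header names are constructed, and the histogram line format ("n=<count>", tab, feature) is an assumption.

```python
import re

# Constructed bulk_extractor histogram sample (not from the page). Lines are
# "n=<count>\t<feature>", optionally "\t(utf16=<count>)"; "#" lines are headers.
SAMPLE_DOMAIN_HISTOGRAM = """\
# Feature-Recorder: domain
# Filename: memdump.mem
n=312\tccsf.edu
n=87\twww.google.com\t(utf16=12)
n=5\tlocalhost
"""

# Constructed ccn_histogram sample: two standard test numbers plus a non-Luhn digit run.
SAMPLE_CCN_HISTOGRAM = """\
# Feature-Recorder: ccn
n=4\t4111111111111111
n=9\t1234567890123456
n=2\t5500 0000 0000 0004
"""

HIST_LINE = re.compile(r"^n=(\d+)\t([^\t]+)(?:\t\(utf16=(\d+)\))?$")

def parse_histogram(text):
    """Return [(feature, count), ...] sorted by count descending, skipping headers."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = HIST_LINE.match(line)
        if m:  # ignore malformed lines instead of aborting the triage run
            rows.append((m.group(2), int(m.group(1))))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def triage_ccn(text):
    """Split ccn_histogram rows into (luhn_valid, rejected) to cut false positives."""
    kept, dropped = [], []
    for feature, count in parse_histogram(text):
        digits = re.sub(r"\D", "", feature)
        ok = 13 <= len(digits) <= 19 and luhn_ok(digits)
        (kept if ok else dropped).append((feature, count))
    return kept, dropped
```

Point the functions at the real bulk/domain_histogram.txt and bulk/ccn_histogram.txt contents to get a ranked list without scrolling through nano.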

Note: To copy files from the host to the VM, you need to shut down the guest and set up a "shared folder" so the VM can access a folder on the host. Alternatively, enable USB on the VM so you can access files through a USB device in the guest.
Reference: https://samsclass.info/121/proj/p4-Bulk.htm