Digital media triage with bulk data analysis and bulk_extractor

Bulk data analysis eschews file extraction and analysis, common in forensic practice today, and instead processes data in “bulk,” recognizing and extracting salient details (“features”) of use in the typical digital forensics investigation. This article presents the requirements, design and implementation of the bulk_extractor, a high-performance carving and feature extraction tool that uses bulk data analysis to allow the triage and rapid exploitation of digital media. Bulk data analysis and the bulk_extractor are designed to complement traditional forensic approaches, not replace them. The approach and implementation offer several important advances over today's forensic tools, including optimistic decompression of compressed data, context-based stop-lists, and the use of a “forensic path” to document both the physical location and forensic transformations necessary to reconstruct extracted evidence. The bulk_extractor is a stream-based forensic tool, meaning that it scans the entire media from beginning to end without seeking the disk head, and is fully parallelized, allowing it to work at the maximum I/O capabilities of the underlying hardware (provided that the system has sufficient CPU resources). Although bulk_extractor was developed as a research prototype, it has proved useful in actual police investigations, two of which this article recounts.