2014/03/30

Physical Memory Analysis – Bulk Extractor

by Destruct_Icon
Categories: Analysis, Host Forensics

Bulk Extractor

The second tool in our list for Physical Memory Analysis is Bulk Extractor. Bulk Extractor scans a memory dump and writes everything it recognizes (strings, e-mail addresses, URLs, network packets and so on) into per-scanner text files, which then allow you to quickly search for keywords. Let’s get started with the GUI.

[Image: DestructBE1]

In order to run BE against a memory dump you will want to click “Tools” > “Run Bulk Extractor”.

[Image: DestructBE2]

You will be presented with the above and below images. The image from above will allow you to select the memory dump as well as the output directory of the text files which will be created. The below image will be the scanners (generally the separated text files) which will be created in the output directory.

[Image: DestructBE3]

  • Wordlist identifies strings throughout the dump.
  • E-mail looks for any headers, IPs, hostnames or e-mail addresses which may indicate e-mail correspondence.
  • Exif identifies image, audio or video formats.
  • Pdf will pull text from anything related to a PDF.
  • Net looks for any TCP/IP traffic and will create a pcap file to analyze.
  • Zip and Rar look for any compressed media.
  • Winprefetch identifies any prefetch files, which will show you what executables have been recently accessed.
  • For more detailed information on these scanners, click here; it is a nice, detailed write-up of each one.

When you have finished selecting your scanners, click OK, which will begin parsing the memory dump and pulling out any of the requested information.

[Image: DestructBE4]

Once the parsing is complete you will notice that the “Reports” section of the GUI is now populated with all of the scanner information that was selected.

[Image: DestructBE5]

When you select one of the reports, information will be displayed in the fields to the right. The “Feature File” will now display which scanner you have selected as well as a listed view of the output.

[Image: DestructBE7]

You can select one of the entries in the listed view, which will show all of the reference points of that hit string in the “Referenced Feature” section. From there you can drill down to a specific instance of the string you have selected, and the full surrounding content will be shown on the right in the “Image” section. You may also navigate to the folder that you selected as the output directory, which contains a few extra files worth noting.

[Image: DestructBE6]

The PCAP file will be filled with any TCP/IP communication traffic that Bulk Extractor can pull out of the dump. The other file which should be noted is report.xml. This is essentially your project file, which you can open in Bulk Extractor so that you don’t have to keep parsing your image multiple times. One thing to note, though, is that you shouldn’t move the memory image itself after parsing: report.xml references it by location, and it is still required in order to display the detailed information in the “Image” section.

One tip we have for Bulk Extractor is to make sure you use the highlight and feature filter options.

[Image: DestructBE8]

Highlight will keep the string you are trying to identify highlighted across all of the different sections, including the “Image” section. This is extremely useful when you combine it with the “Feature Filter”, which matches your keyword against whatever is populated in the “Feature File” list view. This makes drilling down through memory simple and as effective as you want it to be.
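The “Feature File” view and the “Feature Filter” described above work on Bulk Extractor’s plain tab-separated feature files, so the same drill-down can be scripted. The following is an added example (our own code, not part of Bulk Extractor) that parses a feature file in that format and applies a keyword filter, grouping each hit with its offsets and decoded context the way the “Referenced Feature” view does; the sample email.txt rows are constructed.

```python
"""Parse a Bulk Extractor feature file and apply a keyword filter.
Added example, not Bulk Extractor's own code; sample rows are constructed."""
import re
from collections import defaultdict
# Constructed sample of an email.txt feature file: '#' header lines, then
# "<offset>\t<feature>\t<context>" rows with non-printables \xNN-escaped.
SAMPLE_EMAIL_TXT = """# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: email
# Filename: memory.raw
# Feature-File-Version: 1.1
12345678\tanalyst@example.com\tFrom: analyst@example.com\\x0D\\x0ATo:
12349000\tbob@example.org\tTo: bob@example.org\\x0D\\x0ASubject:
87650000\tanalyst@example.com\t\\x00\\x00analyst@example.com\\x00\\x00
90000000-ZIP-128\tcarol@example.net\tcarol@example.net <carol>
"""

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape(text):
    """Decode \\xNN escapes; non-printable bytes are shown as '.'."""
    def sub(m):
        c = chr(int(m.group(1), 16))
        return c if c.isprintable() else "."
    return _ESCAPE.sub(sub, text)

def parse_feature_file(text):
    """Yield (offset, feature, context) rows, skipping '#' comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed row: feature files are best-effort output
        context = unescape(parts[2]) if len(parts) > 2 else ""
        yield parts[0], unescape(parts[1]), context

def feature_filter(text, keyword):
    """Mimic the GUI's Feature Filter: case-insensitive substring match on the
    feature column, grouped so each hit lists its offsets and decoded
    context, like the GUI's "Referenced Feature" view."""
    hits = defaultdict(list)
    kw = keyword.lower()
    for offset, feature, context in parse_feature_file(text):
        if kw in feature.lower():
            hits[feature].append((offset, context))
    return dict(hits)

if __name__ == "__main__":
    for feat, refs in feature_filter(SAMPLE_EMAIL_TXT, "example.com").items():
        print(feat, [off for off, _ in refs])
```

Offsets such as `90000000-ZIP-128` are kept verbatim, since Bulk Extractor uses that notation to record a hit found inside decompressed data at a given parent offset.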

Thank you for viewing this guide and we hope you have found it useful. The next guide will be about Volatility so please stay tuned!
