By ro0ted | May 23, 2015 - 14:20 | Posted in /b/
#ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

In the last few tutorials we saw a taste of Volatility. Now I want to look at another forensics tool, one that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files: a program called Bulk Extractor, which runs on Windows and Linux and is open source. – ro0ted

You can also use Bulk Extractor to check whether your drive was properly wiped and see what got left behind.
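To make concrete what BE's scanners actually do, here is an added example (not code from this post or from the Bulk Extractor project): a small Python feature extractor in the same spirit. It scans a raw byte buffer with no file-system parsing, which is exactly why leftovers sitting in free space show up, it validates candidate card numbers with the Luhn check as bulk_extractor does, and it prints hits in bulk_extractor's feature-file layout (offset, feature, context). The SAMPLE_IMAGE bytes are constructed for the demo, and the regular expressions are simplified stand-ins for the real scanners.

```python
import re
from typing import List, Tuple

# Patterns kept simple on purpose; bulk_extractor's real scanners are far stricter.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# 13 to 19 digits, optionally separated by single spaces or dashes
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; bulk_extractor applies the same test to drop random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def printable(raw: bytes) -> str:
    """Render context the way feature files do: non-printables as \\xNN escapes."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)


def scan_buffer(buf: bytes, context: int = 8) -> List[Tuple[str, int, str, str]]:
    """Return (type, offset, feature, context) for every hit, ordered by offset.

    The buffer is treated as raw bytes with no file-system parsing, which is
    why remnants in free space and slack are found as well as live files.
    """
    hits = []
    for kind, rx in (("email", EMAIL_RE), ("url", URL_RE), ("ccn", CCN_RE)):
        for m in rx.finditer(buf):
            feature = m.group(0)
            if kind == "ccn":
                digits = feature.decode("ascii").replace(" ", "").replace("-", "")
                if not luhn_ok(digits):
                    continue    # digit run that fails Luhn: not a card number
            lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
            hits.append((kind, m.start(), printable(feature), printable(buf[lo:hi])))
    return sorted(hits, key=lambda h: h[1])


def feature_lines(buf: bytes) -> List[str]:
    """bulk_extractor-style feature file lines: offset, feature, context (tab separated)."""
    return ["%d\t%s\t%s" % (off, feat, ctx) for _, off, feat, ctx in scan_buffer(buf)]


# Constructed image (not real data): a zero-filled stretch such as a quick
# format leaves, followed by remnants of a deleted document.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Contact: alice@example.org, see https://example.org/report.pdf\n"
    + b"Card on file: 4111 1111 1111 1111 (test number)\n"
    + b"Order ref 1234 5678 9012 3456\n"     # 16 digits but fails Luhn: must be dropped
    + b"\x00" * 32
)

if __name__ == "__main__":
    for line in feature_lines(SAMPLE_IMAGE):
        print(line)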

Bulk Extractor overview:

Here’s a fun fact about this powerful tool. Not only do they use it against you to extract your data during an investigation but it was designed by NPS which is a United States Navy University.

Let this be a wake up call and use this to really take your computer security serious.



Good note is it extracts information for both 32bit/64bit machines.

Bulk Extract Dev

Bulk Extractor itself

Bulk Extractor itself

For this tutorial I will use a Windows machine then the next one I will run it on Debian Linux.

So open BE:

Click Tools> Run Bulk Extractor …

This Window of Options will appear:

Unlike Volatility which only extracts data outta Volatile memory hence the name Volatility Framework with BE you can scan files as well as memory dumps and an image files:

So select a directory and select an output directory:

Select your scanning options:

Don’t worry about these settings. This is just a walk through I’ll show you how to use each option in another tutorial:

Submit run:

And for the memory sample scan it’s the same process. This is what it looks like:


Interested what you would find on your machine?
Follow my tut on how easy is it to create a memory dump of your machine here:

Depending on how big memory dump is depends on the length you will be waiting but it does have a progress bar feature that Volatility needs for deep scanning:

Here’s a detailed tutorial on Bulk Extractor:

Bulk Extractor Programmers Manual:

Bulk Extractor Users Manual:

Bulk Extractor Worked Examples:



Bulk Extractor is an old but powerful tool. In fact Forensic Investigators use this along with other tools to see if the drive was properly wiped. Create a memory dump of your machine and look for yourself. You can even buy used hdds and see what info got left behind…but that would be evil. 😛

Important finishing note each extraction test takes about 3hrs/30mins. Like I said in the last tutorial. Let it take time. Computer Forensics is the science of analyzing data.

These are some of the results I got from my memory dump:


AES Keys:


 Teamviewer IDs:


The list goes on it shows everything. Anything and everything you have ever done on your pc will be in the dump. Keep in mind this was off a supposed-able “wiped” drive and it was encrypted with True Crypt. I did that setup to show you; Security really is an illusion. –



Please check out my series on, “What the blackhats don’t want you to know” below..#CgAn


Last tutorial in the series: Meet Volatility Frameworks automatic cousin: Volix


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file


Unpacking & Crypting there is a difference

Covert Debugging whitepaper from

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics
Volatility Analyzing the ZeuS Bot Part 2
Infected Machine? Create a memory dump
What the gov doesn’t want you to know: All your pastebin data is being LOGGED
Connect to IRC more securely with SSL, add a fingerprint to your nick
Do you have pictures of yourself on the internet? You might of leaked your location of where the pic was taken through EXIF Data
Bulk Extractor: Walk Through +

(Visited 1,863 times, 1 visits today)


  • You can follow any responses to this entry through the RSS 2.0 feed.
  • Both comments and pings are currently closed.