By ro0ted | May 23, 2015 - 14:20 | Posted in /b/ | 3 Comments
#ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

In the last few tutorials we saw a taste of Volatility. Now I want to look at another forensics tool, one that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files: a program called Bulk Extractor, which runs on Windows and Linux and is open source. – ro0ted https://twitter.com/ro0ted/

You can also use Bulk Extractor to see if your drive was properly wiped and see what gets left behind.

Bulk Extractor overview:
http://digitalcorpora.org/downloads/bulk_extractor/2014-07-17_BE15.pdf

Here’s a fun fact about this powerful tool. Not only is it used against you to extract your data during an investigation, it was also designed by NPS, the Naval Postgraduate School, which is a United States Navy university. http://en.wikipedia.org/wiki/Naval_Postgraduate_School

Let this be a wake-up call and use this to really take your computer security seriously.


Good to note: it extracts information for both 32-bit and 64-bit machines.

Download

Windows:
Bulk Extractor Dev
http://digitalcorpora.org/downloads/bulk_extractor/newer_dev/bulk_extractor-1.6.0-dev-windowsinstaller.exe

Bulk Extractor itself
http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.5.5-windowsinstaller.exe

Linux:
Bulk Extractor itself
http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.5.5.tar.gz

For this tutorial I will use a Windows machine; in the next one I will run it on Debian Linux.

So open BE.

Click Tools > Run Bulk Extractor…

This window of options will appear.

Unlike Volatility, which only extracts data outta volatile memory (hence the name Volatility Framework), with BE you can scan individual files as well as memory dumps and image files.

So select the directory to scan and an output directory.

Select your scanning options. Don’t worry about these settings; this is just a walk through, and I’ll show you how to use each option in another tutorial.

Submit run.

And for the memory sample scan it’s the same process. This is what it looks like.

Interested in what you would find on your machine?
Follow my tut on how easy it is to create a memory dump of your machine here:
https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-infected-machine-create-a-memory-dump/

How long you will be waiting depends on how big the memory dump is, but BE does have a progress bar, a feature Volatility needs for deep scanning.

Here’s a detailed tutorial on Bulk Extractor:
http://simson.net/ref/2012/2012-08-08%20bulk_extractor%20Tutorial.pdf

Bulk Extractor Programmers Manual:
http://digitalcorpora.org/downloads/bulk_extractor/BEProgrammersManual.pdf

Bulk Extractor Users Manual:
http://digitalcorpora.org/downloads/bulk_extractor/BEUsersManual.pdf

Bulk Extractor Worked Examples:
http://digitalcorpora.org/downloads/bulk_extractor/BEWorkedExamplesStandalone.pdf

Bulk Extractor is an old but powerful tool. In fact, forensic investigators use it along with other tools to check whether a drive was properly wiped. Create a memory dump of your machine and look for yourself. You can even buy used HDDs and see what info got left behind…but that would be evil. 😛

Important finishing note: each extraction run takes about 3hrs/30mins. Like I said in the last tutorial, let it take time. Computer forensics is the science of analyzing data.

These are some of the results I got from my memory dump:

AES Keys:

CCs:

Teamviewer IDs:

Email:

The list goes on; it shows everything. Anything and everything you have ever done on your PC will be in the dump. Keep in mind this was off a supposedly “wiped” drive, and it was encrypted with TrueCrypt. I did that setup to show you: security really is an illusion. – https://twitter.com/ro0ted/

ro0ted
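To get the same overview without clicking through every feature file, here is a small triage script (an added example, not part of the original post and not Bulk Extractor's own code). It reads BE's feature files (`email.txt`, `ccn.txt`, `url.txt`, …: tab-separated offset, feature, context, with `#` header lines) and reports which recorders fired and the most frequent values; the sample output below is constructed, not from a real run.

```python
"""Triage Bulk Extractor output: which feature recorders fired, how many hits,
and the top values. BE feature files are TSV (offset, feature, context) with '#' headers."""
from collections import Counter

def parse_feature_file(text):
    # Return (offset, feature) pairs from one feature file, skipping '#' headers.
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split("\t")
            if len(parts) >= 2:
                rows.append((parts[0], parts[1]))
    return rows

def luhn_ok(number):
    # Luhn checksum, the same filter BE's ccn scanner applies before reporting a hit.
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def triage(feature_files, top=3):
    # feature_files: {filename: file text}, e.g. each *.txt read from the BE output dir.
    report = {}
    for name, text in feature_files.items():
        if not name.endswith(".txt") or name.endswith("_histogram.txt"):
            continue
        recorder = name[:-4]
        feats = [f for _, f in parse_feature_file(text)]
        if recorder == "ccn":  # re-check Luhn so a stray digit run is not counted as a card
            feats = [f for f in feats if luhn_ok(f)]
        if feats:  # recorders with an empty file (scanner ran, nothing found) are left out
            report[recorder] = {"hits": len(feats), "unique": len(set(feats)),
                                "top": Counter(feats).most_common(top)}
    return report

# Constructed sample output, standing in for a real BE run on a "wiped" image.
SAMPLE = {
    "email.txt": "# Feature-Recorder: email\n"
                 "4096\talice@example.com\tFrom: alice@example.com\\x0D\\x0A\n"
                 "8192\talice@example.com\tTo: alice@example.com\n"
                 "9000\tbob@example.org\tCc: bob@example.org\n",
    "ccn.txt": "# Feature-Recorder: ccn\n"
               "20480\t4111111111111111\tcard=4111111111111111\n"
               "20520\t1234567890123456\tserial 1234567890123456\n",
    "url.txt": "# Feature-Recorder: url\n",
}
```

Call `triage(SAMPLE)` (or `triage` over a dict built from a real output directory) and any recorder listed in the result is data the wipe left behind.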


Please check out my series, “What the blackhats don’t want you to know”, below. #CgAn

Last tutorial in the series: Meet Volatility Framework’s automatic cousin: Volix

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics

Volatility Analyzing the ZeuS Bot Part 2

Infected Machine? Create a memory dump

What the gov doesn’t want you to know: All your pastebin data is being LOGGED

Connect to IRC more securely with SSL, add a fingerprint to your nick

Do you have pictures of yourself on the internet? You might have leaked the location where the pic was taken through EXIF Data

Bulk Extractor: Walk Through +


3 Responses to #ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

  1. Pingback: What the blackhats dont want you to know BE: th...

    […] Here’s a fun fact about this powerful tool. Not only do they use it against you to extract your…

  2. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewbl...

    […]   […]

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the Blackhats dont want u to know: Memory Cloning & BE in Linux

    […] tutorial we used Bulk Extractor for Windows this tutorial will be for Linux. – […]