-
Notifications
You must be signed in to change notification settings - Fork 0
/
b_e_man.txt
116 lines (113 loc) · 6.74 KB
/
b_e_man.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
bash-4.2# bulk_extractor --help
bulk_extractor version 2.0.1: A high-performance flexible digital forensics program.
Usage:
bulk_extractor [OPTION...] image_name
-A, --offset_add arg Offset added (in bytes) to feature locations (default: 0)
-b, --banner_file arg Path of file whose contents are prepended to top of all feature files
-C, --context_window arg Size of context window reported in bytes (default: 16)
-d, --debug arg enable debugging (default: 1)
-D, --debug_help help on debugging
-E, --enable_exclusive arg disable all scanners except the one specified. Same as -x all -E scanner.
-e, --enable arg enable a scanner (can be repeated)
-x, --disable arg disable a scanner (can be repeated)
-f, --find arg search for a pattern (can be repeated)
-F, --find_file arg read patterns to search from a file (can be repeated)
-G, --pagesize arg page size in bytes (default: 16777216)
-g, --marginsize arg margin size in bytes (default: 4194304)
-j, --threads arg number of threads (default: 4)
-J, --no_threads read and process data in the primary thread
-M, --max_depth arg max recursion depth (default: 12)
--max_bad_alloc_errors arg
max bad allocation errors (default: 3)
--max_minute_wait arg maximum number of minutes to wait until all data are read (default: 60)
--notify_main_thread Display notifications in the main thread after phase1 completes. Useful for running with ThreadSanitizer
--notify_async Display notificaitons asynchronously (default)
-o, --outdir arg output directory [REQUIRED]
-P, --scanner_dir arg directories for scanner shared libraries (can be repeated). Default directories include
/usr/local/lib/bulk_extractor, /usr/lib/bulk_extractor and any directories specified in the BE_PATH
environment variable.
-p, --path arg print the value of <path>[:length][/h][/r] with optional length, hex output, or raw output.
-q, --quit no status or performance output
-r, --alert_list arg file to read alert list from
-R, --recurse treat image file as a directory to recursively explore
-S, --set arg set a name=value option (can be repeated)
-s, --sampling arg random sampling parameter frac[:passes]
-V, --version Display PACKAGE_VERSION (currently) 2.0.1
-w, --stop_list arg file to read stop list from
-Y, --scan arg specify <start>[-end] of area on disk to scan
-z, --page_start arg specify a starting page number
-Z, --zap wipe the output directory (recursively) before starting
-0, --no_notify disable real-time notification
-1, --version1 version 1.0 notification (console-output)
-H, --info_scanners report information about each scanner
-h, --help print help screen
Global config options:
-S notify_rate=1 seconds between notificaiton update (notify_rate)
-S debug_histogram_malloc_fail_frequency=0 Set >0 to make histogram maker fail with memory allocations (debug_histogram_malloc_fail_frequency)
-S hash_alg=sha1 Specifies hash algorithm to be used for all hash calculations (hash_alg)
-S report_read_errors=1 Report read errors (report_read_errors)
These scanners enabled; disable with -x:
-x accts - disable scanner accts
-S ssn_mode=0 0=Normal; 1=No `SSN' required; 2=No dashes required
-S min_phone_digits=7 Min. digits required in a phone
-x aes - disable scanner aes
-S scan_aes_128=1 Scan for 128-bit AES keys; 0=No, 1=Yes
-S scan_aes_192=0 Scan for 192-bit AES keys; 0=No, 1=Yes
-S scan_aes_256=1 Scan for 256-bit AES keys; 0=No, 1=Yes
-x base64 - disable scanner base64
-x elf - disable scanner elf
-x email - disable scanner email
-x evtx - disable scanner evtx
-x exif - disable scanner exif
-S exif_debug=0 debug exif decoder
-x facebook - disable scanner facebook
-x find - disable scanner find
-x gps - disable scanner gps
-x gzip - disable scanner gzip
-S gzip_max_uncompr_size=268435456 maximum size for decompressing GZIP objects
-x httplogs - disable scanner httplogs
-x json - disable scanner json
-x kml_carved - disable scanner kml_carved
-x msxml - disable scanner msxml
-x net - disable scanner net
-S carve_net_memory=0 Carve network memory structures
-S min_carve_packet_bytes=40 Smallest network packet to carve
-x ntfsindx - disable scanner ntfsindx
-x ntfslogfile - disable scanner ntfslogfile
-x ntfsmft - disable scanner ntfsmft
-x ntfsusn - disable scanner ntfsusn
-x pdf - disable scanner pdf
-S pdf_dump_hex=0 Dump the contents of PDF buffers as hex
-S pdf_dump_text=0 Dump the contents of PDF buffers showing extracted text
-x rar - disable scanner rar
-S rar_find_components=1 Search for RAR components
-S rar_find_volumes=1 Search for RAR volumes
-x sqlite - disable scanner sqlite
-x utmp - disable scanner utmp
-x vcard_carved - disable scanner vcard_carved
-x windirs - disable scanner windirs
-S opt_weird_file_size=157286400 Threshold for FAT32 scanner
-S opt_weird_file_size2=536870912 Threshold for FAT32 scanner
-S opt_weird_cluster_count=67108864 Threshold for FAT32 scanner
-S opt_weird_cluster_count2=268435456 Threshold for FAT32 scanner
-S opt_max_bits_in_attrib=3 Ignore FAT32 entries with more attributes set than this
-S opt_max_weird_count=2 Number of 'weird' counts to ignore a FAT32 entry
-S opt_last_year=2027 Ignore FAT32 entries with a later year than this
-x winlnk - disable scanner winlnk
-x winpe - disable scanner winpe
-x winprefetch - disable scanner winprefetch
-x zip - disable scanner zip
-S zip_min_uncompr_size=6 Minimum size of a ZIP uncompressed object
-S zip_max_uncompr_size=268435456 Maximum size of a ZIP uncompressed object
-S zip_name_len_max=1024 Maximum name of a ZIP component filename
These scanners disabled; enable with -e:
-e base16 - enable scanner base16
-e hiberfile - enable scanner hiberfile
-e outlook - enable scanner outlook
-e wordlist - enable scanner wordlist
-S word_min=6 Minimum word size
-S word_max=16 Maximum word size
-S max_output_file_size=100000000 Maximum size of the words output file
-S strings=0 Scan for strings instead of words
-e xor - enable scanner xor
-S xor_mask=255 XOR mask value, in decimal