Carving Hidden Evidence with Bulk Extractor: The Power of Record Recovery


Before diving in, I’d like to highlight a comprehensive series I’ve created on Data Carving—feel free to check it out via the link below.

---------------------------------------------------------------------------------------------------------

If you’ve been in digital forensics long enough, you’ve probably heard about Bulk Extractor — the legendary tool that can scan through massive amounts of data and pull out meaningful information like emails, IPs, URLs, and even credit card numbers in record time.


But what if I told you there’s an upgraded version that goes beyond basic carving — one that digs deep into the very record structures of Windows file systems and event logs?

Let’s talk about Bulk Extractor with Record Carving (bulk_extractor-rec).


-----------------------------------------------------------------------------------------------------------

Why Bulk Extractor (and this fork) Matters

Traditional carving tools (like PhotoRec, Scalpel, or Foremost) are great for recovering deleted files. But they usually focus on whole files — not the records inside them.

bulk_extractor-rec, on the other hand, looks for specific forensic record types — and this is a game-changer.

Why?

Because it can pull out the small but crucial artifacts that tell us what happened on a system, even when the original files are gone.


Here’s what it can recover:

  • EVTX logs — Windows Event Log chunks

  • NTFS MFT records — metadata for files and folders

  • $UsnJrnl:$J — change journal entries (fantastic for timeline work)

  • $LogFile — transactional logs that reveal filesystem changes

  • $INDEX_ALLOCATION records (INDX) — directory index data

  • utmp records — Unix/Linux login/logout records


Now, those first five are gold for Windows forensics. These are exactly the artifacts you need to reconstruct activity, detect tampering, or trace attacker movements — especially when original logs or MFT files have been partially overwritten.


-----------------------------------------------------------------------------------------------------------

The Smart Part: Record Reconstruction

Here’s what I really love about bulk_extractor-rec: it doesn’t just rip out raw data — it tries to rebuild valid structures.


For example, when it carves out Windows Event Log chunks, it doesn’t just dump fragments. It rebuilds them into valid .evtx files that you can directly open in tools like Event Log Explorer or Eric Zimmerman’s EvtxECmd.


That means your recovered logs can be parsed just like normal event logs. This saves hours of manual hex editing or XML parsing — and makes this fork incredibly practical during investigations.
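As an added illustration of that rebuilding step (my own example, not code from bulk_extractor-rec), here is how a carver can validate a carved 64 KiB ElfChnk chunk using the checksums the EVTX format already carries, then wrap the chunks that survive in a fresh ElfFile header so a normal parser will open the result. The layout follows the public EVTX format; the sample chunks are constructed, each holding one minimal event record.

```python
import struct
import zlib

CHUNK_SIZE = 0x10000        # every EVTX chunk is 64 KiB
HEADER_BLOCK = 0x1000       # the ElfFile header occupies the first 4 KiB of a .evtx file
RECORDS_START = 0x200       # event records begin after the chunk header and its two tables

def check_chunk(chunk: bytes):
    """Return None if a carved chunk passes its own integrity checks, else the reason it fails."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != b"ElfChnk\x00":
        return "not a complete ElfChnk block"
    hdr_size, _last_data_ofs, free_ofs, rec_crc = struct.unpack_from("<IIII", chunk, 0x28)
    hdr_crc = struct.unpack_from("<I", chunk, 0x7C)[0]
    if hdr_size != 0x80 or not RECORDS_START <= free_ofs <= CHUNK_SIZE:
        return "inconsistent header offsets"
    # header checksum covers bytes 0-119 and 128-511 (it skips the checksum field itself)
    if zlib.crc32(chunk[:120] + chunk[128:512]) != hdr_crc:
        return "header checksum mismatch"
    if zlib.crc32(chunk[RECORDS_START:free_ofs]) != rec_crc:
        return "event records checksum mismatch (partially overwritten chunk)"
    return None

def rebuild_evtx(chunks) -> bytes:
    """Wrap the chunks that validate in a fresh ElfFile header so normal EVTX parsers can read them."""
    good = [c for c in chunks if check_chunk(c) is None]
    if not good:
        return b""
    next_id = max(struct.unpack_from("<Q", c, 0x20)[0] for c in good) + 1  # highest record id + 1
    hdr = bytearray(HEADER_BLOCK)
    hdr[:8] = b"ElfFile\x00"
    # first chunk, last chunk, next record id, header size, minor=1, major=3, block size, chunk count
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, len(good) - 1, next_id, 0x80, 1, 3, HEADER_BLOCK, len(good))
    struct.pack_into("<I", hdr, 0x7C, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr) + b"".join(good)

def make_chunk(rec_id: int) -> bytes:
    """Constructed sample chunk holding one minimal event record (not a real log)."""
    rec = b"\x2a\x2a\x00\x00" + struct.pack("<IQQI", 28, rec_id, 0, 28)  # "**" sig, size, id, time, size
    c = bytearray(CHUNK_SIZE)
    c[:8] = b"ElfChnk\x00"
    struct.pack_into("<QQQQ", c, 8, rec_id, rec_id, rec_id, rec_id)        # first/last record number and id
    c[RECORDS_START:RECORDS_START + len(rec)] = rec
    struct.pack_into("<IIII", c, 0x28, 0x80, RECORDS_START, RECORDS_START + len(rec), zlib.crc32(rec))
    struct.pack_into("<I", c, 0x7C, zlib.crc32(bytes(c[:120]) + bytes(c[128:512])))
    return bytes(c)

# Constructed "carved" input: two intact chunks, one with an overwritten record area, one junk block.
damaged = bytearray(make_chunk(2)); damaged[RECORDS_START + 12] ^= 0xFF
CARVED = [make_chunk(1), bytes(damaged), make_chunk(3), b"ElfJunk\x00" + bytes(CHUNK_SIZE - 8)]
```

Running `rebuild_evtx(CARVED)` keeps only the two intact chunks; the damaged chunk is the kind of fragment a record carver would set aside rather than silently include.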



-----------------------------------------------------------------------------------------------------------

Working with NTFS Artifacts

When carving NTFS-related artifacts (like MFT or USN records), Bulk Extractor outputs two main files:

  1. A clean file with all valid records (for example, MFT or UsnJrnl-J)

  2. A _corrupted file with invalid or partial records that didn’t pass integrity checks


You can feed the valid ones straight into MFTECmd or similar tools for easy parsing. The corrupted ones can still contain useful fragments.
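To make the clean versus _corrupted split concrete, here is an added example (my own code, not the fork's) of the integrity check a carver can apply to MFT records: the FILE signature, consistent size fields, and the NTFS update sequence (fixup) bytes at the end of each 512-byte sector, which catch torn or partly overwritten records. The records in the sample blob are constructed, not taken from a real disk.

```python
import struct

RECORD_SIZE = 1024   # standard NTFS MFT record size
SECTOR_SIZE = 512    # fixups protect each 512-byte sector of the record

def check_mft_record(rec: bytes):
    """Validate one carved MFT record: returns (record with fixups undone, None) or (None, reason)."""
    if len(rec) != RECORD_SIZE or rec[:4] != b"FILE":   # NTFS writes "BAAD" over records it rejected
        return None, "truncated record or bad signature %r" % rec[:4]
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)   # update sequence array offset / entry count
    used, alloc = struct.unpack_from("<II", rec, 0x18)
    if alloc != RECORD_SIZE or used > alloc or usa_cnt != RECORD_SIZE // SECTOR_SIZE + 1:
        return None, "inconsistent size fields"
    if usa_ofs + 2 * usa_cnt > SECTOR_SIZE:
        return None, "update sequence array out of range"
    usn = rec[usa_ofs:usa_ofs + 2]
    fixed = bytearray(rec)
    for i in range(1, usa_cnt):                 # the last 2 bytes of every sector must carry the USN
        tail = i * SECTOR_SIZE - 2
        if rec[tail:tail + 2] != usn:
            return None, "fixup mismatch in sector %d (torn or partly overwritten)" % (i - 1)
        fixed[tail:tail + 2] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]   # put the saved bytes back
    return bytes(fixed), None

def classify_records(blob: bytes):
    """Scan a raw blob at sector granularity and split hits into (valid_records, corrupted)."""
    valid, corrupted = [], []
    for ofs in range(0, len(blob) - RECORD_SIZE + 1, SECTOR_SIZE):
        if blob[ofs:ofs + 4] not in (b"FILE", b"BAAD"):
            continue
        fixed, reason = check_mft_record(blob[ofs:ofs + RECORD_SIZE])
        (valid if fixed else corrupted).append(fixed or (ofs, reason))
    return valid, corrupted

def make_record(rec_no: int, usn=b"\x05\x00", tails=(b"\xAA\xAA", b"\xBB\xBB")) -> bytes:
    """Constructed in-use MFT record (not from a real disk) with fixups applied as NTFS stores them."""
    r = bytearray(RECORD_SIZE)
    r[0:4] = b"FILE"
    struct.pack_into("<HH", r, 4, 0x30, 3)                 # USA at 0x30: one USN + one entry per sector
    struct.pack_into("<HHHHII", r, 0x10, 1, 1, 0x38, 1, 0x160, RECORD_SIZE)  # seq, links, attr ofs, flags, used, alloc
    struct.pack_into("<I", r, 0x2C, rec_no)
    r[0x30:0x36] = usn + tails[0] + tails[1]               # USN followed by the bytes it replaced
    r[SECTOR_SIZE - 2:SECTOR_SIZE] = usn                   # on disk each sector ends with the USN
    r[RECORD_SIZE - 2:RECORD_SIZE] = usn
    return bytes(r)

# Constructed sample blob: valid record 5, a BAAD-marked record, a torn copy of record 6, valid record 7.
torn = bytearray(make_record(6)); torn[RECORD_SIZE - 2:] = b"\x04\x00"   # second sector from an older write
SAMPLE = make_record(5) + b"BAAD" + bytes(RECORD_SIZE - 4) + bytes(torn) + make_record(7)
```

`classify_records(SAMPLE)` returns records 5 and 7 with their original sector tails restored, and reports the BAAD and torn records with the reason each failed, which is the kind of detail worth keeping when you go back through the _corrupted output for fragments.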



-----------------------------------------------------------------------------------------------------------

Performance and Speed

Bulk Extractor is known for one thing: speed.

It is multi-threaded and scans recursively, so it doesn’t just read surface data; it digs into compressed containers too. Even better, it can process hibernation files (prior to Windows 8) automatically, and those often contain tons of evidence about user sessions.



Focusing on Unallocated Space

When I’m investigating, I often want to focus carving on unallocated space — that’s where deleted or lost records usually live. Since Bulk Extractor isn’t filesystem-aware (by design), I use another tool — blkls from The Sleuth Kit — to extract just the unallocated clusters first.

Here’s how that works:

blkls image.dd > image.unallocated

This command dumps all the unallocated data into a new file, ready to be carved by Bulk Extractor. You can even extract slack space (the tiny gaps between files) using the -s switch — useful when you want to catch small remnants left behind by deleted files.



-----------------------------------------------------------------------------------------------------------

Alternatives & Complements

As I always say, no single tool does it all (especially if we are using open source), and that’s totally fine. I often combine bulk_extractor-rec with other tools to maximize recovery:


  • Joakim Schicht’s NTFS Tools – specialized parsers and carvers for $MFT, $LogFile, and $UsnJrnl

  • EVTXtract (by Willi Ballenthin) – carves EVTX records in raw XML format (great for deep event log recovery)


One gives you structured .evtx logs, and the other gives you raw XML records — a powerful combo!


-----------------------------------------------------------------------------------------------------------

Final Thoughts

If you’ve never tried Bulk Extractor with Record Carving, you’re missing out on one of the most efficient ways to dig deep into deleted or fragmented forensic artifacts.

It’s fast, multi-threaded, reconstructs readable logs, and supports critical NTFS and EVTX records — all in one go.

And best of all? It’s free and open-source.

-----------------------------------------------------------------------------------------------------------

Dean
