Automic VaultAutomic Vault

brew

Install bulk_extractor with Homebrew, MacPorts, Nix, zypper

Stream-based forensics tool. Version 2.1.1 via Homebrew; verified 2026-05-13.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install bulk_extractor

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install bulk_extractor

MacPorts ports tree · security/bulk_extractor/Portfile · source: api.github.com

Linux

Nixverified · 92%
nix profile install nixpkgs#bulk_extractor

nixpkgs package indexes · pkgs/by-name/bu/bulk_extractor/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install bulk_extractor

openSUSE Tumbleweed package metadata · bulk_extractor · source: download.opensuse.org

overview

Package summary

Stream-based forensics tool

Commands and aliases

  • bulk_extractor

history

Project history and usage

bulk_extractor is a stream-based digital-forensics tool that scans raw media, disk images, files, and directories for structured artifacts without first depending on filesystem parsing. It is historically important because it made bulk data analysis a fast triage step in forensic workflows.

Project history

bulk_extractor predates its current GitHub repository. The NEWS file includes 2010 release announcements for versions 0.4.2 through 0.7.0, with features such as context stop lists, compressed-data carving, crash protection, POSIX threading, ZIP/GZIP/PDF recovery, and hibernation-file extraction.

The `simsong/bulk_extractor` repository was created on 2012-04-03. The README describes the tool as a high-performance digital forensics exploitation tool that extracts email addresses, credit card numbers, JPEGs, JSON snippets, search terms, and other features, storing results in text files and histograms for inspection and downstream processing.

The README recommends citing Simson Garfinkel's 2013 Computers & Security paper, `Digital Media Triage with Bulk Data Analysis and bulk_extractor`, which formalized the technique and helped anchor the tool in academic and law-enforcement forensic practice.

Adoption history

Adoption came from forensic triage needs: investigators could run bulk_extractor against disk images or memory artifacts and quickly get feature files, histograms, and leads without mounting or interpreting the filesystem first.

The project also included BEViewer for inspecting output, documented production downloads through GitHub releases, and kept packaging-friendly build instructions for Unix-like systems. Package managers such as Homebrew, MacPorts, Nix, and openSUSE carry it because forensic analysts and security researchers often need repeatable installs on analysis workstations.

How it is used

Users point `bulk_extractor` at a disk image, file, directory, or other data source and review generated feature files and reports. It recursively examines decoded data, which lets it find artifacts in compressed, encoded, or carved content that simpler scanners miss.

The tool supports scanner selection, histograms, debugging environment variables, and VM-based build recipes. Modern 2.x development requires C++17 and uses submodules such as be13_api and DFXML.

Why package nerds care

bulk_extractor is significant because it packages a research-grade forensic idea into a normal CLI: scan every byte, extract features, and produce plain text output. That combination makes it useful both in investigations and in scripted security pipelines.

For package nerds, it is also a classic example of a domain-specific tool with deep native-code build requirements, academic provenance, GUI adjuncts, and long-lived release history that still belongs in general-purpose package managers.

Timeline

  • 2010: 0.4.x through 0.7.0 release announcements document early stop-list, carving, threading, and crash-protection work.
  • 2012: Public `simsong/bulk_extractor` GitHub repository is created.
  • 2013: Computers & Security publishes the bulk data analysis and bulk_extractor paper cited by the project.
  • 2024: 2.1.1 release notes document ongoing 2.x maintenance.
  • 2026: The repository remains active as the development tree for current bulk_extractor work.

Related projects

  • bulk_extractor is related to BEViewer, DFXML, be13_api, forensic carving tools, disk-image analysis workflows, memory and hibernation-file analysis, and downstream feature-file processing scripts.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for bulk_extractor. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
bulk_extractorcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.1.1
manager updated2026-05-13
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/simsong/bulk_extractor

install metadata

Package metadata

Package keybrew:bulk_extractor
Version2.1.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/bulk_extractor
Homepagehttps://github.com/simsong/bulk_extractor/wiki
Repositoryhttps://github.com/simsong/bulk_extractor
Upstream docshttps://github.com/simsong/bulk_extractor#readme
LicenseMIT
Source archivehttps://github.com/simsong/bulk_extractor/releases/download/v2.1.1/bulk_extractor-2.1.1.tar.gz
Last updated2026-05-13T00:05:26Z
Pulseupdated
Build dependenciespkgconf, re2
Uses from macOSexpat, ncurses
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namebulk_extractor
Version Scheme0
Revision3
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

bulk_extractor

nix profile install nixpkgs#bulk_extractor
  • normalized package name match
  • Matched by: Bulk Extractor
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/bu/bulk_extractor/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
zypper95%

bulk_extractor 2.1.1-1.2

Bulk Email and URL extraction tool

https://github.com/simsong/bulk_extractor/wiki/Introducing-bulk_extractor

sudo zypper install bulk_extractor
  • License: GPL-3.0-or-later
  • Category: Productivity/File utilities
  • Architecture: x86_64
  • Source Package: bulk_extractor
  • 10 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Bulk Extractor
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: bulk_extractor from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

bulk_extractor

sudo port install bulk_extractor
  • normalized package name match
  • Matched by: Bulk Extractor
MacPorts ports tree · api.github.com · MacPorts ports tree: security/bulk_extractor/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment