macOS
brew install bulk_extractorlocal Homebrew formula metadata
sudo port install bulk_extractorMacPorts ports tree · security/bulk_extractor/Portfile · source: api.github.com
brew
Stream-based forensics tool. Version 2.1.1 via Homebrew; verified 2026-05-13.
install
brew install bulk_extractorlocal Homebrew formula metadata
sudo port install bulk_extractorMacPorts ports tree · security/bulk_extractor/Portfile · source: api.github.com
nix profile install nixpkgs#bulk_extractornixpkgs package indexes · pkgs/by-name/bu/bulk_extractor/package.nix · source: api.github.com
sudo zypper install bulk_extractoropenSUSE Tumbleweed package metadata · bulk_extractor · source: download.opensuse.org
overview
Stream-based forensics tool
history
bulk_extractor is a stream-based digital-forensics tool that scans raw media, disk images, files, and directories for structured artifacts without first depending on filesystem parsing. It is historically important because it made bulk data analysis a fast triage step in forensic workflows.
bulk_extractor predates its current GitHub repository. The NEWS file includes 2010 release announcements for versions 0.4.2 through 0.7.0, with features such as context stop lists, compressed-data carving, crash protection, POSIX threading, ZIP/GZIP/PDF recovery, and hibernation-file extraction.
The `simsong/bulk_extractor` repository was created on 2012-04-03. The README describes the tool as a high-performance digital forensics exploitation tool that extracts email addresses, credit card numbers, JPEGs, JSON snippets, search terms, and other features, storing results in text files and histograms for inspection and downstream processing.
The README recommends citing Simson Garfinkel's 2013 Computers & Security paper, `Digital Media Triage with Bulk Data Analysis and bulk_extractor`, which formalized the technique and helped anchor the tool in academic and law-enforcement forensic practice.
Adoption came from forensic triage needs: investigators could run bulk_extractor against disk images or memory artifacts and quickly get feature files, histograms, and leads without mounting or interpreting the filesystem first.
The project also included BEViewer for inspecting output, documented production downloads through GitHub releases, and kept packaging-friendly build instructions for Unix-like systems. Package managers such as Homebrew, MacPorts, Nix, and openSUSE carry it because forensic analysts and security researchers often need repeatable installs on analysis workstations.
Users point `bulk_extractor` at a disk image, file, directory, or other data source and review generated feature files and reports. It recursively examines decoded data, which lets it find artifacts in compressed, encoded, or carved content that simpler scanners miss.
The tool supports scanner selection, histograms, debugging environment variables, and VM-based build recipes. Modern 2.x development requires C++17 and uses submodules such as be13_api and DFXML.
bulk_extractor is significant because it packages a research-grade forensic idea into a normal CLI: scan every byte, extract features, and produce plain text output. That combination makes it useful both in investigations and in scripted security pipelines.
For package nerds, it is also a classic example of a domain-specific tool with deep native-code build requirements, academic provenance, GUI adjuncts, and long-lived release history that still belongs in general-purpose package managers.
security posture
No matching local secret-handling manifest was found for bulk_extractor. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
bulk_extractor | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/simsong/bulk_extractor
install metadata
| Package key | brew:bulk_extractor |
|---|---|
| Version | 2.1.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/bulk_extractor |
| Homepage | https://github.com/simsong/bulk_extractor/wiki |
| Repository | https://github.com/simsong/bulk_extractor |
| Upstream docs | https://github.com/simsong/bulk_extractor#readme |
| License | MIT |
| Source archive | https://github.com/simsong/bulk_extractor/releases/download/v2.1.1/bulk_extractor-2.1.1.tar.gz |
| Last updated | 2026-05-13T00:05:26Z |
| Pulse | updated |
| Build dependencies | pkgconf, re2 |
| Uses from macOS | expat, ncurses |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | bulk_extractor |
| Version Scheme | 0 |
| Revision | 3 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
bulk_extractor
nix profile install nixpkgs#bulk_extractorbulk_extractor 2.1.1-1.2
Bulk Email and URL extraction tool
https://github.com/simsong/bulk_extractor/wiki/Introducing-bulk_extractor
sudo zypper install bulk_extractorbulk_extractor
sudo port install bulk_extractorsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.