Initial Availability: bulk_extractor and histogram analysis tool
As you may recall from my previous research, it is frequently
useful to compute a histogram of the email addresses on a hard drive.
The most frequent email address is frequently the hard drive's primary
user; the other email addresses are either other email accounts used
by that person or that person's primary correspondents. And the most
popular domain names found in email addresses can be used to trace
organizational communication patterns.
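The histogram analysis described above, as an added example (it is not bulk_extractor's code and not the author's). It scans raw bytes in chunks, so it works on a raw image but not on EnCase or AFF containers. The regular expression, the `overlap` value, the function names and the sample bytes are assumptions constructed for this illustration.

```python
import re
from collections import Counter

# Conservative ASCII pattern for e-mail addresses in raw bytes (an assumption of
# this sketch; it ignores UTF-16 and compressed or encoded data).
EMAIL_RE = re.compile(
    rb"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@(?:[A-Za-z0-9-]{1,63}\.){1,8}[A-Za-z]{2,24}")

def read_chunks(path, size=1 << 20):
    """Yield fixed-size chunks from a raw image or file."""
    with open(path, "rb") as f:
        while chunk := f.read(size):
            yield chunk

def email_histograms(chunks, overlap=320):
    """Return (address Counter, domain Counter) for an iterable of byte chunks.

    The last `overlap` bytes of each buffer are carried into the next one so an
    address split across a chunk boundary is counted once, and whole.
    """
    addresses, domains = Counter(), Counter()

    def scan(buf, cut):
        keep_from = cut
        for m in EMAIL_RE.finditer(buf):
            if m.start() >= cut:        # starts in the carried-over tail: defer
                break
            addr = m.group().decode("ascii").lower()
            addresses[addr] += 1
            domains[addr.rsplit("@", 1)[1]] += 1
            keep_from = max(keep_from, m.end())  # never rescan a counted match
        return buf[keep_from:]

    tail = b""
    for chunk in chunks:
        buf = tail + chunk
        tail = scan(buf, max(0, len(buf) - overlap))
    scan(tail, len(tail))               # flush what is left after the last chunk
    return addresses, domains

# Constructed sample standing in for raw sectors: addresses amid binary junk.
SAMPLE = (b"\x00\x01From: alice@example.org\r\n\xff\xfeTo: bob@corp.example\x00"
          b"junk\x90\x90alice@example.org\x00Cc: Carol@Corp.Example;\x00"
          b"\x7fELF..reply-to=alice@example.org>\x00bob@corp.example\x00")

if __name__ == "__main__":
    addrs, doms = email_histograms([SAMPLE])
    print("addresses:", addrs.most_common())
    print("domains:  ", doms.most_common())
```

For a raw image on disk, pass `read_chunks(path)` as the `chunks` argument; the top entry of the address histogram is the candidate primary user, and the domain histogram shows which organizations dominate the correspondence.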
I am developing a tool for automatically performing this histogram
analysis. It's called bulk_extractor. It operates on raw data in disk
images (or files). It's built on top of AFF, so it can read raw
images, EnCase images, and (of course) AFF images.
You can download bulk_extractor from: http://www.afflib.org/downloads/bulk_extractor-0.0.5.tar.gz
This tool is built with the GNU autoconf tools and should compile on
MacOS, Linux, FreeBSD, and Cygwin. Cygwin is a bit confusing; there is
a readme file for this at:
I've also created a pre-compiled version that runs under Cygwin with
support for AFF, encrypted AFF, and EnCase. You can download that
Garfinkel, S., "Forensic Feature Extraction and Cross-Drive
Analysis," Digital Investigation, Volume 3, Supplement 1, September
2006, Pages 71--81. http://www.simson.net/clips/academic/2006.DFRWS.pdf