search

simsong / bulk_extractor

This is the development tree. Production downloads are at:
https://github.com/simsong/bulk_extractor/releases
Other
1.04k stars 183 forks source link

bulk_extractor ignoring jpeg_carve_mode; does not carve contiguous JPEGs #468

Closed simsong closed 2 months ago

simsong commented 2 months ago

Replicate with:

src/bulk_extractor -o out-test -S jpeg_carve_mode=2 src/tests/1.jpg

Reported by NIST @richardayers and @jlyle-nist-gov

simsong commented 2 months ago

Apparently the code to set and test jpeg_carve_mode has been removed.

simsong commented 2 months ago

After extensive testing, I have determined that the problem is that the JPEG feature recorder was renamed jpeg_carved. This means that changing the carving mode was changed from -S jpeg_carving_mode=2 to -S jpeg_carved_carving_mode=2. That is confusing:

% src/bulk_extractor -S jpeg_carved_carve_mode=2 -o out-nist2 ~/Downloads/image-contig-jpg.dd
% ls -l out-nist2/jpeg_carved/000                                             
total 16088
-rw-r--r--  1 simsong  staff  2785455 Apr 26 08:05 3429888.jpg
-rw-r--r--  1 simsong  staff  3424980 Apr 26 08:05 4096.jpg
-rw-r--r--  1 simsong  staff  2015880 Apr 26 08:05 6216704.jpg
%

Proposed Resolution: change feature recorder jpeg_carved to jpeg