# Bulk extractor

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FX2ugSkhQBjvUTAe0b2am%2Fbulk_extract.png?alt=media&#x26;token=35261922-b4d4-4ff1-b870-4633040586c3" alt=""></div>

### 1. Introduction

> In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). There is a file on this image which contains the email and phone number of “evil” user. The email of the user is “<evil@attacker.co.uk>” and the phone number is the flag for this lab.

Extract the files from the disk image using the [**bulk extractor tool**](https://github.com/simsong/bulk_extractor) and retrieve the flag!

### 2. Bulk extractor

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FYpOJHy4C9pDlsQTWuBvL%2Fbulk_extract1.png?alt=media&#x26;token=433a43aa-f220-4908-baa0-193ca45a8324" alt=""></div>

We have to use bulk\_extractor to extract the files from the given image:

`bulk_extractor evidence.img -o output`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FqgoUXyp9fXji99w2SYbY%2Fbulk_extract2.png?alt=media&#x26;token=7a24365b-1364-411c-b92f-30fcbc7c4a02" alt=""></div>

It depends on the image size, but the extraction process will take some time…

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FHMrKAAk1YpYxMFJWj5hA%2Fbulk_extract3.png?alt=media&#x26;token=819e9f80-949a-4ec6-8eeb-a9ce23a9c139" alt=""></div>

### 3. Retrieve the flag

Instead of checking every file manually, I’ll use grep for a string search:

`grep -irn 'evil@attacker.co.uk' . --color`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FxtdLXgnFHQtbZslT282j%2Fbulk_extract4.png?alt=media\&token=3f8494d7-4766-4658-ba54-daa8ef1c4c79)
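
The grep above only shows lines that contain the address. As an added example (not part of the original write-up or of the bulk_extractor project), the function below correlates the `email.txt` and `telephone.txt` feature files by byte offset to list the phone numbers carved near a given address. It assumes both feature files exist in the output directory; the function name, the 512-byte window and the sample data, including the phone numbers, are constructed for illustration.

```shell
#!/bin/sh
# bulk_extractor feature files are tab-separated: offset, feature, context.
# Header lines start with '#'.

# phones_near_email EMAIL OUTDIR [WINDOW]
# Prints "offset<TAB>phone" for every telephone.txt feature found within
# WINDOW bytes (default 512) of an email.txt hit for EMAIL.
phones_near_email() {
    email=$1; outdir=$2; window=${3:-512}
    awk -F '\t' -v want="$email" -v win="$window" '
        /^#/ || NF < 2 { next }                 # skip headers and blank lines
        FILENAME == ARGV[1] {                   # email.txt: remember hit offsets
            if (tolower($2) == tolower(want)) hits[++n] = $1 + 0
            next
        }
        {                                       # telephone.txt: keep nearby features
            # "$1 + 0" keeps the leading byte offset of forensic paths such
            # as 1048604-GZIP-12, so matches there are approximate.
            off = $1 + 0
            for (i = 1; i <= n; i++) {
                d = off - hits[i]; if (d < 0) d = -d
                if (d <= win) { print $1 "\t" $2; break }
            }
        }
    ' "$outdir/email.txt" "$outdir/telephone.txt"
}

# Constructed sample output directory (not data from the lab image).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
{
    printf '# Feature-Recorder: email\n'
    printf '%s\t%s\t%s\n' 1048604 'evil@attacker.co.uk' 'email: evil@attacker.co.uk'
    printf '%s\t%s\t%s\n' 5242901 'admin@example.com' 'contact admin@example.com'
} > "$sample/email.txt"
{
    printf '# Feature-Recorder: telephone\n'
    printf '%s\t%s\t%s\n' 1048631 '+44 20 7946 0000' 'phone: +44 20 7946 0000'
    printf '%s\t%s\t%s\n' 9437200 '(555) 010-0199' 'call (555) 010-0199 now'
} > "$sample/telephone.txt"

phones_near_email 'evil@attacker.co.uk' "$sample"
```

Against the lab output, the call would be `phones_near_email 'evil@attacker.co.uk' output`, with a larger window if the two values sit further apart in the file.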

### 4. Summary

{% embed url="<https://vimeo.com/676640013>" %}
