Results differing between OSs


Tracy P.

Oct 27, 2017, 3:41:17 PM
to BitCurator Users
Hi,

I sent this message to the bulk_extractor-users group but am sharing here just in case anyone has experienced this or has an insight.

I'm in the process of evaluating bulk_extractor and BEViewer. I'm running Bulk Extractor Viewer 1.6.0-dev in Windows 7 Enterprise and Bulk Extractor Viewer 1.6.0-dev in the BitCurator environment (Linux Ubuntu 16.04 LTS).

I'm encountering an odd situation. I'm scanning identical collections with BE in both Windows 7 and Ubuntu 16.04. The files being scanned were transferred primarily from 5.25" floppy disk. I'm using the Directory of Files option when scanning.


Both Linux and Windows Bulk Extractor detected SSNs. However, Linux identified SSNs in a file named LONG~d3r1v.LIS and Windows detected them in the LONG.LIS file. Both machines are scanning identical collections – that is, the collection on the Windows machine includes both the LONG.LIS and LONG~d3r1v.LIS files and the collection on the Linux machine includes both the LONG.LIS and LONG~d3r1v.LIS files. Given the appended text d3r1v, which is our derivative file naming convention, LONG~d3r1v.LIS is a derivative of LONG.LIS that I recreated in a Windows environment. My question is: why is BE on Windows not detecting SSNs in LONG~d3r1v.LIS and Linux not detecting them in LONG.LIS?


Currently, I'm wondering if file encoding/endianness might be causing an issue. Looking at both files in a hex editor, I can't readily determine what the difference is between the two file types. This is concerning as BE is overlooking a file with a known SSN. I've also reviewed both files in BitCurator using the scripts found in File Analysis and haven't encountered a significant difference between the two files.


Any thoughts? I'm hesitant to share the files as they include actual personal data but may be able to share other details if that is helpful.


Thanks,

Tracy Popp