Both Linux and Windows Bulk Extractor detected SSNs. However, Linux identified SSNs in a file named LONG~d3r1v.LIS and Windows detected them in the LONG.LIS file. Both machines are scanning identical collections – that is, the collection on the Windows machine includes both the LONG.LIS and LONG~d3r1v.LIS files and the collection on the Linux machine includes both the LONG.LIS and LONG~d3r1v.LIS files. Given the appended text d3r1v, which is our derivative file naming convention, LONG~d3r1v.LIS is a derivative of LONG.LIS that I recreated in a Windows environment. My question is: why is BE on Windows not detecting SSNs in LONG~d3r1v.LIS and Linux not detecting them in LONG.LIS?
Currently, I'm wondering if file encoding/endianness might be causing an issue. Looking at both files in a hex editor, I can't readily determine what the difference is between the two file types. This is concerning as BE is overlooking a file with a known SSN. I've also reviewed both files in BitCurator using the scripts found in File Analysis and haven't encountered a significant difference between the two files.
Any thoughts? I'm hesitant to share the files as they include actual personal data but may be able to share other details if that is helpful.
Thanks,
Tracy Popp