How To Export Media Files From BlackLight Into Semantics21

So before we go to export our files from BlackLight to S21, what we will normally do is we will run the hashes against our case. In this case what we’ve done is we’ve already run these hashes against BlackLight, and as you can see, S21 has been run and it’s showing complete. These are the hashes that we’ve already set up and we’ve connected to this hash database through the MySQL interface within BlackLight. Once that is done – and in this case, the hash is done – we can then go over to our media section.

Now I’m going to choose ‘Combined.’ And what this is going to do is it’s going to show all the images, and all the thumbnails, and all the video files, that are part of this case. It’s displaying all of these pictures and videos and thumbnails for us. Now what I want to do is, I want to export all of these pictures and videos from the case, into a format that S21 will understand.

So I’m going to select all of these pictures and videos now. And what I did here was I selected on one, and then I selected Cmd+A, or Ctrl+A on Windows, which will then allow us to select all of the pictures and videos in the case. If I right-click anywhere on this window I can select ‘Export’, ‘Export Data Set’. And within ‘Export Data Set’ you can see S21.

BlackLight will then prepare the files for export. It will create a folder – a directory structure – on my computer, or wherever I choose to save this data. And then it will export the pictures and videos into the data set structure that S21 understands, including creating the XML files that S21 uses for the purposes of ingesting the data back into the end user application.




So now BlackLight is prepared to export the files. I’m going to create a new folder here on my desktop; what I’ve done here is I’ve selected the desktop, in this case. Normally what you’re going to do is, you’re going to have this exported to a place where an investigator can use the end user S21 application. The S21 application is a Windows-only application, so obviously in the real world I could not export it out to my desktop. Usually it would be a connected server, or some network storage that is attached to your analytical computer, whether that is a Windows or a Mac, that you can access and reach remotely from your internal network. So in this case, what I’ve done is I’m exporting these files onto my desktop, and I’m just going to call this ‘BlackLight S21 Export.’ So, BlackLight S21 Export, and then I’m going to hit ‘Create,’ and then I’m going to hit ‘Export.’

Now BlackLight will commence exporting from the case; that includes all thumbnail information, as well as all the movies and all the pictures that are in this case. This normally takes about 10-15 minutes, depending upon the size of the case; it could actually take even longer, if there are millions and millions and millions of pictures within your case.

In this case, BlackLight has already started the export feature. If I click on ‘Export Status’ I can see BlackLight as it’s exporting these files. There are over 37,000 files in this case; in this case we’re up to about 5,800 files.

So BlackLight is now exporting the pictures, videos and thumbnails from the case into the export folder that I’ve created, and it’s going to put it into the format that S21 requires for ingestion into the S21 application.

OK, so our S21 export has completed from BlackLight, and as you can see I’ve saved it to the desktop on this computer. Normally you would be saving it to a location, as I said earlier, that an investigator would be able to get a hold of that information and ingest that information correctly into S21.

In this case what’s happened is, BlackLight has exported the files and at the same time it has run a comparison of the files to the S21 hash database and appended those flags to those files, so that when it is ingested into the S21 application – the end-user application – the flags will be present and S21 can correctly display that data.

And what I’m going to do is I’m going to show you the results of that export file. Here’s the export folder here, showing BlackLight S21 Export. And if I open it up it will tell you the name of the case, Bennett-21 Exam, and gives you the date and time of the export. And then within each one you have a volume info text, and a Case Report.xml file. Then of course you have your folders: you have ‘S21M’ for S21 movies, and then ‘S21P’ for pictures.

If I open up the pictures folder, all the files are located in here, in these subfolders. At the very bottom we have a Results.txt file that will give us the results within the exported files; and as you can see, it has pre-categorised 831 files, not surprisingly.

And then we have the S21 index file that contains all the information about each one of the pictures and videos – or in this case, pictures – for that particular file. So that XML file will contain the extended attributes of that file; the metadata of that file; including dates and times, full path, owner, etc. of that file. So that’s all part of this package that is forwarded over to the investigator, who then ingests this into S21.
