So before we go to export our files from BlackLight to S21, what we will normally do is we will run the hashes against our case. In this case what we’ve done is we’ve already run these hashes against BlackLight, and as you can see, S21 has been run and it’s showing complete. These are the hashes that we’ve already set up and we’ve connected to this hash database through the MySQL interface within BlackLight. Once that is done – and in this case, the hash is done – we can then go over to our media section.
Now I’m going to choose ‘Combined.’ And what this is going to do is it’s going to show all the images, and all the thumbnails, and all the video files, that are part of this case. It’s displaying all of these pictures and videos and thumbnails for us. Now what I want to do is, I want to export all of these pictures and videos from the case, into a format that S21 will understand.
So I’m going to select all of these pictures and videos now. And what I did here was I selected on one, and then I selected Cmd+A, or Ctrl+A on Windows, which will then allow us to select all of the pictures and videos in the case. If I right-click anywhere on this window I can select ‘Export’, ‘Export Data Set’. And within ‘Export Data Set’ you can see S21.
BlackLight will then prepare the files for export. It will create a folder – a directory structure – on my computer, or wherever I choose to save this data. And then it will export the pictures and videos into the data set structure that S21 understands, including creating the XML files that S21 uses for the purposes of ingesting the data back into the end user application.
So now BlackLight is prepared to export the files. I’m going to create a new folder here on my desktop; what I’ve done here is I’ve selected the desktop, in this case. Normally what you’re going to do is, you’re going to have this exported to a place where an investigator can use the end user S21 application. The S21 application is a Windows-only application, so obviously in the real world I could not export it out to my desktop. Usually it would be a connected server, or some network storage that is attached to your analytical computer, whether that is a Windows or a Mac, that you can access and reach remotely from your internal network. So in this case, what I’ve done is I’m exporting these files onto my desktop, and I’m just going to call this ‘BlackLight S21 Export.’ So, BlackLight S21 Export, and then I’m going to hit ‘Create,’ and then I’m going to hit ‘Export.’
Now BlackLight will commence exporting from the case, that includes all thumbnail information, as well as all the movies and all the pictures that are in this case. This normally takes about 10-15 minutes, depending upon the size of the case; it could actually take even longer, if there are millions and millions and millions of pictures within your case.
In this case, BlackLight has already started the export feature. If I click on ‘Export Status’ I can see BlackLight as it’s exporting these files. There are over 37,000 files in this case; in this case we’re up to about 5,800 files.
So BlackLight is now exporting the pictures, videos and thumbnails from the case into the export folder that I’ve created, and it’s going to put it into the format that S21 requires for ingestion into the S21 application.
OK, so our S21 export has completed from BlackLight, and as you can see I’ve saved it to the desktop on this computer. Normally you would be saving it to a location, as I said earlier, that an investigator would be able to get a hold of that information and ingest that information correctly into S21.
In this case what’s happened is, BlackLight has exported the files and at the same time it has run a comparison of the files to the S21 hash database and appended those flags to those files, so that when it is ingested into the S21 application – the end-user application – the flags will be present and S21 can correctly display that data.
And what I’m going to do is I’m going to show you the results of that export file. Here’s the export folder here, showing BlackLight S21 Export. And if I open it up it will tell you the name of the case, Bennett-21 Exam, gives you the date and time of the export. And then within each one you have a volume info text, and a Case Report.xml file. Then of course you have your folders, you have ‘S21M’ for S21 movies; and then ‘S21P’ for pictures.
If I open up the pictures folder, all the files are located in here, in these subfolders. At the very bottom we have a Results.txt file that will give us the results within the exported files; and as you can see, it has pre-categorised 831 files, not surprisingly.
And then we have the S21 index file that contains all the information about each one of the pictures and videos – or in this case, pictures – for that particular file. So that XML file will contain the extended attributes of that file; the metadata of that file; including dates and times, full path, owner, etc. of that file. So that’s all part of this package that is forwarded over to the investigator, who then ingests this into S21.