Ken, you're CEO at BlackBag. Tell us about your role: what does a day in your life look like?
We have a great leadership team here at BlackBag, with decades of experience in our industry, and I spend a lot of my time working with them to make sure we are meeting our customers’ needs and planning for the future.
I work regularly with Product Management and Engineering, as well as Training and Technical Support, to help guide product decisions based on what we are hearing from our users, or trends we are seeing in the industry. Whether it is adding APFS support or better ways to examine Volume Shadow Copies on Windows machines, everyone here knows that our mission is to support investigators any way that we can. Coordinating that activity, in the ever-changing environment that we work in, takes up a lot of my day. Add to that the normal day-to-day of running a successful business, and like my team, I can be a pretty busy guy.
You took over as CEO in 2017 – what are some of your highlights from the past year?
Getting to know the people here at BlackBag has definitely been a highlight. We have a great group of people who are true problem solvers, and it was great to experience their enthusiasm around helping our customers. I came in at a time when they had worked for many months to make some significant product improvements, and it was very satisfying to get those changes into the hands of our customers.
With so much internal and external excitement over our iCloud production support, GrayKey integration, Windows support or APFS support, it has been rewarding for all of us to hear from our customers about how we are solving problems that no one else can tackle.
What is the most rewarding part of your job? What aspect of your job do you find most challenging?
One of the most rewarding things that I have been able to do in this last year is get back to working directly with the examiners and practitioners that are doing the job every day and using what they tell me to push our products to help them solve real-world problems. Moving to a company with a very focused mission on providing the tools necessary to pore through unimaginable amounts of digital evidence and get to the truth is the best job that I could ask for.
Still, our industry continues to change rapidly and keeping up with the changes in technology is challenging. Focusing our resources on what will make our customers successful requires a lot of insight by our Product Management team, and there are always new problems that examiners rely on us to solve. We work very hard to be responsive, but there are a lot of issues that try to tug us in different directions.
Tell us about the culture at BlackBag – what are the company's values, and what's it like to work there?
I think I can describe our culture in two words… Teamwork and Respect. We have smart and creative people throughout the organization and we value all of them, no matter what their job is, and we listen to all ideas, no matter where they come from. It is that respect for all thoughts and solutions that allows us to innovate rapidly and ensures that we have considered all possible options. No one person in any organization has all the answers, so it is critical to put together a great team and create an environment where they are comfortable working together to solve whatever is thrown at them and whatever needs to be done.
What has been the impact of Apple's release of APFS last year, and what changes have been made to BlackBag's suite of products to help examiners?
This is one of the main technical questions we get in Technical Support, and we have found that there are really 5 key ways that the introduction of APFS has changed investigations.
Imaging a device formatted as APFS is the first challenge examiners face when investigating these systems. When examiners encounter systems using APFS, the system will present an APFS container, inside of which several volumes may be present. Because APFS volumes within a container are not traditional macOS volumes, they cannot be individually imaged. When imaging the APFS container or the parent physical disk, the resulting image will contain the volume(s) in their current state, including encryption (if present). MacQuisition is designed to intuitively identify the volumes and notify users if encryption is present.
Once users have an image of the APFS volume, there are still two hurdles forensic tools need to support to allow the examiner complete access to all the information on the file system: parsing the file system itself and handling any encryption that is present. If you can get a full image, even of an unencrypted APFS device, your tool must understand the new APFS structures and metadata to be able to show you the folders and files on the system. BlackLight natively parses both unencrypted and encrypted APFS devices better than any other available tool.
Apple designed APFS to have built-in support for encryption, meaning that when APFS devices are encrypted, your data is encrypted at the file system level. For this reason, “unlocking” APFS volumes does not result in an unencrypted APFS volume. Instead, unlocking allows a tool to decrypt the blocks as it parses the file system. Because of this, analysis tools such as BlackLight must be able to decrypt both APFS file system metadata and data blocks on demand. Apple devices may have had prior file systems and encryption schemes before, but when upgraded to APFS, these schemes result in different encryption structures. BlackLight supports all of the possible encryption combinations where the user has the password or recovery information.
With the widespread use of the built-in APFS encryption, another change is handling carving data from unallocated space. Since unallocated blocks remain encrypted inside the logical container pool and data needed to recover them is lost during deletion, carving for data associated with an encrypted volume is ineffective. If carving is run, returned data will likely be a false positive or a file fragment that was created before the volume was encrypted. BlackBag is currently researching methods of brute-forcing the requisite information needed to decrypt blocks during carving.
Finally, in prior versions of the Mac OS, Time Machine backups contained historical information about file changes. APFS introduced a new method, APFS snapshots, that is more equivalent to Microsoft’s Volume Shadow Copies. We are excited to announce that we now have support for analyzing APFS snapshots in BlackLight.
What is the biggest challenge that is facing digital investigators, and how is BlackBag helping with these issues?
As a friend of mine once pointed out to me, there is no longer traditional crime and computer crime. There is just “crime” because every type of incident involves technology. Whether it is an email in a drug case, a text message in a terrorism case, a car’s navigation system in a homicide case, a home computer in an exploitation case or a cell phone in ANY type of case, technology is either directly involved in the perpetration of the crime or can provide evidence to help solve it.
This means that not only our trained examiners, but also our first responders, must recognize how technology impacts their case and understand what they need to do about it.
Our customers realize that we no longer have the luxury of seizing devices and sending them off to be examined by a trained digital investigator. We need to get tools into the hands of everyone, so they can rapidly collect, preserve, and where appropriate, access data before it leaves the scene and possibly disappears forever. This can be at a border checkpoint, a gang shooting or even at a mass casualty event. And it is not only those involved, but sometimes it is cooperating witnesses who can provide immediate digital information that can transform an investigation.
At BlackBag, we have recognized this for some time and continually work to make tools like our Mobilyze and BlackLight products that can be used by people with a range of skills. We provide access to the deepest file system artifacts, but also pull key data to the surface quickly and make it easy to understand. Things like our conversation view for text messages, and our ability to provide GPS mapping and skin tone analysis of pictures, bring the capability to understand digital evidence right into the field, where it is needed. As technology advanced, we gave every officer a computer in their car and cameras to automatically scan for wanted vehicles. Now it is time to give them another tool in their toolbox that can help them deal with the realities of today’s world.
At the Techno Security conference in Myrtle Beach, GrayKey was a popular topic of discussion. Tell us about BlackBag's support for Grayshift’s tools for forensic investigations.
Grayshift has a great product for gaining access to locked iPhones, and they are a close partner of ours. When we first heard of their capabilities from our customers, we started working with them to make sure digital examiners had a complete solution for accessing the data from iPhones and then examining it. With our expertise in iOS and low-level Apple file system analysis (including APFS), it was a natural fit for BlackLight to ingest all of the GrayKey extracted data and give examiners access to information on mobile devices that no other combination of tools can match.
We know that mobile devices continue to be some of the most important evidence in many investigations. GrayKey has the ability to pull the entire file system from an iOS device, something we have not had access to in years, and BlackLight can parse that data and give our users actionable intelligence that they cannot get with any other tools. Whether it is file system activity, combined logs or account passwords, this capability has already closed cases that would not have happened otherwise.
What are BlackBag's plans for the future? What can we expect to see over the next couple of years?
Innovation. We are going to continue to look to the future and solve the problems that are going to shape our industry. We are continuing our cutting-edge R&D in things like mobile devices and memory analysis, while working on key partnerships to make sure that examiners can handle any type of digital evidence that is thrown at them. We will continue to develop so that we remain the leader in Mac OS and iOS forensics, while we show more people how our support for Windows examinations surpasses the capabilities of the former heavy hitters in the industry. BlackBag has always been focused on providing the tools to those that keep our families safe, and we will not stray from that.
Finally, when you're not working, what do you enjoy doing in your spare time?
My family and I are avid campers. Whether it is hiking, backpacking, tent camping or RV camping, if it involves the outdoors, we are there! We have been to countless National Parks and spend any time that we can get away exploring nature. My kids are also very active in many different sports and activities, so like most parents, free weekends are often spent driving them to tournaments or performances. It is easy to get wrapped up in our jobs, but it is very important to maintain a good work life balance and spending time with my family is the most important activity that I do!
BlackBag Technologies develops forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices. Find out more on their website.