BlackBag Announces Release Of BlackLight 2019 R3


BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. BlackBag has enhanced features added earlier this year to make them even more powerful in solving cases.

Enhancements and Improvements include:

– New Processing options to help triage data
– Parsing of Apple Unified Logs
– New Windows Artifacts Parsed in Actionable Intel
– Passware Integration to decrypt images of devices with full disk encryption
– Redesign of File Filters enabling the creation of complex file filters
– Additional support for processing Cellebrite extractions
– Support added to process macOS 10.15 Time Capsule backups
– Updates to parse artifacts in the latest versions of Firefox, Chrome, and Safari
– Redesign of the Evidence Status View

New Feature Highlights:

Processing Options – Triaging Devices

One of the greatest features of BlackLight is the location and extraction of data of interest, parsed into the [Actionable Intel], [Communication], [Locations], [Internet], [Productivity], and [System] tabs. This allows quick access to high-value data. In previous versions of BlackLight, during initial data ingestion, “Normalizing” would appear in Evidence Status, indicating that data was being extracted to populate these BlackLight views. The user had no control over which data was processed.


BlackLight 2019 R3 allows the user to choose exactly what data will be extracted, allowing greater flexibility when processing data. The user can quickly preview data from the evidence source without running any Extract Data processes or choose to run only selected Extract Data processes at the time of ingestion. If the examiner is looking for a specific type of data, especially on cases with multiple devices, extracting the data they are looking for can reduce the processing required by focusing in on the devices with relevant data. The Extract Data processes not run during initial evidence processing are available to run later from ‘Evidence Status.’

Evidence Status Update

The Evidence Status view has changed, with a clearer view for each volume and its associated processing options. Instead of a table-like listing with columns associated with each process, each volume or device has an area displaying the status for all of its processing options. The same icons are used to depict the status of each process.

Windows Artifacts Parsed in Actionable Intel

Additional Windows artifacts are now parsed in Actionable Intel. The addition of these artifacts prompted a redesign of the [Actionable Intel] tab. Previous versions relied on sub-tabs to access information such as Device Connections and Device Backups. The new design provides a list of the parsed Actionable Intel items on the left side of the ‘Content Pane.’ Information can be accessed and displayed by selecting the desired category from the list.

Full Disk Decryption with Passware

Continuing to partner with other industry leaders, Passware has been integrated into BlackLight 2019 R3. Currently, images with the following types of full disk encryption can be decrypted with the proper decryption credentials:

– BitLocker
– FileVault 2
– LUKS (Linux Unified Key Setup)

When an image file using one of these encryption types is added to BlackLight, it is identified as a locked partition.

Apple Unified Logs

Starting in macOS 10.12, Apple changed to a new log format, unified logs. The reason for moving to this format was to have a common log format across all Apple operating systems including macOS, iOS, watchOS, and tvOS. With the release of BlackLight 2019 R3, unified logs are parsed with the ‘OS Event / Security Logs’ initial processing option or ‘Events/Logs’ from ‘Evidence Status’ for macOS devices.

The amount of data stored in unified logs is massive. During periods of intense activity, 10,000 records can be added to the logs in a minute, so a single system can easily hold millions of records. Loading millions of records into the BlackLight graphical user interface and manually reviewing them could take a significant amount of time. To perform a more efficient analysis of unified log records, filter for data of interest.
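As an added illustration of the filtering approach described above (this is example code, not part of BlackLight or the original release notes), the script below narrows a unified log export to a subsystem, message type and time window, then counts records per process. The input is a constructed sample in the shape of `log show --style ndjson` output from the macOS `log` tool; the field names are assumed to match that tool and the values are invented.

```python
import json
from datetime import datetime

# Constructed sample: one JSON object per line, in the shape of
# `log show --style ndjson` output. Field names are assumed; values are invented.
SAMPLE_NDJSON = """\
{"timestamp": "2019-11-04 09:12:01.000100-0800", "subsystem": "com.apple.securityd", "category": "authorization", "processImagePath": "/usr/libexec/securityd", "processID": 112, "messageType": "Default", "eventMessage": "Authorization granted for right system.login.console"}
{"timestamp": "2019-11-04 09:12:03.250000-0800", "subsystem": "com.apple.sharing", "category": "AirDrop", "processImagePath": "/usr/libexec/sharingd", "processID": 340, "messageType": "Info", "eventMessage": "Discovered peer"}
{"timestamp": "2019-11-04 09:15:45.000000-0800", "subsystem": "com.apple.securityd", "category": "authorization", "processImagePath": "/usr/libexec/securityd", "processID": 112, "messageType": "Error", "eventMessage": "Authorization denied for right system.preferences"}
{"timestamp": "2019-11-04 10:02:00.000000-0800", "subsystem": "com.apple.loginwindow", "category": "session", "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", "processID": 98, "messageType": "Default", "eventMessage": "User logged out"}
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"  # e.g. 2019-11-04 09:12:01.000100-0800


def parse_ts(text):
    """Turn the tool's timestamp string into a timezone-aware datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_records(ndjson_text):
    """Parse one record per non-empty line; attach a parsed 'ts' datetime."""
    records = []
    for line in ndjson_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = parse_ts(rec["timestamp"])
            records.append(rec)
    return records


def filter_records(records, subsystem=None, message_types=None, start=None, end=None):
    """Keep records matching an exact subsystem, a set of messageType values
    (Debug/Info/Default/Error/Fault) and an inclusive [start, end] window."""
    kept = []
    for rec in records:
        if subsystem and rec.get("subsystem") != subsystem:
            continue
        if message_types and rec.get("messageType") not in message_types:
            continue
        if (start and rec["ts"] < start) or (end and rec["ts"] > end):
            continue
        kept.append(rec)
    return kept


def count_by_process(records):
    """Record volume per process image: a cheap first look before reading messages."""
    counts = {}
    for rec in records:
        path = rec.get("processImagePath", "?")
        counts[path] = counts.get(path, 0) + 1
    return counts
```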

To learn more about these features and additional enhancements, visit www.blackbagtech.com/products/blacklight or read the release notes here.

For more information, watch BlackBag’s on-demand webinar to see how to quickly triage systems with new BlackLight features and the integration with Passware Kit Forensic. Register here.

About BlackBag Technologies:

BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com or email [email protected].
