BlackBag Announces Release Of BlackLight 2019 R3


BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. BlackBag has enhanced features added earlier this year to make them even more powerful in solving cases.

Enhancements and Improvements include:

– New Processing options to help triage data
– Parsing of Apple Unified Logs
– New Windows Artifacts Parsed in Actionable Intel
– Passware Integration to decrypt images of devices with full disk encryption
– Redesign of File Filters enabling the creation of complex file filters
– Additional support for processing Cellebrite extractions
– Support added to process macOS 10.15 Time Capsule backups
– Updates to parse artifacts in the latest versions of Firefox, Chrome, and Safari
– Redesign of the Evidence Status View

New Feature Highlights:

Processing Options – Triaging Devices

One of the greatest features of BlackLight is the location and extraction of data of interest, parsed into the [Actionable Intel], [Communication], [Locations], [Internet], [Productivity], and [System] tabs. This allows quick access to high value data. In previous versions of BlackLight, during initial data ingestion, “Normalizing” would appear in Evidence Status indicating data was being extracted to populate these BlackLight views. The user had no control over which data was processed.

BlackLight 2019 R3 allows the user to choose exactly what data will be extracted, allowing greater flexibility when processing data. The user can quickly preview data from the evidence source without running any Extract Data processes or choose to run only selected Extract Data processes at the time of ingestion. If the examiner is looking for a specific type of data, especially on cases with multiple devices, extracting the data they are looking for can reduce the processing required by focusing in on the devices with relevant data. The Extract Data processes not run during initial evidence processing are available to run later from ‘Evidence Status.’


Evidence Status Update

The Evidence Status view has changed, with a clearer view for each volume and its associated processing options. Instead of a table-like listing with columns associated with each process, each volume or device has an area displaying the status for all of its processing options. The same icons are used to depict the status of each process.

Windows Artifacts Parsed in Actionable Intel

Additional Windows Artifacts are now parsed in Actionable Intel. The addition of these artifacts prompted a redesign of the [Actionable Intel] tab. Previous versions relied on sub-tabs to access information like Device connections and Device Backups. The new design provides a list of Actionable Intel items parsed on the left side of the ‘Content Pane.’ Information can be accessed and displayed by selecting the desired category from the list.

Full Disk Decryption with Passware

Continuing to partner with other industry leaders, Passware has been integrated into BlackLight 2019 R3. Currently, images with the following types of full disk encryption can be decrypted with the proper decryption credentials:

– BitLocker
– FileVault 2
– LUKS (Linux Unified Key Setup)

When an image file using one of these encryption types is added to BlackLight, it is identified as a locked partition.

Apple Unified Logs

Starting in macOS 10.12, Apple changed to a new log format, unified logs. The reason for moving to this format was to have a common log format across all Apple operating systems including macOS, iOS, watchOS, and tvOS. With the release of BlackLight 2019 R3, unified logs are parsed with the ‘OS Event / Security Logs’ initial processing option or ‘Events/Logs’ from ‘Evidence Status’ for macOS devices.

The amount of data stored in Unified Logs is massive. During times of intense activity, 10,000 records can be added to the logs in a minute. This can result in millions of records in Unified Logs. Loading millions of records into the BlackLight graphical user interface and manually reviewing them could take a significant amount of time. To perform a more efficient analysis of Unified Log records, filter for data of interest.

To learn more about these features and additional enhancements, visit www.blackbagtech.com/products/blacklight or read the release notes here.

For more information, watch BlackBag’s on-demand webinar to see how to quickly triage systems with new BlackLight features and the integration with Passware Kit Forensic. Register here.

About BlackBag Technologies:

BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com or email [email protected].
