BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. BlackBag has enhanced features added earlier this year to make them even more powerful in solving cases.
– New Processing options to help triage data
– Parsing of Apple Unified Logs
– New Windows Artifacts Parsed in Actionable Intel
– Passware Integration to decrypt images of devices with full disk encryption
– Redesign of File Filters enabling the creation of complex file filters
– Additional support for processing Cellebrite extractions
– Support added to process macOS 10.15 Time Capsule backups
– Updates to parse artifacts in the latest versions of Firefox, Chrome, and Safari
– Redesign of the Evidence Status View
Processing Options – Triaging Devices
One of the greatest features of BlackLight is the location and extraction of data interest, parsed into the [Actionable Intel], [Communication], [Locations], [Internet], [Productivity], and [System] tabs. This allows quick access to high value data. In previous versions of BlackLight, during initial data ingestion, “Normalizing” would appear in Evidence Status indicating data was being extracted to populate these BlackLight views. The user had no control over which data was processed.
BlackLight 2019 R3 allows the user to choose exactly what data will be extracted, allowing greater flexibility when processing data. The user can quickly preview data from the evidence source without running any Extract Data processes or choose to run only selected Extract Data processes at the time of ingestion. If the examiner is looking for a specific type of data, especially on cases with multiple devices, extracting the data they are looking for can reduce the processing required by focusing in on the devices with relevant data. The Extract Data processes not run during initial evidence processing are available to run later from ‘Evidence Status.’
Evidence Status Update
The Evidence Status view has changed, with a clearer view for each volume and its associated processing options. Instead of a table-like listing with columns associated with each process, each volume or device has an area displaying the status for all of its processing options. The same icons are used to depict the status of each process.
Windows Artifacts Parsed in Actionable Intel
Additional Windows Artifacts are now parsed in Actionable Intel. The addition of these artifacts prompted a redesign of the [Actionable Intel] tab. Previous versions relied on sub-tab to access information like Device connections and Device Backups. The new design provides a list of Actionable Intel items parsed on the left side of the ‘Content Pane.’ Information can be accessed and displayed by selecting the desired category from the list.
Full Disk Decryption with Passware
Continuing to partner with other industry leaders, Passware has been integrated into BlackLight 2019 R3. Currently, images with the following types of full disk encryption can be decrypted with the proper decryption credentials:
– FileVault 2
– LUKS (Linus Unified Key Setup)
When an image file using one of these encryption types is added to BlackLight, it is identified as a locked partition.
Apple Unified Logs
Starting in macOS 10.12, Apple changed to a new log format, unified logs. The reason for moving to this format was to have a common log format across all Apple operating systems including macOS, iOS, watchOS, and tvOS. With the release of BlackLight 2019 R3, unified logs are parsed with the ‘OS Event / Security Logs’ initial processing option or ‘Events/Logs’ from ‘Evidence Status’ for macOS devices.
The amount of data stored in Unified Logs is massive. During times of intense activity, 10,000 records can be added to the logs in a minute. This can result in millions of records in Unified Logs. Loading millions of records into the BlackLight graphical user interface and manually reviewing them could take a significant amount of time. To perform a more efficient analysis of Unified Log records, filter for data of interest.
For more information, watch BlackBag’s on-demand webinar to see how to quickly triage systems with new BlackLight features and the integration with Passware Kit Forensic. Register here.
About BlackBag Technologies:
BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com or email [email protected].