BlackBag® helps Saskatoon Police Service put a criminal behind bars

BlackBag® Technologies’ premier digital forensic software, BlackLight®, helped put a man convicted of possessing 450 child pornography images behind bars. Marcel Cole Beuker, whose trial was held in March of this year, claimed the images found on a hard drive connected to his iMac were not his. It took the Saskatchewan Internet Child Exploitation (ICE) unit three long years to bring him to justice, but their diligent work secured a conviction. Beuker received an 18-month sentence, plus 4 months for disobeying release conditions.

During the trial, BlackLight®’s .fseventsd feature figured prominently. The ICE unit had their work cut out for them, as Beuker was an experienced programmer and very tech savvy. Using tools including BlackLight®, they were able to show that almost all of the communication originated from the accused’s system and from no other devices. Once they had captured and analyzed this evidence, the next hurdle was explaining it to the judge. A sergeant in the ICE unit stated: “what really did it for me was BlackLight allowed me to do in 2 days what it regularly took me 2 months to do back in 2013-15 with [other digital forensic software]. Not only did it help me interpret what I was looking at; it also created the report for me in an interface that a … judge could understand.” The judge agreed that Beuker was solely responsible.

Judge Scherman of the Queen’s Bench provided a well-written decision that cites BlackLight® as the digital forensics tool used to prove guilt in multiple instances. One tactic was to demonstrate that Beuker had renamed child pornography files. As stated in Judge Scherman’s decision, “the Blacklight analysis showed that files within Danger Zone (Danger Zone is a DMG) were being manipulated in various ways including changing names.”

Even more damning was the ICE unit’s ability to prove Beuker’s knowledge of the files in question. Beuker had installed programs to delete items from his hard drive, as well as ones to provide notifications upon download; he admitted that both would execute only with user permission. According to the court statement, “he knew these programs kept logs, and he knew how to delete their logs and such logs were largely deleted (except for background logs ultimately revealed by a forensic program called Blacklight).”


A more detailed explanation appears in paragraph 35 of Judge Scherman’s written decision: “In addition, metadata was acquired from PE9 using a forensic program called Blacklight.” Using the com.apple.quarantine extended attribute, BlackLight® was able to prove that the specific file(s) in question were downloaded and quarantined, and that their existence was acknowledged by the user before the download completed.
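As an added illustration (not code from this page or from BlackBag), a small parser for the com.apple.quarantine attribute the decision relies on. The value is a semicolon-separated record: flags in hex, a hex Unix timestamp, the agent that performed the download, and an optional event UUID that keys the matching row in the user's LaunchServices QuarantineEventsV2 database. The sample values below are constructed.

```python
from datetime import datetime, timezone

# Constructed sample values, in the form printed by
# `xattr -p com.apple.quarantine <file>`; illustrative only, not from the case above.
SAMPLES = {
    "browser_download": "0081;5c9e3f10;Safari;3A2B1C0D-4E5F-4A6B-8C7D-9E0F1A2B3C4D",
    "empty_uuid": "0083;5c9e4000;Chrome;",       # trailing field present but empty
    "three_fields": "0002;5c9e3000;Finder",      # UUID field absent entirely
}


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its fields.

    Layout: flags(hex);timestamp(hex Unix seconds);agent;event UUID.
    The UUID may be empty or missing; when present it links the file to the
    QuarantineEventsV2 row that stores the download and origin URLs.
    """
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    epoch = int(fields[1], 16)
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return {
        "flags": int(fields[0], 16),
        "epoch": epoch,
        "timestamp_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": fields[2],
        "event_uuid": uuid,
    }


def quarantine_timeline(values: dict) -> list:
    """Order several parsed attributes by quarantine time, as rows for a report."""
    rows = [(name, parse_quarantine(v)) for name, v in values.items()]
    rows.sort(key=lambda r: r[1]["epoch"])
    return [(name, r["timestamp_utc"], r["agent"], r["event_uuid"]) for name, r in rows]


if __name__ == "__main__":
    for name, ts, agent, uuid in quarantine_timeline(SAMPLES):
        print(f"{ts}  {agent:8s}  {uuid or '-':36s}  {name}")
```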

The Saskatoon Police Service did a remarkable job in bringing down a child pornography criminal, and BlackBag® is thankful to be one of the tools in their arsenal. Our mission is to reveal the truth in data in order to create a safer world.

About the Company

BlackBag® Technologies is a developer of innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices. The company’s flagship product, BlackLight, has been adopted worldwide by many digital forensics examiners as a primary analysis tool. Mobilyze, BlackBag®’s groundbreaking mobile device triage tool, empowers virtually all law enforcement personnel, with or without specialized experience, to capably triage and report on data from smartphones.

To learn more about BlackBag®’s software and training, please contact us at 855-844-8890, or visit us at blackbagtech.com.


Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run.

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems.

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/
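A minimal version of the profiling idea described in the abstract, added here as an example and not the paper's own framework: it pins a file's atime and mtime to a known past value, performs one file operation, reports which of A, M and C moved, and checks the result against what POSIX requires. It assumes a Linux or other Unix-like host with a writable temp directory.

```python
import os
import tempfile
import time

# Pinned atime/mtime far in the past (2001-09-09 UTC) so any update is unmistakable.
PAST_NS = 1_000_000_000 * 10**9

def _stamps(path):
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}

def profile_operation(operation):
    """Create a fresh file, pin A and M, run operation(path) and report which of
    A/M/C changed. Birth time (the B of MACB) is not exposed by os.stat on Linux."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, ns=(PAST_NS, PAST_NS))  # ctime cannot be set from user space
        before = _stamps(path)
        time.sleep(0.05)  # kernel timestamps have tick granularity; lets a ctime bump show
        after = _stamps(operation(path) or path)
        return {k: before[k] != after[k] for k in before}

# Operations under test; an operation returns the new path when it moves the file.
def op_append(path):
    with open(path, "a") as fh:
        fh.write("more\n")

def op_rename(path):
    dst = path + ".renamed"
    os.rename(path, dst)
    return dst

def op_chmod(path):
    os.chmod(path, 0o600)

OPERATIONS = {"append": op_append, "rename": op_rename, "chmod": op_chmod}
# POSIX requirements checked: a write updates M but not A; rename and chmod leave
# A and M alone. C is reported only, since its exact behaviour varies by system.
EXPECTED = {"append": {"atime": False, "mtime": True},
            "rename": {"atime": False, "mtime": False},
            "chmod": {"atime": False, "mtime": False}}

def run_profile():
    """Return per-operation change flags and the names of non-compliant operations."""
    results = {name: profile_operation(op) for name, op in OPERATIONS.items()}
    bad = [n for n, exp in EXPECTED.items() if any(results[n][k] != v for k, v in exp.items())]
    return results, bad
```

Calling run_profile() returns a table of which timestamps each operation touched plus the list of operations that departed from the POSIX expectation; extending OPERATIONS and EXPECTED is how further cases are profiled.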


A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems

Forensic Focus 21st June 2022 5:00 am