BlackBag’s BlackLight 2016 R3 is Now Available!

BlackBag Technologies is pleased to announce the third major release of BlackLight for 2016. This comprehensive Windows, Android, iPhone/iPad and Mac forensic analysis software just keeps getting better. Update your software now!

BlackLight 2016 R3 implements several new features and improvements, including the following:

– Windows 8 and 10 hiberfil.sys and Raw Memory Parsing, Searching, and Analysis
– Windows Event Log and Apple System Log Parsing and Analysis
– iOS and OS X Recents Database Parsing
– Additional iOS 10 Encrypted Backup Support
– New Data Structure Templates
– Windows Hash Set Included
– Type-down Feature in List Views
– Go To Position (Offset) in Hex View
– Internet History Parsing for Internet Explorer 10, 11, and Edge
– Social Media Parsing of ooVoo, Kik attachments, iOS Message GPS
– Time Machine Folder Hard Links Now Resolved


View a more detailed description of the features on our blog or attend our webinar for a live demonstration.

WINDOWS 8 AND 10 MEMORY PARSING, SEARCHING AND ANALYSIS
Up until now no one has figured out how to parse Windows 8 and 10 memory and extract meaningful data. BlackLight 2016 R3 can now provide a wealth of information previously unavailable. These memory files are parsed within the “Advanced Processing Options” in the same manner as with Windows Vista and 7.

Just as with earlier versions of BlackLight, files can be carved from within these Windows 8 and 10 memory files and revealed in BlackLight’s Browser view. Searches are run for important items of interest such as internet searches, Facebook addresses, internet domains, phone and credit card numbers, and more.

Both Windows and Apple Operating Systems have system logging functionality used to record events. Windows event logs are typically maintained in three files: Application, System, and Security. Windows Vista and later use the XML Event log format (EVTX). Events of interest can be found by browsing, using the Find function, and using the View Filter.

Apple System Logs are binary files controlled by a system daemon. ASL logs are stored in private/var/log/asl/ and other directories, but information can also be output to the system.log. Here, we use the Find function to look for the term “iCloud”. The full information for any system log is revealed in the Full Fields Content view.

BlackLight shows the “Recents” information that iOS and OS X capture within their databases. The information is revealed in BlackLight’s Mail, Messages, Contacts and Location Views. Some of the more interesting items are recently e-mailed addresses (including ones that are not recorded in the “Contacts” app). In the “Contacts” and “Recents” tables are contact points that can be lined up with the “Recents” table to see when the last 5 communications were between individuals and groups. The metadata table contains metadata from recent communications as well. Here we see the “Recents” information, as seen within an iPhone’s messages.

Depending on which data type is being reviewed, BlackLight’s existing ability to reveal “deleted” records in sqlite databases can show information that no longer exists within the database’s active records.

Apple has changed the method by which it protects iOS backups with iOS 10 and iOS 10.1. BlackLight handles both of these methods, but you must know the user’s password in order to decrypt. It is important to note that AFC is no longer available with iOS 9 and 10 and the only way to get data from the device is by forcing a backup through BlackLight or using iTunes.

BlackBag is supplying templates for parsing MFT records, HFS Catalog records, partition tables, boot sectors, and various file types. Templates for ZIP, TAR, BMP, JPG, GIF, PNG, AVI, MP4, and LNK files are included. As an example, when a zip archive is located, the Data Structure view shows each file that is a part of the archive, as well as the file system date associated with each file. With the file of interest highlighted in the Browser view, we go to the Hex view and select Data Structure.

In this example, a zip archive was created from several pictures. As shown, the Data Structure view provides the file name of each file, date and time attributes, and additional information about each file contained in the zip. When a particular field is highlighted, its corresponding information in both the Hex and ASCII windows is highlighted so it can easily be located by the examiner. Similarly, if the user selects data in Hex, the corresponding Data Structure item will be highlighted.
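To show what such a field-to-hex mapping involves for a ZIP archive, the following added example (not BlackBag's code or template format) walks the ZIP central directory and returns each file's name, decoded MS-DOS timestamp, and the byte offset and length of those fields in the raw data. The sample archive, its file names and the function names are constructed for illustration.

```python
import io
import struct
import zipfile
from datetime import datetime

CEN_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record

def dos_datetime(date, time):
    """Decode 16-bit MS-DOS date/time fields (local time, 2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_central_directory(data):
    """Return one record per archived file, with (offset, length) of key fields."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    records = []
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        flags, = struct.unpack_from("<H", data, pos + 8)
        mtime, mdate, _crc, _csize, usize, nlen, xlen, clen = struct.unpack_from(
            "<HHIIIHHH", data, pos + 12)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        encoding = "utf-8" if flags & 0x0800 else "cp437"  # bit 11: UTF-8 names
        records.append({
            "name": data[pos + 46:pos + 46 + nlen].decode(encoding),
            "modified": dos_datetime(mdate, mtime),
            "size": usize,
            "local_header_offset": local_off,
            "fields": {"mod_time": (pos + 12, 2), "mod_date": (pos + 14, 2),
                       "file_name": (pos + 46, nlen)},
        })
        pos += 46 + nlen + xlen + clen  # advance to the next header
    return records

def build_sample():
    """Constructed sample: a two-file archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("IMG_0001.jpg", (2016, 12, 1, 9, 30, 14)), b"\xff\xd8demo")
        zf.writestr(zipfile.ZipInfo("IMG_0002.jpg", (2016, 12, 2, 18, 5, 42)), b"\xff\xd8demo2")
    return buf.getvalue()

if __name__ == "__main__":
    for rec in parse_central_directory(build_sample()):
        print(rec["name"], rec["modified"], rec["fields"])
```

The ZIP timestamp fields carry no time zone and only two-second resolution, which matters when correlating them with file system timestamps.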

Learn more information about the new features by attending our webinar on December 14th at 9am PST.

About the Company

BlackBag Technologies is a developer of innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices. The company’s flagship product, BlackLight, has been adopted worldwide by many digital forensics examiners as a primary analysis tool. Mobilyze, BlackBag’s groundbreaking mobile device triage tool, empowers virtually all law enforcement personnel, with or without specialized experience, to capably triage and report on data from smartphones.

In addition to software, BlackBag also develops and delivers expert forensic training and certification programs, designed to meet the needs of law enforcement, military and private sector examiners. Taught by an elite team with considerable law enforcement and digital forensics experience, the courses are tailored to address realistic, multi-platform scenarios simulating the daily challenges of digital evidence.

To learn more about BlackBag®’s software and training, please contact us at 855-844-8890, or visit us at
