BlackBag’s BlackLight Used to Solve Mass Shooting

In the days following a mass shooting at a mall in Columbia, Maryland, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The digital forensic analysis was performed with the assistance of BlackBag’s BlackLight software. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation which led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

BlackBag Technologies’ BlackLight, software that quickly analyzes computer volumes and mobile devices and allows for easy searching and filtering through large data sets, was used to make key discoveries that led to solving a mass shooting investigation.

On January 25, 2014, 19-year-old Darion Aguilar exited a dressing room armed with a shotgun and began shooting at The Mall in Columbia, located in the Baltimore, Maryland suburbs. Before ultimately killing himself, he killed two young victims and injured five other innocent people.

Now Director of Digital Forensics at IntelliGenesis LLC, Dave Proulx was the lead Digital Forensic Examiner Detective on the case at the time. “The process of not only extracting SQLite databases, in a forensically sound way, then separately analyzing each using a third-party tool, is an extremely exhausting process,” explains former Detective Dave Proulx. “If you’re relying solely on the parsed information supported by the tool, you’re potentially missing key information and evidence of the unsupported apps,” Proulx added.


Using BlackLight, Mr. Proulx located and analyzed application data from apps that even today would fall among the thousands of unsupported apps that are not parsed by any tool. Using the SQLite viewer and query features built into BlackLight, Detective Proulx determined that the shooter used apps on his iPhone to plot his journey to the Columbia Mall, mixing public and private transportation.

“In an age where a smartphone can have 60 or more db files (databases), the ability to analyze and query these databases without using third-party software or running scripts is, unfortunately, a rare find. It’s still hard to find these features (since Jan. 2014) in some of the more popular forensic and eDiscovery products,” former Detective Proulx explained.

BlackLight is also a useful tool for identifying apps and other online services that may not yet be known to the investigation. Usernames and profile IDs are stored in the plists and databases of many mobile apps, such as Snapchat, WhatsApp, Facebook, Twitter, Dropbox, and even Tumblr.

In December of 2013 (the month before the shooting), the shooter’s iPhone received the first iOS release which introduced the iCloud backup option. Previously, this feature was only available on iTunes. Detective Proulx explained that it was extremely beneficial to be able to use BlackLight to analyze an iCloud backup which had been created the night before the shooting. By combining the iPhone acquisition with backups from the cloud and from his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter’s online activities and research.

In The Columbia Mall shooting, like so many other cases, BlackBag’s BlackLight software helped Howard County Police in Maryland provide closure for the community and the families of the victims: 21-year-old Brianna Benlolo and 25-year-old Tyler Johnson.
To read the full case study, as well as many other case scenarios, visit BlackBag’s website here.

About BlackBag Technologies:

BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with criminal, civil, and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.
