BlackBag’s BlackLight Used to Solve Mass Shooting

In the days following a mass shooting at a mall in Columbia, Maryland, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The analysis was performed with the assistance of BlackBag’s BlackLight software. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation that led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

BlackBag Technologies’ BlackLight, software that quickly analyzes computer volumes and mobile devices and allows for easy searching and filtering through large data sets, was used to make key discoveries that led to solving a mass shooting investigation.

On January 25, 2014, 19-year-old Darion Aguilar exited a dressing room armed with a shotgun and began shooting at The Mall in Columbia, located in the suburbs of Baltimore, Maryland. Before ultimately killing himself, he killed two young victims and injured five other innocent people.


Now Director of Digital Forensics at IntelliGenesis LLC, Dave Proulx was the lead Digital Forensic Examiner Detective on the case at the time. “The process of not only extracting SQLite databases, in a forensically sound way, then separately analyzing each using a third-party tool, is an extremely exhausting process,” explains former Detective Dave Proulx. “If you’re relying solely on the parsed information supported by the tool, you’re potentially missing key information and evidence of the unsupported apps,” Proulx added.




Using BlackLight, Mr. Proulx located and analyzed application data that even today would fall into the category of the thousands of unsupported apps that are not parsed by any tool. Using the SQLite viewer and query features built into BlackLight, Detective Proulx determined that the shooter used apps on his iPhone to plot his journey to the Columbia Mall, mixing public and private transportation.

“In an age where a smartphone can have 60, or more DB files (database), the ability to analyze and query these databases without using third-party software or running scripts is, unfortunately, a rare find. It’s still hard to find these features (since Jan. 2014) in some of the more popular forensic and eDiscovery products,” former Detective Proulx explained.

BlackLight is also a useful tool for identifying apps and other online services that may not be known to the investigation. Usernames and profile IDs are right there in the plists and databases of many mobile apps such as Snapchat, WhatsApp, Facebook, Twitter, Dropbox, and even Tumblr.

In December of 2013 (the month before the shooting), the shooter’s iPhone received the first iOS release which introduced the iCloud backup option. Previously, this feature was only available on iTunes. Detective Proulx explained that it was extremely beneficial to be able to use BlackLight to analyze an iCloud backup which had been created the night before the shooting. Combining the iPhone acquisition with the backups from the cloud and his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter’s online activities and research.

In the Columbia Mall shooting, like so many other cases, BlackBag’s BlackLight software helped Howard County Police in Maryland provide closure for the community and the families of the victims: 21-year-old Brianna Benlolo and 25-year-old Tyler Johnson.

About BlackBag Technologies:

BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.
