BlackBag’s BlackLight Used to Solve Mass Shooting

In the days following a mass shooting at a mall in Columbia, Maryland, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The digital forensic analysis was performed with the assistance of BlackBag’s BlackLight software. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation which led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

BlackBag Technologies’ BlackLight, software that quickly analyzes computer volumes and mobile devices and allows for easy searching and filtering through large data sets, was used to make key discoveries that led to solving a mass shooting investigation.

On January 25, 2014, 19-year-old Darion Aguilar exited a dressing room armed with a shotgun and began shooting at The Mall in Columbia, located in the Baltimore, Maryland suburbs. Before ultimately killing himself, he killed two young victims and injured five other innocent people.

After the incident, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The digital forensic analysis was performed with the assistance of BlackLight. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation which led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

Now Director of Digital Forensics at IntelliGenesis LLC, Dave Proulx was the lead Digital Forensic Examiner Detective on the case at the time. “The process of not only extracting SQLite databases, in a forensically sound way, then separately analyzing each using a third-party tool, is an extremely exhausting process,” explains former Detective Dave Proulx. “If you’re relying solely on the parsed information supported by the tool, you’re potentially missing key information and evidence of the unsupported apps,” Proulx added.



Using BlackLight, Mr. Proulx located and analyzed application data that even today would fall into the category of the thousands of unsupported apps which are not parsed by any tool. Using the SQLite viewer and query features built into BlackLight, Detective Proulx determined that the shooter used apps on his iPhone to plot his journey to the Columbia Mall, mixing public and private transportation.

“In an age where a smartphone can have 60, or more DB files (database), the ability to analyze and query these databases without using third-party software or running scripts is, unfortunately, a rare find. It’s still hard to find these features (since Jan. 2014) in some of the more popular forensic and eDiscovery products,” former Detective Proulx explained.

BlackLight is also a great tool for identifying apps and other online services that may not be known to the investigation. Usernames and profile IDs are right there in the plists and databases of many mobile apps such as Snapchat, WhatsApp, Facebook, Twitter, Dropbox, and even Tumblr.

In December of 2013 (the month before the shooting), the shooter’s iPhone received the first iOS release which introduced the iCloud backup option. Previously, this feature was only available on iTunes. Detective Proulx explained that it was extremely beneficial to be able to use BlackLight to analyze an iCloud backup which had been created the night before the shooting. By combining the iPhone acquisition with backups from the cloud and his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter’s online activities and research.

In The Columbia Mall shooting, like so many other cases, BlackBag’s BlackLight software helped Howard County Police in Maryland provide closure for the community and the families of the victims: 21-year-old Brianna Benlolo and 25-year-old Tyler Johnson.

About BlackBag Technologies:

BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.
