BlackLight 2016 R1 – The Examiner’s Windows, Mac, iPhone and Android Solution

BlackLight 2016 R1 represents much more than new features and bug fixes. Our vision for BlackLight has always been a cost-effective forensic solution for law enforcement that just works.

A solution that:
– Analyzes 90% of your caseload (Windows, Mac, iPhone and Android)
– Does not require a $6,000 workstation to run
– Does not require a month of expensive training to learn or a computer science degree to use
– Gets you immediate, actionable results (not processing for days or weeks)We recognize budgets are beyond tight. We understand that mandatory rotations happen, moving out experienced examiners and requiring new examiners to come up to speed immediately. We also know that BlackLight will have limitations and won’t be perfect – no software is. It’s why we have an awesome Forensic Analyst and Instructor team ( with years of forensic experience and strong technical backgrounds to offer free training and free support ( in the field. They are one call away for any questions or challenges. For all you BlackLight customers, we think you will appreciate the new features described below. If you are sick and tired of the status quo, we hope you will give BlackLight a try as your primary tool.

New in 2016 R1:

Windows Memory Analysis: While memory forensics is not yet mainstream, we think it will be soon, and the memory technology we have built is incredibly fast. It’s literally 2-3,000 times faster than traditional open-source forensic tools, giving examiners results in seconds, not minutes or hours. It analyzes raw dumps, hiberfil.sys (Hibernation file, from Vista or 7), pagefile.sys, and crash dumps (full, from Vista or 7). For these Windows memory files, BlackLight performs file carving and bulk extraction content searches (for numerous items such as URLs, addresses, phone numbers, etc.). There’s also a new ‘Memory’ subview dedicated specifically to memory file artifacts (processes, libraries, sockets, handles, and drivers). By the way, we know you Mac purists want Mac memory, and that’s also in the works. This is the very first release of our memory technology with much more to come.

Volume Shadow Copies: BlackLight now parses Volume Shadow Copies (VSCs) for Windows volumes, and it allows examiners to analyze them in a novel, intuitive way. BlackLight does not merely show files with VSCs and mount them for viewing. Versatile search and filtering options for the VSCs are included, so examiners can effectively explore this invaluable data, much of which the user may have believed was deleted. BlackLight examiners have the ability to view each VSC’s contents separately, or together in a comparative view with variants from other VSCs and the active volume.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Parsing of Valuable Log Files: On the Mac side, BlackLight now parses file system events from the .fseventsd folders. Although these system events may be deleted by the system over a short period of time, their usefulness cannot be overstated. Every volume that can be written to by the HFS+ file system will contain this .fseventsd data, even a FAT32 flash drive that was connected to a Mac. As of 2016 R1, BlackLight also has the ability to parse $LogFile (disk activity) and $USNJRNL (change journal) files for Windows volumes. These log files can shed light on disk activity, potentially giving the examiner a much clearer picture of the events that have taken place on the Windows volume. There’s no longer a need to use additional tools or scripts to parse these log files – BlackLight allows for analysis of the contents within the native application.

Custom SQLite Queries: SQLite databases are becoming more and more common on both Windows and Mac platforms. BlackLight now allows for queries to be run on SQLite databases. This new feature is especially useful for analyzing SQLite database content that is not already parsed and displayed in specific BlackLight views.

Tons of Bug Fixes and Improvements: including location data for OS X 10.9 and 10.10; more parsing of social media communications data (e.g., Swarm, Tango); and the ability for Windows examiners to map a BlackLight case to any chosen volume letter, thus avoiding the Windows file path character limit and improving performance.

In a nutshell, we’ve added significant new functionality to BlackLight over the past several years (Windows, Android, and now memory features) with much more lined up for 2016. This is a big release for us, and we hope you agree that BlackLight has truly emerged as a primary analysis tool across all major platforms. This is the start of a lot of great things to come, and we look forward to your feedback as always!


Carpe Datum,
The BlackBag Team

Leave a Comment

Latest Articles