BlackLight 2018 R2 is officially released and is now available. This release includes the top three most popular customer requests and provides new support for Spotlight artifacts.
What's New and Improved?
– Ability to view and filter across multiple devices
– Enhanced email support for EMLX parts and email reporting
– Auto-adjust time zones for Daylight Saving Time
– Ability to parse macOS Spotlight Indexes
To learn more about the latest BlackLight release and watch a five minute features overview video, click here.
BlackLight now supports viewing data from multiple devices at the same time without having to change selected devices. Each evidence item is associated with a colored badge number.
To see data from a specific item within any BlackLight view, the checkbox next to the desired volume must be selected. If the checkbox is not selected, that item will not appear in any view.
Likewise, the ‘File Filter’ view will show the numbered badge in the first column for each responsive item. Every view within BlackLight will work this same way.
BlackLight now gives you the ability to parse macOS Spotlight indexes. Spotlight is a system-wide search feature of the macOS and iOS operating systems. It was designed to allow the user to quickly locate a wide variety of items on the computer, including documents, pictures, music, applications, and System Preferences.
The ‘Spotlight Parsing’ option can be selected under ‘Advanced Options’ in the ‘Add Evidence’ window or within the ‘Evidence Status’ window.
The Spotlight index items can be located within the ‘Metadata’ tab of the ‘File Content Viewer’ for any item in a macOS or iOS volume. All of the items will exist under the Spotlight heading within the metadata.
In addition to appearing in the ‘Metadata’ view, these Spotlight index fields can be filtered on within the ‘Filter’ view.
BlackLight has supported various types of email parsing, and this release improves support for Apple's EMLX and EMLX partial files. EMLX is an Apple Mail message file format used to store an email message. These are plain text files that each store a single email message. EMLXPART files are also used by Apple Mail, but as attachment files rather than as the actual email files. The emails will show the typical context instead of the header information, and the attachments will be automatically included.
IMPORTANT NOTE: In order to render the attachments in the report a preference option must be enabled. It is off by default as it can slow down the report generation for very large reports.
When the report is generated the email can be seen as well as previewed by clicking on the Preview link. This will show the email as the user saw it. Any attachments can also be seen in the preview of the report as well as the attachment link.
File system permissions in NTFS are controlled with Access Control Lists (ACLs). Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user’s groups, and the user’s privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session. This information is now displayed for NTFS files and folders.
BlackLight has always allowed time zones to be changed case-wide; however, it never accounted for time shifts in places that observe daylight saving time. Manually adjusting times by plus or minus hours, and even minutes, can be laborious and error-prone. BlackLight now recognizes daylight saving time shifts for different parts of the world. Change the case time zone display, which is now based on the zoneinfo database, to the desired time zone in the ‘Case Info’ view, and all dates and times will automatically be adjusted accordingly.
From time to time Apple changes storage formats for certain things. The new format for timestamps on iOS 11 and macOS 10.13 (High Sierra) changed from 9 digits to 18 digits for some date columns. BlackLight will now support these longer nanosecond timestamps when they are encountered.
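The two changes described above, zoneinfo-based display with daylight saving time and the longer timestamps, can be illustrated together. This is an added example, not BlackLight's code: it assumes the date columns hold Mac absolute time (a count starting at 2001-01-01 00:00:00 UTC), uses the digit count as a heuristic for the unit, and the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # IANA zoneinfo database (Python 3.9+)

# Assumption: the date column stores Mac absolute time, i.e. a count
# starting at 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
NS_PER_SECOND = 1_000_000_000


def mac_absolute_to_utc(raw: int) -> datetime:
    """Decode a seconds (about 9 digits) or nanoseconds (about 18 digits) value."""
    digits = len(str(abs(raw)))
    if digits <= 10:
        seconds, nanos = raw, 0
    elif 17 <= digits <= 19:
        seconds, nanos = divmod(raw, NS_PER_SECOND)
    else:
        # Neither width matches; refuse to guess the unit.
        raise ValueError(f"unexpected timestamp width: {digits} digits")
    # datetime keeps microseconds, so the last three nanosecond digits are dropped.
    return MAC_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)


def to_case_zone(raw: int, tz_name: str) -> datetime:
    """Render a raw value in the case time zone; DST rules come from zoneinfo."""
    return mac_absolute_to_utc(raw).astimezone(ZoneInfo(tz_name))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real evidence item:
    # one 9-digit seconds value (winter) and one 18-digit nanoseconds value (summer).
    samples = [537710400, 553348800000000000]
    for raw in samples:
        local = to_case_zone(raw, "America/New_York")
        print(raw, mac_absolute_to_utc(raw).isoformat(), local.isoformat())
```

Both samples fall at 12:00 UTC, yet the New York rendering differs by an hour between January and July, which is the shift that a fixed manual offset would get wrong.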
To update to the latest version of BlackLight, click here.
To learn more about BlackLight, request a quote, request a trial, or renew your license, click here.
BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.