BlackLight 2018 R3 is officially released and it includes two of the most anticipated features of the year: APFS Snapshots and support for all GrayKey images.
What's New and Improved?
– Comprehensive report options
– APFS Snapshots
– Streamlined support for all GrayKey image formats
– iOS Hidden Photos
– Enhanced Windows Memory Support
To learn more about the latest BlackLight release, click here.
Reporting is a critical step in an investigation and the latest release of BlackLight has been improved to include streamlined reporting options. New to this release, is the ability to have a simple report with comprehensive reporting, on a per device basis, without having to review or tag items. Users can choose to include all Case Data for the entire device, or select specific categories, within the evidence. In addition, HTML reports are now broken down into smaller pages to make it easier to load onto systems.
Continuing with our leading APFS support, BlackLight now allows for parsing of APFS Snapshots. APFS was designed using Snapshots as a means for built in backup support. Snapshots leverage the copy-on-write property of APFS to provide “instant” backups of the entire state of an APFS volume. Snapshots can be mounted as read-only volumes that are exact copies of the file system state at the time they were taken. To examine snapshots, simply choose the “Parse Snapshots / Volume Shadow Copies” option from the advanced processing options.
GrayKey, by Grayshift, is designed to provide access to devices that were previously inaccessible. In addition, GrayKey images include iOS data that was previously not available due to the limitations of iTunes backups. Using BlackLight as the analysis tool for GrayKey allows full filesystem analysis, memory file support and proper handling of dates, as recommended by the Grayshift.
BlackLight examiners can add GrayKey images either by dragging and dropping them onto a case on Mac, or choose the ‘Add’ evidence button. BlackLight will process the GrayKey zip file just as if it were processing an iOS backup, except with much more data. Whether adding the full system image or the backup image BlackLight can handle either one. Navigation through the GrayKey image will look the same as if it came straight from the device itself.
If the GrayKey memory file is added BlackLight will prompt the examiner how to handle it. The file can be brought in as a simple zip file so you can see the contents, or you can treat it as a file and run content searches to get evidentiary items like IP address, email addresses, etc.
BlackLight now supports Windows 10 Spring Creator Update version 1803 for memory analysis.
Starting with iOS 8 a user could tap and hold on a picture in the Photos app to display the option to “Hide” the picture. The picture would then be placed into an album named “Hidden”. While Blacklight would obtain these pictures during ingestion it would not be apparent that they were hidden by the user. Those pictures are now flagged as part of the Hidden album. In addition, they can be filtered on within the File Filter view.
In order to streamline updates to the BlackLight distributed hash sets they are no longer included with BlackLight product installer. Instead they are now included in their own installer and may be updated as needed on the Software Download page.
Due to issues with the Apple file system driver, use of exFAT formatted storage media may cause serious performance issues when using BlackLight. We highly recommend that you DO NOT use exFAT for storage of your case or image files on macOS, and highly recommend the use of NTFS, HFS, or APFS for storage.
When expanding the tree structure using hotkeys, option-click (Mac) or alt-click (Windows), has been modified. Previously, on views like the browser view, using the hotkey would open the whole tree structure, now it will just only expand the top two levels.
To update to the latest version of BlackLight, click here.
To learn more about BlackLight, request a quote, request a trial, or renew your license, click here.
About the Company
BlackBag® Technologies offers innovative forensic acquisition and analysis tools for both Windows and Mac OS X based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants, to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag® Technologies also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensics professionals. To learn more, visit www.blackbagtech.com.