Latest BlackBag Release Provides End-To-End Solution For APFS

The release of BlackLight 2018 R1, when combined with MacQuisition 2018 R1, is the world’s first complete end-to-end acquisition, decryption, and analysis solution for the latest Apple File System (APFS). To enhance the multi-platform forensic analysis tool, BlackLight 2018 R1 adds APFS support and beta support for the latest versions of the following mobile applications:

o Line

o WeChat

o Facebook Messenger

o WhatsApp



Learn more about the latest BlackLight release here.

New Feature Highlights

APFS Support

macOS 10.13 High Sierra introduced the Apple File System (APFS), which replaced HFS+ as the default file system on Apple's solid-state boot drives (Fusion Drives and spinning disks were not converted until macOS 10.14). APFS differs fundamentally from HFS+. Rather than mapping one file system onto one partition, APFS places a container in the partition, and that container may hold several volumes, all of which draw their blocks from the container's shared pool of storage. APFS was designed for solid state drives (SSDs) but works with traditional spinning drives as well.

Because the volumes inside an APFS container are not partitions with their own contiguous block ranges, they cannot be individually imaged at the block level. As a result, a block-level image of an encrypted APFS volume in its unlocked state is not possible. When an encrypted volume is unlocked with its password or recovery key, the unlocked volume is available for data collection as a logical copy of the files in that volume. When imaging the APFS container or the parent physical disk, the resulting image contains the volume's blocks in their encrypted state, so the volume has to be unlocked again at analysis time. MacQuisition 2018 R1 supports both approaches: logical copies of unlocked volumes and images of the encrypted physical disk.

On macOS 10.13.0 and later, while System Integrity Protection (SIP) is active, no user, not even root, can read the physical disk the system is currently booted from, the physical partition the system is booted from, or the APFS container that holds the currently booted volume. This makes it impossible to image the physical disk from within the running system; the Mac has to be booted from other media before its internal disk can be imaged.
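Once a physical image of the disk exists, the first thing an examiner sees of APFS is the container superblock (NXSB) at the start of the container partition. The following is an added example, not BlackBag or Apple code, that parses that block to show the container/volume relationship described above: a single block size and block count for the whole pool, and a table of volume object IDs rather than a partition table. Field offsets follow Apple's published APFS on-disk layout (obj_phys_t header followed by nx_superblock_t); the sample block, its UUID and object IDs are constructed here, and the Fletcher-64 check is the one APFS uses to validate every block. One caveat: the NXSB at block 0 of a real container may be stale, and the current one is the highest-transaction copy in the checkpoint descriptor area, so a tool would normally parse several candidates and keep the newest valid one.

```python
"""Added example: parse an APFS container superblock (NXSB) and list its volumes.

Constructed sample data; offsets follow Apple's published APFS on-disk layout.
Not BlackBag code."""
import struct
import uuid

NX_MAGIC = b"NXSB"
NX_MAX_FILE_SYSTEMS = 100
OBJECT_TYPE_NX_SUPERBLOCK = 0x00000001
OBJECT_TYPE_MASK = 0x0000FFFF
OBJ_EPHEMERAL = 0x80000000

# obj_phys_t: o_cksum, o_oid, o_xid, o_type, o_subtype (32 bytes, little-endian)
OBJ_PHYS = struct.Struct("<QQQII")
# nx_superblock_t fixed fields from nx_magic through nx_max_file_systems (152 bytes)
NX_FIXED = struct.Struct("<4sIQQQQ16sQQIIqqIIIIIIQQQII")
# nx_fs_oid[100] follows at offset 184: the volumes living in this container
NX_FS_OIDS = struct.Struct("<%dQ" % NX_MAX_FILE_SYSTEMS)


def fletcher64(data: bytes) -> int:
    """APFS's Fletcher-64 variant: sum little-endian 32-bit words modulo 2**32-1.

    The stored value makes the whole block check to zero; it is computed over the
    block *excluding* its first 8 bytes (the checksum field itself)."""
    mod = 0xFFFFFFFF
    s1 = s2 = 0
    for (word,) in struct.iter_unpack("<I", data):
        s1 = (s1 + word) % mod
        s2 = (s2 + s1) % mod
    c1 = mod - ((s1 + s2) % mod)
    c2 = mod - ((s1 + c1) % mod)
    return (c2 << 32) | c1


def parse_nx_superblock(block: bytes) -> dict:
    """Validate checksum, object type and magic, then return container geometry
    and the (virtual) object IDs of the volumes sharing the pool."""
    if len(block) < OBJ_PHYS.size + NX_FIXED.size + NX_FS_OIDS.size or len(block) % 4:
        raise ValueError("block too short or not 32-bit aligned")
    stored = struct.unpack_from("<Q", block, 0)[0]
    if fletcher64(block[8:]) != stored:
        raise ValueError("Fletcher-64 mismatch: corrupt block or not a live APFS object")
    _cksum, oid, xid, o_type, _subtype = OBJ_PHYS.unpack_from(block, 0)
    if o_type & OBJECT_TYPE_MASK != OBJECT_TYPE_NX_SUPERBLOCK:
        raise ValueError("object type 0x%08x is not a container superblock" % o_type)
    f = NX_FIXED.unpack_from(block, OBJ_PHYS.size)
    if f[0] != NX_MAGIC:
        raise ValueError("bad magic %r" % f[0])
    fs_oids = NX_FS_OIDS.unpack_from(block, OBJ_PHYS.size + NX_FIXED.size)
    return {
        "oid": oid,
        "xid": xid,                       # transaction id: higher = newer checkpoint
        "block_size": f[1],
        "block_count": f[2],
        "container_bytes": f[1] * f[2],
        "uuid": str(uuid.UUID(bytes=f[6])),
        "omap_oid": f[20],                # object map that maps volume OIDs to blocks
        "max_file_systems": f[23],
        # Non-zero entries are volumes; each one is a virtual OID, not a partition.
        "volume_oids": [o for o in fs_oids if o],
    }


def build_sample_superblock(block_size: int = 4096, block_count: int = 61_035_156,
                            volume_oids=(0x402, 0x403)) -> bytes:
    """Construct a synthetic NXSB block (sample data, not from a real Mac)."""
    header = OBJ_PHYS.pack(0, 1, 7, OBJ_EPHEMERAL | OBJECT_TYPE_NX_SUPERBLOCK, 0)
    fixed = NX_FIXED.pack(
        NX_MAGIC, block_size, block_count, 0, 0, 0,
        uuid.UUID("12345678-1234-5678-1234-567812345678").bytes,
        0x1000, 8,             # next oid / next xid
        8, 8, 1, 9,            # checkpoint desc/data area sizes and base addresses
        0, 0, 0, 0, 0, 0,      # checkpoint ring indices
        0x400, 0x401, 0x3,     # spaceman, omap, reaper OIDs
        0, NX_MAX_FILE_SYSTEMS)
    oids = list(volume_oids) + [0] * (NX_MAX_FILE_SYSTEMS - len(volume_oids))
    body = (header + fixed + NX_FS_OIDS.pack(*oids)).ljust(block_size, b"\0")
    return struct.pack("<Q", fletcher64(body[8:])) + body[8:]


if __name__ == "__main__":
    info = parse_nx_superblock(build_sample_superblock())
    print("container %s: %d blocks of %d bytes, volumes %s" % (
        info["uuid"], info["block_count"], info["block_size"],
        [hex(o) for o in info["volume_oids"]]))
```

To run it against a real acquisition, read the first 4096 bytes of the container partition (not of the whole disk, which begins with the GPT) and pass them to parse_nx_superblock; a ValueError on the checksum is the expected result for a partition that is not APFS or for a sector-misaligned read. The volume OIDs returned still have to be resolved through the object map before the volume superblocks, including their encryption flags, can be read.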

Adding APFS Evidence to BlackLight 2018 R1

APFS is laid out differently from any other file system BlackLight supports, so it appears differently in the Add Evidence window. Specifically, the APFS container uses pooled storage that is shared by every volume inside it, so unallocated space belongs to the container as a whole rather than to any single volume. BlackLight presents the APFS container with a grey box drawn around its pooled volumes; volumes outside the container appear as they always have. If a volume is encrypted, it is not selected by default and is labelled as encrypted.

Once the checkbox next to an encrypted volume within the APFS container is selected, a password prompt is displayed, together with the password hint if one is available. Provide the known correct password or recovery key to unlock the volume. NOTE: To use a recovery key, enter the key in the password prompt in all caps, including the dashes.

If the password or key is correct, the volume is selected; otherwise BlackLight prompts for the password again. All other processing options work as in previous versions of BlackLight, with one exception: file carving.

Because APFS uses pooled storage, deleted files cannot be carved from an individual volume inside a container: the blocks a deleted file once occupied are returned to the container's shared free space, not to the volume, so a volume-scoped carve would miss them. With APFS you can only carve the pooled storage, which means you must choose to carve unallocated space in the Add Evidence ingestion options window. Volumes NOT within pooled storage behave as in previous versions of BlackLight and can be carved at any point.
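The following added example, not BlackBag code, shows why the carve has to be scoped to the container. It builds a toy container: fixed-size blocks, a single container-wide allocation bitmap shared by two volumes (the way APFS's space manager tracks free blocks for the whole pool), and the remains of two deleted files, one from each volume, sitting in the free runs. A signature carver is then run over the free extents only. The block size, bitmap, file contents and the PNG/JPEG carving rules are constructed here; the PNG walker verifies each chunk's CRC so that a stray signature in free space is rejected rather than carved as a file.

```python
"""Added example: signature carving over APFS-style pooled free space.

Toy container with one allocation bitmap for all volumes; constructed data.
Not BlackBag code."""
import struct
import zlib

BLOCK_SIZE = 512  # toy size; real APFS containers use 4096-byte blocks

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def carve_png(buf: bytes, start: int):
    """Walk PNG chunks from a signature hit, checking every CRC; return end or None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        end = pos + 12 + length
        if end > len(buf):
            return None
        crc = struct.unpack_from(">I", buf, end - 4)[0]
        if zlib.crc32(buf[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None               # not a real chunk: false-positive signature hit
        if ctype == b"IEND":
            return end
        pos = end
    return None


def carve_jpeg(buf: bytes, start: int):
    """JPEG carries no length: scan to the first EOI marker after the SOI."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else end + len(JPEG_EOI)


def carve_buffer(buf: bytes, base_offset: int = 0):
    """Signature carve of one contiguous buffer; returns [(abs_offset, kind, data)]."""
    found, i = [], 0
    while i < len(buf):
        end = None
        if buf.startswith(PNG_SIG, i):
            end, kind = carve_png(buf, i), "png"
        elif buf.startswith(JPEG_SOI, i):
            end, kind = carve_jpeg(buf, i), "jpeg"
        if end:
            found.append((base_offset + i, kind, buf[i:end]))
            i = end
        else:
            i += 1
    return found


def free_extents(bitmap):
    """Container-wide bitmap (True = allocated) -> contiguous free runs [(first, count)]."""
    runs, start = [], None
    for blk, used in enumerate(list(bitmap) + [True]):   # sentinel closes the last run
        if not used and start is None:
            start = blk
        elif used and start is not None:
            runs.append((start, blk - start))
            start = None
    return runs


def carve_unallocated(image: bytes, bitmap):
    """Carve only the pooled free space of the container, one free run at a time."""
    found = []
    for first, count in free_extents(bitmap):
        off = first * BLOCK_SIZE
        found.extend(carve_buffer(image[off:off + count * BLOCK_SIZE], off))
    return found


def build_toy_container():
    """16 blocks: volume A owns 0-3, volume B owns 8-11; 4-7 and 12-15 are container
    free space and still hold two files deleted from different volumes (constructed)."""
    png = (PNG_SIG
           + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + png_chunk(b"IEND", b""))
    jpeg = JPEG_SOI + b"\xe0" + b"\x00" * 700 + JPEG_EOI     # 705 bytes, crosses a block
    image = bytearray(16 * BLOCK_SIZE)
    image[0:4 * BLOCK_SIZE] = b"volume A live data ".ljust(4 * BLOCK_SIZE, b"\0")
    image[8 * BLOCK_SIZE:12 * BLOCK_SIZE] = b"volume B live data ".ljust(4 * BLOCK_SIZE, b"\0")
    image[4 * BLOCK_SIZE:4 * BLOCK_SIZE + len(png)] = png      # deleted from volume A
    image[12 * BLOCK_SIZE:12 * BLOCK_SIZE + len(jpeg)] = jpeg  # deleted from volume B
    bitmap = [True] * 4 + [False] * 4 + [True] * 4 + [False] * 4
    return bytes(image), bitmap, png, jpeg


if __name__ == "__main__":
    image, bitmap, _, _ = build_toy_container()
    for off, kind, data in carve_unallocated(image, bitmap):
        print("%s of %d bytes at container offset %d" % (kind, len(data), off))
```

Carving each volume's own allocated blocks (for example carve_buffer(image[:4 * BLOCK_SIZE]) for volume A) finds nothing, because once a file is deleted its blocks are no longer attributed to that volume at all; only the container-level free runs hold both deleted files, which is the situation the ingestion option above is there to handle.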

Once the APFS image is ingested, data within BlackLight will appear as it has with previous versions.

Mobile Application Updates

Many third-party applications have changed and continue to change regularly. BlackLight 2018 R1 includes new parsers for the following applications:

· Line is an app for exchanging texts, images, video and audio.

· WeChat is a Chinese multi-purpose social media mobile application.

· Facebook Messenger is an instant messaging service and application. Originally called Facebook Chat, the service was later released as a standalone iOS and Android app.

· WhatsApp is an instant messaging and Voice over IP service. The application allows the sending of text messages and voice calls, as well as video calls, images and other media.

NOTE: These parsers are currently supported as beta features.

Learn more about BlackLight

To learn more about BlackLight, including these features, check out our comprehensive training options, including free self-paced and in-depth courses, here. Our instructors have years of law enforcement and digital forensics experience and actively support investigators in the field.

Get your free fully-functional demo license today!
