Reviewed by Scar de Courcier
In recent months there have been several new and exciting developments to BlackBag’s BlackLight solution. BlackLight helps investigators to analyse computer volumes and mobile devices; it can acquire Android and iPhone devices and runs on Mac or Windows. We took a look at some of the latest changes and how they work.
The new interface is the first major change. BlackBag had received a number of requests for filtering across multiple volumes at one time. Although it was always possible to search across these, filtering was not an option until recently. Now when you add each volume, it is automatically assigned a number in the order in which the data is ingested. You can then sort using one of the built-in filters, and see where the data you’re looking for can be found in each volume.Relatedly, it is now possible to look at all your data in one view by selecting everything and then going to the ‘Browser’ view.
The other interface change is in the Details page: you can now see basic artifacts about the case here even if you haven’t selected any volumes.
Beyond the UI redesign, however, there are a number of other capabilities BlackBag have recently added to BlackLight to make it a more powerful tool for forensic investigation.
Support for APFS snapshots is an important new feature. APFS snapshots can be found in Apple’s new file system and work the same way as volume shadow copies do with Windows. It’s the same concept in theory, but one big difference is that in order for your machine to take snapshots you have to turn on Time Machine. If this is activated then snapshots will automatically be created at various points.
A snapshot is exactly what it sounds like: a full snapshot of the entire file system. If you have snapshot data in your case you can therefore see precisely what was happening on the system at the time the snapshot was taken. It doesn’t just list the files that have changed, like you might see in a more traditional log; instead it will show you everything. If you then look at the user’s home folder you should be able to see all their files listed.
In BlackLight the snapshots are listed below the active volume; when you hover your mouse over the snapshot you can see the date and time when it was taken, plus the Time Machine icon beside the device icon.
Using this alongside the new filtering feature works really well. If you select your volumes, you can then create a snapshot filter so that you see only the ones that have changed in the snapshot, or those that are unique to an active file petition or snapshot.
Another way to look at this is when you’re navigating through the file system; you can see right away if there is a file that exists in a snapshot but has been deleted from the active volume. This indicates that the file may have been changed.
Right clicking on a fie and selecting ‘File History’ will show you different files based upon their file paths and names. This works best when you look at a specific file that has changed over time – in this case you can open it and view each of the versions and the changes that have been made.
The same can be done with pictures: if you click on a picture within your case you can see its active versions, but also any modifications shown within the APFS snapshots. This can be particularly useful in fraud and child exploitation cases. The ‘Actionable Intel’ tab shows you more detail about the APFS snapshots you’re looking at. You can see the number of backups, when a backup has been deleted, and more.
APFS snapshots tend not to be as resilient as volume shadow copies; if you have a large enough hard drive then volume shadow copies will last a long time, whereas APFS snapshots will be replaced a lot more quickly.
GrayKey has been a subject of discussion at a lot of conferences and meetups recently, so it’s good to see that BlackBag is integrating this into their products. GrayKey allows investigators to get data from locked iOS devices; it will retrieve the passcode for the iOS device and then allow you to do an advanced logical file dump from the system. This means you can gather far more data than was previously available.
There used to be a separate tool that allowed investigators to import a GrayKey acquisition into BlackLight and put it into the correct folder structure, however with R3 it gets structured automatically. GrayKey acquisitions generally come in the form of a .zip file with the UDID of the device as the file name. Now when you load these into BlackLight it will automatically read it as a GrayKey file and structure it appropriately within the case.
To add your GrayKey acquisition you just select ‘Add’, then ‘Add’ again next to ‘Files, folders and disc images’ and then select your acquisition from its folder. Once it’s loaded BlackLight will give you the option to parse pictures, videos and so on. The great option with this is that because there’s a full file system dump of the iOS device, a lot of the advanced options which on a normal iOS acquisition wouldn’t be useful are now available. For example, you can now get the file system journal analysis, spotlight analysis, file entropy, and email within it as well. BlackLight shows you the exact file paths where things exist, so you can see the structure of the iOS device from the GrayKey acquisition.
One of the really important things for iOS devices is the ability to see FS events – these are really powerful because they can track the file system and tell you whenever something occurs to a specific file or on the system itself. This means you can see things being created, removed, modified and so on. The timestamps in the FS events log refer to the containers within which the events exist, rather than the exact time at which the specific events happened.
Airdrop information can also be found here – you can see whether a file has been Airdropped from a computer to a phone, and the user names and email addresses registered as participating in the Airdrop.
The other really big change is the ability to parse Spotlight data within BlackLight. Spotlight is a tool on iOS devices which allows the user to search for all sorts of things: file names, things onilne, and even file metadata. There are hundreds of potential metadata artifacts that can be gleaned from a given file.
If you find your file, then select the ‘Metadata’ option, you will then see all the bits of metadata that have been pulled. Some is garbled, some isn’t; it depends on what the actual computer has pulled. But you can determine how many pieces of metadata the computer is tracking, which can be helpful. There is no limit on how many pieces of metadata the computer tracks; it can tell you all sorts of things about a file, including email addresses and subject lines.
kMDItemUseCount tells you roughly how many times the user has opened a file. You will also see a kMDItemLastUsedDate, which is the last date on which an item was opened. One thing to note: the time listed is not the time that it was opened, it just tracks the offset from when that was last opened. So if you a file was opened multiple times on a given date, you’re only going to see it appearing once.
Filtering within Spotlight results is also possible; for example, you can select ‘Spotlight Field’, then ‘contains’ and ‘wherefrom’ to see where everything originate dfrom. If you’re looking for a specific person, you can select everything that has the Spotlight metadata value of the name you’re looking for. There are lots of very powerful options here, and since it’s a new feature it hasn’t been used as much as it perhaps should be within most cases.
Another recent change in BlackLight is support for the new Windows 10 update, which changed in the spring of 2018. Windows changed the formation of their memory and as a result hyberfil and pagefile weren’t working for memory analysis. This has now been fixed and works across all Windows machines.
Reporting has also changed; a lot of BlackLight’s users asked to have reports that contain everything from within the case, so this is now available. Now when you go to the Reporting screen you can choose which data to include, or just tick ‘include everything’. This means you no longer have to tag or bookmark the data contained in Actionable Intel, which you would have had to do in the past. This is very handy as bookmarking is easy to forget when you’re caught up in analysing a case!
Finally, iOS 8 and above have the option to hide files and pictures within your iOS devices. There is now a new filter in BlackLight that will allow you to filter for those hidden files. It’s a flag within the SQLite database that helps you to quickly identify what the user might have wanted to keep from public view.
Overall, the new features that have recently been introduced into BlackLight only add to its power. The filtering feature is particularly impressive, especially because you can build filters on top of each other and filter across all your volumes simultaneously. GrayKey, APFS snapshots and Spotlight data are important updates that are quickly becoming necessities rather than nice-to-haves. I look forward to seeing the next updates that BlackLight has in store.
BlackLight analyses computer volumes and mobile devices. It allows for easy searching, filtering and otherwise sifting through large data sets. It can logically acquire Android and iPhone/iPad devices, runs on Windows and Mac OS X, and can analyze data from all four major platforms within one interface. Find out more on BlackBag's website.