Join Us!

New Triage Capabilities In BlackLight



Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Julie: Hi everyone, thanks for joining our webinar today on our new capabilities in BlackLight. My name is Julie O’Shea, I’m the Global Marketing Manager here at BlackBag.

Before we start today, there are a few notes I would like to review. We are recording this webinar, so we will share an on-demand version when it is complete. If you have any questions, please submit them in the questions window and we will answer them throughout, or in our Q&A at the end of the webinar.

I’m excited to introduce our speakers today: Ashley Hernandez and Dmitry Sumin. Ashley is the Director of Product Development here at BlackBag. With over fifteen years’ experience in the field, she has taught and certified investigators in digital forensics and security topics, including speaking at many digital forensics and law enforcement conferences. She holds a Bachelor of Science in Computer Science from Sonoma State University.

Dmitry Sumin is the President of Passware. While he was a math student at university, he changed a password and locked himself out of his journal. Software on the market wasn’t able to unlock it, so he wrote his own. He put the software online and asked people to send him postcards to see if they liked it. He received hundreds. He also received requests, and if his software couldn’t crack it, he added in a feature so that it could. He was soon spending so much time supporting the software that he had little choice but to form a company, and Passware was born.

Thanks for joining us today, Ashley and Dmitry. Ashley, if you’re ready, I will hand it over to you to get started.

Ashley: Thanks Julie. I’m really excited to share today some of the new features that are coming out in our upcoming BlackLight release. And one of the things that we are focusing on with our new releases is how we can help examiners get through their backlog, or determine from all the systems that are out there which ones we need to focus on most.

So today we’re going to cover why triage is so important. It’s a topic that we return to time and time again, because it’s something that needs to be done, and refined, and improved upon, as new tools and features come about. The different types of triage: I’m going to focus on a couple of different areas of research that talk about the way we can approach triage. And then we’re going to do a demo, to show some of the new features in BlackLight and how they can be used for triage.

So let’s get started.

When we’re talking about triage, the first thing that we’re going to focus on is why we are triaging in the first place. There are several reasons that we could be doing triage.

The first is because we have a backlog, and there are a lot of devices that you need to review. Triage is the process of determining which of those cases or investigations, or for a case or investigation, the devices, you need to focus your attention on first.

So there could be many different reasons why specific devices are more or less important for you to start with, and some of that information you are going to get from the system itself. And some of the information you may know based on the situation that you are encoutering related to the investigation. So if you know the device is related to the suspect or the victim; or you know the device was recently used, or you have information that a specific person says there is information on a device, that may go up in your chain of which items you want to look at first.

So you want to see how important the device is, but also once you start to look at the device, there may be more information that you can glean just by looking at the statistics of what’s on the device. You may see that it has a lot of videos, or it might have a lot of documents. Depending on your type of investigation, that may inform whether or not you approach that device with priority or not.

So we want to get some questions in our own head answered in planning and preparing to triage devices.

The common types of triage that we’re going to talk about today, with the new features, are:

High-level system triage. So that’s triage that we do based on the operating system; whether the system is live or not; if you’ve come to a device, maybe it’s a mobile device, and it’s locked, versus unlocked; or you come to a hardware desktop: is it open and already past the password or not? Some common steps to look at when you’re first encountering the operating system itself is the first type that we’re going to talk about. And in that area, we are going to focus on encryption, as that is one of the areas that we are adding to BlackLight 2019 R3. Or rather, decryption.

The next part we’re going to talk about is by content type. This would be looking at areas by time, or by looking even deeper into pictures or keywords; and that would be – the last type, keywords – would be things you already know about a case. So the top level is system; the mid-level would be general techniques that would work across any type of device; and the last would be either known files or known keywords that you have for your case.

So one of the references that I came up with to review this was, there are several good research papers out there on approaches to triage. Here is one of them. And it talks about that first step being approaches to planning, and the questions of why you are doing triage. And then assessment, we’re going to run through in our example, several of these different areas: user accounts, attached devices, time-based searches, and encryption. And then finally we’re going to look at some of these deeper-level triage elements.

When we’re approaching triage, this may be for different level folks, easier or more complex types of triage, so we want to talk about how to make it accessible and repeatable by building that into our tool ourselves.

Alright. So let’s jump into the top level, which is our system level review. We’ve already talked about the operating system. When we’re determining who uses a computer, one of the main ways we’re going to do that is looking at who is the main user on the device and what that user is interested in. That will help us determine the relevance of that particular machine.

But in order to get to that information, we need to make sure we’re able to connect through the operating system and bypass any encryption if it’s present. So some data that we might gather at this phase is, when was the install date, if the install date was really recent but the information we have about the case is that it was an older event. That might be something to flag. Or if it’s a really old machine, and it looks like nobody has logged into it for a while, that might also give us information about how important this device is.

So in order to get past, or get into, that type of information, we are going to focus first on how to handle the encryption. So at this point I would like to have Dmitry join me. Dmitry, are you there?

Dmitry: Yeah. Yeah, hi. Thank you so much for having me here today.

Ashley: Thank you for joining us, Dmitry. I know there’s a lot of different types of encryptions we may encounter, and the first one that we might encounter during triage is called full disk encryption. But could you talk about the different types of encryption they may encounter on a system?

Dmitry: Yeah, certainly. So as you mentioned, there are multiple different types of encrypted evidence. Well, first of all there is full-disk encryption, and this is a full-system level encryption that requires a password or recovery key, or some other types of credentials, to access the disk. And full-disk encryption is now enabled by default in the latest versions of both Windows or macOS. And it is now a major obstacle for many forensic examiners.

Then there is container-based encryption. Basically, a disk image is stored as a file, and if a password is known, this container could be mounted and used as a regular disk. So this is supported by many encryption applications, like TrueCrypt or Veracrypt. And even macOS allows users to create encrypted disk images or .dmg files.

Then there is file-based encryption. Hundreds of popular applications support encryption: Microsoft Office, PDF files, ZIP archives are just a few examples of that.

Ashley: And right now, based on your experience, what do you think are the two most popular types? Or what are some of the popular types of encryption products that people might have?

Dmitry: That’s definitely BitLocker and FileVault.

Ashley: So BitLocker is for Windows and FileVault is what they might see on Mac.

Dmitry: Yes.

Ashley: And when we look at how we might handle full disk encryption… for full disk encryption, what are the types of information you might be able to use to decrypt full disk encryption on devices?

Dmitry: Well, first of all, if someone is doing a triage, trying to capture live memory images, that’s really very important, because that memory image could contain encryption keys for full disk encryption. And that holds true for FileVault, for BitLocker, or TrueCrypt and other full disk encryption applications.

For FileVault, for example, one could use iTunes backups to extract backup recover keys for FileVault 2, for example. So it’s really important to capture as much information as possible.

Ashley: I think when we talk about getting memory, or some other methods like the backup keychain, we are focused on user keys. Are there any options in the corporate setting for BitLocker or FileVault?

Dmitry: Definitely, yes. If we are speaking about a corporate environment, usually there are some methods to get the data decrypted, like recovery keys and those could be really useful for our decryption.

Ashley: Great. So definitely, when we look at a system and discover that there is full disk encryption, the latest version of BlackLight will allow you to enter in those passwords to decrypt full disk encryption, so we’ll talk about which ones of those are available.

So we can handle the full disk encryption, I know we also wanted to talk a little bit today about beyond full disk encryption, making sure you could identify and decrypt other types of encryption, like the container and file-based encryption. Would you might giving us a quick demo, Dmitry, on how that would work? How we would be able to do some other types of decryption beyond what’s going to be provided in BlackLight?

Dmitry: Yeah, sure.

Ashley: Alright, I’m going to pass over quickly the controls to you so you can show how some of that might work.

Dmitry: Alright. So we’ll do a short demo of Passware Kit Forensic; Ashley, can you see my screen?

Ashley: Yes I can, go ahead.

Dmitry: Alright. The software supports around 300 different file types and application. Let’s select a folder with some encrypted files and containers.

So the software reports what kind of password protection was used, and most importantly, how difficult it might be to recover a password. So for some file types, it might take just a few seconds to recover a password; however, for – I mean, some file types are really very secure and might require quite powerful hardware to do a brute force, or even a dictionary, attack.

This is why capturing a live memory image while doing an initial examination is important. Memory images could contain encryption keys for full disk encryption software, or files, or even plain text passwords.

So here we can filter a list of encrypted files and see a list of files where memory images could be applied and do the decryption without relying on time-consuming brute force attacks. But it is also possible to recover account passwords from memory images. Let me do a demo how we could handle that for macOS memory images.

So I know this is a macOS memory image, and I launch the decryption process. So the software is now analysing the memory image, and it is searching for encrypted account passwords. And account passwords might be really important for further investigation and it provides access to FileVault disks or keychain. So we found a password – let’s see how it works for a keychain file.

So let’s select keychain file from the same machine, and use pre-defined settings. So we were able to recover some additional passwords that could be used later to decrypt other files.

So that was a very short demo of using Passware Kit for decryption, and a link to download a fully functional time-limited trial of Passware Kit Forensic will be included in the slides. And over to Ashley.

Ashley: Thanks Dmitry. So the encryption types we’re going to support in the first initial integration with Passware are really focused on the full disk encryption we’re trying to support, the ones we really need to be able to move past and start to look at the file system itself. So I’m going to do a short demo, after we handle a few more triage topics, that’s going to show how we handle BitLocker encryption, but here are other examples of file-based encryption pieces that are going to be supported as we continue to integrate with Passware products.

I’m very excited to be able to have some of this information available to us as we’re getting ready to release BlackLight 2019 R3 later this year, and we’re excited, Dmitry, to be able to offer some of this functionality that I know you’ve worked on for a while, and built up a whole suite.

So the link is here, it’ll also be at the end of the presentation for getting the free trial of Passware, while we wait and do additional integration. But this will be available – especially BitLocker and FileVault2, the ones that we’re going to focus on today – in our next release of BlackLight.

Alright. So we are focusing now on triage beyond just the encryption part. Once you get past that big first hurdle, we are going to start looking at drilling in more deeply to the device.

I mentioned at the beginning, there are going to be three ways that we are going to do this: we’re going to show how we can do that at the system level, but then we do want to look at different areas of the drive. So the first place that we are going to focus on is talking about some user-level information. And then we’re going to show how our new advanced filtering and searching is going to allow us to really focus in on the files that we look at, to save us time.

Next we’re going to focus on some of the time pieces themselves. So if you know that your case is focused in a specific area of time, how we can focus in on that, and combine that with the user directory. Or different types of files: if you know this is a case that’s focused on documents, or focused on pictures, we’re going to drill into those areas. And then finally we’ll look at internet artifacts, which is something that we’ve updated in our R3.

So with that, I’m going to switch over to a demo real quick. I’m going to bring up a new instance of BlackLight, and the first thing that I’m going to show us is how we are going to be adding evidence to be able to triage it more quickly in our latest BlackLight R3. This is an internal version of it that’s not released yet; that’s why you see these numbers down here.

But I’m going to go ahead and start by adding a BitLocker image. So I’m going to add my image here, and when it first is added you’re going to notice that it has the lock symbol right next to the left. And if I hover over, I’m going to get some text that’s going to tell me this image is encrypted, and I need to select it to provide a password.

So I am going to click on it, and it’s going to prompt me for the password. So I am going to go ahead and grab that password real quick. And I’m going to copy and paste it in – oops, I lost my password window, hang on. There we go. And I’m going to enter in that password.

So to the end user this should look seamless, for you guys, as far as, you enter the password and now it’s going to do the BitLocker decryption. What is new is on the right-hand side.

So we’ve had the triage option, and then most of these options should look familiar to you. We have broken them out further, though, so you have more control of the product. So this will allow you to really choose to only run the options that you need to run to be able to make an assessment for this machine.

So in general, we don’t want to be running things that are going to take too long, or are super comprehensive, when we’re just trying to decide if this machine is relevant. So things like signature analysis, or carving for files, or entropy: those are all things that we’re not going to focus on when we’re looking at triaging a device.

So the one that I do want to call your attention to that’s new, for those of you who are familiar with BlackLight, is this option called ‘Normalization.’ I would give a caveat: that word may change before the final release, so we are making that as intuitive as possible, so if you guys do have a suggestion on what you would like to have this named… the idea is that these are all of the different extraction options that we can do.

Sometimes all you want to be able to do is look at the file system. By looking at the file system you will be able to tell, is there even a file system on here with stuff for you to look at? Is there a lot of files on here that are relevant, like video types, if that’s what you’re looking for, or document types? Has this drive been formatted? Kind of just a quick assessment.

When I look at these options, things like Firechat and iChat, those are things that I may not need right away to make my initial assessment. So I could uncheck all of those options here. I could still choose a couple of them that might be high-value for me, like Actionable Intel or some of the contacts, if that’s what’s important to my particular case. But I can choose to disable them all, and essentially what that means is, the only thing that’s going to happen is it’s going to preview the file system and do nothing else.

So we do give you this warning once; you can choose to turn it off once you know what’s going to happen. But essentially, we’re not going to be doing any of the normalization that’s going to fill some of those deeper views, unless you choose to run it. So this is truly meant to just give you a deeper view and decide, is this device relevant?

So I understand the limits of what I’m going to be doing, and I’m going to go ahead and add this new image. I’m going to choose to start adding it, and you’ll notice that we’re going to be dropped to our new evidence status window. So I’m going to see now all of the different options that I can turn off later – just because I’ve chosen to do it upfront doesn’t mean I’m stuck with it – and I’m going to add a couple more images here, just so we can have some things to compare.

So I’m also going to add, from my evidence folder, a .dd image; and again, I’m just going to preview it, I don’t want to do anything more than preview. And then I’m going to add, as well, one more .dmg. So I have a few types of evidence that I’m bringing in here, and again I’m going to preview it. And the idea is, maybe I need to figure out which of these I want to focus on first. So I’ve encountered three pieces of evidence, maybe collected from the field, and I need to know which one to do first.

So as you can see here, these ones that are smaller images finish really quickly. This took three seconds and this took eight seconds. And we’re actually able to go browse the folder system right now, as they pull through.

The BitLocker image is going to take about two minutes, and that is now already parsed for me to be able to work with. But I could go ahead and look here, and at a high level determine which of these systems I might want to investigate. So if I saw this sample image set, and I saw it was pictures, and I saw it was a document case, that might be enough for me to say I don’t want to work with that one. Or this NTFS just kind of bare bones deleted file system, again, once I’ve determined I don’t want that, I can either collapse it or choose to deselect it from my case, because I know it’s not relevant.

So here is that BitLocker image already parsed, and I could start working with that, including doing things like filtering for BitLocker. But in general, the new features we have with triage, is making it really helpful and quick to view a file system, jump right in and browse the file system even while some of those other options are running.

And the second is evidence status that we have – you can now see how much time it’s spent just to get you to where you’re at, but then here are all of those options you can turn on. So any of these can be added as you’d like, as you further move through your case. So as you do triage, if you find it’s something important, then you can head in and focus on that.

I’m going to move to a more specific case now. [mumbles] There we go.

Alright. So now I’m going to focus on some of our new filtering capabilties for triage in our upcoming release. So when we talk about filtering, there are a couple of things that we need to focus on when we’re looking at how we’re going to narrow in and focus our investigation.

We had filtering available previously that would allow us to filter on these different types of fields: name, path, kinds, dates: all of these different filters were options for you to filter on. What’s really new in this version are these two buttons on the top right.

If you can see what they say, one of them says add a new condition, and add a new group. So what we found when we were doing filtering is, sometimes you need to combine logic across a couple of different groups of things. So you wanted to find any file that was in a date range, but it could be across multiple different fields, that was either a picture or a video, or another multimedia type. And you wanted to do that in one filtered view.

So we’ve created the ability to do groups of logic with ands and ors, if you were thinking of it in the logic sense. But for those of us who are familiar with how we used to do it in BlackLight, we would do either match or match all; basically saying, does this have to be true for every piece of logic in here, every condition in here, or is it good enough if it passes one of them?

So we’re going to start by filtering for dates. So trying to focus when you triage by date is pretty common. So the first thing I’m going to do is, I’m going to add a group, because there are four main dates that I’m going to look at. So I clicked on the add group here in the top right. I’m not 100% sure if you guys can see my cursor, but hopefully you can see that it’s up in the top right there.

And what it’s going to do is, it’s going to make a border around my group. So I know everything in there is going to be treated together as a group of logic. So I am going to focus on four dates. I’ve got the created date; and I’m going to add another one; I’m actually going to make it for all four. I just clicked ‘add condition’ and it’s going to duplicate the one I had right there. So I’m going to add the condition, and now I’m going to make sure I have the four different types of dates. So I have date created, date modified, date accessed, and date added. And for this example, we’re going to look for files that were since about October 1st of this year to now.

But what’s really important when we’re looking at this logic – and this is what’s new – is we need to say, is it going to be either that the file’s date has to match all of them in this range, or it can match any of them? So we want to say ‘any.’

So if I were to do this filter, it’s going to filter across all of the evidence in my case. We’ve got a bunch of different information that it’s going to look across, and there’s going to be lots of files returned, because all I’ve done is a date filter.

If I look at the number here, it says there’s 37,000, down at the bottom. And that’s still probably too much for me to do any sort of triage on. So one of the things that I want to take as an approach is to look at which of these devices on the left I may even want to be doing triage on.

One of the ways I’m going to do that is actually stepping back a moment to look at some of that system-level information that will help me focus.

So I’m going to go to our Details in the top left, and here I can choose each of the partitions. Notice there is a badge number, so this is the bootcamp that is on my first device. And I can see here that this bootcamp partition is a Windows 10; it has my install date here; it has other identifiers about when this date was created; when it was used; and then the different types of artifacts that are on the device. So that image looks like it might have some useful content.

If I look at the racer volume, that also – volume 2 – looks like it’s interesting. But if I come up to number 1, I see that this is pretty small and it doesn’t have content. So in order to just remove that when I’m looking at devices across the view, I can actually uncheck it here on the left-hand side. So I can look at these here and go through these different volumes, and choose any that I think aren’t relevant to pretty much exclude from my initial investigations. So that way you can automatically start to cut down on what I’m looking at.

So it’s a combination of looking at some of this general information, and then also focusing on the type of data that I might see on this device. So that’ll help when I’m filtering.

Another way that I can help filter is by looking at what users are on this system. So I’m going to jump to our actionable intel, which is over here in the centre of our toolbar. And for those of you that are familiar with BlackLight, you might notice that this has been remastered a little bit. We now – because we have so many places that we think are valuable enough for you to jump into – have moved those tabs over to the left-hand side. So if you’re looking for user accounts now, I can see them across those devices that I think are relevant, and I’ll be able to look at those at a high level and pull out names like ‘Josh’ and ‘Jade Bennett’ and ‘Simon’, right? So these are the user levels, or the users that might be on the system. So those are people that might be relevant to the investigation that I’m looking at.

Alright, so now that we know that there are users – or we’re going to assume for the sake of this example, that there are users – I’m going to go back and say, I don’t want to just filter on the date. I do want to look at stuff that’s in the user directory. This is a common approach to narrowing down what you’re focused on.

So we’re going to look at the ‘path contains users.’ This should work against Windows and Macs, which is great. But here, again, my logic is important. So this is part of what’s new: the ability to say “It can be any of these dates, but it has to be in the path and have one of these dates”, it must match all of these big group-level criteria. So one of these things has to be true, and the path has to contain users, and I can filter for that.

Alright, so now we’re down to 5943. Still not as many files as I want to look through by hand, but we’re getting to a more manageable set, and it’s in an area that is useful for me to focus on in the users directory. Within your organisation you might have different ways that you choose to filter or find specific items, but this is a quick way for you to be able to focus the investigation.

One of the ways at this point, is you could choose to take all these files and to load them into a logical evidence file, so you could export to that L01 format, and you could then choose to just process those. So if you wanted to just do index searching, or if you wanted to do something more comprehensive, this would be really focused in on just that area, if you felt like you wanted to go deeper so that you wouldn’t miss anything in the user directory. Again, you’re not doing a full forensic analysis, but this would allow you to focus your attention on where there’s the most valuable information.

Alright. Let’s say we know that we’re looking for documents, essentially. We want to add another layer to this filtering which says: I want to have it in my date range; I want to have the path contain the users directory; but I also want to have a condition that says that kind of document that I’m looking for.

So if I’m just going to pick one kind of document, I could say the kind of document contains Office documents. We have a query that encapsulates Word and Excel, regardless of if it’s .xls or .xlsx. So that might work. But I actually want to make sure I’m looking at PowerPoints and I’m looking at PDFs.

If I were to just add another item here for PDF, it would have to be both the type Office document and the type PDF, which wouldn’t work. So I need to actually make this a group.

So I’m going to add a new group, and it’s going to again put it in a new grouping for me. And I’m going to say that the kind either can match any of these. It could match Office documents, or it could match PDF. Alright. So now I’ve got it down to just documents in this small timeframe, and this is enough that I could definitely just read the four documents, this is a very short timeframe, so it’ll depend on the type of investigation you’re doing. But this allows you to really narrow in on the specific type of information that you’re looking for.

So another example… actually, before we do that. If I do like this filter, say I build up where I think the most common area is for me to triage, if I know the machine, or as a general practice I want to look at users, or I want to look at the different type of documents, I have done by kind, but you could do it by extension. Once I have a filter that I’m really happy with, I can choose to save this filter and give it a name. So if I have my demo filter, but I could maybe say, like, it’s user, date, kind, right? I have all those different groups. I could make that part of my saved filters, and then I could use that over and over again. Right? So I don’t have to rebuild them. All I’d have to do when I want to run them is choose to change out the logic of, say, the date range for that particular case.

Alright. So another example of one that you might want to have on hand… I’m going to delete that group, and the other group. And the next example we’re going to look at is a file extension. So maybe you don’t want to do it by kind, but you want to do it by extension. You could look at things like jpgs. But you’re not wanting to get all the jpgs on the device; you only want to get jpgs that are over a specific size, because you think they’re more likely to have the type of content that you’re looking for.

Now I can filter down to look at just things over a specific size. I could either keep my date range, or I could even open it up if I knew it was between the more further back range, I could go ahead and filter on a larger range of data. And this gave me 358, and more of a reasonable amount to review. The idea with triage is that it really shouldn’t take you more than an hour to get through some of your triage steps, and by having some of these filters already set up for you, where all you have to do is plug in your dates, it really helps you to get to your data more quickly.

Alright. We are going to ask questions in a few minutes, but I am going to show you a couple additional areas where you might want to look for information to narrow in on your search.

So, the first one we’re going to look at is our internet history. We’ve updated all of our internet history for Firefox and Safari and Chrome. And some of the areas that you might want to really focus on with triage are areas like recent searching. Again, if you wanted to really focus on one device – say if it’s just on this bootcamp device, or you know they do most of their searching on this Google Chrome one – you could actually focus it in on a specific one, by blue checking or unchecking specific devices.

You can also see their latest sessions, their last sessions, here. When I look through here I actually start to see information about cars, so I see a BMW listed; I see a Mercedes. And this scenario, there was actually some car theft involved. So seeing some of this in their last sessions, or even looking further back in their history for things like Ford or other items, might be enough for us to make the case that this device needs to be looked at more quickly. Here we see things like Porsche; again, there’s a lot of car words coming about on this system; and so we might want to focus on that.

So another general area that you might want to look at, if it was a security incident – a little different – looking at the systems is, what type of applications were installed? So if you were looking for things like peer-to-peer, or you’re looking for different types of things that might have been used, we can look at these. Again, we can always filter it down based on the device, if you wanted to do it device by device.

There are registry areas that people have as their favourites; we still have the option to do registry options; and then we do have new log capabilities that are coming in BlackLight. I will leave those for another webinar, but as you can see there’s some previews there of good things to come.

So the last thing I want to talk about on triage is the ability to focus it in when you know something about the case. And our content searching has the ability to do some narrowing in at the beginning. So I’m going to do some content search, which is like a traditional keyword search.

I do like index searching, when you know you’re going to be searching on a device, but if you’re looking at content searching, a great way to consider it is that you can just look for the words that you know are relevant. So we’ve seen words like Mustang, Ford, Tesla, I could add Porsche here. And here I can focus on just the devices that I think are relevant, but I can also pull through my filter that I built for just that user directory. So if I want to say files that match a specific filter, I can choose one of those filters that I created earlier.

So we had that demo filter up here, but I’d also created things for in the user’s directory in their date range; user docs in their date range; so these type of filters that you build can then be used to narrow in your search. So I did a search like that, that finished, I can start this one. But it goes ahead, and when I looked at it I was able to find these different hits for BMW, or Mustang, or Ford, and the criteria that I used, used that filter condition that I had built with my date range.

And I didn’t use anything like hash sets or anything when I was looking at it, but I was able to get these results back quickly, because I didn’t try to search the entire drive. I was able to, in three minutes and 24 seconds, do a pretty good search of 32,000 files without having excluded – with a focused exclusion that just focused on the user directory for my date range.

Alright. So I’m going to switch out of BlackLight now, and just review what we showed.

So we want to determine which systems are important. And before we can even determine if a system is important, we’re going to need to deal with things like full disk encryption if it’s present. So we had a great demo that showed, not just what full disk encryption options are available, but what options are available for file-based encryptions with our new partnership with Passware.

Then we showed how our new filtering allows you to filter down on users and volumes, and how you can choose to preview before you do more advanced operations, to look into the system.

We did filtering based on dates, paths, types of data like PDFs, Office documents, media, and file sizes. And then there are some high-level options that we always recommend that you do when triaging: what applications were installed; recent internet history; system logs; and then we wrapped up with our file… our specific keyword search for our investigation.

So with that, I’m going to go ahead and ask Julie if there were questions. I appreciate everyone being patient as we went through the demo.

Julie: Yes, we have had a lot of great questions coming in while you both have been presenting.

So we’ll start with: Can you save filters to be used from case to case?

Ashley: Yes. We do have filter templates, and so when you want to save your filters. So the one that I just built, you can choose to save and use generally, and make it generally available. The caveat there is, you’ll of course need to customise it for each case that you do, but at least you’ll have it filled out and you just need to put in the specific data.

Julie: Great. Can I filter to exclude items, is the next question.

Ashley: Yes. So when we were looking at filtering I did positive filters, so I said, like, “It contains this path,” but you could also invert that and say “Does not contain this path.” Or there is also that ‘invert filter’ option which would essentially say, you build all your logic to be positive and then you invert to say, I want to filter everything that doesn’t match my criteria.

Julie: Great, thank you. Which versions of Windows BitLocker are supported?

Ashley: Dmitry, do you want to cover that one?

Dmitry: Yeah, sure. We support all versions of Windows.

Julie: So, Windows 8 all the way through 2016, I think?

Dmitry: All the way to all the latest updates.

Julie: All the latest ones. Great. Perfect.

Is there a way to tell if a container is a TrueCrypt or a Veracrypt one?

Dmitry: Well, that is a tough question. Unfortunately there is no way to tell that, and we’d recommend to see what kind of applications were installed. I mean, if TrueCrypt or Veracrypt were installed, and then to try and find a password for that. Those containers have no file signatures, so it’s really impossible to tell what kind of software was used to create these containers without knowing a password.

Julie: Great, thanks Dmitry. And is it possible to extract the encryption keys for BitLocker from a TPM chip?

Dmitry: It is. The way to do that is to boot up a Windows machine, and once you see a password prompt you would need to take a memory image using… you might need to reboot the machine using a bootable USB drive to create a memory image. And that memory image would contain the BitLocker encryption key.

Julie: Great, thanks Dmitry. Excellent. Well, Ashley and Dmitry, thank you both for walking us through these latest improvements to BlackLight and Passware and how they allow examiners to quickly triage systems. If you submitted a question and we didn’t get a chance to answer it today, a member of our team will contact you individually. Also, we’ve had a few questions come in about viewing of this webinar, and yes it’s being recorded, and we will definitely send it out, so stay tuned for that.

If you are interested in learning more about BlackBag, Passware, or any of our products or services, you can email [email protected] or Ashley or Dmitry – their email addresses are up here – and definitely take advantage of the free trial of Passware, as well. And definitely be sure to follow us on Twitter, Facebook, YouTube and LinkedIn, and at blackbagtech.com; and subscribe to our blog at blackbagtech.com

Alright, well thank you all for joining, and thank you again Ashley and Dmitry. Hope everyone has a great day. Thank you.

Dmitry: Thank you.

Leave a Comment