We are pleased to announce the third major release of BlackLight for 2016. This comprehensive Windows, Android, iPhone/iPad and Mac forensic analysis software just keeps getting better. Update your software now!
BlackLight 2016 R3 implements several new features and improvements, including the following:
- Windows 8 and 10 hiberfil.sys and Raw Memory Parsing, Searching, and Analysis*
- Windows Event Log and Apple System Log Parsing and Analysis*
- iOS and OS X Recents Database Parsing*
- Additional iOS 10 Encrypted Backup Support*
- New Data Structure Templates*
- Windows Hash Set Included
- Type-down Feature in List Views
- Go To Position (Offset) in Hex View
- Internet History Parsing for Internet Explorer 10, 11, and Edge
- Social Media Parsing of ooVoo, Kik attachments, iOS Message GPS
- Time Machine Folder Hard Links Now Resolved
*View a more detailed description of the features below or watch our webinar for a demonstration.
Windows 8 and 10 Memory Parsing, Searching and Analysis
Up until now no one has figured out how to parse Windows 8 and 10 memory and extract meaningful data. BlackLight 2016 R3 can now provide a wealth of information previously unavailable. These memory files are parsed within the "Advanced Processing Options" in the same manner as with Windows Vista and 7. Just as with earlier versions of BlackLight, files can be carved from within these Windows 8 and 10 memory files and revealed in BlackLight’s Browser view. Searches are run for important items of interest such as internet searches, Facebook addresses, internet domains, phone and credit card numbers, and more.
Operating System Log File Parsing (Windows – EVT/EVTX & Apple – ASL)
Both Windows and Apple operating systems have system logging functionality used to record events. Windows event logs are typically maintained in three files: Application, System, and Security. Windows Vista and later use the XML event log format (EVTX). Events of interest can be found by browsing, using the Find function, and using the View Filter. Apple System Logs are binary files controlled by a system daemon. ASL logs are stored in private/var/log/asl/ and other directories, but information can also be output to system.log. Here, we use the Find function to look for the term "iCloud". The full information for any system log entry is revealed in the Full Fields Content view.
Recents Database Parsing (iOS 6 & newer/OS X 10.10 & newer)
BlackLight shows the “Recents” information that iOS and OS X capture within their databases. The information is revealed in BlackLight’s Mail, Messages, Contacts and Location views. Some of the more interesting items are recently e-mailed addresses (including ones that are not recorded in the "Contacts" app). The "Contacts" and "Recents" tables contain contact points that can be lined up with the "Recents" table to see when the last 5 communications between individuals and groups took place. The metadata table contains metadata from recent communications as well. Here we see the "Recents" information, as seen within an iPhone’s messages. Depending on which data type is being reviewed, BlackLight’s existing ability to reveal “deleted” records in SQLite databases can show information that no longer exists within the database’s active records.
iOS 10 Encrypted Backup Support
Apple has changed the method by which they protect iOS backups with iOS 10 and iOS 10.1. BlackLight handles both of these methods, but you must know the user's password in order to decrypt. It is important to note that AFC is no longer available with iOS 9 and 10, and the only way to get data from the device is by forcing a backup through BlackLight or using iTunes.
New Data Structure Templates
BlackBag is supplying templates for parsing MFT records, HFS Catalog records, partition tables, boot sectors, and various file types. Templates for ZIP, TAR, BMP, JPG, GIF, PNG, AVI, MP4, and LNK files are included. As an example, when a zip archive is located, the Data Structure view shows each file that is part of the archive, as well as the file system date associated with each file. With the file of interest highlighted in the Browser view, we go to the Hex view and select Data Structure. In this example, a zip archive was created from several pictures. As shown, the Data Structure view provides the file name of each file, date and time attributes, and additional information about each file contained in the zip. When a particular field is highlighted, its corresponding information in both the Hex and ASCII windows is highlighted so it can easily be located by the examiner. Similarly, if the user selects data in Hex, the corresponding Data Structure item will be highlighted.
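To illustrate what a zip Data Structure template has to decode, here is an added example (written for this post, not BlackBag's template code) that walks the local file headers of a small archive constructed in memory and recovers each entry's name, DOS timestamp, sizes and header offset, the same fields an examiner would line up against the Hex view:

```python
import io
import struct
import zipfile
from datetime import datetime

LOCAL_SIG = b"PK\x03\x04"       # local file header signature
DATA_DESCRIPTOR_FLAG = 0x0008   # bit 3: CRC/sizes follow the data instead of the header

def build_sample_zip() -> bytes:
    """Constructed sample input: a stored archive of two fake 'pictures'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo("IMG_0001.JPG", (2016, 9, 14, 10, 30, 0)), b"\xff\xd8\xff\xe0 fake jpeg")
        zf.writestr(zipfile.ZipInfo("IMG_0002.JPG", (2016, 9, 15, 8, 5, 2)), b"\xff\xd8\xff\xe0 fake jpeg 2")
    return buf.getvalue()

def dos_datetime(dos_time: int, dos_date: int) -> datetime:
    """Decode the MS-DOS packed date/time stored in zip headers (2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)

def parse_local_headers(data: bytes) -> list:
    """Walk the 30-byte local file headers from offset 0 and return one dict per
    entry, keeping the header offset so it can be jumped to in a hex view."""
    entries, off = [], 0
    while data.startswith(LOCAL_SIG, off):
        # version needed, flags, method, mod time, mod date, crc32, comp size, size, name len, extra len
        _ver, flags, method, t, d, crc, csize, usize, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        name = data[off + 30:off + 30 + nlen].decode("cp437")
        entries.append({"offset": off, "name": name, "method": method, "mtime": dos_datetime(t, d),
                        "crc32": crc, "compressed_size": csize, "size": usize})
        if flags & DATA_DESCRIPTOR_FLAG and csize == 0:
            # Streamed entry: sizes live in a trailing data descriptor, so the local
            # headers alone cannot be walked; the central directory must be consulted.
            break
        off += 30 + nlen + xlen + csize
    return entries

if __name__ == "__main__":
    for e in parse_local_headers(build_sample_zip()):
        print(f"{e['offset']:#08x} {e['name']:<14} {e['mtime']:%Y-%m-%d %H:%M:%S} "
              f"size={e['size']} crc=0x{e['crc32']:08x}")
```

Timestamps in zip headers are DOS local time with no zone and 2-second granularity, so they should be reported as such rather than treated as precise UTC.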