How and where the BlackLight case is stored has a direct effect on performance. Even the fastest workstation will benefit from one simple rule when setting up a BlackLight case: store the case and evidence files on different data buses!
Here’s why. At its heart, the BlackLight case is a database. While the case is open, data is being written to and read from the case file (database) almost constantly, especially during initial processing as BlackLight parses, hashes and recovers data from the partitions and unallocated space. Data is also being read from the evidence file(s) that have been associated with the case. This virtually constant updating of the database is also why BlackLight can easily recover in the event of a system crash (it happens) without the examiner worrying about when the case was last backed up or saved. BlackLight saves its cases automatically and dynamically during use. There is no “save as” or backup every-so-often feature.
Because of the constant reads and writes to the case database and the virtual certainty of overloading the bus, we recommend storing the case file and evidence files separately, on devices that do not share a data bus. Yes, even a fast Thunderbolt bus can become overloaded and will benefit from this separation.
When creating a new case or opening an existing case, save the case on the host disk of your workstation, on the Desktop or in another folder, as desired. By the way, creating a new case is the only time BlackLight will prompt you to save the case, requesting the case name and location.
Once the case is created, a bundle file on a Mac (HFS+) volume, or a folder on Windows, will exist with that case name. The evidence files to be associated with the case should be stored on media connected by a different data bus – SATA, USB, Thunderbolt, etc., even a network share – but different from the bus handling the case file.
Upon completion of the examination, the case file can easily be copied to the same media containing the evidence files. Then, the media can be archived or placed into an evidence control facility for safekeeping.
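The two steps above (keeping case and evidence apart, then archiving the case onto the evidence media) can be scripted. The following is an added example, not part of BlackLight or the original article: `same_volume` flags the one layout that certainly shares a bus (both paths on one filesystem; differing filesystems still do not prove differing buses), and `archive_case` copies a closed case and verifies every file by SHA-256. All paths and file names are constructed placeholders.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def same_volume(case_dir, evidence_dir):
    """True when both paths sit on one filesystem, and so certainly share a bus."""
    return os.stat(case_dir).st_dev == os.stat(evidence_dir).st_dev

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def archive_case(case_dir, evidence_media):
    """Copy the closed case next to the evidence and verify every file."""
    case_dir = Path(case_dir)
    dest = Path(evidence_media) / case_dir.name
    before = manifest(case_dir)
    shutil.copytree(case_dir, dest)  # raises FileExistsError if dest exists
    after = manifest(dest)
    if before != after:
        raise OSError(f"copy of {case_dir.name} does not match the original")
    return dest, after

def demo():
    # Constructed stand-ins: a fake case folder and a fake evidence volume.
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "workstation" / "Case-0001"
        media = Path(tmp) / "evidence_media"
        (case / "db").mkdir(parents=True)
        media.mkdir()
        (case / "db" / "case.sqlite").write_bytes(b"constructed case data")
        (case / "notes.txt").write_text("constructed examiner notes")
        shared = same_volume(case, media)  # both live under one temp dir
        dest, digests = archive_case(case, media)
        return shared, dest.name, sorted(digests)

if __name__ == "__main__":
    print(demo())
```

Keeping the returned digest map with the archived media gives a later reviewer a way to confirm the case copy is unchanged.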