New High Sierra and Windows Memory Artifact Support

We are pleased to announce that an update for BlackLight is now available. Following the major BlackLight 2017 release in November, this release includes enhancements and fixes such as:

  • Added new High Sierra FSEvents ‘inode’ reference number to ‘System Logs’ view
  • Support for Windows 10 Fall Creators Update (Version 1709) memory images
  • Enhanced Volume Shadow Copy (VSC) display
  • EWMounter support for Mac OS 10.13 and the ability to mount images with a 4096 block size

NEW FEATURE HIGHLIGHTS

UPDATED PARSING FOR FSEVENT FILES

BlackLight 2017 R1.1 now parses the unique identifier, or ‘inode’ number, of the item an FSEvent record refers to, a field that High Sierra (10.13) adds to FSEvents records. Because this number stays with the file system object while its path changes, examiners can use it to track a file or folder through moves and renames that a path-only view would lose. A new ‘inode’ column is displayed in the ‘System Logs’ view under the ‘System’ category, and the examiner can sort, hide/show and filter on it. The ‘inode’ number is also listed in the Tag container and appears in reports generated for tagged FSEvents items.
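The following is an added example written for this page, not BlackLight code, showing how the High Sierra node ID lets a parser follow one file through renames and moves. The page header and record layout used here (‘1SLD’ pages without a node ID, ‘2SLD’ pages with a trailing 64-bit node ID, paths stored relative to the volume root, and the flag bit names) are assumptions taken from community documentation of the fseventsd on-disk format, and the sample log is constructed in memory rather than captured from a real system.

```python
"""Track a file across renames with the node ID in High Sierra FSEvents logs.

Added example; not BlackLight's code. The record layout is an assumption
of this example, taken from community documentation of the fseventsd
on-disk format:
  page header  : magic (4 bytes, b"1SLD" or b"2SLD") | 4 unknown bytes |
                 page length including header (uint32 LE)
  DLS1 record  : path (NUL-terminated, relative to the volume root) |
                 event id (uint64 LE) | flags (uint32 LE)
  DLS2 record  : DLS1 fields | node id (uint64 LE)   <- added in 10.13
Log files are gzip-compressed on disk; the sample below is built in memory.
"""
import gzip
import struct
from collections import defaultdict

MAGIC_V1 = b"1SLD"   # pages written before High Sierra: no node id
MAGIC_V2 = b"2SLD"   # High Sierra (10.13) and later: node id on every record

# Flag bits as documented by community parsers (assumed, not from the page).
FLAGS = {
    0x00008000: "FileEvent",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x08000000: "Renamed",
    0x10000000: "Modified",
}


def decode_flags(flags):
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def parse_log(raw):
    """Parse one gzip-compressed fseventsd log into a list of record dicts."""
    data = gzip.decompress(raw)
    records, off = [], 0
    while off + 12 <= len(data):
        magic = data[off:off + 4]
        if magic not in (MAGIC_V1, MAGIC_V2):
            raise ValueError("unknown page magic %r at offset %d" % (magic, off))
        page_len = struct.unpack_from("<I", data, off + 8)[0]
        end, pos = off + page_len, off + 12
        while pos < end:
            nul = data.index(b"\x00", pos, end)
            path = data[pos:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            pos = nul + 1 + 12
            node_id = None
            if magic == MAGIC_V2:          # the field BlackLight shows as 'inode'
                node_id = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            records.append({"path": path, "event_id": event_id,
                            "flags": decode_flags(flags), "node_id": node_id})
        off = end
    return records


def history_by_node(records):
    """Map node id -> list of (event id, path) ordered by event id.

    A path change between consecutive entries for one node id is a rename
    or move of the same file system object, which a path-only view misses.
    """
    hist = defaultdict(list)
    for r in records:
        if r["node_id"] is not None:
            hist[r["node_id"]].append((r["event_id"], r["path"]))
    return {n: sorted(v) for n, v in hist.items()}


def _page(magic, recs):
    """Build one page in the assumed layout (used only to construct the sample)."""
    body = b""
    for path, event_id, flags, node_id in recs:
        body += path.encode() + b"\x00" + struct.pack("<QI", event_id, flags)
        if magic == MAGIC_V2:
            body += struct.pack("<Q", node_id)
    return magic + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body


# Constructed sample: one DLS2 page in which node 0x1B3F5 is created as
# draft.txt, renamed to report.txt, then moved to Desktop; a second node
# is unrelated. A trailing DLS1 page shows the pre-10.13 layout.
SAMPLE_LOG = gzip.compress(
    _page(MAGIC_V2, [
        ("Users/alice/Documents/draft.txt", 0x4D0, 0x01008000, 0x1B3F5),
        ("Users/alice/Documents/draft.txt", 0x4D1, 0x08008000, 0x1B3F5),
        ("Users/alice/Documents/report.txt", 0x4D2, 0x08008000, 0x1B3F5),
        ("Users/alice/Documents/notes.txt", 0x4D3, 0x10008000, 0x2C7A1),
        ("Users/alice/Desktop/report.txt", 0x4D4, 0x08008000, 0x1B3F5),
    ]) +
    _page(MAGIC_V1, [("Users/alice/old.txt", 0x3E8, 0x10008000, None)])
)


def paths_for_node(node_id, raw=SAMPLE_LOG):
    """Distinct paths a node has carried, in event order."""
    seen = []
    for _, path in history_by_node(parse_log(raw)).get(node_id, []):
        if path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
    print(paths_for_node(0x1B3F5))
```

Running the block prints every record and then the three paths node 0x1B3F5 carried over its lifetime; the record from the DLS1 page comes back with `node_id` set to `None`, which is the case an examiner hits when the log mixes pages written before and after the 10.13 upgrade.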

WINDOWS 10 FALL CREATORS UPDATE

Here at BlackBag, supporting our customers in the field with the ongoing challenge of new operating systems and updates to versions is a top priority. BlackLight 2017 R1.1 supports the Windows 10 Fall Creators Update and ensures that the significant changes to this new version of Windows do not affect our customers’ ability to process memory images from this operating system.

IMPROVED VOLUME SHADOW COPY (VSC) DISPLAY

BlackLight 2017 R1.1 provides an improved Volume Shadow Copy display that makes it easier for an examiner to identify a file’s history across shadow copies.

If the examiner chooses to process Volume Shadow Copies, BlackLight 2017 R1.1 displays a new top-level aggregate partition under Evidence, which can be expanded or collapsed to show or hide the individual volume shadow copies. When the top-level ‘Active & VSCs’ partition is selected, all active files and all processed VSC files can be examined together. Alternatively, an examiner can select just the active files partition to show only the active (current) files, or select an individual Volume Shadow Copy to show only the files for that specific VSC instance.

EWMOUNTER ADDITIONAL DRIVE SUPPORT

To assist with examining Apple’s new file system (APFS), EWMounter v1.9 (included with the Mac version of BlackLight 2017 R1.1) is supported on High Sierra 10.13 with enhanced features. EWMounter v1.9 allows examiners to select the appropriate block size, including a 4096-byte block size for images from newer Mac computers running High Sierra. EWMounter v1.9 can also assist with mounting images for unlocking FileVault 2 volumes and merging Fusion drives.

Learn more about BlackLight

To learn more about BlackLight, including these features, check out our comprehensive training options, including free self-paced or in-depth courses at blackbagtech.com/training.html. Our instructors have years of law enforcement and digital forensics experience and actively support investigators in the field.

Get your free fully-functional demo license today!
