Gray to Black: Analyzing GrayKey images in BlackLight or Mobilyze

BlackBag Technologies is pleased to provide BlackLight and Mobilyze customers support for ingesting all GrayKey iPhone image extractions.  To make the import as easy as possible, we have developed a free tool to properly format the GrayKey zip files for import into our tools.  To use the "Gray to Black" application click here to download it and then follow the directions below.  To learn more about GrayKey images, please see GrayShift's site.

Prepare a GrayKey evidence file

1. In Mac OS or Windows, launch the “Gray to Black” application. This application is used to prepare a GrayKey zip for ingestion into BlackLight or Mobilyze.


2. Click on the “Select Zip File” button; choose a zip file and click "Open".


Note: GrayKey exports two formats:
- UUID_files.zip (Filesystem dump)
- UUID_backup.zip (Backup file)

3. The application will immediately prompt you to select a destination folder.

  • Select or create a new folder to receive the converted GrayKey file.
  • Make sure you have enough space to convert the zip file (the output will be about 20% larger than the GrayKey zip file).

4. Once the folder is selected the conversion will start. The main window will be updated with a list of all the files extracted from the zip archive.


5. During the conversion, you will see a progress bar and the total number of files being extracted from the zip archive. This process will take some time and depends on the amount of data extracted. Also note that extraction is significantly faster on a Mac system than on Windows, but the output is the same.
6. Once the conversion is complete, you will be notified of the “Completion” status with the total number of the files converted and the total time it took to convert the files. Please close the application once complete and restart before ingesting the next evidence set.
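
A pre-conversion check for the steps above, as an added example (not part of the Gray to Black tool or BlackBag's documentation): it identifies which of the two GrayKey formats a zip is from its file name and confirms the destination has room for output about 20% larger than the zip. Recording a SHA-256 of the source zip is an addition that is not in the page's procedure; the function names and the script name are hypothetical.

```python
import hashlib
import os
import shutil
import sys

# Suffixes of the two GrayKey export formats listed on this page.
KINDS = {"_files.zip": "filesystem dump", "_backup.zip": "backup file"}


def classify(zip_path):
    """Return the export kind implied by the file name, or None."""
    name = os.path.basename(zip_path).lower()
    for suffix, kind in KINDS.items():
        if name.endswith(suffix) and len(name) > len(suffix):
            return kind
    return None


def required_bytes(zip_size):
    """Zip size plus 20% (the page's estimate), rounded up, integer math."""
    return zip_size + -(-zip_size // 5)


def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so multi-gigabyte images are never held in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(zip_path, dest_dir):
    """Checks to run before selecting the zip and destination in the GUI."""
    kind = classify(zip_path)
    if kind is None:
        raise ValueError("expected a *_files.zip or *_backup.zip GrayKey export")
    need = required_bytes(os.path.getsize(zip_path))
    free = shutil.disk_usage(dest_dir).free
    return {"kind": kind, "sha256": sha256_file(zip_path),
            "need": need, "free": free, "enough_space": free >= need}


if __name__ == "__main__":
    # Usage: python preflight.py <GrayKey zip> <existing destination folder>
    print(preflight(sys.argv[1], sys.argv[2]))
```

Hashing the zip again after conversion and comparing the two values shows that the source evidence file was not modified by the process.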

Add GrayKey evidence into BlackLight

  1. Prepare the evidence file as described above.
  2. Launch BlackLight and create a new case.
  3. Add your evidence to the case.
    1. In the left pane click on the “Add” button. A new “Add Evidence” Window will appear.
    2. Click the “Add” button by “Files / Folders / Disk Images”.
    3. Open the destination folder that you created.
    4. In the destination folder, select the folder named with the device “UUID”.
    5. The “Add Evidence” window will update, and you should now see a phone icon with the UUID.
    6. Select your “Ingestion Options”.
      NOTE: To speed up ingestion, only select “File Signature Analysis”, “Picture Analysis” and “Video Analysis”.  Other options can be run at a later time.
    7. Click the “Start” button.
  4. The case will start to process the Data. The “Evidence Status” will show the progress of the different tasks.  When the tasks are complete, you can start to review your evidence in BlackLight.

Add GrayKey evidence into Mobilyze

  1. Prepare the GrayKey evidence file as described above.
  2. Copy or move the UUID named folder to the Mobilyze Cases Folder (typically found in your “Documents” folder).
  3. Launch Mobilyze.
  4. In the “Cases” list you should see the UUID from your GrayKey evidence. Select it from the List and click the “Open Case” button.
  5. A Case window should appear, and the different types of evidence (i.e. Calls, Messages, Contacts, etc.) will start to populate with the total number of items per type.
  6. The Status will show the files being processed, including images and movies.
  7. When the processing is complete, you can start to review your evidence in Mobilyze.

    You are now ready to use the best tools for Apple investigations on the iPhone images extracted by GrayKey.

Download the Gray to Black Application 
