BlackBag is proud to announce we have updated and streamlined our support for all GrayKey images with our latest BlackLight 2018 R3 release on Mac and Windows. GrayKey, by Grayshift, is designed to provide access to devices that were previously inaccessible. A significant number of devices sat in evidence rooms with the passcode locked, and vast amounts of digital evidence were not reviewed. All this information is now accessible and is assisting examiners in solving cases. In addition to unlocking these devices, GrayKey also captures data from iOS devices which hasn’t been available to examiners for many years, such as email and the system partition. Using BlackLight as the analysis tool for GrayKey allows full filesystem analysis, memory file support and proper handling of dates, as recommended by Grayshift. To learn more about the GrayKey product, please see Grayshift's site.
Support for All 3 GrayKey Images - Full File System, Backup Files and Memory
There are three types of GrayKey images, all of which are supplied as zip files.
Adding GrayKey Images
BlackLight examiners can add GrayKey images either by dragging and dropping them onto a case on Mac or by choosing the 'Add' evidence button.
Viewing and Processing GrayKey Images
BlackLight will process the GrayKey zip file just as if it were processing an iOS backup, except with much more data. BlackLight can handle either the full system image or the backup image. Navigation through the GrayKey image will look the same as if it came straight from the device itself.
GrayKey Memory Files
If the GrayKey memory file is added, BlackLight will prompt the examiner on how to handle it. The file can be brought in as a simple zip file, so you can see the contents, or you can treat it as a file and run content searches to get evidentiary items like IP addresses, email addresses, etc.
Note: With the 2018 R3 release, BlackLight customers will no longer need to use the Gray to Black application to prepare GrayKey images for import.
Reporting on iOS devices
Ready to report on the findings from the iOS device acquired with GrayKey? Check out our next post on the new reporting options in BlackLight 2018 R3. We now have comprehensive device level options for when you want all the contacts and messages without having to tag files.
We are proud to continue to serve our customers by providing support for these critical tools. As the Mac experts, Chief Customer Officer, Ben Charnota, shares "We’ve received a number of inquiries from users of competitive products reporting that the solution they are using to analyze the GrayKey output is incorrectly representing dates. We frequently encounter this when others support a solution they have limited experience with. Dates are critical to digital forensic exams, so make sure you are using the only solution GrayKey trusts with the dates from their output – BlackLight."
To update to the latest version of BlackLight, click here.
In Case You Missed It:
Ask the Expert: The Importance of APFS Snapshots in Investigations
Our latest webinar on APFS Snapshots is now available to view on demand. In this webinar, Dr. Joe T. Sylve, Director of Research and Development at BlackBag, shows you how to go back in time to review what happened on an APFS volume. Dr. Sylve discusses details of the snapshot functionality built into APFS, why snapshots will be useful in your investigations and how you will be able to take advantage of snapshots in upcoming BlackLight releases.
If your tool of choice is not parsing APFS snapshots, then you may be missing data.