The New Artifacts BlackLight 2020 R1 Parses
With the release of BlackLight 2020 R1, BlackBag expanded the macOS artifacts processed. By user request, features were added to process: AirDrop artifacts, built-in iCloud productions, additional data in macOS about Recent Items, and mac OS user account information.
BlackLight 2020 R1 also parses Keychains and Spotlight artifacts. For more information on those features watch our on-demand webinar Ask the Experts: A Deep Dive into Keychain and Spotlight Artifacts.
AirDrop is a built-in feature in macOS and iOS that lets devices share files wirelessly, using Bluetooth to create peer-to-peer WiFi network between macOS and iOS devices. AirDrop enables transfer of files between the devices without using MMS, email, or other file transfer devices or services. AirDrop can be setup on a device, iOS or macOS, to be only used by contacts or to be used by everyone.
BlackLight displays the AirDrop ID and AirDrop Discoverable Mode information for devices on the [Details] tab.
Having information about the AirDrop configuration on a device is helpful, but what is of more interest is knowing what files were transferred to and from the device using AirDrop. This information is parsed in [Actionable Intel] and is found in the ‘Air Drop’ section of the ‘Downloads’ subview.
Here each entry shows the file transferred, name of the sender, name of the recipient, whether the file was sent from the device (outbound) or sent to the device (inbound), and other information.
Apple device users typically have an iCloud account associated with all of their devices. An iCloud account is used to sync data across multiple devices, like Calendars and Photos, and is also used for iOS device backups. Multiple devices can be synced and backed up to one iCloud account. An iCloud account potentially stores a lot of important information.
Provided you have the proper search authority, Apple will provide the data from a user’s iCloud account. The iCloud Productions are sent in an encrypted GPG format. Once decrypted, the zip file containing the user’s data can be processed by BlackLight 2020 R1. Prior to this release, users needed to send the productions to BlackBag for processing. Now that the format has stabilized we have built the processing directly into BlackLight.
Warning: Ingesting data from iCloud Production files relies on the formatting of these files. If Apple chooses to alter the format of the data in iCloud Production files, BlackLight may cease to identify iOS device backups in the iCloud Production files. In those cases, you can still reach out to BlackBag to help adjust the processing as you could in the past.
Keep in mind, some users do not backup their iOS devices to iCloud, but they do store other data in their iCloud account. During ingestion of the zip file containing the iCloud Production, BlackLight will automatically detect if device backups are stored. When the device backups are detected, the Processing Option iCloud Backups is automatically selected.
BlackLight first processes the zip file, parsing the data the user stored in the iCloud account. Upon encountering iOS device backups, a separate device is added for each backup. There may be multiple backups for the same device stored in an iCloud account.
Once everything is processed, the data extracted from the iCloud Production can be reviewed. Within the zip file itself you can review Account Information, Bookmarks, Notes, etc. – whatever data the user stores in iCloud.
Each device backup has a date associated with it, allowing you to see what was on the iOS device on the date the backup was created.
Analysis of these iOS backups is similar analysis of any other iOS backup.
macOS Recent Items
The goal in reviewing ‘Recent Items’ (displayed in [Actionable Intel]) is to gain an understanding of what the user was doing on the computer. The newest release of BlackLight provides more understanding by parsing more information in ‘Recent Items’ for macOS systems than ever before.
For macOS systems data is now parsed from the following locations:
The data parsed is displayed in the ‘File Knowledge’ section of the ‘Recent Items’ subview in [Actionable Intel]. Since a lot of this information is stored in plist files, BlackLight parses information from the plist, but also displays the plist in the File Content Viewer pane. For some of the files parsed, additional content can be found in the associated plist. Along with the information parsed, data in the plist can be tagged and included in your examination report.
macOS User Account Information
macOS stores databases in ~/Library/Accounts containing information about the user’s other accounts including iCloud, social media, email, and calendars. Data is now parsed from these databases in the ‘User Accounts’ section of the ‘Account Usage’ subview in [Actionable Intel].
BlackLight 2020 R1 also parses additional information from macOS user account plist files (created date and last password change date).
To download the latest version of BlackLight, click here. For more information on these and other BlackLight 2020 R1 features, please read the BlackLight 2020 R1 User Guide. If you have any other questions or issues, search the BlackBag support portal here: https://support.blackbagtech.com.