
Complete Support for all GrayKey images

BlackBag is proud to announce we have updated and streamlined our support for all GrayKey images with our latest BlackLight 2018 R3 release on Mac and Windows. GrayKey, by Grayshift, is designed to provide access to devices that were previously inaccessible. A significant number of devices sat in evidence rooms with the passcode locked, and vast amounts of digital evidence were not reviewed. All this information is now accessible and is assisting examiners in solving cases. In addition to unlocking these devices, GrayKey also captures data from iOS devices that hasn’t been available to examiners for many years, such as email and the system partition. Using BlackLight as the analysis tool for GrayKey allows full filesystem analysis, memory file support and proper handling of dates, as recommended by Grayshift. To learn more about the GrayKey product, please see Grayshift’s site.

Support for All 3 GrayKey Images – Full File System, Backup Files and Memory

There are three types of GrayKey images, all of which are supplied as zip files.


Sample GrayKey Image zip files

Adding GrayKey Images

BlackLight examiners can add GrayKey images either by dragging and dropping them onto a case on Mac, or by choosing the ‘Add’ evidence button.

Adding GrayKey Images Using the Add Evidence option. Examiners can also drag and drop files onto BlackLight from a Mac.

Viewing and Processing GrayKey Images

BlackLight will process the GrayKey zip file just as if it were processing an iOS backup, except with much more data. BlackLight can handle either the full system image or the backup image. Navigation through the GrayKey image will look the same as if it came straight from the device itself.

Examiners can navigate the GrayKey Image once added

GrayKey Memory Files

If the GrayKey memory file is added, BlackLight will prompt the examiner for how to handle it. The file can be brought in as a simple zip file, so you can see the contents, or you can treat it as a file and run content searches to get evidentiary items like IP addresses, email addresses, etc.

Adding a GrayKey Memory Image will prompt the user for how to add the file.

Note: With the 2018 R3 release, BlackLight customers will no longer need to use the Gray to Black application to prepare GrayKey images for import.

Reporting on iOS devices

Ready to report on the findings from the iOS device acquired with GrayKey? Check out our next post on the new reporting options in BlackLight 2018 R3. We now have comprehensive device-level options for when you want all the contacts and messages without having to tag files.

As the Mac experts, we are proud to continue to serve our customers by providing support for these critical tools. Chief Customer Officer Ben Charnota shares: “We’ve received a number of inquiries from users of competitive products reporting that the solution they are using to analyze the GrayKey output is incorrectly representing dates. We frequently encounter this when others support a solution they have limited experience with. Dates are critical to digital forensic exams, so make sure you are using the only solution GrayKey trusts with the dates from their output – BlackLight.”

To update to the latest version of BlackLight, click here.

In Case You Missed It:

Ask the Expert: The Importance of APFS Snapshots in Investigations

Our latest webinar on APFS Snapshots is now available to view on demand. In this webinar, Dr. Joe T. Sylve, Director of Research and Development at BlackBag, shows you how to go back in time to review what happened on an APFS volume. Dr. Sylve discusses details of the snapshot functionality built into APFS, why snapshots will be useful in your investigations and how you will be able to take advantage of snapshots in upcoming BlackLight releases.
If your tool of choice is not parsing APFS snapshots, then you may be missing data.

Register here to watch it on demand.

Ashley Hernandez