Getting Through the Data Quickly
By Stephanie Thompson, Solutions Engineer
Using File Filters
Data, data, and more data!! With hard drives and mobile devices constantly increasing in size, investigators are always looking for ways to get to data quickly. File filtering within BlackLight is one way this can be done.
BlackLight comes with 30+ already configured filters that can make your life a whole lot easier. In this blog post, we are going to focus on four that you may or may not know about so you can see how quick and powerful these features can be.
These are the file filters available in the File Filter tab in BlackLight 2019 R3:
| Filter | Description |
|---|---|
| List All Files | Display all files on the selected device |
| Name | Filter files by name |
| Path | Filter files in a named directory (folder) |
| Kind | Filter by genus or category |
| Extension | Filter by file type based on extension (.doc, .txt, .jpg) |
| Content Extension | Filter by file type based on header information |
| Extension Matching | Filter by file type based on header and extension |
| Tagged State | Filter files that are tagged or not tagged |
| Tag Name | Filter files by tag name |
| Size | Filter by file size |
| Date Created | Filter by creation date |
| Date Modified | Filter by date modified |
| Date Accessed | Filter by last access date |
| Date Added | Filter by date added |
| BlackLight ID | Filter by the record ID stored within the casefile database |
| File System ID | Filter by the HFS catalog (node ID) / MFT ID number |
| Hash Set | Filter files with known hash values |
| Hash Set Category | Filter files based on hash set category |
| File Hash | Filter files based on a specific hash set |
| List Duplicate Files | Filter the duplicate files by hash |
| Suppress Duplicate Files | Filter out any duplicate files |
| File Entropy | Filter by file entropy value |
| Locked | Filter files with a locked flag |
| Resource Fork | Filter files that have a resource fork |
| Alternate Data Stream | Filter files that have an alternate data stream |
| Visibility | Filter hidden or visible files |
| iOS Hidden Files | Filter iOS hidden files |
| Metadata Field | Filter on the metadata attribute field |
| Metadata Value | Filter on the metadata attribute value |
| Spotlight Field | Filter on the Spotlight attribute field |
| Spotlight Value | Filter on the Spotlight attribute value |
| Internal Filter | Filter for displaying custom SQL from the details view |
| Snapshot/VSC | Filter files that have a Snapshot or Volume Shadow Copy version |
File Filter Example 1 – Signature Analysis
You may have noticed within BlackLight that there isn’t a column or view that readily points out a file signature mismatch. When you look at the file structure within Browser, BlackLight has a column for Extension, showing the file type based solely on the specified extension, and a column for Content Extension, showing the file type based on the header information. Neither of these columns displays whether the content header matches the specified extension. You are able to sort by each of these columns, but it would be very tedious to try to determine bad signatures in this view.
BlackLight 2019 R3 provides an update to file filters that makes compound filtering easier. You can filter on a group of conditions and/or individual conditions. For signature analysis there are several ways we can go about it. First, we need to check whether the extension and content extension are not equal, meaning the file extension is different from the file signature. Second, we can narrow down the results to focus on specific file types. In this example, we are looking for files with a content extension or file signature of JPG, GIF, or PNG, as well as files where the file extension is not null (this gets rid of a lot of false positives that sometimes occur for files with no file extension).
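The same compound filter expressed in code, as an added example that is not part of the original post or of BlackLight: the header table, the alias list and the sample files are constructed here, and the alias handling (.jpeg vs .jpg) is an extra step the post does not mention but which avoids one common false positive.

```python
import os

# Constructed header table for the three image types the post's filter targets.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
TARGET_TYPES = {"jpg", "gif", "png"}
# Extension aliases, so a .jpeg holding a JPEG is not reported as a mismatch.
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

def content_extension(data):
    """File type implied by the header bytes (the 'Content Extension' column), or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None

def name_extension(name):
    """Normalised extension from the file name (the 'Extension' column), or None if absent."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ALIASES.get(ext, ext) or None

def signature_mismatches(files):
    """Compound filter: content extension in JPG/GIF/PNG AND name extension present
    AND the two differ. Returns sorted (name, extension, content_extension) tuples."""
    hits = []
    for name, data in files.items():
        ext = name_extension(name)
        cext = content_extension(data)
        if cext in TARGET_TYPES and ext is not None and ext != cext:
            hits.append((name, ext, cext))
    return sorted(hits)

# Constructed sample "files": name -> first bytes of content.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # genuine JPEG
    "IMG_0001.JPEG": b"\xff\xd8\xff\xe1" + b"\x00" * 16,  # JPEG under an alias extension
    "anim.gif": b"GIF89a" + b"\x00" * 16,                 # genuine GIF
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,     # PNG behind .txt: mismatch
    "report.docx": b"GIF87a" + b"\x00" * 16,              # GIF behind .docx: mismatch
    "noext": b"\xff\xd8\xff\xe1" + b"\x00" * 16,          # no extension: excluded
    "readme.md": b"# hello\n",                            # unknown header: excluded
}

if __name__ == "__main__":
    for row in signature_mismatches(SAMPLE_FILES):
        print(row)
```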
File Filter Example 2 – Changes in Volume Shadow Copies and APFS Snapshots
Sometimes examiners choose not to process volume shadow copies or APFS snapshots because it can be time-intensive. For some examinations, pertinent information can be found in the VSCs or APFS Snapshots. To make the most use of your analysis time, process the VSCs and snapshots overnight. When you come back to the office you can easily run a filter to show you the differences. BlackLight will tell you if there are files in an older VSC or snapshot that are no longer in the active volume, as well as files that appear in both but have been changed.
Any snapshots and volume shadow copies that BlackLight processes will be brought back into your casefile as a virtual evidence item. This allows for easier analysis and filtering. With the active partition and all Snapshots/VSCs selected, we can go to the File Filter tab. Below are the options built into BlackLight to filter against Snapshots/VSCs:
In our example below (Figure 3), at the very bottom of the screen we can see that the data was filtered down to 3,638 files. There is a column for Version Index that shows which snapshot or shadow copy that file appears in.
After selecting a file, contextual clicking (right-click in Windows, command-click in macOS) will bring up a menu with various options including File History. When File History is selected, BlackLight will open a screen that shows the different versions available for that file. A file displayed in red italics with a strikethrough (Figure 4) indicates the file was found in a Snapshot/VSC but is no longer available on the active partition.
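The two conditions the Snapshot/VSC filter reports (gone from the active volume, or present in both but changed) and the per-file history view, as an added example that is not BlackLight's code: the version listings are constructed, with version index 0 standing for the active partition and higher indices for older snapshots or shadow copies.

```python
import hashlib

def sha1(data):
    """Content hash used to decide whether two versions of a path differ."""
    return hashlib.sha1(data).hexdigest()

# Constructed listings: version index -> {path: content}. Index 0 is the active
# volume; 1 and 2 are older Snapshots/VSCs brought in as virtual evidence items.
VERSIONS = {
    0: {"/Users/x/notes.txt": b"v3", "/Users/x/keep.txt": b"same", "/Users/x/new.txt": b"n"},
    1: {"/Users/x/notes.txt": b"v2", "/Users/x/keep.txt": b"same", "/Users/x/secret.pdf": b"s2"},
    2: {"/Users/x/notes.txt": b"v1", "/Users/x/keep.txt": b"same", "/Users/x/secret.pdf": b"s1"},
}

def snapshot_differences(versions):
    """Rows of (path, version_index, status) for files that differ from the active volume.
    status is 'deleted' (in the snapshot, gone from active) or 'changed' (in both,
    different hash). Files identical in every version are suppressed."""
    active = {path: sha1(data) for path, data in versions[0].items()}
    rows = []
    for idx, listing in versions.items():
        if idx == 0:
            continue
        for path, data in listing.items():
            if path not in active:
                rows.append((path, idx, "deleted"))
            elif active[path] != sha1(data):
                rows.append((path, idx, "changed"))
    return sorted(rows)

def file_history(versions, path):
    """Every version of one path, like the File History view: (index, hash or None)."""
    return [(idx, sha1(listing[path]) if path in listing else None)
            for idx, listing in sorted(versions.items())]

if __name__ == "__main__":
    for row in snapshot_differences(VERSIONS):
        print(row)
    print(file_history(VERSIONS, "/Users/x/secret.pdf"))
```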
File Filter Example 3 – Spotlight Information in macOS
The Spotlight index within macOS has proven to contain a wealth of information for examiners. So much additional metadata is available for files, information that could help answer questions about who created the file, how many times a file has been opened, and where the file came from. Once Spotlight metadata has been processed for an evidence item in BlackLight, files can be filtered based on this metadata. For example, to look at where a file came from there is a key called kMDItemWhereFroms. Use the built-in Spotlight Field File Filter to search for wherefrom. Combine that with other filters such as file type to narrow down the data even more:
In the above example, we are looking for JPEGs that have the kMDItemWhereFroms key populated. After selecting a file, the Metadata tab of the ‘Content Pane’ shows all the associated metadata for that particular file. In this case, the WhereFroms show that this picture came from a specific email address and was sent through Messages file transfer.
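The JPEG-plus-WhereFroms filter above, as an added example that is not BlackLight's code. It assumes macOS stores this Spotlight key as a binary plist array of strings in the extended attribute com.apple.metadata:kMDItemWhereFroms; the file names, URLs and address are constructed.

```python
import plistlib

# Assumed storage: macOS keeps this Spotlight key as a binary plist in this extended attribute.
XATTR_NAME = "com.apple.metadata:kMDItemWhereFroms"

def encode_wherefroms(sources):
    """Build the binary-plist array of strings written for kMDItemWhereFroms."""
    return plistlib.dumps(list(sources), fmt=plistlib.FMT_BINARY)

def decode_wherefroms(blob):
    """Decode the attribute into a list of strings; a missing or non-array value yields []."""
    if not blob:
        return []
    value = plistlib.loads(blob)
    return [str(v) for v in value] if isinstance(value, list) else []

def jpegs_with_wherefroms(files):
    """The post's compound filter: content extension jpg AND kMDItemWhereFroms populated.
    files is a list of (name, content_extension, xattrs) tuples."""
    hits = []
    for name, cext, xattrs in files:
        sources = decode_wherefroms(xattrs.get(XATTR_NAME))
        if cext == "jpg" and sources:
            hits.append((name, sources))
    return hits

# Constructed evidence items; the URLs and address are made up for the example.
FILES = [
    ("IMG_2231.jpg", "jpg", {XATTR_NAME: encode_wherefroms(
        ["https://files.example.test/IMG_2231.jpg", "https://files.example.test/album"])}),
    ("shared.jpg", "jpg", {XATTR_NAME: encode_wherefroms(["alice@example.test"])}),
    ("local.jpg", "jpg", {}),                                   # no WhereFroms: excluded
    ("manual.pdf", "pdf", {XATTR_NAME: encode_wherefroms(
        ["https://files.example.test/manual.pdf"])}),           # not a JPEG: excluded
]

if __name__ == "__main__":
    for name, sources in jpegs_with_wherefroms(FILES):
        print(name, "<-", sources)
```

A downloaded file typically carries two entries, the download URL followed by the referring page, which is why the decoder keeps the whole array rather than only the first string.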
File Filter Example 4 – Hash Set Comparisons
BlackBag provides a few hash sets that are optional installs for BlackLight including: Known Windows System Files, Known OS X System Files, Hashkeeper 2.0 (Known CP), and Hashkeeper 2.0 (Suspected CP). You also have the option of importing your own hash sets as well as creating hash sets from existing case files. Once the hash sets are imported and processed against the current image, a File Filter can be run to show files that exist in a specific hash set or files that do not exist. Below is an example showing files that are in a user created hash set Bennett-Racer-R3-Geolocation.
These are just a few of the filters that can help examiners get through their data quickly. With over 30 filters already built into BlackLight (and quick triage processing options available), the size of evidence items doesn’t have to be the bane of your existence. The additional filter capabilities in BlackLight 2019 R3 and the ability to group these filters make a powerful tool for finding information quickly and efficiently.