Insights Blog

Getting Through the Data Quickly

By Stephanie Thompson, Solutions Engineer

Using File Filters

Data, data, and more data!!  With hard drives and mobile devices constantly increasing in size, investigators are always looking for ways to get to data quickly.  File filtering within BlackLight is one way this can be done.

BlackLight comes with 30+ already configured filters that can make your life a whole lot easier.  In this blog post, we are going to focus on four that you may or may not know about so you can see how quick and powerful these features can be.

These are the file filters available in the File Filter tab in BlackLight 2019 R3:

Filter | Description
List All Files | Display all files on selected device
Name | Filter files by name
Path | Filter files in a named directory (folder)
Kind | Filter by genus or category
Extension | Filter by file type based on extension (.doc, .txt, .jpg)
Content Extension | Filter by file type based on header information
Extension Matching | Filter by file type based on header and extension
Tagged State | Filter files that are tagged or not tagged
Tag Name | Filter files by Tag Name
Size | Filter by file size
Date Created | Filter by creation date
Date Modified | Filter by date modified
Date Accessed | Filter by last access date
Date Added | Filter by date added
BlackLight ID | Filter by the record ID stored within the casefile database
File System ID | Filter by the HFS catalog (node ID) / MFT ID number
Hash Set | Filter files with known hash values
Hash Set Category | Filter files based on hash set category
File Hash | Filter files based on a specific hash set
List Duplicate Files | Filter the duplicate files by hash
Suppress Duplicate Files | Filter out any duplicate files
File Entropy | Filter by file entropy value
Locked | Filter files with a locked flag
Resource Fork | Filter files that have a resource fork
Alternate Data Stream | Filter files that have an alternate data stream
Visibility | Filter hidden or visible files
iOS Hidden Files | Filter iOS hidden files
Metadata Field | Filter on the metadata attribute field
Metadata Value | Filter on the metadata attribute value
Spotlight Field | Filter on the Spotlight attribute field
Spotlight Value | Filter on the Spotlight attribute value
Internal Filter | Filter for displaying custom SQL from the details view
Snapshot/VSC | Filter files that have a Snapshot or Volume Shadow Copy version

File Filter Example 1 – Signature Analysis

You may have noticed within BlackLight that there isn’t a column or view that readily points out a file signature mismatch.  When you look at the file structure within Browser, BlackLight has a column for Extension, showing the file type based solely on the specified extension, and a column for Content Extension, showing the file type based on the header information.  Neither of these columns displays whether the content header matches the specified extension.  You are able to sort by each of these columns, but trying to pick out bad signatures in this view would be very tedious.

BlackLight 2019 R3 updates file filters to make compound filtering easier.  You can filter on a group of conditions and/or individual conditions.  For signature analysis there are several ways to go about it.  First, we need to check whether the extension and content extension are not equal, meaning the file extension differs from the file signature.  Second, we can narrow down the results to focus on specific file types.  In this example, we are looking for files with a content extension (file signature) of JPG, GIF, or PNG, as well as files where the file extension is not null (this removes many of the false positives that occur for files with no file extension).

Figure 1 – File Filter for jpg, gif, and png files with mismatched extension
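As an added illustration (not BlackLight code or BlackBag's own logic), here is the same compound test written in Python: the header lookup, the alias table and the sample files are constructed for the example.

```python
import os
from typing import Iterable, List, Optional, Tuple

# Magic numbers for the three image types the blog's filter targets.
# Constructed lookup; BlackLight's own Content Extension logic is not public here.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
# Treat these spellings as one type so .jpeg does not trip the filter.
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

def content_extension(header: bytes) -> Optional[str]:
    """File type implied by the header bytes (the Content Extension), or None if unknown."""
    for ext, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None

def name_extension(name: str) -> Optional[str]:
    """Normalised extension from the file name (the Extension column), or None if absent."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return EXTENSION_ALIASES.get(ext, ext) if ext else None

def is_signature_mismatch(name: str, header: bytes) -> bool:
    """The blog's compound filter: Content Extension in {jpg, gif, png}
    AND Extension is not null AND Extension != Content Extension."""
    content = content_extension(header)
    if content is None:
        return False  # not one of the image types being hunted
    ext = name_extension(name)
    if ext is None:
        return False  # no extension: excluded to avoid the false positives the blog mentions
    return ext != content

def find_mismatches(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Names of files whose extension disagrees with their header."""
    return [name for name, header in files if is_signature_mismatch(name, header)]

# Constructed sample evidence: (file name, first bytes of content).
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # extension matches header
    ("notes.txt", b"\x89PNG\r\n\x1a\n\x00\x00"),       # PNG behind a .txt name
    ("report.docx", b"GIF89a\x01\x00"),                # GIF behind a .docx name
    ("README", b"\xff\xd8\xff\xdb"),                   # JPG with no extension: skipped
    ("photo.jpeg", b"\xff\xd8\xff\xe1"),               # alias of jpg, not a mismatch
    ("budget.xlsx", b"PK\x03\x04"),                    # zip-based type, not targeted
]
```

Running find_mismatches(SAMPLE_FILES) reports only notes.txt and report.docx, which is the same result set the Figure 1 filter produces.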

File Filter Example 2 – Changes in Volume Shadow Copies and APFS Snapshots

Sometimes examiners choose not to process volume shadow copies or APFS snapshots because it can be time intensive.  For some examinations, however, pertinent information can be found in the VSCs or APFS snapshots.  To make the most of your analysis time, process the VSCs and snapshots overnight.  When you come back to the office you can easily run a filter to show you the differences.  BlackLight will tell you if there are files in an older VSC or snapshot that are no longer in the active volume, as well as files that appear in both but have been changed.

Any snapshots and volume shadow copies that BlackLight processes will be brought back into your casefile as a virtual evidence item.  This allows for easier analysis and filtering.  With the active partition and all Snapshots/VSCs selected, we can go to the File Filter tab.  Below are the options built into BlackLight to filter against Snapshots/VSCs:

Figure 2 – File Filter options for Snapshots/VSCs

In our example below (Figure 3), at the very bottom of the screen we can see that the data was filtered down to 3,638 files.  There is a column for Version Index that shows which snapshot or shadow copy that file appears in.

Figure 3 – VSC File Filter results

After selecting a file, contextual clicking (right-click in Windows, command-click in macOS) will bring up a menu with various options including File History.  When File History is selected, BlackLight will open a screen that shows the different versions available for that file.  A file displayed in red italics with a strikethrough (Figure 4) indicates the file was found in a Snapshot/VSC but is no longer available on the active partition.

Figure 4 – File History view
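Added example, not code from BlackLight or the post: the comparison the Snapshot/VSC filter and the File History view perform, run over constructed listings keyed by a version index (version 0 is taken here as the active volume, an assumption made for the example).

```python
from typing import Dict, List, Tuple

# Constructed file listings: version index -> {path: content hash}.
# Version 0 is the active volume; higher indexes are older snapshots/VSCs.
# That ordering is an assumption for this example, not BlackLight's numbering.
VERSIONS: Dict[int, Dict[str, str]] = {
    0: {"/Users/a/notes.txt": "h1", "/Users/a/plan.docx": "h7", "/Users/a/new.pdf": "h9"},
    1: {"/Users/a/notes.txt": "h1", "/Users/a/plan.docx": "h5", "/Users/a/secret.xlsx": "h3"},
    2: {"/Users/a/notes.txt": "h1", "/Users/a/plan.docx": "h4", "/Users/a/secret.xlsx": "h2"},
}

def file_history(versions: Dict[int, Dict[str, str]], path: str) -> List[Tuple[int, str]]:
    """Every (version index, hash) pair in which the path appears, like the File History view."""
    return [(idx, files[path]) for idx, files in sorted(versions.items()) if path in files]

def classify(versions: Dict[int, Dict[str, str]], active_index: int = 0) -> Dict[str, str]:
    """Label each path the way the post describes the filter results:
    'deleted'   - in a snapshot/VSC but no longer on the active volume (red strikethrough)
    'changed'   - on the active volume with a different hash in some snapshot/VSC
    'unchanged' - same hash in every version it appears in
    'new'       - only on the active volume, no snapshot/VSC copy"""
    active = versions[active_index]
    all_paths = set().union(*(files.keys() for files in versions.values()))
    result = {}
    for path in all_paths:
        hist = file_history(versions, path)
        if path not in active:
            result[path] = "deleted"
        elif len(hist) == 1:
            result[path] = "new"
        elif len({h for _, h in hist}) > 1:
            result[path] = "changed"
        else:
            result[path] = "unchanged"
    return result

def interesting(versions: Dict[int, Dict[str, str]], active_index: int = 0) -> Dict[str, str]:
    """What the Snapshot/VSC filter surfaces for review: only deleted and changed files."""
    return {p: c for p, c in classify(versions, active_index).items() if c in ("deleted", "changed")}
```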

File Filter Example 3 – Spotlight Information in macOS

The Spotlight index within macOS has proven to contain a wealth of information for examiners.  So much additional metadata is available for files, information that could help answer questions about who created the file, how many times a file has been opened, and where the file came from.  Once Spotlight metadata has been processed for an evidence item in BlackLight, files can be filtered based on this metadata.  For example, to look at where a file came from there is a key called kMDItemWhereFroms.  Use the built-in Spotlight Field File Filter to search for wherefrom.  Combine that with other filters such as file type to narrow down the data even more:

Figure 5 – Spotlight File Filter

In the above example, we are looking for JPEGs that have the kMDItemWhereFroms key populated.  After selecting a file, the Metadata tab of the ‘Content Pane’ shows all the associated metadata for that particular file.  In this case, the WhereFroms show that this picture came from a specific email address and was sent through Messages file transfer.

File Filter Example 4 – Hash Set Comparisons

BlackBag provides a few hash sets that are optional installs for BlackLight, including Known Windows System Files, Known OS X System Files, Hashkeeper 2.0 (Known CP), and Hashkeeper 2.0 (Suspected CP).  You also have the option of importing your own hash sets as well as creating hash sets from existing case files.  Once the hash sets are imported and processed against the current image, a File Filter can be run to show files that exist in a specific hash set, or files that do not.  Below is an example showing files that are in a user-created hash set, Bennett-Racer-R3-Geolocation.

Figure 6 – Hash set File Filter

Conclusion

These are just a few of the filters that can help examiners get through their data quickly.  With over 30 filters already built into BlackLight (and quick triage processing options available), the size of evidence items doesn’t have to be the bane of your existence.  The additional filter capabilities in BlackLight 2019 R3 and the ability to group these filters make a powerful tool for finding information quickly and efficiently.
