Using Custom Hash Sets in BlackLight
The reason is that after you’ve created the custom hash set, you still must run the hash set for each evidence item on which you want to use the hash set filter.
To run a custom hash set, select ‘Evidence Status’ from the ‘Component List.’
Click the yellow play icon in the ‘Known Files’ column for the desired device.
A ‘Hash Sets’ window appears. Activate the checkbox for the custom hash set, select OK, and wait momentarily for processing to complete.
The ‘Known Files’ column reads ‘Pending’ until the process is complete. When the process is complete, select the device in the ‘Component List’ and choose the ‘File Filter’ view.
Select [Hash Set] from the left drop-down menu if it’s not already selected. Voilà! Now you’ll see your custom hash set as an option in the right drop-down box. Select it and choose the the Filter button on the far right to run the filter.
Remember that you’ll need to repeat this process for each item in the ‘Component List’ for which you want to run the custom hash set filter.
If you have more questions about file filtering in BlackLight, our training team is always at the ready, so reach out.
Latest posts by BlackBag Training Team (see all)
- Why Acquire T2 Macs with MacQuisition? - September 29, 2019
- MacQuisition: Taking Away the Guess Work - September 10, 2019
- A Present From Santa (APFS): Providing APFS support to The Sleuth Kit® Framework - December 19, 2018