BlackBag Announces Release of BlackLight 2019 R3
BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. We’ve also enhanced features added earlier this year to make them even more powerful in solving cases.
Enhancements and Improvements include:
- New Processing options to help triage data
- Parsing of Apple Unified Logs
- New Windows Artifacts Parsed in Actionable Intel
- Passware Integration to decrypt images of devices with full disk encryption
- Redesign of File Filters enabling the creation of complex file filters
- Additional support for processing Cellebrite extractions
- Support added to process macOS 10.15 Time Capsule backups
- Updates to parse artifacts in the latest versions of Firefox, Chrome, and Safari
- Redesign of the Evidence Status View
New Feature Highlights:
Processing Options – Triaging Devices
One of the greatest features of BlackLight is the location and extraction of data of interest, parsed into the [Actionable Intel], [Communication], [Locations], [Internet], [Productivity], and [System] tabs. This allows quick access to high-value data. In previous versions of BlackLight, during initial data ingestion, “Normalizing” would appear in Evidence Status, indicating data was being extracted to populate these BlackLight views. The user had no control over which data was processed.
BlackLight 2019 R3 allows the user to choose exactly what data will be extracted, allowing greater flexibility when processing data. The user can quickly preview data from the evidence source without running any Extract Data processes or choose to run only selected Extract Data processes at the time of ingestion. If the examiner is looking for a specific type of data, especially on cases with multiple devices, extracting the data they are looking for can reduce the processing required by focusing in on the devices with relevant data. The Extract Data processes not run during initial evidence processing are available to run later from ‘Evidence Status.’ To learn more about processing options for triaging devices, visit our release notes.
Evidence Status Update
The Evidence Status view has changed, with a clearer view for each volume and its associated processing options. Instead of a table-like listing with columns associated with each process, each volume or device has an area displaying the status for all of its processing options. The same icons are used to depict the status of each process. To learn more, check out our release notes.
Windows Artifacts Parsed in Actionable Intel
Additional Windows Artifacts are now parsed in Actionable Intel. The addition of these artifacts prompted a redesign of the [Actionable Intel] tab. Previous versions relied on sub-tabs to access information like Device Connections and Device Backups. The new design provides a list of Actionable Intel items parsed on the left side of the ‘Content Pane.’ Information can be accessed and displayed by selecting the desired category from the list. To learn more about Windows Artifacts parsed in Actionable Intel and see examples, read our release notes.
Full Disk Decryption with Passware
Continuing to partner with other industry leaders, Passware has been integrated into BlackLight 2019 R3. Currently, images with the following types of full disk encryption can be decrypted with the proper decryption credentials:
- FileVault 2
- LUKS (Linux Unified Key Setup)
When an image file using one of these encryption types is added to BlackLight, it is identified as a locked partition. To learn more about full disk encryption, visit our release notes.
Apple Unified Logs
Starting in macOS 10.12, Apple changed to a new log format, unified logs. The reason for moving to this format was to have a common log format across all Apple operating systems including macOS, iOS, watchOS, and tvOS. With the release of BlackLight 2019 R3, unified logs are parsed with the ‘OS Event / Security Logs’ initial processing option or ‘Events/Logs’ from ‘Evidence Status’ for macOS devices.
The amount of data stored in Unified Logs is massive. During times of intense activity, 10,000 records can be added to the logs in a minute. This can result in millions of records in Unified Logs. Loading millions of records into the BlackLight graphical user interface and manually reviewing them could take a significant amount of time. To perform a more efficient analysis of Unified Log records, filter for data of interest.
To learn more about these features and additional enhancements, visit www.blackbagtech.com/products/blacklight.
For more information, watch our on-demand webinar to see how to quickly triage systems with new BlackLight features and our integration with Passware Kit Forensic. Register here.
- BlackBag Announces Release of BlackLight 2019 R3 - December 16, 2019