QUICK START GUIDE VERSION 2020 R1
300 Piercy Road • San Jose, CA 95138 • 408.844.8890 • https://www.blackbagtech.com Page 1
WELCOME TO BLACKLIGHT QUICKSTART GUIDE
BlackLight© is designed with both novice and advanced users in mind. It features a clean interface, easy navigation, and powerful advanced options. This guide is designed to quickly get users up and running and experiencing the power and simplicity of BlackLight.
Recommended System Requirements:
OS Specifications: macOS 10.14.6 / Windows 10
Platform: Intel 64-bit system
Processor: 3.1 GHz 6-Core Intel Xeon E5 or better
RAM: 32GB DDR3 or higher
Screen Resolution: 1680 x 1050 or better
Free Disk Space: 5 GB (installation only), 25 GB (temporary space)
Note: In testing, BlackLight performed best on macOS 10.14.6.
Minimum System Requirements
OS Specifications: macOS 10.12.6 (El Capitan) / Windows 10 1809
Platform: Intel based system
Processor: 2.7 GHz Intel Dual Core i7
RAM: 16GB DDR3
Screen Resolution: 1024 x 768 or better
Free Disk Space (for minimal installation of BlackLight): 5 GB (installation only), 25 GB (temporary space)
© 2020 BlackBag Technologies, Inc. BlackLight® Quick Start Guide Page 2
Getting the Most Out of BlackLight
• Maintain a minimum of 20GB of free space on OS drive
• Place the .BlackLight case file on the internal disk of analysis machine
• Evidence file(s) should be on separate internal or external disk
• NTFS, HFS+, APFS formats are recommended (do not use exFAT)
• PCIe SSD recommended
• NVMe RAID
Not Recommended
DO NOT
• Create case files on a FAT32 or exFAT drive
• Create case files on the same drive as image files
• Create case files on a RAID0 storage (striped disk)
• Create case files on network drives (this is not supported)
CREATE A BLACKLIGHT CASE
Upon launching BlackLight, examiners are presented with the Case Manager window:
ADD EVIDENCE
Select beside Evidence and navigate to the location of the evidence file
Select the evidence file, or the first segment of the evidence, then click 'Select'.
Within the Add Evidence window, BlackLight automatically displays the size of each volume/partition.
PROCESSING OPTIONS
BlackLight has a comprehensive list of processing options. In 2019 R3 and later, all processing options are displayed in the Processing Options: section of the 'Add Evidence' window. As a general rule, the more options chosen, the longer the evidence takes to process. Most processes can be run later.
Radio Buttons
Three default Processing Options are included in the interface.
When Preview is chosen, BlackLight displays the following warning:
Prior to 2019 R3, by default BlackLight automatically extracted or normalized all data. Extract Data was a background process the user had no control over. It is the Extract Data, or normalization process, that populates many of the views in BlackLight (Actionable Intel, Communication, Media, Locations, etc.). If you do not run this, only the Browser and File Filter tabs will work.
Option | Description
Extract Data | BlackLight's internal processes for populating data in the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs
File Signature Analysis | Compares file signature and file extension to populate the Content Extension field
Picture Analysis | Identify pictures using signature analysis
Video Analysis | Parse videos and split them into sixteen-frame sequences (4 x 4) to allow BlackLight gallery view and % skin tone analysis
Threat Category Analysis | Image Analyzer used to classify media into selected Threat Categories
Calculate Hashes | Hash all files using MD5, SHA-1 and/or SHA-256 algorithms
Identify Known Files | Identify known file types using hash sets from BlackBag's website, other imported hash sets, or user-created hash sets
File Carving | Recover or attempt to recover deleted files based on defined File Signatures
Snapshots / Volume Shadow Copies | macOS APFS Snapshots and Windows Volume Shadow Copy parsing (LONG PROCESSING TIME)
File System Journal Analysis | Process $UsnJrnl and $LogFile files on Windows and .fsevents on macOS
Spotlight Parsing | macOS Spotlight extended attribute data parsing
OS Event / Security Logs | Windows EVT/EVTX analysis, macOS ASL logs, and macOS Unified Logs
Process Archives | All archive files (zip, gz, 7z, tar, and rar) are expanded down to two levels of nested archives (CONSUMES A LOT OF DISK SPACE)
Smart Indexing | Builds a Smart Index of processed allocated data
Content Search (Bulk extraction) | Runs built-in searches against memory files
Mail Parsing | Processes Apple Mail and Outlook mail files
iCloud Backups | Ingests and processes iOS backups from iCloud zip archives extracted from encrypted GPG files containing iCloud device backups. These files can be obtained from Apple with a valid search warrant.
Hiberfil.sys / Pagefile.sys | Processes the Windows memory hibernation file and pagefile
Calculate File Entropy | Determines the possible encryption level of files (LONG PROCESSING TIME)
Manage Passwords | Enter a password or a list of passwords to unlock and parse Apple keychains on macOS or iOS devices
Note: If the correct processing options are not chosen, many views in BlackLight will NOT contain data.
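The table above describes what File Signature Analysis, Calculate Hashes and Calculate File Entropy produce but not how. The following is an added illustration, not BlackLight's own code: it derives a Content Extension from leading bytes, flags extension mismatches, hashes each file, and computes Shannon entropy as a coarse encryption indicator. The signature table, the 7.5 bits/byte threshold and the sample files are constructed assumptions.

```python
# Added example, not BlackLight's own code: illustrates what the "File Signature
# Analysis", "Calculate Hashes" and "Calculate File Entropy" options compute.
# The signature table and sample files are constructed for the demo.
import hashlib
import math
from collections import Counter

# Constructed subset of leading-byte signatures (real tools carry thousands).
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
              b"PK\x03\x04": "zip", b"%PDF-": "pdf"}

SAMPLES = {  # constructed sample "files": name -> contents
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(64),
    "report.pdf": b"PK\x03\x04" + bytes(64),   # zip content behind a .pdf name
    "blob.bin": bytes(range(256)) * 4,         # uniform bytes: maximal entropy
}

def content_extension(data: bytes) -> str:
    """Extension implied by leading bytes, or 'unknown' (the Content Extension field)."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return "unknown"

def signature_mismatch(name: str, data: bytes) -> bool:
    """True when a recognised signature disagrees with the claimed extension."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return content_extension(data) not in ("unknown", claimed)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyse(name: str, data: bytes) -> dict:
    """One record per file: hash, signature result, and an entropy verdict."""
    e = shannon_entropy(data)
    return {"name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "content_extension": content_extension(data),
            "mismatch": signature_mismatch(name, data),
            "entropy_bits": round(e, 2),
            # > 7.5 bits/byte is a common cue for encrypted or compressed data,
            # not proof: compressed media scores high too.
            "possibly_encrypted": e > 7.5}

def analyse_samples() -> list:
    return [analyse(n, d) for n, d in SAMPLES.items()]
```

A high entropy score alone does not prove encryption; the signature result and surrounding artifacts should be read together.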
EVIDENCE STATUS
While evidence is processing, BlackLight provides feedback indicating the status of the jobs being processed.
Symbol meanings (status icons are not reproduced in this transcript):
• Overall progress of partition processing for the selected processing options.
• Green Light shows when processing started.
• Yellow Light indicates processing is still in progress.
• Green Light shows when processing completed.
• Timer shows the time it took to process the partition.
• Seen when Parsing or DB Recovery processes are running.
• Process has completed.
• Process has completed, but there are more options to run that were not selected.
• Process is running, but not complete. The process cannot be paused.
• Process is waiting to run.
• Process is running, but not complete. The process can be paused.
• Process has not been chosen to run.
• Process cannot run on the partition.
For each volume being processed, BlackLight provides information about the status of all processing options.
NAVIGATING BLACKLIGHT
Select evidence item(s) on the left and a consolidated data view icon above to display the data processed for that particular view.
Processed Data
Actionable Intelligence: Processed system/user data.
Communication: Processed call logs, messages, contacts, email.
Media: Processed pictures, videos, and audio files.
Locations: Processed Apple Maps data, location data, WiFi connections.
Internet: Internet browser data (Safari, Chrome, Firefox, Edge, Internet Explorer).
Productivity: Calendar and notes data.
System: Windows registry, applications, system logs, memory analysis.
Plugins: Data parsed with Apple Pattern of Life Lazy Output'er (APOLLO).
PROCESSED DATA - AUTOMATICALLY PROCESSED DATA WITHIN BLACKLIGHT
Artifact | Location | Description
Device Backups | Actionable Intel → Device Backups | Stored iOS backups on macOS and Windows computers. iOS backups can be directly imported for processing.
Device Connections | Actionable Intel → Device Connections | Parsed Windows/macOS USB device connections.
File Downloads | Actionable Intel → File Downloads | Files downloaded by macOS and Windows, along with QuarantineEvents from macOS.
Jump Lists | Actionable Intel → Program Execution → Jump Lists | Windows 7 and later artifact that shows user interaction with files.
Link Files | Actionable Intel → File Knowledge → Link Files | Windows user .lnk files.
Prefetch | Actionable Intel → Program Execution → Prefetch | Windows artifact that shows launched applications.
Program Execution | Actionable Intel → Program Execution → Last Executed | Windows OpenSaveMRU registry key.
Recent Items | Actionable Intel → File Knowledge → Recent Items | Recent items from NTUSER.dat and macOS recent items.
Shell Bags | System → Registry → ShellBags | Windows shellbag registry values.
Superfetch | Actionable Intel → Program Execution → Superfetch | Windows Vista and later artifact that shows launched applications.
Trash Items | Actionable Intel → File Knowledge → Trash Items | Windows Recycle Bin and macOS Trash items.
User Accounts | Actionable Intel → Account Usage → User Accounts | Data parsed from the Windows SAM file and macOS user plist files.
User Assist | Actionable Intel → Program Execution → User Assist | Windows applications launched by the user. Data parsed from NTUSER.dat.
Windows Registry | System → Registry → All | Parsed Windows registry hives.
Unified Logs | System → System Logs → UnifiedLog | Unified Log records.
MORE INFORMATION
The BlackLight User's Guide has detailed instructions on using BlackLight and is text searchable.
CLASSROOM INSTRUCTION
Basic Forensic Investigations
Whether you are first learning the fundamentals of forensic investigation techniques or interested in seeing BlackBag's tools in action, this course is an excellent fit for any forensic professional who could benefit from a full scenario-based investigative tutorial, regardless of prior use of BlackBag tools.
https://www.blackbagtech.com/training/courses/basic-forensic-investigations.html
Apple® Forensic Investigations
This course is composed of the essential techniques every forensic professional needs to triage and analyze macOS and iOS devices. Specially crafted by our expert instructors, this course has something for every level of forensic experience.
https://www.blackbagtech.com/training/courses/apple-forensic-investigations.html
Advanced Apple® Forensic Investigations
As the second part of our Essential Forensic Techniques series, Advanced Apple® Forensic Investigations delves into more complex analysis concepts and includes many specific data points encountered in examinations.
https://www.blackbagtech.com/training/courses/advanced-apple-forensic-investigations.html
Windows® Forensic Investigations
Take your Windows forensic skills to the investigative level. This comprehensive course teaches the in-depth analysis of Windows-based evidence. Developed by our expert instructors with field experience, this course will provide you with the skills to thoroughly inspect your digital evidence.
https://www.blackbagtech.com/training/courses/windows-forensic-investigations.html