BlackLight 2018 R3 is officially released and it includes two of the most anticipated features of the year: APFS Snapshots and support for all GrayKey images.
What’s New and Improved?
– Comprehensive report options
– APFS Snapshots
– Streamlined support for all GrayKey image formats
– iOS Hidden Photos
– Enhanced Windows Memory Support
Reporting is a critical step in an investigation, and the latest release of BlackLight includes streamlined reporting options. New in this release is the ability to generate a simple yet comprehensive report on a per-device basis without having to review or tag items. Users can choose to include all Case Data for the entire device or select specific categories within the evidence. In addition, HTML reports are now broken down into smaller pages to make them easier to load onto systems.
APFS Snapshot Parsing
Continuing its APFS support, BlackLight now parses APFS Snapshots. APFS was designed to use Snapshots as a means of built-in backup support. Snapshots leverage the copy-on-write property of APFS to provide “instant” backups of the entire state of an APFS volume. Snapshots can be mounted as read-only volumes that are exact copies of the file system state at the time they were taken. To examine snapshots, simply choose the “Parse Snapshots / Volume Shadow Copies” option from the advanced processing options.
Streamlined Support for all GrayKey Image Formats
GrayKey, by Grayshift, is designed to provide access to devices that were previously inaccessible. In addition, GrayKey images include iOS data that was previously not available due to the limitations of iTunes backups. Using BlackLight as the analysis tool for GrayKey allows full filesystem analysis, memory file support and proper handling of dates, as recommended by Grayshift.
BlackLight examiners can add GrayKey images either by dragging and dropping them onto a case on Mac, or by choosing the ‘Add’ evidence button. BlackLight will process the GrayKey zip file just as if it were processing an iOS backup, except with much more data. BlackLight can handle either the full system image or the backup image. Navigation through the GrayKey image will look the same as if it came straight from the device itself.
If the GrayKey memory file is added, BlackLight will prompt the examiner to choose how to handle it. The file can be brought in as a simple zip file so you can see the contents, or you can treat it as a file and run content searches to get evidentiary items like IP addresses, email addresses, etc.
Enhanced Windows 10 Memory Support
BlackLight now supports Windows 10 Spring Creator Update version 1803 for memory analysis.
iOS 8 Hidden Album Support
Starting with iOS 8, a user could tap and hold on a picture in the Photos app to display the option to “Hide” the picture. The picture would then be placed into an album named “Hidden”. While BlackLight would obtain these pictures during ingestion, it would not be apparent that they had been hidden by the user. Those pictures are now flagged as part of the Hidden album. In addition, they can be filtered on within the File Filter view.
Hash Sets Installer is now Separate From the BlackLight Installer
To streamline updates to the hash sets distributed with BlackLight, they are no longer included with the BlackLight product installer. Instead, they now have their own installer and may be updated as needed from the Software Download page.
Use of exFAT for storage media is NOT recommended.
Due to issues with the Apple file system driver, use of exFAT-formatted storage media may cause serious performance issues when using BlackLight. We highly recommend that you DO NOT use exFAT for storage of your case or image files on macOS, and highly recommend the use of NTFS, HFS, or APFS for storage.
Expanding Tree Structure Using Hotkeys has Changed
The behavior of expanding the tree structure using hotkeys, option-click (Mac) or alt-click (Windows), has been modified. Previously, on views like the browser view, using the hotkey would open the whole tree structure; now it will expand only the top two levels.