BlackLight Quick Start Guide
Version 2019 R3
Welcome to BlackLight
BlackLight is designed with both novice and advanced users in mind. It features a clean interface, easy navigation, and powerful advanced options. This guide is designed to quickly get users up and running and experiencing the power and simplicity of BlackLight.
Recommended System Requirements
OS Specifications | Platform | Processor | RAM | Screen Resolution | Free Disk Space |
---|---|---|---|---|---|
macOS 10.14.6 Windows 10 | Intel 64-bit system | 3.1 GHz 6-Core Intel Xeon E5 or better | 32GB DDR3 or higher | 1680 x 1050 or better | 5 GB (installation only) 25 GB (temporary space) |
Minimum System Requirements
OS Specifications | Platform | Processor | RAM | Screen Resolution | Free Disk Space (for minimal installation of BlackLight) |
---|---|---|---|---|---|
macOS 10.11.4 Windows 7 | Intel based system | 2.7 GHz Intel Dual Core i7 | 16GB DDR3 | 1024 x 768 or better | 5 GB (installation only) 25 GB (temporary space) |
Getting the Most Out of BlackLight
- Maintain a minimum of 20GB of free space on OS drive
- Place the .BlackLight case file on the internal disk of analysis machine
- Evidence file(s) should be on separate internal or external disk
- NTFS, HFS+, APFS formats are recommended (do not use exFAT)
- PCIe SSD recommended
- NVMe RAID
Not Recommended
- DO NOT create case files on a FAT32 or exFAT drive
- DO NOT create case files on the same drive as image files
- DO NOT create case files on RAID 0 storage (striped disk)
- DO NOT create case files on network drives (this is not supported)
Create a BlackLight Case
Upon launching BlackLight, examiners are presented with the Case Manager window:
[Description of Case Manager window showing existing cases and options to create a new one]
Note: Even though it may work, BlackLight does not officially support saving BlackLight cases to network attached drives.
Remember
- Use NTFS, HFS+, or APFS
- Store case file on separate drive
- Do NOT store on RAID 0 (striped disk)
- Do NOT use exFAT
Add Evidence
Select the [Add] button beside Evidence and navigate to the location of the evidence file.
BlackLight Supports:
- .E01, .EX01, .L01, RAW, DMG, AFF4
- macOS sparse bundles and sparse images
- Windows memory images
- SMART, VMDK
- Acquisitions from GrayKey ™
- Direct read of iOS and Android devices
- iOS backup files
Select the evidence file, or the first segment of the evidence, then click 'Select'.
Within the Add Evidence window, BlackLight automatically displays the size of each volume/partition.
Processing Options
BlackLight has a comprehensive list of processing options. In 2019 R3 and later, all processing options are displayed in the Processing Options section of the 'Add Evidence' window. As a general rule, the more options chosen, the longer the evidence takes to process. Most processes can be run later.
Radio Buttons
Three default Processing Options are included in the interface: Preview, Triage, Comprehensive.
Preview: No processing options are selected. BlackLight parses the file system and shows the results in the Browser tab.
When Preview is chosen, BlackLight displays the following warning:
[Warning: Running Preview or skipping normalization will limit the views. By choosing the Preview option or skipping normalization you will only be able to view and search the filesystem. You will not be able to see the data views until the data normalizers have been run.]
Prior to 2019 R3, by default BlackLight automatically normalized all data. Normalization was a background process the user had no control over. It is the normalization process that populates many of the views in BlackLight (Actionable Intel, Communication, Media, Locations, etc.). If you do not run this, only the Browser and File Filter tabs will work.
Processing Options Details
Option | Description |
---|---|
Normalization | BlackLight's internal processes for populating data in Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs |
File Signature Analysis | Compares file signature and file extension to populate Content Extension field |
Picture Analysis | Identify pictures using signature analysis |
Video Analysis | Parse videos and split them into sixteen frame sequences (4 x 4) to allow BlackLight gallery view and % skin tone analysis |
Threat Category Analysis | Image Analyzer used to classify media into Threat Categories |
Calculate Hashes | Hash all files using MD5, SHA-1 and/or SHA-256 algorithms |
Identify Known Files | Identify known file types using hash sets from BlackBag's website, other imported hash sets, or user created hash sets |
File Carving | Recover or attempt to recover deleted files based on defined File Signatures |
Snapshots / Volume Shadow Copies | macOS APFS snapshot and Windows Volume Shadow Copy parsing (LONG PROCESSING TIME) |
File System Journal Analysis | Process the $UsnJrnl file in Windows and .fseventsd logs in macOS |
SpotLight Parsing | macOS Spotlight extended attribute data parsing |
OS Event / Security Logs | Windows $LogFile analysis, EVT/EVTX analysis, and macOS ASL logs |
Process Archives | All archive files (zip, gz, 7z, tar, and rar) are expanded down to two levels of nested archives (CONSUMES A LOT OF DISK SPACE) |
Smart Indexing | Builds a Smart Index of processed allocated data |
Content Search (Bulk extraction) | Runs built-in searches against memory files |
Mail Parsing | Processes Apple Mail and Outlook mail files |
Hiberfil.sys / Pagefile.sys | Processes the Windows hibernation file and pagefile |
Calculate File Entropy | Determines the possible encryption level of files (LONG PROCESSING TIME) |
Note: If the correct processing options are not chosen, many views in BlackLight will NOT contain data.
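Three of the options in the table above (File Signature Analysis, Calculate Hashes / Identify Known Files, and Calculate File Entropy) are generic computations, and seeing them done by hand clarifies what each view is populated from. The following Python is an added example written for this guide; it is not BlackLight's code, and the magic-byte table, the 7.5 bits-per-byte entropy threshold, the sample files and the "known" hash set are all constructed assumptions, not BlackLight's databases or settings.

```python
import hashlib
import math
from collections import Counter

# Assumption: a small magic-byte table. BlackLight's own signature database
# is not public and is not reproduced here.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
    (b"\x1f\x8b", "gzip", {"gz", "tgz"}),
]

# Assumption: Shannon entropy (bits per byte) at or above this value is
# reported as "possibly encrypted/compressed"; BlackLight's cut-off may differ.
ENTROPY_THRESHOLD = 7.5


def detect_signature(data: bytes):
    """Return (content_type, allowed_extensions) from the leading bytes, or None."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def signature_mismatch(name: str, data: bytes) -> bool:
    """True when the magic bytes contradict the file extension (what populates the
    Content Extension field); unknown signatures are not flagged."""
    sig = detect_signature(data)
    return sig is not None and extension_of(name) not in sig[1]


def calculate_hashes(data: bytes) -> dict:
    """The three digests the Calculate Hashes option offers."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def process_evidence(files: dict, known_sha256: set) -> dict:
    """Run the three checks over {filename: bytes}; returns per-file findings."""
    results = {}
    for name, data in files.items():
        hashes = calculate_hashes(data)
        sig = detect_signature(data)
        entropy = shannon_entropy(data)
        results[name] = {
            "content_type": sig[0] if sig else None,
            "extension_mismatch": signature_mismatch(name, data),
            "sha256": hashes["sha256"],
            "known_file": hashes["sha256"] in known_sha256,
            "entropy": round(entropy, 2),
            "possibly_encrypted": entropy >= ENTROPY_THRESHOLD,
        }
    return results


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "evidence": four in-memory files, not real case data.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64,
    "report.pdf": b"%PDF-1.4\n%constructed sample\n" + b"stream\n" * 8,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # PNG bytes under a .txt name
    "vault.dat": _pseudo_random(8192),                 # looks encrypted/compressed
}
# Constructed hash set: pretend report.pdf is a known file.
KNOWN_SHA256 = {hashlib.sha256(SAMPLE_FILES["report.pdf"]).hexdigest()}

if __name__ == "__main__":
    for name, finding in process_evidence(SAMPLE_FILES, KNOWN_SHA256).items():
        print(name, finding)
```

Running it flags notes.txt as an extension mismatch (PNG signature under a .txt name), marks report.pdf as a known file, and reports vault.dat as possibly encrypted while the others stay well below the threshold; this is the same class of result the Browser, File Filter and Media views show once these options have been run.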
Evidence Status
While evidence is processing, BlackLight provides feedback indicating the status of the jobs being processed.
Status Symbols and Meanings
Symbol | Meaning |
---|---|
[Status Indicator] | Overall progress of partition processing for the selected processing options. Green Light shows when processing started. Yellow Light indicates processing is still in progress. Green Light shows when processing completed. Timer shows the time it took to process the partition. |
[Play Icon] | Seen when Parsing or DB Recovery processes are running. |
[Checkmark Icon] | Process has completed. |
[Yellow Circle Icon] | Process has completed, but there are more options to run that were not selected. |
[Hourglass Icon] | Process is running, but not complete. The process cannot be paused. |
[Waiting Icon] | Process is waiting to run. |
[Running Icon] | Process is running, but not complete. The process can be paused. |
[Not Chosen Icon] | Process has not been chosen to run. |
[Cannot Run Icon] | Process cannot run on the partition. |
For each volume being processed, BlackLight provides information about the status of all processing options.
Navigating BlackLight
Select evidence item(s) on the left and a consolidated data view icon above to display the data processed for that particular view.
The main navigation tabs include: Browser, File Filter, Actionable Intel, Communication, Media, Locations, Internet, Productivity, System, Plugins.
Within these views, data can be sorted by various criteria, such as file size.
Processed Data
BlackLight categorizes processed data into several key areas:
- Actionable Intelligence: Processed system/user data.
- Communication: Processed call logs, messages, contacts, email.
- Media: Processed pictures, videos, and audio files.
- Locations: Processed Apple Maps data, location data, WiFi connections.
- Internet: Internet browser data (Safari, Chrome, Firefox, Edge, Internet Explorer).
- Productivity: Calendar and notes data.
- System: Windows registry, applications, system logs, memory analysis.
- Plugins: Data parsed with Apple Pattern of Life Lazy Output'er (APOLLO).
Automatically Processed Data within BlackLight
Artifact | Location | Description |
---|---|---|
Device Backups | Actionable Intel → Device Backups | Stored iOS backups on macOS and Windows computers. iOS backups can be directly imported for processing. |
Device Connections | Actionable Intel → Device Connections | Parsed Windows/macOS USB device connections. |
File Downloads | Actionable Intel → File Downloads | Shows files downloaded by macOS and Windows, along with QuarantineEvents from macOS. |
Jump Lists | Actionable Intel → Program Execution → Jump Lists | Windows 7 and above artifact that shows user interaction with files. |
Link Files | Actionable Intel → File Knowledge → Link Files | Windows user .lnk files. |
Prefetch | Actionable Intel → Program Execution → Prefetch | Windows artifact shows launched applications. |
Program Execution | Actionable Intel → Program Execution → Last Executed | Windows OpenSaveMRU registry key. |
Recent Items | Actionable Intel → File Knowledge → Recent Items | Recent items from NTUSER.dat and macOS recent items. |
Shell Bags | System → Registry → ShellBags | Windows shellbag registry values. |
Superfetch | Actionable Intel → Program Execution → Superfetch | Windows Vista and later artifact that shows launched applications. |
Trash Items | Actionable Intel → File Knowledge → Trash Items | Windows Recycle Bin and macOS Trash items. |
User Accounts | Actionable Intel → Account Usage → User Accounts | Data parsed from Windows SAM file and macOS user plist files. |
User Assist | Actionable Intel → Program Execution → User Assist | Windows applications launched by user. Data parsed from NTUSER.dat. |
Windows Registry | System → Registry → All | Parsed Windows registry hives. |
More Information
The BlackLight User's Guide has detailed instructions on using BlackLight and is text searchable.
Classroom Instruction
BlackBag offers several training courses:
Basic Forensic Investigations
Whether you are first learning the fundamentals of forensic investigation techniques or interested in seeing BlackBag's tools in action, this course is an excellent fit for any forensic professional who could benefit from a full scenario-based investigative tutorial, regardless of prior use of BlackBag tools.
https://www.blackbagtech.com/training/courses/basic-forensic-investigations.html
Apple® Forensic Investigations
This course is composed of the essential techniques every forensic professional needs to triage and analyze macOS and iOS devices. Specially crafted by our expert instructors, this course has something for every level of forensic experience.
https://www.blackbagtech.com/training/courses/apple-forensic-investigations.html
Advanced Apple® Forensic Investigations
As the second part of our Essential Forensic Techniques series, Advanced Apple® Forensic Investigations delves into more complex analysis concepts and includes many specific data points encountered in examinations.
https://www.blackbagtech.com/training/courses/advanced-apple-forensic-investigations.html
Windows® Forensic Investigations
Take your Windows forensic skills to the investigative level. This comprehensive course teaches the in-depth analysis of Windows-based evidence. Developed by our expert instructors with field experience, this course will provide you the skills to thoroughly inspect your digital evidence.
https://www.blackbagtech.com/training/courses/windows-forensic-investigations.html