ACTIONABLE INTEL
EASILY UNCOVER USER ACTIONS
BlackLight’s Actionable Intel view allows examiners to view various data points that can be attributed to a user’s actions. Traces of potentially important user activity from many disparate locations are organized for practical, efficient examination. Elements include:
- Windows Registry artifacts – recently executed files and programs, link files, jumplists, Prefetch and Superfetch data
- Device connection data for all devices previously connected to the system, including USB device connection dates/times and the associated user account
- Trash (for Mac OS X volumes) and Recycle Bin (for Windows volumes)
- Current and deleted user account info
MEMORY
ANALYZE WINDOWS MEMORY FILES
- Analyzes several types of memory files, including raw dumps, Hibernation files (Windows Vista to Windows 10), pagefile.sys, and crash dumps (full, from Windows Vista or 7)
- Performs file carving and bulk extraction content searches (for numerous items such as URLs, addresses, phone numbers, etc.)
- Features a Memory subview for analyzing processes, libraries, sockets, handles, and drivers
- Processes memory files many times faster than traditional open-source forensic tools
FILE FILTER VIEW
EFFICIENTLY SIFT THROUGH LARGE DATA SETS
BlackLight’s signature File Filter view includes examiner-defined filter options to quickly pinpoint relevant data within large data sets. Filter criteria include:
- File name, kind, size, or extension
- Date created, modified, or accessed
- Picture metadata attributes, including GPS coordinates and camera (iPhone/iPad device) type
- Positive and negative hash set filtering
Examiners may apply any number of filters or inverse filters to quickly isolate important data from system files or base application files. BlackLight comes with several pre-set file filters, including those that filter by file type, file attribute, geolocation coordinates, and source device type.
MEDIA
FIND THE PICTURE AND VIDEO EVIDENCE YOU NEED
BlackLight’s Media view has built-in support for all commonly used picture and video file types, and it includes several helpful and examiner-oriented analysis features, such as:
- Built-in GPS Mapping:
  - All media files containing GPS data will be identified with a placemark badge
  - Examiners can view media geolocation data on a Mercator map (offline) or using Google Maps (online) directly from the built-in GPS view
- Proprietary Skin Tone Analysis Algorithm:
  - Sort picture and video files by the skin tone percentage contained in the file
- Video Frame Analysis:
  - BlackLight initially displays video files as 4×4 frame sequences, allowing examiners to quickly triage multiple video files in order to locate potential evidence
COMMUNICATIONS
RECOVER EVERY MESSAGE FROM THE MOST COMMON SOURCE
The Communication view in BlackLight allows examiners to see a full log of calls, voicemail, social media activity, and more. Most importantly, examiners can view messaging threads in list view or in their native format, with support for data from:
- Text Services (SMS/MMS, iMessage)
- Messaging Apps (Skype, Kik, TextPlus, TextFree, Tango)
- Social Media (Facebook, Twitter, LinkedIn, Foursquare/Swarm)
REPORTING
CUSTOMIZE YOUR REPORT
BlackLight is designed to make reporting incredibly flexible. Examiners may export large data sets in an easily readable format, and can export reports in a variety of formats to enable easy information sharing with all interested third parties. With BlackLight’s Report view, you can:
- Easily tag evidence and include any and all relevant metadata in the examiner report
- Export your report in your choice of formats, including .pdf, .html, .docx, and .txt
- Export eDiscovery data to a generic Concordance load file that is compatible with all major review platforms
- Mask (blur) sensitive data contained within examiner reports that may be shared with non-authorized third parties
IOS
- iPhone 3G and newer with iOS 4.0 to 10.0
- All iPads with iOS 4.0 to 10.0
- iPod Touch 2G and newer with iOS 4.0 to 10.0
ANDROID
- Devices running Android 4.0.4 to 6.0
- Devices manufactured by: Samsung, Motorola, HTC, LG, Google Nexus
- Note*: Additional devices running Android 4.0 or later may function properly if the appropriate USB driver for Windows OS is installed
BlackLight 2016 R3 & R3.1 implement several new features and improvements, including the following:
- Windows 8 and 10 hiberfil.sys and Raw Memory Parsing, Searching, and Analysis
- Windows Event Log and Apple System Log Parsing and Analysis
- iOS and OS X Recents Database Parsing
- Additional iOS 10 Encrypted Backup Support
- New Data Structure Templates
- Windows Hash Set Included
- Type-down Feature in List Views
- Go To Position (Offset) in Hex View
- Internet History Parsing for Internet Explorer 10, 11, and Edge
- Social Media Parsing of ooVoo, Kik Attachments, iOS Message GPS
- Time Machine Folder Hard Links Resolved
- Support for iOS 10.2 Backup Encryption
- EWMounter Update for macOS Sierra