INSTALLATION GUIDE
QUICK START GUIDE, VERSION 2019 R3
300 Piercy Road • San Jose, CA 95138 • 408.844.8890 • https://www.blackbagtech.com Page 1
WELCOME TO THE BLACKLIGHT QUICK START GUIDE
BlackLight® is designed with both novice and advanced users in mind. It features a clean interface, easy navigation, and powerful advanced options. This guide is designed to get users up and running quickly and experiencing the power and simplicity of BlackLight.
Recommended System Requirements:
OS: macOS 10.14.6 or Windows 10
Platform: Intel 64-bit system
Processor: 3.1 GHz 6-core Intel Xeon E5 or better
RAM: 32 GB DDR3 or higher
Screen Resolution: 1680 x 1050 or better
Free Disk Space: 5 GB (installation only), 25 GB (temporary space)
© 2019 BlackBag Technologies, Inc. BlackLight® Quick Start Guide Page 2
Minimum System Requirements:
OS: macOS 10.11.4 or Windows 7
Platform: Intel-based system
Processor: 2.7 GHz Intel dual-core i7
RAM: 16 GB DDR3
Screen Resolution: 1024 x 768 or better
Free Disk Space (for a minimal installation of BlackLight): 5 GB (installation only), 25 GB (temporary space)
Getting the Most Out of BlackLight
• Maintain a minimum of 20 GB of free space on the OS drive
• Place the .BlackLight case file on the internal disk of the analysis machine
• Evidence file(s) should be on a separate internal or external disk
• NTFS, HFS+, and APFS formats are recommended (do not use exFAT)
• PCIe SSD recommended
• NVMe RAID
Not Recommended (DO NOT):
• Create case files on a FAT32 or exFAT drive
• Create case files on the same drive as image files
• Create case files on RAID0 storage (striped disk)
• Create case files on network drives (this is not supported)
CREATE A BLACKLIGHT CASE
Upon launching BlackLight, examiners are presented with the Case Manager window.
ADD EVIDENCE
Select the button beside Evidence and navigate to the location of the evidence file.
Select the evidence file, or the first segment of a segmented evidence file, then click 'Select'.
Within the Add Evidence window, BlackLight automatically displays the size of each volume/partition.
PROCESSING OPTIONS
BlackLight has a comprehensive list of processing options. In 2019 R3 and later, all processing options are displayed in the Processing Options section of the 'Add Evidence' window. As a general rule, the more options chosen, the longer the evidence takes to process. Most processes can be run later.
Radio Buttons
Three default Processing Option sets are offered as radio buttons in the interface.
When Preview is chosen, BlackLight displays a warning.
Prior to 2019 R3, BlackLight automatically normalized all data by default. Normalization was a background process the user had no control over. It is the normalization process that populates many of the views in BlackLight (Actionable Intel, Communication, Media, Locations, etc.). If you do not run it, only the Browser and File Filter tabs will contain data.
Options and their descriptions:
Normalization: BlackLight's internal processes for populating data in the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs.
File Signature Analysis: Compares the file signature and file extension to populate the Content Extension field.
Picture Analysis: Identifies pictures using signature analysis.
Video Analysis: Parses videos and splits them into sixteen-frame sequences (4 x 4) to allow the BlackLight gallery view and % skin tone analysis.
Threat Category Analysis: Image Analyzer is used to classify media into Threat Categories.
Calculate Hashes: Hashes all files using the MD5, SHA-1 and/or SHA-256 algorithms.
Identify Known Files: Identifies known file types using hash sets from BlackBag's website, other imported hash sets, or user-created hash sets.
File Carving: Recovers, or attempts to recover, deleted files based on defined File Signatures.
Snapshots / Volume Shadow Copies: macOS APFS Snapshot and Windows Volume Shadow Copy parsing. LONG PROCESSING TIME.
File System Journal Analysis: Processes the $UsnJrnl file on Windows and .fsevents on macOS.
Spotlight Parsing: macOS Spotlight extended attribute data parsing.
OS Event / Security Logs: Windows $log analysis, EVT/EVTX analysis, and macOS ASL logs.
Process Archives: All archive files (zip, gz, 7z, tar, and rar) are expanded down to two levels of nested archives. CONSUMES A LOT OF DISK SPACE.
Smart Indexing: Builds a Smart Index of processed allocated data.
Content Search (Bulk extraction): Runs built-in searches against memory files.
Mail Parsing: Processes Apple Mail and Outlook mail files.
Hiberfil.sys / Pagefile.sys: Processes the Windows hibernation file and pagefile.
Calculate File Entropy: Determines the possible encryption level of files. LONG PROCESSING TIME.
Note: If the correct processing options are not chosen, many views in BlackLight will NOT contain data.
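To make three of the options above concrete, the following Python script is an added example (not BlackLight's own code, and not how BlackLight implements these processes internally). It runs a simplified File Signature Analysis (content-derived extension versus the extension on disk), Calculate Hashes (MD5, SHA-1 and SHA-256 in one pass) with an Identify Known Files lookup against a hash set, and Calculate File Entropy (Shannon entropy as an indicator of possible encryption or compression) over a small set of constructed sample files. The signature table, the hash set and the sample files are all assumptions built inside the script; a real hash set would come from BlackBag's website or be user created, as the table says.

```python
"""Added example, not BlackLight code: a simplified version of three processing
options (File Signature Analysis, Calculate Hashes + Identify Known Files,
Calculate File Entropy) run over constructed sample files."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import Dict, Optional, Tuple

# Assumed minimal magic-number table; a real tool carries hundreds of entries.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}

# Constructed hash set: the MD5 of the bytes b"hello", labelled as a known file.
KNOWN_HASHES = {"5d41402abc4b2a76b9719d911017c592": "demo-known-set"}


def content_extension(data: bytes) -> Optional[str]:
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def signature_mismatch(path: str) -> Tuple[str, Optional[str], bool]:
    """File Signature Analysis: compare on-disk extension with content extension."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as f:
        head = f.read(16)
    detected = content_extension(head)
    return ext, detected, detected is not None and detected != ext


def calculate_hashes(path: str) -> Dict[str, str]:
    """Calculate Hashes: MD5, SHA-1 and SHA-256 computed in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def identify_known(hashes: Dict[str, str], hash_set: Dict[str, str]) -> Optional[str]:
    """Identify Known Files: return the hash-set label for any matching digest."""
    for digest in hashes.values():
        if digest in hash_set:
            return hash_set[digest]
    return None


def shannon_entropy(data: bytes) -> float:
    """Calculate File Entropy: bits per byte, 0.0 to 8.0; near 8 suggests encryption/compression."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_evidence() -> str:
    """Write constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="blacklight_demo_")
    samples = {
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,  # PNG bytes, .jpg name
        "notes.txt": b"hello",                                      # matches the hash set
        "blob.bin": bytes(range(256)) * 16,                         # uniform byte distribution
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def analyze(root: str, hash_set: Dict[str, str]) -> Dict[str, dict]:
    """Run the three checks over every regular file under root, keyed by file name."""
    report = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        ext, detected, mismatch = signature_mismatch(path)
        hashes = calculate_hashes(path)
        with open(path, "rb") as f:
            entropy = shannon_entropy(f.read())
        report[name] = {
            "extension": ext,
            "content_extension": detected,
            "signature_mismatch": mismatch,
            "known_set": identify_known(hashes, hash_set),
            "sha256": hashes["sha256"],
            "entropy": round(entropy, 3),
        }
    return report


if __name__ == "__main__":
    for name, row in analyze(build_sample_evidence(), KNOWN_HASHES).items():
        print(name, row)
```

The mismatch flag is the same signal the Content Extension field surfaces: a file whose content is PNG but whose name says .jpg is worth a second look, while a plain text file with no recognizable magic simply has no content extension. Entropy close to 8 bits per byte does not prove encryption (compressed archives and media score the same way), which is why the table lists it as a "possible" encryption level.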
EVIDENCE STATUS
While evidence is processing, BlackLight provides feedback indicating the status of the jobs being processed.
Symbols shown in the interface and their meanings:
• Overall progress of partition processing for the selected processing options.
• Green Light shows when processing started. Yellow Light indicates processing is still in progress. Green Light shows when processing completed. Timer shows the time it took to process the partition.
• Seen when Parsing or DB Recovery processes are running.
• Process has completed.
• Process has completed, but there are more options to run that were not selected.
• Process is running, but not complete. The process cannot be paused.
• Process is waiting to run.
• Process is running, but not complete. The process can be paused.
• Process has not been chosen to run.
• Process cannot run on the partition.
For each volume being processed, BlackLight provides information about the status of all processing options.
NAVIGATING BLACKLIGHT
Select evidence item(s) on the left and a consolidated data view icon above to display the data processed for that particular view.
Processed Data
Actionable Intelligence: Processed system/user data.
Communication: Processed call logs, messages, contacts, email.
Media: Processed pictures, videos, and audio files.
Locations: Processed Apple Maps data, location data, WiFi connections.
Internet: Internet browser data (Safari, Chrome, Firefox, Edge, Internet Explorer).
Productivity: Calendar and notes data.
System: Windows registry, applications, system logs, memory analysis.
Plugins: Data parsed with Apple Pattern of Life Lazy Output'er (APOLLO).
PROCESSED DATA - AUTOMATICALLY PROCESSED DATA WITHIN BLACKLIGHT
Artifact (Location): Description
Device Backups (Actionable Intel → Device Backups): Stored iOS backups on macOS and Windows computers. iOS backups can be directly imported for processing.
Device Connections (Actionable Intel → Device Connections): Parsed Windows/macOS USB device connections.
File Downloads (Actionable Intel → File Downloads): Shows files downloaded by macOS and Windows, along with QuarantineEvents from macOS.
Jump Lists (Actionable Intel → Program Execution → Jump Lists): Windows 7 and above artifact that shows user interaction with files.
Link Files (Actionable Intel → File Knowledge → Link Files): Windows user .lnk files.
Prefetch (Actionable Intel → Program Execution → Prefetch): Windows artifact that shows launched applications.
Program Execution (Actionable Intel → Program Execution → Last Executed): Windows OpenSaveMRU registry key.
Recent Items (Actionable Intel → File Knowledge → Recent Items): Recent items from NTUSER.dat and macOS recent items.
Shell Bags (System → Registry → ShellBags): Windows shellbag registry values.
Superfetch (Actionable Intel → Program Execution → Superfetch): Windows Vista and later artifact that shows launched applications.
Trash Items (Actionable Intel → File Knowledge → Trash Items): Windows Recycle Bin and macOS Trash items.
User Accounts (Actionable Intel → Account Usage → User Accounts): Data parsed from the Windows SAM file and macOS user plist files.
User Assist (Actionable Intel → Program Execution → User Assist): Windows applications launched by the user. Data parsed from NTUSER.dat.
Windows Registry (System → Registry → All): Parsed Windows registry hives.
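The Trash Items entry above recovers Windows Recycle Bin items; the metadata behind each deleted file lives in a small $I record next to the renamed $R data file. The following Python parser is an added example (not BlackLight's own code) showing what such a record contains: the original size, the deletion time as a Windows FILETIME, and the original path. It handles both on-disk layouts, version 1 (Vista through 8.1, fixed 520-byte name field) and version 2 (Windows 10 and later, length-prefixed name). The two sample records, their file name and their timestamp are constructed inside build_sample_records() and are not real evidence.

```python
"""Added example, not BlackLight code: parse Windows Recycle Bin $I metadata
records in both the version 1 and version 2 layouts. Sample records are
constructed by build_sample_records(); the path and timestamp are invented."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used only to build the constructed samples."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return version, original size, deletion time and original path of one $I record.

    Layout (little-endian): 8-byte version, 8-byte original size, 8-byte FILETIME,
    then either a fixed 520-byte UTF-16LE name (version 1) or a 4-byte character
    count followed by the UTF-16LE name (version 2).
    """
    if len(data) < 24:
        raise ValueError("record too short for $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name_bytes = data[24:24 + 520]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("record too short for version 2 name length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        name_bytes = data[28:28 + nchars * 2]
        if len(name_bytes) != nchars * 2:
            raise ValueError("truncated file name")
    else:
        raise ValueError(f"unsupported $I version {version}")
    # The name is NUL-terminated; drop the terminator and any padding.
    name = name_bytes.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_datetime(ft),
        "original_path": name,
    }


def build_sample_records() -> Dict[str, bytes]:
    """Constructed sample $I records (not real evidence) in both layouts."""
    path = "C:\\Users\\demo\\Documents\\report.docx"   # invented path
    deleted = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)  # invented time
    ft = datetime_to_filetime(deleted)
    name = path.encode("utf-16-le") + b"\x00\x00"
    v1 = struct.pack("<QQQ", 1, 4096, ft) + name.ljust(520, b"\x00")
    v2 = struct.pack("<QQQI", 2, 4096, ft, len(path) + 1) + name
    return {"$IV1DEMO": v1, "$IV2DEMO": v2}


if __name__ == "__main__":
    for record_name, raw in build_sample_records().items():
        print(record_name, parse_dollar_i(raw))
```

Two points carry over to real examinations: the deletion time comes only from the $I record, not from the $R file's timestamps, and a truncated or short $I record is refused rather than silently parsed, which matters when carving these records from unallocated space.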
MORE INFORMATION
The BlackLight User's Guide has detailed instructions on using BlackLight and is text searchable.
CLASSROOM INSTRUCTION
Basic Forensic Investigations
Whether you are first learning the fundamentals of forensic investigation techniques or interested in seeing BlackBag's tools in action, this course is an excellent fit for any forensic professional who could benefit from a full scenario-based investigative tutorial, regardless of prior use of BlackBag tools.
https://www.blackbagtech.com/training/courses/basic-forensic-investigations.html
Apple® Forensic Investigations
This course is composed of the essential techniques every forensic professional needs to triage and analyze macOS and iOS devices. Specially crafted by our expert instructors, this course has something for every level of forensic experience.
https://www.blackbagtech.com/training/courses/apple-forensic-investigations.html
Advanced Apple® Forensic Investigations
As the second part of our Essential Forensic Techniques series, Advanced Apple® Forensic Investigations delves into more complex analysis concepts and includes many specific data points encountered in examinations.
https://www.blackbagtech.com/training/courses/advanced-apple-forensic-investigations.html
Windows® Forensic Investigations
Take your Windows forensic skills to the investigative level. This comprehensive course teaches the in-depth analysis of Windows-based evidence. Developed by our expert instructors with field experience, this course will provide you the skills to thoroughly inspect your digital evidence.
https://www.blackbagtech.com/training/courses/windows-forensic-investigations.html