BlackLight 2019 R1 - Win/macOS features difference?

(@john000)
Posts: 45
Eminent Member
Topic starter
 

Hi,

I'm new to the tool BlackLight 2019 R1 and was wondering if there is any difference if I install it on a Windows or macOS system?
Because the entire User guide screenshots are taken from macOS while in our department we use it on Windows.
Is there any chance that I'm missing some features such as timeline due to the system? (I saw screenshots online that the software has a timeline but I can't find it)

Thank you,
John

 
Posted : 11/08/2019 9:17 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Examine a Mac in a Mac - that's what Blackbag always preach.

 
Posted : 11/08/2019 2:26 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Examine a Mac in a Mac - that's what Sumuri always preach.

 
Posted : 11/08/2019 6:54 pm
(@yogeshkhatri)
Posts: 26
Eminent Member
 

Well, only the vendor (Blackbag) can give you a definitive answer on that. I will say this, most everything you can do on a Mac, you can do on Windows/Linux as well.

There used to be a few custom artifacts/databases which were in proprietary unknown formats, namely Spotlight's database and unified logging logs, for which you needed a Mac examiner system (to process them).

However, since last year, both of these have now been successfully reverse engineered by myself (and BlackLight too, independently). Here's a shameless plug to some of my open source tools that parse these:

mac_apt (all in one artifact parsing tool) -> https://github.com/ydkhatri/mac_apt
spotlight_parser -> https://github.com/ydkhatri/spotlight_parser
UnifiedLog Reader -> https://github.com/ydkhatri/UnifiedLogReader

Even mounting of APFS encrypted volumes can be handled with open source software like this:
APFS-fuse -> https://github.com/sgan81/apfs-fuse

So other than help with imaging (target disk mode), I don't see much of a need for a Mac to process a Mac. There may of course be some new unknown artifact, or something else, but I don't see a "strict requirement" of having an examiner Mac system any more.

 
Posted : 30/08/2019 2:54 pm
(@badgerau)
Posts: 96
Trusted Member
 

Blackbag removed the Timeline feature about 12 months ago, without explanation, but stated they would return it. This has not happened. I use the Timeline feature a lot, so this has forced me to use other software as my preferred analysis tool.

Blacklight does a good job on Windows but I find the processing time is a problem, especially when processing and indexing all the data (VSC etc.). I have had some issues with emails not being parsed (Windows only).

Blacklight is my preferred tool for Mac OSX, I just wish they would bring back the timeline feature which is very handy in a lot of investigations.

Sumuri dropped the ball when they sold Recon for Mac and then promptly stopped supporting the product after 12 months.

 
Posted : 30/08/2019 10:39 pm