Hi,
I'm new to the tool BlackLight 2019 R1 and was wondering if there is any difference if I Install it on Windows or macOS system?
Because the entire User guide screenshots are taken from macOS while in our department we use it on Windows.
Is there any chance that I'm missing some features such as timeline due to the system? (I saw screenshots online that the software has a timeline but I can't find it)
Thank you,
John
Examine a Mac in a Mac - that's what Blackbag always preach.
Examine a Mac in a Mac - that's what Sumuri always preach.
Well, only the vendor (Blackbag) can give you a definitive answer on that. I will say this, most everything you can do on a mac, you can do on Windows/Linux as well.
There used to be a few custom artifacts/databases which were in proprietary unknown formats namely Spotlight's database and unified logging logs, for which you needed a mac examiner system (to process them).
However since last year, both of these have now been successfully reverse engineered by myself (and blacklight too independently). Here's a shameless plug to some of my open source tools that parse these
mac_apt (all in one artifact parsing tool) –> https://
spotlight_parser –> https://
UnifiedLog Reader –> https://
Even mounting of APFS encrypted volumes can be handled with open source software like this
APFS-fuse –> https://
So other than help with imaging (target disk mode), I don't see much of a need of a mac to process a mac. There may of course be some new unknown artifact, or something else, but I don't see a "strict requirement" of having an examiner mac system any more.
Blackbag removed the Timeline feature about 12 months ago, without explanation, but stated they would return it. This has not happened. I use the Timeline feature a lot, so this has forced me to use other software as my preferred analysis tool.
Blacklight does a good job on Windows but I find the processing time is a problem, especially when processing and indexing all the data ( VSC etc) . I have had some issues on emails not being parsed (Windows only).
Blacklight is my preferred tool for Mac OSX, I just wish they would bring back the timeline feature which is very handy in a lot of investigations.
Sumuri dropped the ball when they sold Recon for Mac and then promptly stopped supporting the product after 12 months.