BlackLight From BlackBag
Posted Wednesday February 22, 2017 (17:41:45)
Reviewed by Azeem - Cyber Security Professional
I had no idea just how tightly BlackLight would grab onto my attention and then keep its hold. Yet, here I am. While I've heard positive feedback from people in the information security community regarding BlackBag's forensic software products, I have not had the opportunity to use one of their products on my own. Thus, I was thrilled to review BlackBag's BlackLight product.
For those who are not familiar, BlackBag's BlackLight is a piece of comprehensive forensics analysis software that supports all major platforms, including Windows, Android, iPhone, iPad, and Mac. In addition to analysis, it can logically acquire Android and iPhone/iPad devices. You can also run the software on both Windows and Mac OS X.
In this particular review, I used the latest version of BlackLight (2016 release 3). I decided to use it on Mac. The main reason I chose Mac was that most of analysis that I have performed thus far has been with the traditional Windows Forensic Recovery of Evidence Device (FRED) and I figured this would be a great opportunity to try something different.
Installing BlackLight on Mac was a breeze. I simply downloaded the installation file from BlackBag's website and entered the license key upon initial file execution. The single installation file took care of all of the dependencies needed for the software, which I was glad to see.
Here were the configurations for my Mac: MacBook Pro running Sierra OS version 10.12.2. The hardware included Intel Core i7 with 2.5 GHz with 16GB memory and a standard hard disk drive.
With review, I wanted to make a use-case in which I would perform basic processing and analysis of a traditional disk image using BlackLight running on Mac. Without any real experience with BlackLight, I focused on usability and intuitiveness.
For this review, used a 15GB physical image of Windows XP SP3 E01 Disk. I processed this image through BlackLight with all of the ingestion options available in the software and to my surprise, it took under 10 minutes to complete.
What was even more impressive was that it had very little performance impact on my system. In fact, as the image was being processed in the background, I continued to perform normal operations such as browsing the web and using Open Office software with no problem.
As the evidence processing completed and I began reviewing the output, I noticed the complete user interface and design of the product. Without even digging into the evidence findings, I began appreciating the cleanliness and attractiveness of the display. The display consists of pleasant color schemes, sharp fonts, and intuitive icons.
Personally, I think that in the digital forensic field there is generally not as much emphasis on the user interface and the design of the products as there is on some commercial software in other fields. Without well-designed, intuitive software, it can take time for even an experienced professional to get up to speed on new software. During the time that they are not familiar with the new software, they are not only frustrated but also inefficient because they either continue to use their old tool or find alternative (usually manual) ways of getting things done.
With BlackLight, my appreciation for its intuitiveness began when I created the first case, adding evidence and reviewing the overall status as it processed my evidence:
As I began digging into the findings; instead of starting with advance keyword searches, I started by reviewing the Content Searches section for some pre-built searches. These searches included Internet Services, Internet Searches, Email Domain, URLs, RFC822 Headers, Email Addresses, and Internet Domains:
The screenshot above shows the output of Internet Domains under Content Search. The output shows several important details but one feature that I particular liked, and it is also present at other areas of the software as well, which is the total count of the same occurrences (as seen under the Occurrences column above). Having this already done not only cuts down on any manual de-duplication processing but also limits the number of outputs that would otherwise take up screen space and add little value.
In addition to these pre-built Content Searches, the software allows for the creation of additional custom searches, which can be saved and later referenced.
My second highlight was the Command Bar:
On top of the main Case Window screen is what BlackBag refers to as the Command Bar. This is designed to be used to select different views that display evidence data in a variety of useful ways. It provides important analytical data that I believe would provide great value in most investigations. Additionally, there are several sub-views available to provide further details. While you can read on what all of these analytical options provide in BlackLight’s User’s Guide I will share few that I found the most useful, including some favorites.
This feature allows examiners to view actions by a given user. These artifacts include Registry (recently executed files & programs, link files, jumplists, Prefetch and Superfetch data), device connections for all devices previously connected to the system, iOS device backups, recent file downloads, and user account information.
My second favorite feature under Command Control is File Filter. This feature isolates information in a data set. The File Filter view isolates information by file attribute, such as file type and creation date. In contrast, the regular Search feature in BlackLight isolates information according to file content, such as alphanumeric keywords or regular expressions.
I think the File Filter feature makes isolating in a large data set very quick and efficient. You can find the full list of pre-built filter options in BlackLight’s documentation. However, in addition to standard filtering options such as Name and Hash path, you also have some advance options such as Suppress Duplicate Files (filters out any duplicate files), Volume Shadow Copy (filters files that have a Volume Shadow Copy version), and Visibility (filters hidden or visible files):
From all the pre-built filters, the one I found most useful was Kind. This filters content by genus or category. I think this filter would come in handy in both eDiscovery and Incident Response investigations where may need to identify files with possible obfuscation attempts.
There are 13 Kind filter modifiers; with some having secondary modifier to further narrow down the results. As you dig deeper into filtering, there is a reset button that quickly clears all applied filters.
One particular feature where I think there is opportunity for improvement is the Timeline view. While in Timeline view, I did not experience the same level of intuitiveness that I did in other areas of the software. Per the documentation, this feature “shows a list of events in chronological order in a graphical representation by device. This view is created when a Timeline index is created by scanning through an evidence image/device and extracting artifact timestamp data gathered from that evidence”. However, in my experience, this feature was not as responsive as I had hoped and could not yield useful information in a reasonable time.
In my opinion, Timeline is one of those features that it seems almost all forensic software try to get it right. It’s difficult to do so, however, because of the challenge of taking enormous amounts of diverse data and presenting it in an interactive, meaningful, graphical way quickly without significant performance impact.
Per BlackLight’s documentation, it is “… designed for both novice and advanced users, and offers a clean interface featuring easy navigation and powerful advanced options. The BlackLight graphical user interface (GUI) was specifically designed to give forensic examiners both robust capabilities and an intuitive and elegant user experience throughout all phases of a digital forensic investigation.” This is a statement that I think it lives up to. Most of the software is easy to use, intuitive, and responsive. As I navigated through the tool, it took me where I thought it would take me. However, while I have primarily focused on the tool’s user interface, it is important to note that the forensic capabilities of this tool are also impressive and advanced. Such capabilities include its ability to parse $LogFile (disk activity) and $USNJRNL (change journal) Windows Event logs, Metadata, Locations, Regular Expression Keyword Search with Presets (i.e., Email Address, URL, International Phone number, Credit Card, etc.), just to name a few. Plus, the tool comes with a comprehensive User’s Guide, divided up into logical sections and includes screenshots.
All in all, I would say that I am happy. There was no real center of disappointment for me with this software under my use-case. I’ve had a positive experience using BlackBag’s BlackLight 2016 R3 and I would recommend others to run their own particular requirements against it and give it consideration.
About The Reviewer
As an information security professional, the reviewer has accrued years of experience in security engineering, incident response, digital forensics and vulnerability management. A firm believer in ongoing education, he works hard to keep his base of knowledge current and up to date. He is actively involved in the security community and frequently blogs at azeemnow.com. He can also be found on Twitter @azeemnow.
About Blacklight 2016 R3
BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and now even includes analysis of memory images. BlackLight allows for easy searching, filtering and otherwise sifting through large data sets. It can logically acquire Android and iPhone/iPad devices, runs on Windows and Mac OS X, and can analyze data from all four major platforms within one interface.
This review focused on using BlackLight on a Mac. As for Windows, BlackLight automatically parses out a bevy of artifacts from a Windows image file without further user interaction these include, program execution, user assist artifacts, jump lists, prefectch/superfetch, device connections, alternate data streams, link files, recent items, Windows registry files, and shellbags. If an examiner chooses, BlackLight is capable of parsing out more advanced artifacts such as volume shadows copies, $log file, $UsnJrl file, and event logs. BlackLight can process the Windows hyberfil.sys (including Windows 10) and pagefile.sys from computers running Windows Vista through 10. Lastly BlackLight can analyze live RAM memory imaged from Windows computer, running Vista and above.
Article content received from: Forensic Focus,