What’s New In BlackLight: How To Streamline Investigations With The Latest Features
Posted Monday November 26, 2018 (11:49:49)
Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Julie: Hello, everyone. Thank you for joining today’s webinar, “What’s New in BlackLight: How to Streamline Investigations with the Latest Features”. My name is Julie Urban and I’m the Product Marketing Manager here at BlackBag. Before we kick things off, just a few housekeeping items to review. We are recording this webinar, so we will share an on-demand version after the webinar is complete. We’re also excited to hear from you. If you have any questions, please submit them in the Questions window and we will answer them throughout and in a Q&A at the end of the webinar.
I’m excited to introduce our speaker, Justin Matsuhara. Justin is a retired corporal detective from California. Prior to retirement in 2015, Justin completed California DoJ’s Computer and Mobile Forensics series of classes, as well as other formal related training, and established his agency’s computer forensic lab. With the establishment of the lab, Justin was able to provide internal support in digital forensics to assist with investigations. He holds California post ICI specialty certifications in homicide and computer crime investigations. Thanks for being part of today’s webinar, Justin. If you’re ready, let’s just jump right into it, and I’ll hand the reins over to you.
Justin: Sounds good. Thank you, Julie, and welcome, everybody joining this webinar. When they asked me to do this presentation, there were some things that popped up in my head, and first of all was when we’re working an investigation, and as an investigator, we’re always asking ourselves, are we really seeing all the data, are we really seeing everything that’s related to digital evidence? Am I looking for something that the something might have deleted in hopes of destroying that evidence, maybe to further elude us? Can we honestly say, on the stand, that yes, we’ve covered all the bases related to the available digital evidence? And more importantly, are we compliant with that search warrant that was authored, that gave us that legal access to the data?
Well, now we may be able to answer some of those questions for you.
So, what’s new in BlackLight? With 2018 R3, we added APFS snapshots. As we saw with volume shadow copies, APFS snapshots can provide us with a wealth, a tremendous amount of additional information that we had no access to before. We made enhancements to reporting. We absolutely heard you guys. Those of you who use our Mobilyze tool love the recording aspect of that, being able to simply ingest a device and provide a full report of all those artefacts. I know when I was working as an investigator, narcotics investigators would show up and say, “Hey, give me everything on this file.” And I would just generate the report through Mobilyze. So, now you have that option with BlackLight as well.
GrayKey acquisitions – the new buzz technology that’s out there, that’ll assist us with our investigations. We streamlined how GrayKey acquisitions are ingested into BlackLight, and it’s a very easy process, and we’ll step through that as well.
So, APFS snapshots: again, this is all new, because of APFS, and as a result, we got more artefacts to take a look at. So, we look at … the first thing that we have to consider is whether or not Time Machine backups were established on that particular suspect’s computer. For snapshots to work or to be captured, Time Machine backups have to have been set up. It occurs approximately one hour prior to scheduled Time Machine backups, or specific system updates. Now, retention is an issue, obviously, because what we’re finding through testing is APFS snapshots are held on the system for approximately 24 hours. Now, there is some continued testing going on to see what other situations may leave a snapshot on longer than 24 hours, but that’s that part of that continued research by our Research and Development team.
A user may create their own system using a terminal session, and using tmutil. So, someone can actually create a snapshot of their own system as they see fit. For a more in-depth look, there was a webinar that was presented by our Director of Research & Development, Dr. Joe Sylve – The Importance of APFS Snapshots in Investigations. Give it a watch. It’s well worth the hour of your time to go through and get a full understanding of snapshots and how they can benefit you in your investigation.
From reporting aspects and the enhancements that we did, we give you the ability now to report on all artefacts. This has been a huge request. Again, we heard you, and we give you the ability now. The examiner has full control on how the report is presented and is fully capable of excluding any data. So, depending on your search warrant restrictions, you may not be able to produce a finalized report that includes contact information; therefore, you can exclude that now, where in the past versions of BlackLight, it was never an option. So, we’ll walk you through some of the reporting enhancements, give you a good idea of how to manipulate the reports to fit your needs.
GrayKey acquisitions. Those of you who are familiar with GrayKey and those types of acquisitions, we had to create a Gray-to-Black application that we allowed our customers to have access to. And basically, what it was was a conversion of the zip files so that it was ingestible. We built that ability into BlackLight 2018 R3, and it is truly a seamless method of ingestion. It’s a one-step process, and it’s pretty easy. There’s no multiple windows that you have to navigate through, it’s a single Add button, and away you go. And we’ll walk you through that process as well. And of course, we are recognized by GrayShift for properly parsing those dates and times that you would encounter through those acquisitions.
So, let’s just get into this. We’re going to walk you through the ingestion process in BlackLight. What I have up now is my Case Manager window. And I’m going to start up a new case. I’m going to call this particular case BennettTestComp. Okay, I’m just going to drop it on my desktop now, for ease of locating it when I need it. So, I’m going to go ahead and save it. My [07:58] database is going to start up. And up pops BlackLight.
Now, there are three ways of adding evidence to BlackLight. If you haven’t attended one of our BlackLight tools classes, I recommend doing so, where we teach you how to ingest various folders and images and things like that. But you could simply select the Add button here, you can go to a file pulldown, and add the evidence. And then, you can drag and drop your [EO1] file, your raw file or your memory dump over to the component list, and it will bring up an ingestion window for you.
We’re going to simply select the Add button. I’m going to add my image … from my external device. Locate my first [EO1] file, or E01 file, and select. You’ll notice that my Add Evidence window now includes my ingestion options. And what I’m going to do is I’m not going to concern myself with the EFI partition, pre-boot, recovery, VM, or, in this particular case, I have a BOOTCAMP volume as well. So, I’m going to deselect that, and only focus myself on the Racer volume, which is my Macintosh HD volume.
From here, I can select various options for parsing upon ingestion. I can select pictures and video analysis … but I want to concern myself with where are my snapshots? And that’s going to be located under Advanced options. So, if you select your Advanced Options button, you’ll have the three-dot option as well pop up. And based on the image or the folder or the file that you’re going to ingest … BlackLight is extremely intuitive, so it’s going to recognize what is available to you based upon what you’re trying to ingest.
What I’m going to do here is I’m just going to simply deselect all of these items and focus my attention under Parse Snapshots/Volume Shadow Copies. By selecting the three dots here, you will see that you have two snapshots within this particular image. Notice the dates and times. One’s about a month in difference, right? So, what I mentioned about snapshots being held on a system for approximately 24 hours – in this particular case, for some varying reason, we have snapshots that are roughly a month apart.
Now, you have the option here to process these all at one time. And I will caution you, when you’re first doing your ingestion – normally, what we’ll teach our examiners to do is let’s take a look at what’s on the active volume first. If you’re not seeing what you should be seeing or expect to see, then, based upon the newest date of your snapshots, start bringing those in one by one, as you feel necessary. And the reason why is a snapshot is a snapshot of the APFS volume at that time of occurrence. So, whether it was a system update or it was an hour prior to a Time Machine backup, it’s going to take that full system, APFS system snapshot, and as you can imagine, if you’re going to process this, it will take that much more time. It would be processing, let’s say for instance, these two plus my active volume, we’re possibly looking at triple the time that it would normally, if you were just doing one at a time.
I’m not going to actually go through this, because to speed the webinar up, I’ve already parsed out a case that we could take a look. So, I’m just going to go in and cancel this out. And I’m going to move over to that other case.
Julie: Okay, Justin, we actually had a question come in.
Julie: Do I need to re-acquire my APFS volume to access the snapshots?
Justin: Do you need to re-acquire your APFS image to process snapshots? If you use the later version of Macquisition that supports APFS, then there is no need to re-acquire that particular forensic image. It is part of the APFS file system, and therefore you would not have to, because we’re already collecting the data. With this particular new release of BlackLight is where we’re actually exposing it for you – it’s always been there. So, we’re giving you now, through BlackLight, the latest release of BlackLight, the ability to actually see it now. So, you don’t have to re-acquire it, as long as you’re using the latest version of Macquisition and the latest version of BlackLight, you should be good to go. Anything else on that, Julie?
Julie: That works. Thank you.
So, here’s my case file that I pre-parsed out. And as you can see here, for those of you who are not familiar with the later versions of BlackLight, we now give you the ability to select all of your evidence items, and this would be for filtering and looking at artefacts as a whole. What I’m going to do here is I’m just going to concern myself with simply the Racer volume and my snapshots. If we look at what we have selected from our component list in our browser view, you will see these particular artefacts, and you can drill through the various file systems. So, when you’re looking at them, it looks very similar, right? Because they are snapshots of the system.
As we move through our command bar, let’s take a look at Actionable Intel. One of the things that we found through our development of volume shadow copies is the existence of additional artefacts within Actionable Intel that we can present to you for your investigation. One of the areas is device backups. So, if we take a look at device backups, you will note that we have a batch number that represents the artefact number. So, for instance, the seven here represents our Racer, our Snapshot 1. So, under Bobby’s iPhone, if I look, I’ve only got one entry, and it’s contained in the snapshot. That’s huge. That can be the smoking gun. Maybe you never knew that Bobby had an iPhone, or you never knew there was an existence of an iPhone. You may know about the iPads and the other iPhones, but not this particular one. And it’s held within the snapshot.
Now, what can I do with this? Well, I can simply select it, right-click it, I can add it here, or I can select this button down on the bottom, Add Selected. I can add it now as an item of evidence, and I can drill through its data to see if there’s anything that’s going to lend itself to your investigation.
Let’s take a look at account usage, while we’re here, and you’ll see that we’ve got the accounts that are listed for each one of those snapshots. We do have some deleted accounts that were also captured as part of that. So, again, we’re looking at data that’s historical. Yeah, it might have only been a month or prior … or 24 hours prior. But it may be data that you have no visibility on in the past.
Let’s jump over to Communication. You have your call logs. Now, this particular image is very limited on what we had access to. But within calls, you can use your view filter or what we call a show filter, upper right corner, and by selecting that, you can build a filter within BlackLight or this particular view so you can sort it out based on service, deleted records, so on and so forth.
I’m going to jump over to Messages. This is where everybody wants to see. This is the meat and potatoes of a lot of investigations, right? How were they communicating? Who were they talking to? So, let’s just take a look at Messages and see what we have to offer you. If you look at the badge numbers, we’ve got obviously the two snaps in the active volume, and it’s a lot of data. Now, I’m going to caution you: what we like to preach in our classes and what I used to use quite a bit in my investigation was conversation view. But I caution you when you’re doing this, because what we lose as a result of that is our badge numbers that correspond to that specific evidence item.
So, revert back to list view, tag what you need that might … capture it in a tag container. That way, you can always revert back to it in conversation view and then see how it relates to a certain conversation that was occurring. If we look at the contact list, again, we’re providing you contact information from both or all three or both snapshots plus the active volume. Much more data than what you’d normally have. This is what we were used to seeing, this is now what we can see based upon our ability to parse out those snapshots.
Emails. Now, obviously, you’re not going to find emails on phones unless you’re using a GrayKey for the acquisition. But you’ll notice here that you’ve got three separate V5 containers holding various amounts of emails, and that’s represented by what was captured as a result of that snapshot.
Let’s take a look at media view. I’m just going to simply jump over the pictures. So, if we look at all three combined, all three … the two snapshots plus the active volume combined under our Pictures/Media tab, down here on the very bottom, you’re going to see your number of 115,298. Excluding one of the snapshots, it’s going to refilter it, and your number is going to drop accordingly. So, we went from … if we’re looking at the active volume, solely the active volume, what we had access to originally, we’re looking at 39,929 artefacts. But by adding those snapshots, we’ve tripled the amount of data there for you to manually go through. And it’s the same thing for videos and audio.
Under Locations, as we’re looking at locations, we’re looking at location data, again, you’re getting to combined view, based upon what you’ve selected in your component list, a combined view of all your artefacts that contain geolocation [21:30] logs, okay? Same thing with Wi-Fi. So, as you can see, as you drill through your data, you have much more information.
Okay. So, those are some of the fine points, and we wanted to demonstrate how effective snapshots can be for your investigation. The amount of data that we’re producing … and we could continue on through the rest of them as well, but we’ll leave that up to you, to dig through your datasets, to see how much more information. We always recommend, if you aren’t using 2018 R3, before the snapshot support came out, take that APFS image that you created or that you’ve acquired, ingest it into the later version of BlackLight, and you know what? As we like to say, there’s truth in data. You’re going to see a lot more there for you guys to drill through and make or break your case.
Before we move on to reporting, Julie did you have any questions that might have popped up?
Julie: Yeah. So, can you deduplicate the data to reduce the number of files you have to look at?
Justin: You can go through, I believe, file filtering, to deduplicate some of your datasets. If I can bring Ashley into that question – Ashley is our product manager – Ashley, would you be able to interject?
Ashley: Hi Justin. Yeah, this is Ashley. We are able to do some filtering to do deduplication. There is … we’re always looking at things like the hash value versus the identifier for the file. So, we will actually create a short little post on how that works, so that you guys can see how the deduplication works. We want to make sure that if we do dedupe, that we’re making sure you’re not losing any information. So, the hash value needs to be the same or the identifier, especially with Mac, you’ve got the FS event info. We want to make sure that there’s really nothing different between them, and so, that’s one of the things that … very common question, I saw it come up quite a bit on here. We’ll make a whole post on that and show you how to do it. So, that way, folks will have some more information on how the dedupe piece works.
Justin: Awesome. Thank you so much for that interjection. Anything else, Julie?
Julie: That’s all for right now.
Justin: Okay. Before I move into reporting … if you want to learn more about these snapshots, we have two classes, Essential Forensic Techniques classes, they’re week-long classes. We put some emphasis, obviously, on Mac artefacts. If you want a challenging course, and you want to learn about those Mac artefacts and snapshots, Time Machine backups, Time Capsules, how to rebuild an Apple RAID, you may want to look into the Essentials classes. They’re very, very thorough Mac and forensics classes [that may] assist you with your investigations.
Okay, with that being said, let’s jump back into BlackLight and let’s go into reporting and the enhancements that, I got to tell you, Ashley and her team did a phenomenal job on listening to the customers and what their needs were. So, I thought we did a pretty decent job with reporting, I think we do a phenomenal job with reporting now. The same options that you had with previous versions still exist. In other words, we can rearrange our artefacts. So, if I wanted, for instance, my BOOTCAMP active volume right below my Racer volume, I simply pick and drag it, and drop it to its new location. As a result, what will happen is BlackLight will re-render the report. You get a full view of the report as you would see it once you create it, which is really, really good. So, you can manipulate how they fall within the report. So, if a prosecutor asks the question, “Hey, I want to see what device connections I had on this Windows systems, that’s really, really important to me,” then you can come down under Case Data, you can simply take the device connections, you can either select it as the only option or the only thing to display within your case, or you can move it up if you have other artefacts that you want to demonstrate within your report. You can manipulate its location by picking and dragging it as well. We give you that ability to move the artefacts around as you see fit, or as requested by that prosecuting attorney, or maybe it’s another investigator.
You can select … let’s say, for instance, I select my Racer volume and I want to display certain artefacts that are related to it. If I select it, it will then load, and then, as I drill through my report, I’ve got my Racer volume, it tells me what file system I was running, what version, my artefacts … remember seeing this in the Details pane of our GUI interface. So, we provide you that, like we have in the past. If you had selected containers … for instance, I have tagged containers selected. I am also demonstrating that as well in my report. And again, you can pick and choose as to what you want to display within this report, you can manipulate it.
Now, one of the … the case data area is a huge improvement from where we were. I know I ran into this personally, where, by authoring a certain search warrant, I was not able to include contacts. And the only way that we were able to do or exclude it from our BlackLight reports in the past was to save the actual report on that docx format, cut and paste out the contact information, and then re-save it, preferably under a PDF. You don’t have to do that anymore. It’s all simplistic. You pick and choose as to what you want to demonstrate within your report, and you just produce the report.
Now, there is a little gear here, or a little wheel – if you were to select that and you slide over through it, it says, “Include case data from all evidence items or only those items or evidence items that are selected. So, currently, I have two – would be my Racer volume, we’re going to slide up, I’ve got my tags, my evidence tags.
So, I can say I want only [BOOTCAMP] and Racer, or my Macintosh HD volume. If I include all evidence items, what’s going to be created is a report including all of my evidence items, even if they were not checked. So, when you’re generating your report, make sure that you have the correct setting set, so when you generate the report, you don’t get information that, one, you don’t want, or, two, is not within compliance of your search warrant. Okay?
Now, if I want to generate a report, I have the option here to generate in these particular formats – HTML, PDF, docx, text, and obviously CSV and Excel. Those are your options – very much similar to what we had in the past. Simply generate your report by selecting that button. If it’s an HTML report, a Chrome browser, or a Safari browser, it will populate your screen, and it will look very similar to this.
So, here’s my generated report. If I’m looking at my Bennett image … I’ve deselected some of the items so that I didn’t have a lot, but it’ll give you an idea. Now, there’s a menu here, over to the upper right corner. You have your overview, your device details, you have your tagged information, and then you have your case data information. These are all hyperlinked. If I want to look at messages, for instance, what we’ve done to alleviate the pain of literally going through, in this particular case, 2100-plus text messages all at one time – we’ve created chunks of them. So, by selecting them, you have all of your text messages within that given chunk of messages.
If I want to look at calls – here’s my incoming calls. These reference items here on the left-hand side are represented here, where the source is coming from. And let’s take a look at … I don’t think I have device connections … oh, I do. Okay, so I’ve got some device connections. So, we’re pulling from … obviously, we all know that we’re pulling from ntuser.dat file, and usbstor, hence we are producing this report that represents all device connections on the Windows [side].
Now, the question will come up – what about on the Mac side? Well, several iterations of the Mac OS, Apple decided it was not necessary to record, so we don’t capture that anymore. It used to be stored in a plist. And if you go to one of the EFT classes, we talk about unified logs, and you would be able to see some of the device connections to the unified logs. But generically speaking, you’re typically going to see most device connections on your BOOTCAMP or your Windows volumes.
So, pretty simplistic. I think we did a phenomenal job on providing you a report that you can tailor to your needs and, again, exclude that data that doesn’t fit within that [authored] search warrant. That way, you’re not getting in any trouble for violation of, for our California investigators, [CALEPTA]. You can exclude that amount of data, as necessary.
Any questions on any of the reporting?
Julie: Hey Justin. We had a few questions come in.
Julie: For items found in APFS snapshots, does the metadata of the files or pics show which snapshot the data was acquired from for report purposes?
Justin: Let’s take a look.
Ashley: I’m just going to jump in real quick, Justin, and let you know – when you are actually tagging any item from the snapshot, there are two fields you can select. One is whether or not it is in a snapshot or not – so, you can display that in the report – as well as what version of a snapshot. So, you’ll be able to see the volume information. Obviously, that is something that we include for the file. But you’re also going to be able to see, if it was from the snapshot, which snapshot version. And as you can see, over on the left-hand side, his component list, there’s Snap 1 and Snap 2, so the version numbers will resolve to those numbers. So, you can actually display that info in the report, and you do that at tagging time if you want to include those two fields.
Justin: Thanks, Ashley, on that. Any other questions, Julie, that Ashley can help with? [laughs]
Julie: So, can the report template be adjusted to fit the department or company that the report is made, for logo, summary, lessons learned, anything like that?
Justin: Yes. Up here at the very top, you’ll see a drag-and-drop or click-to-change. This logo, you can change, obviously, to … if it’s a badge or your shield, you can change it. You can change … you don’t have to use BlackBag Technologies, obviously. You can use your own agency or your own company logo, that type of thing. Under Digital Forensics Report, you can change this as well. So, if I want to refer to this as Computer Forensic Report, I can do that as well. It’ll just re-render it so it reflects that particular change. So, there you go. Okay?
Julie: Awesome. Thanks, Justin.
Justin: Alright. Any other questions?
Justin: No? Okay. So, let’s move on. And again, the report aspect of it, with the enhancements, it’s going to make your life so much easier to deal with, when you’re dealing with these types of reports. Having worked with DAs constantly, each one of them had a different requirement. So, we now give you that ability to manipulate the artefacts within the report to fit their particular needs. And we also give you that ability to report on all, so we can just simply select everything, we can then have that report report on all evidence items, and out the door you go. You generate it on HTML, take that HTML report, put it on a Blue Ray reader or writer, and simply hand it over to the investigator and let them go through your dataset. We try to make this as easy as possible for you, based upon those needs that you guys have.
That being said, let’s jump over to GrayKey. GrayKey acquisitions. We’re not going to spend a lot of time on it, but we want to walk you through the steps on ingestion, and how easy that is through BlackLight. So, I’m going to go ahead and close this case out.
I’m going to close this case out …
Alright. To do an ingestion of a GrayKey acquisition … again, I’m going to go through the new process of starting a case, I’m going to call this GrayTestWeb. I’m going to go ahead and drop that on to my desktop.
And I’m going to kind of make this easy. So … what I’m doing is I’m bringing up a finder window. I’m going to navigate over to my evidence drive. And what I have is GrayKey acquisition. My suspect’s name was Donny Adams. And what you’re going to get as a result of a GrayKey acquisition is you’re going to get the [_files.zip] file. That’s the complete … or as much information as you’re going to get from the file system off that device as possible.
Now, you will see a [_backup.zip] file, which you don’t see here. And that’s going to include something similar to what you would see in an iTunes backup. And you have your keychain file. Account information, with corresponding passwords, memory dump off that particular phone. A lot of this stuff that we’re talking about now with GrayKey acquisitions are artefacts that we haven’t seen since the days of physical. So, we had to come up with a solution to make it easy for you guys to pull these in, get through your dataset, and then just pass that information on for your investigation.
So, I’m going to simply just drag and drop this file, this zip file here, over to my component list. And I’m just going to drop it there. And guess what pops up – my Add Evidence [item] or window.
Now, by doing that, you automatically get the checkbox opposite of what would be represented by the [UDID]. The size of the acquisition…
And then, from here, again, you can pick your options of what you want BlackLight to process initially. You have your advanced options, and again, BlackLight is going to recognize the existence of these particular artefacts within this particular acquisition. Mail parsing. What do we normally see on a mobile device when we conduct a logical acquisition with regards to mail, email? Nothing, right? So, we have mail parsing. Because with a GrayKey acquisition, guess what we get. Email.
So, again, I’m not going to process this case. I’m going to take you over to that particular GrayKey acquisition. So, for those investigators that get that particular narcotics investigator that walks in the office, that says, “Hey, I need everything on this phone,” perfect. There’s this jump over here, when we start up the GrayKey. Start the GrayKey casefile. And as I mentioned, under Communication, Emails, guess what I got. So, you got your container, you’ve got messages. So, we’re seeing a lot of this information that, again, we haven’t seen since days of physical, and the ingestion process, again, it’s a one-step process. You pick and drag it over to the component list, select your processing options or your ingestion options, and you just let it process.
Once that’s done, now you have the ability to navigate through that dataset. If I want to generate a report, simply come over … and especially in those situations where they want to see everything. Check all the boxes, okay? You get this generated report, everything looks good. I want this to say ‘Phone Forensics Report’. I then generate my report. Simple as that. There’s not multiple screens that you have to drill through to get to your evidence item. Simply drag and drop it over the component list, and [43:43].
So, let’s take a look at that report.
Now I’m looking at the Donnie Adams phone. Take a look at my case data. And you can drill through your data. Again, we’re going to create these chunks of data to help you weed through it a little bit easier, rather than having to scroll through 408 messages all at one time.
Any questions on the GrayKey acquisition stuff?
Julie: I think for right now we’re good. And if there are any that come in, we can ask at the end.
Justin: Okay. I think that covers it. Ashley, did you have anything that you wanted to add as well?
Ashley: Just a couple of notes. When we are in the report view for case data and you were in the preview, if you wanted to go back to where you’re setting up the report, Justin, real quick – I did want to note that we don’t load in all of the items into preview view, just so that it doesn’t take too long to make that preview view come up. And then, if you are exporting lots and lots of files, if you choose to have all of the options on, and there is quite a bit of data in your case, we will break it up into folders when we export to the disk, but it can take a little while.
The other piece I’m not sure if we covered is if there are multiple evidence files in your case – on the case data options, we can choose to just report off of selected ones. So, this one only has one device in it, but there is an option down below, where you can choose to select. Maybe if we had had the previous case with like Racer and a Windows volume and a mobile phone, you could choose to report only all the data on just the mobile device, for instance. Maybe you didn’t want to do all the messages from the desktops but you did want to do all the messages from all the mobile devices in your case. So, that is where that wheel comes into play.
And then, I did have a question that came in that I wanted to answer regarding search. So, there are abilities to search within some of the document formats that we have. There’s not any HTML report, kind of like an indexed type search. So, if you were to do a [docker PDF], you could obviously search across that. But there’s no specific search button within the HTML report.
Looking at the questions, there was a question on GrayKey asking what information is in the partial file system dump from GrayKey. I think that refers to the backup. That’s going to be similar to what you would get with the iTunes backup, but as Justin mentioned, there are additional files, like email. For interest in GrayShift and their product GrayKey, or specific questions about what they require though, I would definitely point you over to the GrayShift site. They have more detail on that.
I think those are some of the high-level questions that I got in here. I’m just looking and seeing if there’s any other items that we wanted to cover.
I think those are the big ones. There are a few questions that we will cover after, that were outside of what we talked about today, and those I will respond to, and as I mentioned, we will put together the blog post on how to do some of the file deduping, as well as there was a question I saw about how to remove system files. I did want to note that on our website, when you’re doing your software downloads for BlackLight, you’ll now see that the hash libraries are separate. We’ve made the download smaller, so if you don’t use those, you don’t need to download them, but it will allow us to be able to pull those and update them whenever we get new OS for Mac and Windows, known system files, so that you can actually remove those from your view as well. That is one request that we’ve gotten a couple of times, for a short video on, is how to do the hashing removing known hashes, so we can cover that.
I did just see another question come in, about integration with Project Vic. Yes, we do integrate with Project Vic. I think we have a blog post on that, if you go back in the history, on showing how that works.
But I think that covers all the main ones, Julie. Thank you so much for moderating, and Justin, for doing the presentation. I know there’s lots of feedback that they really appreciated, all the content that we covered.
Justin: Awesome. Well, again, I want to thank everybody for joining us. I know everybody’s busy with investigations. There’s a lot of questions that people do have. We do still offer the BlackLight tools class, two-day class. If you haven’t been to one, come out, we’ll walk you through some more stuff with regards to snapshots, report manipulation, things like that. My number is the [good] number there, (408) 710-7350. Feel free to contact me if you’ve got questions. You can always reach out to me via email as well, at [email protected][email protected].
But no – thank you so much for joining us, and hopefully, this gives you some insight in being able to use it in some of your upcoming investigations. Julie, do you have anything to add to that?
Julie: Yeah, just wanted to say thank you, Justin, for walking us through ‘How to Streamline Your Investigations with the Latest Features of BlackLight’. And thank you to everyone who joined us. We had a great turnout. And please make sure you follow us on Twitter, Facebook, YouTube, LinkedIn. And subscribe to our blog, we post a lot of awesome content each day on there, and weekly on the blog. So, make sure you follow along. And feel free to reach out to Justine, or, if you have any other general questions about content, you can reach out to [[email protected]][email protected][/url] and I’ll be happy to answer any questions. And feel free to keep the questions coming. We’ll be answering them, and Justin can help with that as well. So, thank you, Justin, and thank you, Ashley, for jumping in when we needed some extra assistance.
Julie: Awesome. Well, thank you, again, everyone. Have a wonderful day.