BlackLight 10.2
Release Notes October 30, 2020
Thank you for using BlackBag Technologies products.
The Release Notes for this version include important information about new features and improvements made to BlackLight. In addition, this document contains known limitations, supported versions, and updated system requirements. While this information is complete at time of release, it is subject to change without notice and is provided for informational purposes only.
Summary
To enhance our forensic analysis tool, BlackLight 10.2 includes these new or improved features.
• Timeline • Optical character recognition • Tagging improvements • Ingest additional Cellebrite mobile extractions • A first look at Activity Correlation for Windows
Features Timeline
The new Timeline view lets you access more information from one place. It responds quickly, even with many items in a case file, and it is cleaner and easier to navigate than the previous version. Timeline view allows you to easily focus on all activity during a time period you specify. You can see and sort by all timestamps for each artifact in the Timeline view. You can also see the file path, so you can easily view the file in the File Browser view and investigate further. You can tag items in the Timeline view just as you would in other views within BlackLight.
Optical Character Recognition
This release introduces the ability to process image (picture) based files for text. Optical character recognition (OCR) converts text detected in the image into plain text which can be indexed and then searched. This process is limited to these image types.
.pdf, .tiff, .bmp, .png, .jpg, and .gif
You can run OCR processing in three ways.
1. During ingestion, by selecting Process OCR Image Text. 2. On specific supported file types, by the selecting Extract OCR Image Text in the right click menu. 3. From the Evidence Status view, by selecting the OCR process for evidence items.
Tagging Improvements
While tagging looks the same, there is a new queuing system to allow a larger number of tags to be handled. If many thousands of pictures are tagged within Cellebrite BlackLight, the user interface will no longer be blocked and unavailable. The tagging process continues in the background while other work can be accomplished in the case. If you add more tags, they are added to the tagging queue.
Activity Correlation
While it is possible to follow a chain of events through the different views of BlackLight, it has not always been easy to see correlated activities. The new Correlation view makes it easy to see the story of an entity's activity. You can now easily see, filter, and pivot on all correlated events, whether they were done by a user or by the system. There are three types of entities: System, User, and Device. These entities are listed in the left column of the Correlation view and can be enabled or disabled depending on the investigators' preference. The number of correlated events is shown in parenthesis after each entity's name.
You can run the Correlation engine during initial ingestion or afterward by selecting Correlation from the Evidence Status view.
Imager Analyzer Category Additions
Two new categories have been added to the Image Analyzer engine, Chat and Vehicles. Chat detects mobile screenshots of messenger applications such as Facebook Messenger, Viber, WhatsApp, Skype, Telegram, and other chat-based applications. Vehicles detects images containing cars (all types, such as sedans, SUVs, pickups, etc.), trucks, motorbikes, and buses.
Additional Features
We’ve updated our support for new features in the Apple Notes database.
For mobile device acquisitions, Cellebrite BlackLight now supports UFED (segmented .zip) versions as well as Premium Cellebrite Advanced Investigative Services .dar formats.
Known Limitations Storing Case Files on SMB Share
For macOS users storing BlackLight case files on an SMB share, there will be errors from both Postgres and the Elastic server. To fix this, create a .sparseimage file on the SMB share and store the case file in the sparse image.
Use of ExFAT for storage media is NOT recommended
Due to issues with the Apple file system driver, use of exFAT formatted storage media may cause serious performance issues when using BlackLight. We highly recommend that you DO NOT use exFAT for storage of your case or image files on macOS. Instead, you should use of NTFS, HFS Plus, or APFS for storage. iOS 13 encrypted acquisitions require updated macOS or Windows
Users will need to run BlackLight on macOS 10.14 or Windows to acquire iOS 13 encrypted devices. Optical Character Recognition Limitations on OSX 10.15.x
OCR Support for .tiff, .bmp, .png, .jpg, and .gif is available on both Windows and Mac operating systems. OCR Support for PDF is available on Windows and Mac OSX 10.15.x
Resolved Issues
BL-17063 Improved ability to export to folder paths with trailing whitespaces BL-16991 Improved parsing of NTFS to resolve entries that were previously duplicated BL-16925 BlackLight now displays the updated map tiles in reports with GPS location data BL-16843 Improved parsing from unallocated areas of machines with the T2 chip BL-16813 Interface now properly refreshes after adjusting the middle pane BL-16077 Improved progress indication when parsing mail BL-15005 Timestamps are properly displayed on certain systems where they were missing
System Requirements
Mac OS X 10.12.6 or newer*‡
OPERATING SYSTEM SPECIFICATION Windows® 10 1809 or newer Windows® Server 2016 or newer
BlackLight runs on Intel® based systems only BlackLight requires the following COMPATIBILITY additional software: • iTunes 12.6 or higher • QuickTime 7.6.9 or higher for Mac • Windows Media Player 12 for Windows
• Mac OS X 10.12.6 or Windows 10 1809 • 2.7 GHz Intel Dual Core i7 • 16 GB DDR3 MINIMUM REQUIREMENTS • 5GB of Disk Space (Installation) • 25GB of Disk Space (Temp Space) • 1024 x 768 or higher screen resolution
• macOS Mojave 10.14.6 or Windows 10 • Intel Xeon E5, 6-Core, or better • 32 GB DDR3 or higher OPTIMUM REQUIREMENTS • 5GB of Disk Space (Installation) • 25GB of Disk Space (Temp Space) • 1680 x 1050 or higher screen resolution
‡ We recommend strongly against using macOS versions .0 and .1 in all cases, for example (10.13.0 or 10.13.1) **For Windows systems, BlackLight uses whatever the default app may be for playing media files. Windows Media Player 12 is recommended. If Windows examiners do not have QuickTime installed and they wish to play certain file types such as .AMR files (voicemail, etc.) they will need to install some non-default codecs, following the instructions found here: http://shark007.net/win8codecs.html.
For information about downloading iTunes and QuickTime, visit http://www.apple.com/quicktime/download/
Software Downloads
The BlackLight® macOS installer is delivered as a package file (.pkg) while the Windows installer is delivered as a setup executable (.exe).
In addition to the BlackLight installers, operating system hash sets, and memory symbols will need to be installed in order for BlackLight to take advantage of those. All installers can be found on the software downloads page within the Cellebrite Community: https://community.cellebrite.com/.
Supported Devices iOS
• iPhone 3G and newer with iOS 4.0 or later • All iPads with iOS 4.0 or later • iPod Touch 2G and newer with iOS 4.0 or later
Android
• Devices running Android 4.0.4 or later • Devices manufactured by Samsung, Motorola, HTC, LG, and Google Nexus
Note: Additional devices running Android 4.0 or later may function properly if the appropriate USB driver for Windows OS is installed
Support
If you need support, we are here to help.
Please use our support features at https://community.cellebrite.com/s/support to submit your request for support and someone for our technical support will respond.
Special Thanks
We would like to thank these users for providing valuable suggestions and feedback allowing us to continue to make improvements and updates to BlackLight. Tony M., Brandon K., Tim T., Dhiraj G., Matt M., Michael Y., Anders B.