Blacklight 10.2

BlackLight 10.2 Release Notes

October 30, 2020

Thank you for using BlackBag Technologies products. The Release Notes for this version include important information about new features and improvements made to BlackLight. In addition, this document contains known limitations, supported versions, and updated system requirements. While this information is complete at time of release, it is subject to change without notice and is provided for informational purposes only.

Summary

To enhance our forensic analysis tool, BlackLight 10.2 includes these new or improved features.

• Timeline
• Optical character recognition
• Tagging improvements
• Ingest additional Cellebrite mobile extractions
• A first look at Activity Correlation for Windows

Features

Timeline

The new Timeline view lets you access more information from one place. It responds quickly, even with many items in a case file, and it is cleaner and easier to navigate than the previous version. Timeline view allows you to easily focus on all activity during a time period you specify. You can see and sort by all timestamps for each artifact in the Timeline view. You can also see the file path, so you can easily view the file in the File Browser view and investigate further. You can tag items in the Timeline view just as you would in other views within BlackLight.

Optical Character Recognition

This release introduces the ability to process image (picture) based files for text. Optical character recognition (OCR) converts text detected in the image into plain text which can be indexed and then searched. This process is limited to these image types: .pdf, .tiff, .bmp, .png, .jpg, and .gif

You can run OCR processing in three ways.

1. During ingestion, by selecting Process OCR Image Text.
2. On specific supported file types, by selecting Extract OCR Image Text in the right click menu.
3. From the Evidence Status view, by selecting the OCR process for evidence items.

Tagging Improvements

While tagging looks the same, there is a new queuing system to allow a larger number of tags to be handled. If many thousands of pictures are tagged within Cellebrite BlackLight, the user interface will no longer be blocked and unavailable. The tagging process continues in the background while other work can be accomplished in the case. If you add more tags, they are added to the tagging queue.

Activity Correlation

While it is possible to follow a chain of events through the different views of BlackLight, it has not always been easy to see correlated activities. The new Correlation view makes it easy to see the story of an entity's activity. You can now easily see, filter, and pivot on all correlated events, whether they were done by a user or by the system. There are three types of entities: System, User, and Device. These entities are listed in the left column of the Correlation view and can be enabled or disabled depending on the investigators' preference. The number of correlated events is shown in parentheses after each entity's name. You can run the Correlation engine during initial ingestion or afterward by selecting Correlation from the Evidence Status view.

Image Analyzer Category Additions

Two new categories have been added to the Image Analyzer engine, Chat and Vehicles. Chat detects mobile screenshots of messenger applications such as Facebook Messenger, Viber, WhatsApp, Skype, Telegram, and other chat-based applications. Vehicles detects images containing cars (all types, such as sedans, SUVs, pickups, etc.), trucks, motorbikes, and buses.

Additional Features

We've updated our support for new features in the Apple Notes database. For mobile device acquisitions, Cellebrite BlackLight now supports UFED (segmented .zip) versions as well as Premium Cellebrite Advanced Investigative Services .dar formats.

Known Limitations

Storing Case Files on SMB Share

For macOS users storing BlackLight case files on an SMB share, there will be errors from both Postgres and the Elastic server. To fix this, create a .sparseimage file on the SMB share and store the case file in the sparse image.

Use of ExFAT for storage media is NOT recommended

Due to issues with the Apple file system driver, use of exFAT formatted storage media may cause serious performance issues when using BlackLight. We highly recommend that you DO NOT use exFAT for storage of your case or image files on macOS. Instead, you should use NTFS, HFS Plus, or APFS for storage.

iOS 13 encrypted acquisitions require updated macOS or Windows

Users will need to run BlackLight on macOS 10.14 or Windows to acquire iOS 13 encrypted devices.

Optical Character Recognition Limitations on OSX 10.15.x

OCR Support for .tiff, .bmp, .png, .jpg, and .gif is available on both Windows and Mac operating systems. OCR Support for PDF is available on Windows and Mac OSX 10.15.x.

Resolved Issues

BL-17063 Improved ability to export to folder paths with trailing whitespaces
BL-16991 Improved parsing of NTFS to resolve entries that were previously duplicated
BL-16925 BlackLight now displays the updated map tiles in reports with GPS location data
BL-16843 Improved parsing from unallocated areas of machines with the T2 chip
BL-16813 Interface now properly refreshes after adjusting the middle pane
BL-16077 Improved progress indication when parsing mail
BL-15005 Timestamps are properly displayed on certain systems where they were missing

System Requirements

OPERATING SYSTEM SPECIFICATION
• Mac OS X 10.12.6 or newer*‡
• Windows® 10 1809 or newer
• Windows® Server 2016 or newer
• BlackLight runs on Intel® based systems only

COMPATIBILITY
BlackLight requires the following additional software:
• iTunes 12.6 or higher
• QuickTime 7.6.9 or higher for Mac
• Windows Media Player 12 for Windows

MINIMUM REQUIREMENTS
• Mac OS X 10.12.6 or Windows 10 1809
• 2.7 GHz Intel Dual Core i7
• 16 GB DDR3
• 5GB of Disk Space (Installation)
• 25GB of Disk Space (Temp Space)
• 1024 x 768 or higher screen resolution

OPTIMUM REQUIREMENTS
• macOS Mojave 10.14.6 or Windows 10
• Intel Xeon E5, 6-Core, or better
• 32 GB DDR3 or higher
• 5GB of Disk Space (Installation)
• 25GB of Disk Space (Temp Space)
• 1680 x 1050 or higher screen resolution

‡ We recommend strongly against using macOS versions .0 and .1 in all cases, for example (10.13.0 or 10.13.1)

**For Windows systems, BlackLight uses whatever the default app may be for playing media files. Windows Media Player 12 is recommended. If Windows examiners do not have QuickTime installed and they wish to play certain file types such as .AMR files (voicemail, etc.) they will need to install some non-default codecs, following the instructions found here: http://shark007.net/win8codecs.html. For information about downloading iTunes and QuickTime, visit http://www.apple.com/quicktime/download/

Software Downloads

The BlackLight® macOS installer is delivered as a package file (.pkg) while the Windows installer is delivered as a setup executable (.exe). In addition to the BlackLight installers, operating system hash sets and memory symbols will need to be installed in order for BlackLight to take advantage of those. All installers can be found on the software downloads page within the Cellebrite Community: https://community.cellebrite.com/.

Supported Devices

iOS
• iPhone 3G and newer with iOS 4.0 or later
• All iPads with iOS 4.0 or later
• iPod Touch 2G and newer with iOS 4.0 or later

Android
• Devices running Android 4.0.4 or later
• Devices manufactured by Samsung, Motorola, HTC, LG, and Google Nexus

Note: Additional devices running Android 4.0 or later may function properly if the appropriate USB driver for Windows OS is installed

Support

If you need support, we are here to help.
Please use our support features at https://community.cellebrite.com/s/support to submit your request for support and someone from our technical support will respond.

Special Thanks

We would like to thank these users for providing valuable suggestions and feedback allowing us to continue to make improvements and updates to BlackLight.

Tony M., Brandon K., Tim T., Dhiraj G., Matt M., Michael Y., Anders B.