最新版 BlackLight 2020 R1 更新於 2020/4/20
最新版 MacQuisition 2020 R1 更新於 2020/2/20
最新版 Mobilyze 2019 R1 更新於 2019/5/15
BLACKLIGHT
BlackLight 可以快速分析電腦儲存區和移動設備。它揭示了用戶的行為,現在甚至包括對內存圖像的分析。BlackLight允許輕鬆搜索,過濾和篩選大型數據集。它可以在邏輯上獲得Android和iPhone / iPad設備,在Windows和Mac OS X上運行,並且可以在一個界面內分析來自所有四個主要平台的數據。它只是智能,全面分析的最佳選擇。
特色
ACTIONABLE INTEL
EASILY UNCOVER USER ACTIONS
BlackLight’s Actionable Intel view allows examiners to view various data points that can be attributed to a user's actions. Traces of potentially important user activity from many disparate locations are organized for practical, efficient examination. Elements include:
- Windows Registry artifacts - recently executed files and programs, link files, jumplists, Prefetch and Superfetch data
- Device connection data for all devices previously connected to the system, including USB device connection dates/times and the associated user account
- iOS device backups
- Recent file downloads
- Trash (for Mac OS X volumes) and Recycle Bin (for Windows volumes)
- Current and deleted user account info
MEMORY
ANALYZE WINDOWS MEMORY FILES
- Analyzes several types of memory files, including raw dumps, Hibernation files (Windows Vista to Windows 10), pagefile.sys, and crash dumps (full, from Windows Vista or 7)
- Performs file carving and bulk extraction content searches (for numerous items such as URLs, addresses, phone numbers, etc.)
- Features a Memory subview for analyzing processes, libraries, sockets, handles, and drivers
- Processes memory files many times faster than traditional open-source forensic tools
FILE FILTER VIEW
EFFICIENTLY SIFT THROUGH LARGE DATA SETS
BlackLight's signature File Filter view includes examiner-defined filter options to quickly pinpoint relevant data within large data sets. Filter criteria include:
- File name, kind, size, or extension
- Date created, modified, or accessed
- Picture metadata attributes, including GPS coordinates and camera (iPhone/iPad device) type
- Positive and negative hash set filtering
Examiners may apply any number of filters or inverse filters to quickly isolate important data from system files or base application files. BlackLight comes with several pre-set file filters, including those that filter by file type, file attribute, geolocation coordinates, and source device type.
MEDIA
FIND THE PICTURE AND VIDEO EVIDENCE YOU NEED
BlackLight's Media view has built-in support for all commonly used picture and video file types, and it includes several helpful and examiner-oriented analysis features, such as:
- Built-in GPS Mapping:
- All media files containing GPS data will be identified with a placemark badge
- Examiners can view media geolocation data on a Mercator map (offline) or using Google Maps (online) directly from the built-in GPS view
- Proprietary Skin Tone Analysis Algorithm:
- Sort picture and video files by the skin tone percentage contained in the file
- Video Frame Analysis:
- BlackLight initially displays video files as 4x4 frame sequences, allowing examiners to quickly triage multiple video files in order to locate potential evidence
COMMUNICATIONS
RECOVER EVERY MESSAGE FROM THE MOST COMMON SOURCE
The Communication view in BlackLight allows examiners to see a full log of calls, voicemail, social media activity, and more. Most importantly, examiners can view messaging threads in list view or in their native format, with support for data from:
- Text Services (SMS/MMS, iMessage)
- Messaging Apps (Skype, Kik, TextPlus, TextFree, Tango)
- Social Media (Facebook, Twitter, LinkedIn, Foursquare/Swarm)
REPORTING
CUSTOMIZE YOUR REPORT
BlackLight is designed to make reporting incredibly flexible. Examiners may export large data sets in an easily readable format, and can export reports in a variety of formats to enable easy information sharing with all interested third parties. With BlackLight's Report view, you can:
- Easily tag evidence and include any and all relevant metadata in the examiner report
- Export your report in your choice of formats, including .pdf, .html, .docx, and .txt
- Export eDiscovery data to a generic Concordance load file that is compatible with all major review platforms
- Mask (blur) sensitive data contained within examiner reports that may be shared with non-authorized third parties
更新介紹
To enhance our forensic analysis tool, BlackLight 2020 R1 includes:
• Apple Keychain Processing
• Processing iCloud Productions obtained via search warrants from Apple
• Additional processing of Spotlight Artifacts
• Updated Recent Items parsing for macOS In Actionable Intel
• Parsing AirDrop Artifacts
• Updates to information parsed for macOS systems in Extended Information
• Added support for log file parsing from logical evidence files or folders
• Support added for Volexity Surge Memory images
• Email loading process improved for faster load times
• Support added for extended attributes in logical evidence files
• Newly parsed items added to Smart Index (Keychain, Spotlight, and AirDrop)
系統需求
| OPERATING SYSTEM SPECIFICATION | Mac OS Sierra (10.12.6) or newer / Windows 10 or newer |
| COMPATIBILITY | BlackLight runs on Intel® based systems only |
| BlackLight requires the following additional software: | |
| • iTunes 12.6 or higher | |
| • QuickTime 7.6.9 or higher for Mac, and Windows Media Player 12 for Windows | |
| MINIMUM REQUIREMENTS |
• macOS Sierra (10.12.6) or newer |
| • Windows 10 or newer | |
| • Windows Server 2016 or newer | |
| • 2.7 GHz Intel Core i7 | |
| • 16 GB DDR3 | |
| • 1024 x 768 or higher screen resolution | |
| • 5GB of Disk Space (installation only) and 25 GB (Temp Space) | |
| OPTIMUM REQUIREMENTS |
• macOS Mojave (10.14.6) or Windows 10 |
| • 3.1 GHz 6-Core Intel Xeon E5 or better | |
| • 32 GB DDR3 or higher | |
| • 1680 x 1050 or higher screen resolution | |
| • 5GB of Disk Space (installation only) and 25 GB (Temp Space) |
*Note: For Windows systems, BlackLight uses whatever the default app may be for playing media files. Windows Media Player 12 is recommended. If Windows examiners do not have QuickTime installed and they wish to play certain file types such as .AMR files (voicemail, etc.) they will need to install some non-default codecs, following the instructions found here: http://shark007.net/win8codecs.html
We strongly recommend against using macOS versions .0 and .1, for example 10.15.0 or 10.15.1.
iOS
- iPhone 3G and newer with iOS 4.0 or later
- All iPads with iOS 4.0 or later
- iPod Touch 2G and newer with iOS 4.0 or later
Android
- Using Windows OS – Devices running Android 4.0.4 or later
- Using macOS – Devices running Android 5.0 or later
- Devices manufactured by: Samsung, Motorola, HTC, LG, Google Nexus
- Note: Additional devices running Android 4.0 or later may function properly if the appropriate USB driver for Windows OS is installed.
MOBILYZE
全球擁有超過40億個智能設備,移動數位數據現在已成為每項調查的一部分。立即獲得這種法醫證據至關重要。Mobilyze允許調查人員獲取,查看和保存任何iOS或Android設備上的數據。
特色
OVERVIEW
MAKE INVESTIGATIONS EASIER
With the dynamic acquisition capabilities of Mobilyze, investigators can instantly examine data and quickly decide which evidence requires further forensic investigation.
Mobilyze is perfect for investigators with minimal digital forensics experience:
- Support for Apple's mobile devices with iOS 12.0
- Ability to set timezone display
- Improved support for Android group message on Samsung devices
- Mobilyze is now a 64-bit application
- User-friendly, with minimal training required to use Mobilyze in the field
- Simply plug the iOS or Android device into the system’s USB port running Mobilyze, and immediately start acquiring data
- Perform logical acquisitions, allowing investigators to acquire a full or limited data collection in real time
- Discover evidence quickly through an easy-to-use integrated interface
- Examine data through various categories, filters, searches and views
- Securely preserve all relevant user data in a forensically sound manner
Mobilyze significantly reduces an investigators’ dependency on specialized investigators or high tech units. For more comprehensive analysis, Mobilyze cases seamlessly import into Blacklight, without the need to perform another data collection.
ACQUISITION
CHOOSE COLLECTION OPTIONS AND QUICKLY ACQUIRE DATA
- View data in real time during the device acquisition
- Unplug the device at any time, preserving all acquired data
- Get an immediate snapshot of key user info from the device
- Select the order in which third party application data is collected
- Even with a locked iPhone/iPad, the model number, device name and iOS software version are displayed
TRIAGE
LOCATE EVIDENCE OF INTEREST IN CLEAR, ORGANIZED VIEWS
- Easily navigate between views (Communications, Media, Locations, Apps, Internet and Productivity)
- View all messages (SMS, WhatsApp, etc.) in a native format or an indexed list
- Filter any data set by keyword and/or date/time
- View files with geolocation data alongside the built-in Google Maps GPS pane
REPORTING
CUSTOMIZE YOUR REPORT
- Identify and tag collected data, even while it is still being acquired
- Tailor the elegant report to either include all data, or just tagged evidence
- Quickly export to HTML or PDF
- Click the image to the left to view a full sample HTML Report!
系統需求
| OPERATING SYSTEM SPECIFICATION | Mac OS X Yosemite (10.10) or higher / Windows 7 or higher |
| COMPATIBILITY | Mobilyze runs on Intel® based systems only |
| Mobilyze requires the following additional software: | |
| • iTunes 12.6 or higher | |
| • QuickTime 7.6.9 or higher for Mac, and Windows Media Player 12 for Windows | |
| MINIMUM REQUIREMENTS | • Mac OS X Yosemite (10.10) or Windows 7 (64 bit) |
| • 2.6 GHz Intel Dual Core i5 | |
| • 8 GB 1067 MHz DDR3 | |
| • 25GB of Disk Space | |
| • 1024 x 768 or higher screen resolution | |
| OPTIMUM REQUIREMENTS | • Mac OS X macOS Sierra (10.12.5) or Windows 10 (64 bit) |
| • 3.1 GHz 6-Core Intel Xeon E5 or better | |
| • 16 GB 1866 MHz DDR3 | |
| • 25GB of Disk Space | |
| • 1680 x 1050 or higher screen resolution |
*Note: For Windows systems, Mobilyze uses whatever the default app may be for playing media files. Windows Media Player 12 is recommended. If Windows examiners do not have QuickTime installed and they wish to play certain file types such as .AMR files (voicemail, etc.) they will need to install some non-default codecs
IOS
- iPhone 3G and newer with iOS 5.0 to 12, including iPhone models - XS, XS Max and XR
- All iPads with iOS 5.0 to 12
- iPod Touch 2G and newer with iOS 5.0 to 12
ANDROID
- Devices running Android 4.0.4 to 8.0 (without encryption)
- Devices manufactured by: Samsung, Motorola, HTC, LG, Google Nexus
- Note*: Additional devices running Android 4.0 or later may function properly if the appropriate USB driver for Windows OS is installed
MACQUISITION™
MacQuisition是一款功能強大的三合一解決方案,適用於即時數據採集,目標數據採集和取證成像。MacQuisition經驗豐富的審查員經過十多年的測試和使用,可在Mac OS X操作系統上運行,安全地啟動並從原生環境中的185多種不同的Macintosh電腦模型中獲取數據 - 甚至是Fusion Drives。當你有MacQuisition時,不需要復雜的拆分。
特色
TARGETED DATA COLLECTION
SELECTIVELY ACQUIRE
- 目標和取證獲取文件,文件夾和用戶目錄,同時避免已知的系統文件和其他不需要的數據
- 通過維護與原始文件的關聯來保留有價值的元數據
- 使用任何或所有MD5,SHA-1或SHA-256哈希函數對收集的數據進行身份驗證
- 在整個收集過程中徹底記錄數據採集和源設備屬性
- 有選擇地以每用戶,每卷為基礎獲取電子郵件,聊天,地址簿,日曆和其他數據
LIVE DATA ACQUISITION
COLLECT FROM LIVE SYSTEMS
- 實時捕獲重要的實時數據,如Internet,聊天和多媒體文件
- 合理地獲取並將易失性隨機存取存儲器(RAM)內容保存到目標設備
- 從26種獨特的系統數據收集選項中進行選擇,包括活動系統進程,當前系統狀態和打印隊列狀態
- 在整個收集過程中廣泛記錄實時數據採集信息
FORENSIC IMAGING
CREATE FORENSIC IMAGES
- MacQuisition可自動識別Fusion Drive中的組合音量並將其呈現用於成像
- 如果FileVault 2存在,審查員可以使用密碼,Keychain文件或恢復密鑰,以只讀方式安裝卷,允許分類或收集文件
- 使用源計算機自己的系統通過從MacQuisition USB加密狗啟動來創建取證圖像
- 寫保護源設備,同時保持對目標設備的讀寫訪問
系統需求
MacQuisition is a unique forensic imaging and acquisition tool capable of booting hundreds of Mac OS X systems, as well as acquiring live targeted data. MacQuisition is the trusted forensic solution that runs within a native OS X boot environment.
Below is the range of Mac systems supported by the newest version of MacQuisition, followed by instructions for examiners in need of a solution for older Mac hardware. For Mac models with a USB-C port, we advise using an Apple USB-C adapter. Other third party USB-C accessories may not be compatible.
*Note: Not all recent systems have been fully tested. The compatibility table represents the full list of systems that MacQuisition is built to support. If you have any issues with system compatibility
| Type | Earliest Compatible System* | Most Recent Compatible System |
| iMac | iMac (Late 2012) | iMac (2019) |
| Model Identifier: iMac13,1 / 13,2 | Model Identifiers: iMac19,1 / 19,2 | |
| iMac Pro | iMac Pro (Late 2017) | iMac Pro (Late 2017) |
| Model Identifier: iMacPro1,1† | Model Identifier: iMacPro1,1† | |
| Mac mini | Mac mini (Late 2012) | Mac mini (Late 2018) |
| Model Identifier: Macmini6,1 / 6,2 | Model Identifiers: Macmini8,1 | |
| Mac Pro | Mac Pro (Late 2013) | Mac Pro (2019) |
| Model Identifier: MacPro6,1 | Model Identifier: MacPro7,1 | |
| MacBook | MacBook (Early 2015) | MacBook (Mid 2017) |
| Model Identifier: MacBook8,1 | Model Identifier: MacBook10,1 | |
| MacBook Air | MacBook Air (Mid 2012) | MacBook Air (2019) |
| Model Identifier: MacBookAir5,1 / 5,2 | Model Identifiers: MacBookAir8,2 | |
| MacBook Pro | MacBook Pro (Mid 2012) | MacBook Pro (2019) |
| Model Identifier: MacBookPro9,1 / 9,2 | Model Identifiers: MacBookPro16,1 |
* Certain older models that are not supported by the MacQuisition 2020 R1 partition may be bootable by other MacQuisition boot partitions. Having trouble identifying a Mac OS X system? We recommend the MacTracker App, available for free at the App Store.
† T2 chip default encryption may be present.
LEGACY MACS
Trouble booting older Mac systems? Within each MacQuisition dongle, there is a legacy version of the software that can boot Intel-based Mac systems that predate the compatibility table above. For even older systems, including those running OS 9 (Classic), all MacQuisition customers have access to an ISO boot disk. ISO downloads are available within MacQuisition customers' individual account pages on BlackBag's website. Please contact [email protected] with any questions regarding current compatibility or use of the ISO boot disk.
SOFTBLOCK
SoftBlock™是一種基於軟體的取證寫入阻止工具。SoftBlock可快速識別新連接的硬體設備,並根據用戶偏好使用只讀或讀寫權限安裝設備。該取證軟體旨在滿足大型數位取證實驗室和個人法醫從業者的需求。SoftBlock允許取證審查員在導入數據之前快速安全地預覽證據設備上包含的數據。SoftBlock可以在法醫檢查員的分析機器上運行; 不需要額外的昂貴或笨重的硬體。
Note: The current version of SoftBlock (1.1.0) is compatible with OS X 10.9.5 - 10.13.3. SoftBlock 1.0.7 is compatible with OS X 10.7.x - 10.10.x. If you are running a version of OS X that is older than 10.7, you will need SoftBlock 1.0.5.
特色
SUPPORT FOR MAC OS X
SoftBlock runs on OS X 10.9.5 - 10.13.3.
SCALABILITY
SoftBlock handles as many hardware devices as a forensic analysis machine allows.
MOBILITY
Avoid purchasing expensive write-blocking hardware. SoftBlock blocks data transfer at the kernel-level.
DEVICE MANAGEMENT
A true time-saver. Quickly and safely mount and preview multiple external devices.
SEAMLESS WORKFLOW INTEGRATION
SoftBlock features an intuitive user interface. Once installed, SoftBlock runs in the background and is available for use on demand.
ADDITIONAL INFORMATION
| OPERATING SYSTEM SPECIFICATION | Mac OS X |
| COMPATIBILITY | Ver 1.1.0 Supports Mavericks (from 10.9.5), Yosemite (10.10.x), El Capitan (through 10.11.5), and Sierra (through 10.12.0) |
| Ver 1.0.7 Supports Lion (10.7.x), Mountain Lion (10.8.x), Mavericks (10.9.x), and Yosemite (10.10.x) | |
| Ver 1.0.5 Supports Snow Leopard (10.6.x), Lion (10.7.x), and Mountain Lion (10.8.x) | |
| Ver 1.0.4 Supports Leopard (10.5.X) and Snow Leopard (10.6.X) | |
| MINIMUM REQUIREMENTS | 2GB RAM |
| 25 MB Install space | |
| OPTIMUM REQUIREMENTS | No |