Rounding out our Platinum sponsorships: BlackBag Technologies, the Mac forensics experts, who are bringing three labs to Indian Wells. Between Monday and Tuesday, BlackBag CTO Derrick Donnelly and forensic analyst Don Brister will present “Mac Triage, and How to Image Without Losing Your Nuts,” “Everything that You Need to Know about iOS Forensics, but Forgot to Ask,” and a demo of the latest MacQuisition™, as well as the upcoming BlackLight™ version which is slated for release shortly after our conference.
iPhone and iPad forensics
In their vendor-agnostic training, Donnelly and Brister will focus on where to find information on iOS devices. “There’s a lot of misinformation about iOS devices,” says Drew Fahey, BlackBag VP of Product Development. “So we’ll cover how the iOS came to be and where it’s going, how and where data is located on the devices, how to get to it and how to extract and analyze it.”
Imaging, encryption and key files and databases will be covered, along with changes from version to version of the iOS – including the tracking information that was available up to version 4.3.3 (Fahey says this is still widely available as evidence on devices that have not yet been updated).
Deleted SQLite records will also be covered. “The number one request from examiners we hear from is the need for both saved and deleted SMS and MMS,” says Fahey. “We take that a step further, and show them how to recover other deleted information, such as voicemail and contact data.”
Fahey says a soon-to-be-released version of BlackBag’s MacQuisition™ software will include triage functionality, including the ability to make both “live” (memory) and “dead” acquisitions. This tool – and the lab – reflect the growing user base for Macs, a market share that has grown from only 5 percent to 15 percent (for desktops alone) in just a few years, thanks largely to the popularity of iOS devices. Together with iOS devices, the market share is closer to 40 percent, Fahey says.
More users, of course, means more suspects using Macs. “I’ve heard from examiners who see a Mac per week, and sometimes per day, in labs where they never saw them before,” says Fahey. And because the operating system is virtually the same across Mac desktops, laptops and mobile devices, he adds, dividing attention between “computer forensics” and “mobile forensics” can be a problem for labs seeking economies of scale.
As such, Fahey says the conference lab will also cover the importance of analyzing a Mac on a Mac. “You can miss a lot when you analyze Mac data in Windows, regardless of the product you’re using,” he explains.
Mac and iOS forensic analysis with BlackLight™
The latest version of BlackLight™, BlackBag’s forensic analysis software, will be released shortly after HTCIA, but this session will offer examiners a preview of what’s coming.
In particular, the new version will offer completely revamped tagging, reporting and data export functionality, a response to popular demand. “Examiners have been asking for more flexibility in identifying, tagging and exporting files, metadata or even parts of files,” says Fahey. “The new version of BlackLight™ will let them do that and much more. We are very aware of the fact that examiners use multiple products across multiple platforms for large investigations. This new functionality in BlackLight™ is specifically designed to offer them the flexibility needed to quickly mesh their BlackLight™ findings with other data and in other reports.”
Seeing more Macs and/or iOS devices in your investigations? Spaces are going fast in the BlackBag labs, so register today to get the chance to sign up!