Overview
BlackBag Technologies, Inc. provides digital forensic solutions to investigators, examiners, and corporate citizens around the world. Our forensics software is used by hundreds of Federal, State, and Local law enforcement agencies in conducting digital investigations and cyber security incident response. Our classroom and online training compliment our software by teaching forensic best practices and providing a comprehensive technical curriculum to support our customers' casework. For our law enforcement customers, we also offer forensic services including expert witness consulting and digital forensic analysis.
Products
-
BlackLight
BlackBag’s flagship software product, BlackLight, is a full forensic analysis tool, specifically designed to aid LE investigations by parsing and analyzing a wide range of evidentiary devices including systems running Mac, Windows, and iOS (iPhone/iPad/iPod Touch). BlackLight sets itself apart from the competition with a comprehensive yet intuitive user experience, allowing examiners to quickly and easily find all of the data they need.
-
MacQuisition
MacQuisition is the ultimate dongle-based imaging and acquisition tool for Mac OS X devices, capable of both collecting targeted data and capturing full forensic images. Because MacQuisition is the only tool of its kind on the market that runs off of a native Mac OS X boot environment, it is the only tool of its kind that supports all Intel-based Mac hardware and all Apple proprietary CoreStorage volumes including FileVault2 and Fusion. It is the only Mac imaging and acquisition tool that needs to be in a forensic professional’s arsenal.
-
SoftBlock
SoftBlock allows forensic analysts to quickly mount and write-protect devices by blocking data transfer to evidentiary devices at the kernel level, thereby helping to maintain a forensically sound examination.
On-Demand Webinars
On-Demand Webinars
Take it or Leave it: Triaging Digital Evidence with MacQuisition
A Deep Dive into Keychain and Spotlight Artifacts: Ask the BlackBag Experts
New Triage Capabilities in BlackLight
Whodunit: Identifying Suspects Through Digital Evidence
Windows 10 Activity Timeline: An Investigator's Gold Mine
What's New in BlackLight 2019 R2
Physical Decrypted Images from Macs with the T2 Chip
Timesaving Forensic Techniques
BlackLight and APOLLO: How to Use Apple Pattern-of-Life Data in Your Investigations
Insights Blog
How to Collect Data with MacQuisition Live
So, you’ve downloaded MacQuisition Live, let’s take a look at some ways you can use it. Read More...
Ask the Expert: Analyzing Data From iCloud File Sharing
Apple’s iCloud Drive is a valuable means of storing data in the cloud and making it accessible to all your iCloud connected devices. However, users were unable to share data directly from their iCloud Drive to other users; that is until recently. With the release of macOS10.15.4 and iOS13.4, users can now select files and folders within their iCloud Drive and share them directly with other users. Read More...
New MacQuisition Software Only License
As more employees are required to work from home, we’ve heard from our customers that they need the ability to remotely collect data from Mac systems without having to send MacQuisition hardware to someone’s home. In order to help our customers in this unique time, BlackBag is making a new software only option available to MacQuisition customers for a limited time. Read More...
Exploring the Windows Activity Timeline, Part 2: Synching Across Devices
The Timeline is a Windows 10 facility for tracking many types of user activity so that it can remind the user what they’ve been up to, and let them simply click a UI tile to resume one of those previous activities, e.g., open a browser up to a webpage the user previously visited. Read More...
Exploring the Windows Activity Timeline, Part 1: The High Points
The system configuration that affects the Timeline is complex, but the data is generally stored for the past 30 days, more if you leverage Volume Shadow Copies (VSCs) and backups. Also, depending on configuration, the Timeline on one machine can store this same information about a user’s actions on other machines! Some of the data can even come from other devices that run OSs other than Windows (for instance, Android and macOS). Needless to say, a lot going on here. Read More...
Apple’s (Not Quite) Secure Notes
While I was researching the Apple Notes application on macOS and iOS, I came across peculiar scenarios where “secure” notes were partially and temporarily unsecure. This provides forensic analysts the opportunity to peek into these notes to potentially gather more information about the contents of them, which can potentially benefit your investigations. These examples are from macOS 10.15.3 and iOS 13.3. Read More...
Triaging with MacQuisition
Today’s investigations often involve multiple machines and devices. It can be time consuming to image and process several computers, external hard drives, and other media when there is no guarantee data of relevance will be located on these devices. Imaging multiple macOS computers and external media devices that may or may not contain data relevant to an investigation can waste time, storage space, and other resources. MacQuisition triage capabilities provide access to a new methodology that can decrease the number of devices you need to acquire while increasing your overall efficiency. Read More...
Analyzing Program Execution Windows Artifacts
As Windows has evolved over time several artifacts have appeared that can highlight when programs or applications were executed, and which user executed them. Read More...
BlackLight – Ingestion of Cellebrite Mobile Extractions
With the recent news of BlackBag joining Cellebrite, it seems like the appropriate time to share what we can already do together! Specifically, how to ingest Cellebrite acquisitions into BlackLight. With our latest BlackLight release, BlackBag added additional Cellebrite formats that can be added directly to BlackLight. Our goal is to have Blacklight fully support all Cellebrite extraction types in a future release. In this post, we wanted to share some additional steps you may need to support additional formats and make it as easy as possible until all file formats are fully supported. Read More...
Contracts
Federal
GSA Schedule 70
GS-35F-0119YDec 20, 2011- Dec 19, 2016
SEWP V
NNG15SC03B/NNG15SC27BMay 01, 2015- Apr 30, 2020
State and Local
CMAS
3-12-70-2247EAug 28, 2012- Dec 19, 2016
City of Seattle Contract
0000003265Jul 11, 2014- Dec 19, 2016
Department of General Services PA - Symantec
4400004253May 01, 2009- Jun 17, 2017
Fairfax County IT Hardware, Software, & Services
4400006323Oct 04, 2015- Oct 04, 2020
Oklahoma DIR Contract # SW1056B
SW1056BJun 28, 2017- Jun 28, 2019
Orange County National IPA Co-Op
MA-017-16010236Jun 01, 2015- May 31, 2018
State of Indiana Contract
0000000000000000000021430Aug 01, 2017- Jul 31, 2019
State of New Mexico Contract
80-000-18-00002Aug 01, 2017- Aug 01, 2021
Texas DIR-TSO-3926
DIR-TSO-3926Jun 28, 2017- Jun 28, 2019
Education
Massachusetts Higher Education Consortium (MHEC)
MC15-04Aug 10, 2019- Jun 30, 2022
*Additional Option Years Available
VASCUPP
UVA1482501May 02, 2014- Dec 19, 2016
Events
Events
HTCIA Silicon Valley
May 12-14, 2020 | Santa Clara, CA
SANS DFIR SummitJuly 16-17, 2020 | Austin, TX
August 2-5, 2020 | Phoenix, AZ
September 8-10, 2020 | Excel, London
October 7-8, 2020 | Park City, UT
October 7-8, 2020 | Utrecht, Netherlands
October 24, 2020 | New Orleans, LA
October 25-29, 2020 | Niagara Falls/Toronto, Ontario, Canada
October 26-28, 2020 | Denver, CO
News
Latest News
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
READ MORE >
Resources
Blog
Case Study