• slide
  • slide
  • slide
  • slide


BlackBag Technologies, Inc. provides digital forensic solutions to investigators, examiners, and corporate citizens around the world. Our forensics software is used by hundreds of Federal, State, and Local law enforcement agencies in conducting digital investigations and cyber security incident response. Our classroom and online training compliment our software by teaching forensic best practices and providing a comprehensive technical curriculum to support our customers' casework. For our law enforcement customers, we also offer forensic services including expert witness consulting and digital forensic analysis.


  • BlackLight

    BlackBag’s flagship software product, BlackLight, is a full forensic analysis tool, specifically designed to aid LE investigations by parsing and analyzing a wide range of evidentiary devices including systems running Mac, Windows, and iOS (iPhone/iPad/iPod Touch). BlackLight sets itself apart from the competition with a comprehensive yet intuitive user experience, allowing examiners to quickly and easily find all of the data they need.

  • MacQuisition

    MacQuisition is the ultimate dongle-based imaging and acquisition tool for Mac OS X devices, capable of both collecting targeted data and capturing full forensic images. Because MacQuisition is the only tool of its kind on the market that runs off of a native Mac OS X boot environment, it is the only tool of its kind that supports all Intel-based Mac hardware and all Apple proprietary CoreStorage volumes including FileVault2 and Fusion. It is the only Mac imaging and acquisition tool that needs to be in a forensic professional’s arsenal.

  • SoftBlock

    SoftBlock allows forensic analysts to quickly mount and write-protect devices by blocking data transfer to evidentiary devices at the kernel level, thereby helping to maintain a forensically sound examination.

On-Demand Webinars

Insights Blog

How to Collect Data with MacQuisition Live

So, you’ve downloaded MacQuisition Live, let’s take a look at some ways you can use it. Read More...

Ask the Expert: Analyzing Data From iCloud File Sharing

Apple’s iCloud Drive is a valuable means of storing data in the cloud and making it accessible to all your iCloud connected devices.  However, users were unable to share data directly from their iCloud Drive to other users; that is until recently. With the release of macOS10.15.4 and iOS13.4, users can now select files and folders within their iCloud Drive and share them directly with other users. Read More...

New MacQuisition Software Only License

As more employees are required to work from home, we’ve heard from our customers that they need the ability to remotely collect data from Mac systems without having to send MacQuisition hardware to someone’s home. In order to help our customers in this unique time, BlackBag is making a new software only option available to MacQuisition customers for a limited time. Read More...

Exploring the Windows Activity Timeline, Part 2: Synching Across Devices

The Timeline is a Windows 10 facility for tracking many types of user activity so that it can remind the user what they’ve been up to, and let them simply click a UI tile to resume one of those previous activities, e.g., open a browser up to a webpage the user previously visited. Read More...

Exploring the Windows Activity Timeline, Part 1: The High Points

The system configuration that affects the Timeline is complex, but the data is generally stored for the past 30 days, more if you leverage Volume Shadow Copies (VSCs) and backups. Also, depending on configuration, the Timeline on one machine can store this same information about a user’s actions on other machines! Some of the data can even come from other devices that run OSs other than Windows (for instance, Android and macOS). Needless to say, a lot going on here. Read More...

Apple’s (Not Quite) Secure Notes

While I was researching the Apple Notes application on macOS and iOS, I came across peculiar scenarios where “secure” notes were partially and temporarily unsecure. This provides forensic analysts the opportunity to peek into these notes to potentially gather more information about the contents of them, which can potentially benefit your investigations. These examples are from macOS 10.15.3 and iOS 13.3. Read More...

Triaging with MacQuisition

Today’s investigations often involve multiple machines and devices.  It can be time consuming to image and process several computers, external hard drives, and other media when there is no guarantee data of relevance will be located on these devices.  Imaging multiple macOS computers and external media devices that may or may not contain data relevant to an investigation can waste time, storage space, and other resources.  MacQuisition triage capabilities provide access to a new methodology that can decrease the number of devices you need to acquire while increasing your overall efficiency. Read More...

Analyzing Program Execution Windows Artifacts

As Windows has evolved over time several artifacts have appeared that can highlight when programs or applications were executed, and which user executed them. Read More...

BlackLight – Ingestion of Cellebrite Mobile Extractions

With the recent news of BlackBag joining Cellebrite, it seems like the appropriate time to share what we can already do together! Specifically, how to ingest Cellebrite acquisitions into BlackLight. With our latest BlackLight release, BlackBag added additional Cellebrite formats that can be added directly to BlackLight. Our goal is to have Blacklight fully support all Cellebrite extraction types in a future release. In this post, we wanted to share some additional steps you may need to support additional formats and make it as easy as possible until all file formats are fully supported. Read More...



GSA Schedule 70

Dec 20, 2011- Dec 19, 2021


May 01, 2015- Apr 30, 2025


Mar 03, 2015- Aug 10, 2020
*Additional Option Years Available

State and Local


Aug 28, 2012- Mar 31, 2022

City of Seattle Contract

Jul 11, 2014- Dec 19, 2021

Department of General Services PA - Symantec

May 01, 2009- Dec 19, 2021

Fairfax County IT Hardware, Software, & Services

Oct 04, 2015- Dec 04, 2021
*Additional Option Years Available

Oklahoma DIR Contract # SW1056B

Jun 28, 2017- Jun 28, 2021
*Additional Option Years Available

Orange County National IPA Co-Op

Jun 01, 2015- May 31, 2021

State of Indiana Contract

Aug 01, 2017- Jul 31, 2021

State of New Mexico Contract

Aug 01, 2017- Aug 01, 2021

Texas DIR-TSO-3926

Jun 28, 2017- Jun 28, 2021
*Additional Option Years Available


Massachusetts Higher Education Consortium (MHEC)

Aug 10, 2019- Jun 30, 2022


May 02, 2014- Dec 19, 2021



Aug 31, 2020- Aug 30, 2025
*Additional Option Years Available



HTCIA Silicon Valley

May 12-14, 2020 | Santa Clara, CA


July 16-17, 2020 | Austin, TX

DoDIIS Worldwide Conference

August 2-5, 2020 | Phoenix, AZ

Forensic Europe Expo

September 8-10, 2020 | Excel, London

PFIC (Paraben)

October 7-8, 2020 | Park City, UT

DataExpert - Digital Experience Netherlands

October 7-8, 2020 | Utrecht, Netherlands

Bsides NOLA

October 24, 2020 | New Orleans, LA

Ontario Provincial Strategy Multidisciplinary Training Workshop

October 25-29, 2020 | Niagara Falls/Toronto, Ontario, Canada

Techno Security & Digital Forensics Conference - Denver

October 26-28, 2020 | Denver, CO


Latest News

BlackBag Technologies, a Cellebrite company, announces new live, instructor-led virtual training to give examiners of all levels the opportunity to experience a comprehensive, in-depth curriculum. We ...
Cellebrite Acquires BlackBag Technologies and soidifies its position as the global leader in Integrated Digital Intelligence Solutions. The acquisition adds a key building block to Cellebrite’s ...
BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. We’ve also enhanced ...
BlackBag Technologies announces a new partnership with the leader in encrypted electronic evidence discovery and decryption, Passware. BlackBag Technologies, an industry leader in forensic acquisition ...
The features BlackBag has incorporated into BlackLight 2019 R2 provide law enforcement agencies with AI based image recognition technology to assist with child abuse investigations
BlackLight 2019 R2 is now available! This release is packed full of powerful features customers have requested and need to complete investigations quickly and efficiently.
BlackBag Technologies announces a new partnership with industry-leading vehicle forensics company, Berla.
BlackBag reaffirms its commitment to Windows forensics with a specialized Windows investigative course.
BlackBag Technologies announces a new partnership with Semantics 21, a digital forensics software company specializing in reviewing, analyzing and grading images and videos.
BlackBag Technologies is proud to announce the release of the first and only solution to produce a decrypted physical image of the latest Mac systems utilizing the Apple T2 chip in MacQuisition 2019 ...
BlackLight 2019 R1 is officially released with several important updates, improvements and new features that BlackBag is excited for customers to take on their next case.
BlackBag Technologies is proud to announce the first and only solution to produce a decrypted physical image of Apple’s latest Mac systems utilizing the T2 chip.
BlackBag’s premier computer forensics tool, BlackLight, will now filter images for threat categories through a partnership with the most trusted provider of offensive pictures and video recognition ...



With the release of BlackLight 2020 R1, BlackBag expanded the macOS artifacts processed. By user request, features were added to process: AirDrop artifacts, built-in iCloud productions, additional data in macOS about Recent Items, and mac OS user account information.

Starting with macOS 10.12 Apple changed to a new Unified Log format. Rather than relying on one file to track the logged information, the new Unified Logs track information in a number of files, across new directories. See tips on adding unified logs gathered live here.

Check out our latest blog to see the new artifacts BlackLight parses in action.

Case Study

Jordanian Family Protection Department Catch Child Pornography Suspect

Proving the User Had Knowledge of and Manipulated the Files

Officers Use Mobilyze for Immediate Data Collection

Protecting the Informant

On-scene Acquisition of iPhone for Homicide Investigation

BlackLight Used to Analyze SQLite Databases

Trained Detectives Access Android Data