• slide
  • slide
  • slide
  • slide

Overview

BlackBag Technologies, Inc. provides digital forensic solutions to investigators, examiners, and corporate citizens around the world. Our forensics software is used by hundreds of Federal, State, and Local law enforcement agencies in conducting digital investigations and cyber security incident response. Our classroom and online training compliment our software by teaching forensic best practices and providing a comprehensive technical curriculum to support our customers' casework. For our law enforcement customers, we also offer forensic services including expert witness consulting and digital forensic analysis.

Products

  • BlackLight

    BlackBag’s flagship software product, BlackLight, is a full forensic analysis tool, specifically designed to aid LE investigations by parsing and analyzing a wide range of evidentiary devices including systems running Mac, Windows, and iOS (iPhone/iPad/iPod Touch). BlackLight sets itself apart from the competition with a comprehensive yet intuitive user experience, allowing examiners to quickly and easily find all of the data they need.

  • MacQuisition

    MacQuisition is the ultimate dongle-based imaging and acquisition tool for Mac OS X devices, capable of both collecting targeted data and capturing full forensic images. Because MacQuisition is the only tool of its kind on the market that runs off of a native Mac OS X boot environment, it is the only tool of its kind that supports all Intel-based Mac hardware and all Apple proprietary CoreStorage volumes including FileVault2 and Fusion. It is the only Mac imaging and acquisition tool that needs to be in a forensic professional’s arsenal.

  • SoftBlock

    SoftBlock allows forensic analysts to quickly mount and write-protect devices by blocking data transfer to evidentiary devices at the kernel level, thereby helping to maintain a forensically sound examination.

On-Demand Webinars

Insights Blog

How to Collect Data with MacQuisition Live

So, you’ve downloaded MacQuisition Live, let’s take a look at some ways you can use it. Read More...

Ask the Expert: Analyzing Data From iCloud File Sharing

Apple’s iCloud Drive is a valuable means of storing data in the cloud and making it accessible to all your iCloud connected devices.  However, users were unable to share data directly from their iCloud Drive to other users; that is until recently. With the release of macOS10.15.4 and iOS13.4, users can now select files and folders within their iCloud Drive and share them directly with other users. Read More...

New MacQuisition Software Only License

As more employees are required to work from home, we’ve heard from our customers that they need the ability to remotely collect data from Mac systems without having to send MacQuisition hardware to someone’s home. In order to help our customers in this unique time, BlackBag is making a new software only option available to MacQuisition customers for a limited time. Read More...

Exploring the Windows Activity Timeline, Part 2: Synching Across Devices

The Timeline is a Windows 10 facility for tracking many types of user activity so that it can remind the user what they’ve been up to, and let them simply click a UI tile to resume one of those previous activities, e.g., open a browser up to a webpage the user previously visited. Read More...

Exploring the Windows Activity Timeline, Part 1: The High Points

The system configuration that affects the Timeline is complex, but the data is generally stored for the past 30 days, more if you leverage Volume Shadow Copies (VSCs) and backups. Also, depending on configuration, the Timeline on one machine can store this same information about a user’s actions on other machines! Some of the data can even come from other devices that run OSs other than Windows (for instance, Android and macOS). Needless to say, a lot going on here. Read More...

Apple’s (Not Quite) Secure Notes

While I was researching the Apple Notes application on macOS and iOS, I came across peculiar scenarios where “secure” notes were partially and temporarily unsecure. This provides forensic analysts the opportunity to peek into these notes to potentially gather more information about the contents of them, which can potentially benefit your investigations. These examples are from macOS 10.15.3 and iOS 13.3. Read More...

Triaging with MacQuisition

Today’s investigations often involve multiple machines and devices.  It can be time consuming to image and process several computers, external hard drives, and other media when there is no guarantee data of relevance will be located on these devices.  Imaging multiple macOS computers and external media devices that may or may not contain data relevant to an investigation can waste time, storage space, and other resources.  MacQuisition triage capabilities provide access to a new methodology that can decrease the number of devices you need to acquire while increasing your overall efficiency. Read More...

Analyzing Program Execution Windows Artifacts

As Windows has evolved over time several artifacts have appeared that can highlight when programs or applications were executed, and which user executed them. Read More...

BlackLight – Ingestion of Cellebrite Mobile Extractions

With the recent news of BlackBag joining Cellebrite, it seems like the appropriate time to share what we can already do together! Specifically, how to ingest Cellebrite acquisitions into BlackLight. With our latest BlackLight release, BlackBag added additional Cellebrite formats that can be added directly to BlackLight. Our goal is to have Blacklight fully support all Cellebrite extraction types in a future release. In this post, we wanted to share some additional steps you may need to support additional formats and make it as easy as possible until all file formats are fully supported. Read More...

Contracts

GSA Schedule Contracts

GSA Schedule 70

GSA Schedule 70 GSA Schedule No. GS-35F-0119Y Term: December 20, 2011- December 19, 2021


SEWP Contracts

SEWP V

Contract Number: Group A Small: NNG15SC03B Group D Other Than Small: NNG15SC27B Term: May 1, 2015 - May 1, 2025


State & Local Contracts

City of Seattle Contract

Contract #0000003265 Term: December 19, 2021

CMAS

Contract # CMAS 3-12-70-2247E Term: through March 31, 2022

Fairfax County IT Hardware, Software, & Services

Virginia- Fairfax County CONTRACT EXPIRATION: October 4, 2020 (with 5 option years)

National Intergovernmental Purchasing Alliance (National IPA - TCPN)

Term: through November 30, 2021

Orange County National IPA Co-Op

Through May 31, 2020 (with 2 option years)

VASCUPP

Contract Number: UVA1482501 Term: May 2, 2014– December 19, 2021


Events

Events


HTCIA Silicon Valley

May 12-14, 2020 | Santa Clara, CA

SANS DFIR Summit

July 16-17, 2020 | Austin, TX

DoDIIS Worldwide Conference

August 2-5, 2020 | Phoenix, AZ

Forensic Europe Expo

September 8-10, 2020 | Excel, London

PFIC (Paraben)

October 7-8, 2020 | Park City, UT

DataExpert - Digital Experience Netherlands

October 7-8, 2020 | Utrecht, Netherlands

Bsides NOLA

October 24, 2020 | New Orleans, LA

Ontario Provincial Strategy Multidisciplinary Training Workshop

October 25-29, 2020 | Niagara Falls/Toronto, Ontario, Canada

Techno Security & Digital Forensics Conference - Denver

October 26-28, 2020 | Denver, CO

News

Latest News

BlackBag Technologies, a Cellebrite company, announces new live, instructor-led virtual training to give examiners of all levels the opportunity to experience a comprehensive, in-depth curriculum. We ...
READ MORE >
Cellebrite Acquires BlackBag Technologies and soidifies its position as the global leader in Integrated Digital Intelligence Solutions. The acquisition adds a key building block to Cellebrite’s ...
READ MORE >
BlackLight 2019 R3 is released! This release includes new integrations and updates to allow BlackLight to work seamlessly with other tools essential to your forensic toolkit. We’ve also enhanced ...
READ MORE >
BlackBag Technologies announces a new partnership with the leader in encrypted electronic evidence discovery and decryption, Passware. BlackBag Technologies, an industry leader in forensic acquisition ...
READ MORE >
The features BlackBag has incorporated into BlackLight 2019 R2 provide law enforcement agencies with AI based image recognition technology to assist with child abuse investigations
READ MORE >
BlackLight 2019 R2 is now available! This release is packed full of powerful features customers have requested and need to complete investigations quickly and efficiently.
READ MORE >
BlackBag Technologies announces a new partnership with industry-leading vehicle forensics company, Berla.
READ MORE >
BlackBag reaffirms its commitment to Windows forensics with a specialized Windows investigative course.
READ MORE >
BlackBag Technologies announces a new partnership with Semantics 21, a digital forensics software company specializing in reviewing, analyzing and grading images and videos.
READ MORE >
BlackBag Technologies is proud to announce the release of the first and only solution to produce a decrypted physical image of the latest Mac systems utilizing the Apple T2 chip in MacQuisition 2019 ...
READ MORE >
BlackLight 2019 R1 is officially released with several important updates, improvements and new features that BlackBag is excited for customers to take on their next case.
READ MORE >
BlackBag Technologies is proud to announce the first and only solution to produce a decrypted physical image of Apple’s latest Mac systems utilizing the T2 chip.
READ MORE >
BlackBag’s premier computer forensics tool, BlackLight, will now filter images for threat categories through a partnership with the most trusted provider of offensive pictures and video recognition ...
READ MORE >

Resources

Blog

With the release of BlackLight 2020 R1, BlackBag expanded the macOS artifacts processed. By user request, features were added to process: AirDrop artifacts, built-in iCloud productions, additional data in macOS about Recent Items, and mac OS user account information.

Starting with macOS 10.12 Apple changed to a new Unified Log format. Rather than relying on one file to track the logged information, the new Unified Logs track information in a number of files, across new directories. See tips on adding unified logs gathered live here.

Check out our latest blog to see the new artifacts BlackLight parses in action.

Case Study

Jordanian Family Protection Department Catch Child Pornography Suspect

Proving the User Had Knowledge of and Manipulated the Files

Officers Use Mobilyze for Immediate Data Collection

Protecting the Informant

On-scene Acquisition of iPhone for Homicide Investigation

BlackLight Used to Analyze SQLite Databases

Trained Detectives Access Android Data