Using BlackLight in Investigations


 BlackLight

BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and now even includes analysis of memory images. BlackLight allows for easy searching, filtering and otherwise sifting through large data sets. It can logically acquire Android and iPhone/iPad devices, runs on Windows and Mac OS X, and can analyze data from all four major platforms within one interface. It’s simply the best option available for smart, comprehensive analysis.  

 


 

Mass Shooting: Columbia, Maryland Mall Shooting


On January 25, 2014, at approximately 11:14 am, 19-year-old Darion Aguilar exited a dressing room at the Zumiez store armed with a shotgun and began shooting at The Mall in Columbia located in the Baltimore, Maryland suburbs. Before ultimately killing himself, he killed two young victims and injured five other innocent people. 

In the days following the incident, the digital forensic analysis of the shooter’s Apple iPhone, computer, and iPhone backups played a pivotal role in the investigation. The digital forensic analysis was performed with the assistance of BlackBag’s BlackLight software. The investigation revealed a timeline of events leading up to the shooting and uncovered details about the shooter’s research, planning, and mental state. It was also the digital forensic investigation that led police to discover the shooter’s Tumblr blog and the last post he made with his iPhone moments before shooting his first victim.

Dave Proulx, Director of Digital Forensics at IntelliGenesis LLC, was the lead Digital Forensic Examiner Detective on the case. “The process of not only extracting SQLite databases in a forensically sound way, but then separately analyzing each using a third-party tool, is an extremely exhausting process,” explains former Detective Dave Proulx. “If you’re relying solely on the parsed information supported by the tool, you’re potentially missing key information and evidence of the unsupported apps,” Proulx added.

Using BlackLight, Mr. Proulx located and analyzed application data that even today would fall into the category of the thousands of unsupported apps that are not parsed by any tool. Using the SQLite viewer and query features built into BlackLight, Detective Proulx determined that the shooter used apps on his iPhone to plot his journey to the Columbia Mall, mixing public and private transportation.

“In an age where a smartphone can have 60 or more DB (database) files, the ability to analyze and query these databases without using third-party software or running scripts is, unfortunately, a rare find. It’s still hard to find these features (since Jan. 2014) in some of the more popular forensic and eDiscovery products,” former Detective Proulx explained.

Forensic software companies are always in a race to create data parsing for hundreds of the most common applications. The ability not only to validate the parsed data but also to analyze unsupported application files has been an unsung feature of the BlackLight software for several years.

BlackLight is also a great tool for identifying apps and other online services possibly not known to the investigation. Usernames and profile IDs are right there in the plists and databases of many mobile apps, such as Snapchat, WhatsApp, Facebook, Twitter, Dropbox, and even Tumblr.

“Searching the ‘Application Tab’ in BlackLight is part of my initial workflow when performing smartphone forensics. I want to find as many accounts and IDs used as possible to not only gain insight into apps being used but to provide investigators the information needed to begin any legal processes of getting data from the host service providers,” former Detective Proulx told us.

In December of 2013 (the month before the shooting), the shooter’s iPhone received the first iOS release that introduced the iCloud backup option. Previously, this feature was only available on iTunes. Detective Proulx explained that it was extremely beneficial to be able to use BlackLight to analyze an iCloud backup that had been created the night before the shooting. Combining the iPhone acquisition and backups from the cloud and his laptop, BlackLight assisted in building the timeline which ultimately pieced together months of the shooter's online activities and research.

In the Columbia Mall shooting, like so many other cases, BlackBag’s BlackLight software helped Howard County Police in Maryland provide closure for the community and the families of the victims: 21-year-old Brianna Benlolo and 25-year-old Tyler Johnson.

For more information about BlackLight, please contact a member of the BlackBag Sales Team
