using BlackLight in investigations
BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and now even includes analysis of memory images. BlackLight allows for easy searching, filtering and otherwise sifting through large data sets. It can logically acquire Android and iPhone/iPad devices, runs on Windows and Mac OS X, and can analyze data from all four major platforms within one interface. It’s simply the best option available for smart, comprehensive analysis.
Locating Investigative Leads
How to Gain Quick Access to Relevant Data
On the evening of April 1, 2014, officers and detectives from a California law enforcement agency respond to a grisly murder scene. In a quiet neighborhood, a nursing program professor at the local community college, was found brutally stabbed to death in the home she shared with her husband, a physician in a nearby county. The 74-year old female victim was also part of a research team that was a recipient of a Nobel Prize.
Earlier in the day, officers were at the residence responding to a 911 call. A 68-year old neighbor, friendly with the victim and her husband, called 911 at the urging of the victim. The 911 caller reported an extremely threatening confrontation between the victim and her son. The responding officers were familiar with the son from previous 911 calls at the residence. The son was known to make verbal threats of bodily injury, as well as cause physical injury to both the victim and her husband in the past.
The residence was searched detectives seized the following digital evidence: two MacBook Pro’s, one iPad, one iPhone, an HP laptop, and several USB drives. On-scene interview conducted by detectives led them to believe the son was responsible for the victim’s death.
An interview of the neighbor and 911 caller was conducted at 10:00 pm at the agency’s office. During the interview, neighbor revealed he was a retired journalist living on a limited income. Detectives then asked for permission to acquire the data on his phone, for purposes of documenting 911 calls and the call logs and messages between him and his neighbors. The neighbor consented and the acquisition was started as he was interviewed. After approximately two hours, the interview was completed. Unfortunately, the acquisition of the phone was not complete but had to be stopped because the neighbor needed to leave. The acquisition tool did not save any of the data acquired since the collection did not complete.
The following morning, the detective in charge of the investigation felt there was an immediate need to triage the digital media seized. With limited digital forensic capabilities within the investigating agency, the supervising detective contacted the assigned Deputy District Attorney regarding the possibility of having the county crime lab expedite the triaging of the seized devices. This was met with resistance due to the county crime lab’s backlog of cases. The county crime lab provided a time frame of “several” months before they would be able to analyze the seized digital evidence.
Due to the reputation of their analyst and instructor staff, BlackBag technologies was contacted and an agreement was made to allow BlackBag Technologies’ Forensic Analyst and Instructors (FAI’s) access to the devices for triaging and acquisition. At the request of the supervising detective, two BlackBag Technologies’ FAI’s arrived at the agency to assist the assigned digital examiner with triage and acquisition. MacQuisition was used to acquire the two MacBook Pros. BlackLight was used to triage these acquired images. BlackLight was also used to acquire the iOS devices, the iPad and iPhone.
The initial triaging of the iPad in BlackLight revealed data in the Pages application that alluded to two “IOU” payments of $80,000 from the victim’s husband to the neighbor. Investigation of the neighbor’s finances revealed the neighbor was near penniless. This prompted the question why would a financially secure physician borrow $160,000 from a retired journalist living on a fixed income? This finding during the triaging stage, as well as additional information gathered about the neighbor, indicated the neighbor was now the main suspect. This new information negated the on-scene interviews that son was responsible for the crime.
The neighbor was asked to return to the agency’s office to clarify his previous statements. During the second interview, he again consented to the acquisition of his phone. This acquisition showed the phone had been wiped of all data. A search warrant was then executed at the neighbor’s residence. Six computers and 19 mobile devices were seized, none of them yielded and additional information.
Analyzing the digital devices at the onset changed the direction of the investigation. The critical data steered the investigators to the true perpetrators of the crime. Having MacQuisition and BlackLight to acquire and triage the devices, including the iOS devices, was vital to a speedy resolution. MacQuisition and BlackLight were used in this case by trained examiners to efficiently acquire and analyze the digital data, provide investigative leads, and solve the crime. The immediate triage digital evidence implicated the responsible persons of interest and exonerated the innocent.
Case Study at a Glance:
- Initial on-scene interviews implicated the son of the victim was responsible for the crime.
- The ability to quickly acquire and triage digital devices quickly changed the direction of the investigation.
- The iPad in BlackLight revealed data that alluded to two “IOU” payments of $80,000 from the victim’s husband to the neighbor.
- Quick access to investigative leads on the digital devices altered the course of the investigation to find the person responsible for the crime.
Features: Triaging iOS devices with Blacklight and acquiring macOS devices with MacQuisition.
Problem Solved: Timely triaging and analysis provided quick Investigative Leads Generation
Solution Provided: Triage and acquisition of digital devices locating investigative leads
Overall Results: Effective investigative leads exonerated the initial person of interest and steered detectives to the persons responsible for the crime.
"The immediate triage digital evidence implicated the responsible persons of interest and exonerated the innocent."
For more information about BlackLight, please contact a member of the BlackBag Sales Team.