BlackBox collections are securely configured and then triggered by the data custodian. Below we provide detail about the process of using BlackBox for data collections – or you can watch it in action.
Before BlackBox can be activated, you must purchase tokens from blackboxforensics.com.
Activate Your Drive
Once BlackBox tokens are purchased on blackboxforensics.com, any NTFS-formatted external hard drive can be activated and configured to run BlackBox. Your external hard drive is activated when tokens, one per collection, are added to your BlackBox drive. This is done with the following steps:
Press the Ctrl key at the bottom of the keyboard, which will launch the login screen shown below. Use your blackboxforensics.com account login information here.
Once logged in, the status screen of the device will be shown:
From this screen, BlackBox can be configured for a data collection if at least one token is available, or additional tokens can be added, if available, from your blackboxforensics.com account.
To transfer tokens to your collection drive, click the Transfer button, which will open the transfer tokens screen, similar to the image below.
Once your BlackBox drive has been activated with tokens, click the Configure button on the status screen.
This is the main configuration screen. Here you will pick what you want copied from the custodian’s hard drive. You can copy the whole disk, a logical drive or a subset of files based on folders, file types and file dates.
Note: The configuration filename must match the email that the custodian types in when they launch the collection on their end.
Once the drive is configured, it is ready to be sent to the custodian for data collection.
Custodian: Running BlackBox
When the custodian receives the configuration file on a licensed BlackBox device, they are ready to begin the collection. When they launch BlackBox, the custodian will start with the same screen:
The custodian, however, will hit the “Start BlackBox” button, and the collection will begin.
They will then be prompted to enter some information. Note: The email entered must match the configuration filename.
When the collection is completed, a chain of custody will be created for the custodian to print off.
Finally, the custodian packs up the drive and ships it back.
The captured data is automatically encrypted, and an audit log is generated. The audit log tracks everything done during the collection, as well as key information, such as the person logged in running the collection and the model/serial number of the source drive.