As we discussed in our last post, BlackBox is a remote forensic data collection tool. BlackBox collections are securely configured by the legal team and then triggered by the data custodian on-site. This post provides a more in-depth look at how the collection process works with BlackBox.
Decide what to Collect
A BlackBox license is purchased from an authorized Partner for each device to be collected. BlackBox runs on any NTFS-formatted external storage drive using Microsoft Windows® operating systems. After purchase, the BlackBox license is ready for configuration. During configuration, you decide what you are going to collect. You can capture the whole disk or selected ESI file types based on a date range or relevant groupings such as business documents, e-mails, pictures or video. BlackBox’s simple interface, shown below, gives you the flexibility to create a collection customized to your needs.
Provide the BlackBox-enabled storage device to the data custodian. The custodian plugs the drive into their machine and hits the Start button.
The captured data is automatically encrypted, and an audit log is generated. Once the collection is complete, BlackBox generates a chain of custody pre-filled with specifications of the device collected. All that is left for the custodian to do is sign the chain of custody and return it along with BlackBox to the legal team for review.