What Is BlackBox?

BlackBox is a remote forensic data collection tool that addresses the age-old problem in eDiscovery: data custodians who are hell-bent on self-collection to save money and/or time, but still need a defensible collection/preservation. BlackBox allows custodians to self-collect while maintaining defensible and secure forensic standards. BlackBox also lends itself well to data preservation and incident response matters.

 

 

How Does BlackBox Work?

BlackBox collections are securely configured and then triggered by the data custodian. Below we provide detail about the process of using BlackBox for data collections – or you can watch it in action.


Purchase Tokens
Before BlackBox can be activated, you must purchase tokens from blackboxforensics.com.

Activate Your Drive
Once BlackBox tokens are purchased on blackboxforensics.com, any NTFS-formatted external hard drive can be activated and configured to run BlackBox.  Your external hard drive is activated when tokens, one per collection, are added to your BlackBox drive.  This is done with the following steps:

Start BlackBox:

Press the Ctrl key at the bottom of the keyboard, which will launch the login screen shown below.  Use your blackboxforensics.com account login information here.

Once logged in, the status screen of the device will be shown:

From this screen, BlackBox can be configured for a data collection if at least one token is available, or additional tokens can be added, if available, from your blackboxforensics.com account.

To transfer tokens to your collection drive, click the Transfer button, which will open the transfer tokens screen, similar to the image below.


Configuring BlackBox
Once your BlackBox drive has been activated with tokens, from the status screen, click on the Configure button.


This is the main configuration screen. Here you will pick what you want copied from the custodian’s hard drive. You can copy the whole disk, a logical drive or a subset of files based on folders, file types and file dates.

Note: The configuration filename must match the email that the custodian types in when they launch the collection on their end.

Once the drive is configured, it is ready to be sent to the custodian for data collection.


Custodian: Running BlackBox
When the custodian receives the configuration file on a licensed BlackBox device, they are ready to begin the collection. When they launch BlackBox, the custodian will start with the same screen:

But the custodian will hit the “Start BlackBox” button and the collection will begin.

They will then be prompted to enter some information. Note: The email entered must match the configuration filename.

When the collection is completed, a chain of custody will be created for the custodian to print off.

Finally, the custodian packs up the drive and ships it back.


Don’t Worry
The captured data is automatically encrypted, and an audit log is generated. The audit log tracks everything done during the collection, as well as key information, such as the person logged in running the collection and the model/serial number of the source drive.

Is Remote Collection Defensible?

Remote data collection tools allow legal teams to maintain control over the collections without requiring them to be physically present for the collection. Despite the many advantages of employing remote collection tools, some remain skeptical about the overall defensibility of remote collection. As with any new technology, people want to know why they should place their trust in a new way of doing things. This post will outline three key features of remote collection tools that ensure defensibility.

1. Encrypted Collection Settings
After the legal team determines the collection parameters required for the matter at hand, the configuration of the data to be collected is locked down by encryption. Encrypting the collection settings prevents the custodian from changing what the legal team wishes to collect. In summary, this feature ensures that the custodian cannot tamper with the collection settings determined by the legal team, allowing the legal team to maintain control.

 

2. Audit Logs
Audit logs document EVERY action performed by the custodian from the beginning of the remote collection to the end, including any errors during the collection. In addition, the audit log includes the information about the system being used to perform the collection, including the user logged into the system that triggered the collection as well as the make, model and serial number of the hard disk. Tamper-resistant methods, utilizing hashing algorithms and encryption, detect efforts to manipulate the data after the collection is completed.
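The general technique behind a tamper-evident audit log can be shown with a hash-chained, HMAC-sealed log; this is an added example, not BlackBox's own code or log format. The key, the event strings and the idea of recording the final MAC on the chain of custody are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # "previous MAC" for the first entry
KEY = b"constructed-demo-key"           # assumption: held by the legal team only


def _mac(key, seq, event, prev):
    payload = json.dumps({"seq": seq, "event": event, "prev": prev},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, event):
    """Append an event whose MAC also covers the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "event": event, "prev": prev,
                "mac": _mac(key, seq, event, prev)})


def first_bad_entry(log, key, head=None):
    """Return None if intact, else the index where verification fails.

    `head` is the final MAC recorded out of band (for instance on the
    printed chain of custody); without it, removal of trailing entries
    cannot be detected. A head mismatch is reported as len(log).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _mac(key, i, e.get("event"), prev)
        if (e.get("seq") != i or e.get("prev") != prev
                or not hmac.compare_digest(expected, str(e.get("mac")))):
            return i
        prev = e["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)
    return None


def sample_log(key=KEY):
    """Constructed sample events; all values are placeholders."""
    log = []
    for event in ("collection started by user=EXAMPLE-USER",
                  "source disk model=EXAMPLE-MODEL serial=EXAMPLE-SERIAL",
                  "read error at file=EXAMPLE-PATH",
                  "collection completed"):
        append_entry(log, key, event)
    return log
```

Editing, reordering or deleting an entry breaks the chain at that index, and dropping trailing entries is caught only when the final MAC was recorded separately from the log.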

 

 

3. Encryption of Data Collected
Once the remote collection is complete, the resulting data collected is protected from interception by ne’er-do-wells thanks to strong encryption. Encrypting the collection ensures that it arrives safely back to the legal team without risk of tampering en route.

By far, the primary factor that boosts the confidence of legal teams that utilize this new technology is that the process is documented and controlled by them rather than the custodian. All of these features ensure a simple, cost-effective and defensible ESI collection process that the legal team can be confident will hold up in court. The three features outlined above, along with the chain of custody documentation, provide for the defensibility and admissibility of ESI collected by an on-site remote collection tool in court.

How is BlackBox different from other remote collection tools?

To recap the previous three posts in this series, we’ve learned that (1) BlackBox is a forensically sound remote data collection software tool (see What is BlackBox?), (2) BlackBox collections are securely configured by the legal team and then triggered by the data custodian on-site (see How Does BlackBox Work?), and (3) you can trust that BlackBox is completing a defensible collection because its tamper-resistant technologies rely on hashing algorithms, audit logs and encryption (see Is Remote Collection Defensible?). Now, let’s talk about how and why BlackBox is different (and better) than the other tools in this space.

BlackBox Is The Thoughtful Solution
BlackBox caters to the needs of every user likely to be involved in a data collection scenario, making the process user-friendly for all.

  • Legal Teams. BlackBox gives legal teams control over what is collected. They also get the peace of mind that comes with knowing the data custodian onsite cannot alter the collection.
  • Digital Forensics/Electronic Discovery Vendors. Technicians are spared traveling to remote places. Industry-standard safeguards in place assure that the collection is defensible and verifiable. Technicians can stay productive completing analysis in the lab rather than traveling and then waiting around onsite for a collection to run.
  • Data Custodians. BlackBox makes their role painless. Data custodians simply plug BlackBox into their machine and hit Start. Once the collection is finished, a Chain of Custody pre-filled with the collection specifics is generated. Custodians simply click the “Print Chain of Custody” button and sign it. Then they’re done.

BlackBox is not hardware-dependent
BlackBox software can be loaded onto any NTFS-formatted hard drive or storage device (such as a thumb drive). Since you can use BlackBox with basically any storage device, BlackBox is infinitely scalable to meet your data collection needs. Having the hardware required for a large-scale collection at a moment’s notice is no longer a concern.

Pricing is clear and upfront with BlackBox
There is no guessing what you’ll pay for a collection using BlackBox. BlackBox lists the cost of $99 per collection clearly on their website for all to see. The price remains the same regardless of the size of the hard drive being collected, whether it’s 250GB or 1TB. There are no minimum purchase requirements; buy only the number of tokens you need, as you need them.

BlackBox is a true global data collection solution
BlackBox allows hard drives to be remotely licensed, thus eliminating the delays and costs associated with initially shipping remote collection devices to the custodian.

“BlackBox provided a trouble-free process for me to get forensic images out of a third world country from the comfort of my office. I would not have been able to get these images without BlackBox.”
–Jerry Hatchett, aka ChopOMatic, Certified Computer Examiner, Red Forensic

Depending upon the needs of your case, a BlackBox hard drive can alternatively be licensed and configured by the legal team at their location and then shipped out to the data custodians.

Conclusion
BlackBox was designed to address the unique concerns and needs of each user during the data collection process, whether an attorney, technician, or data custodian. All the features of BlackBox add up to a data collection product that is greater than the sum of its parts.

BlackBox Forensics