Our engineers have conducted numerous tests using BlackLight and recommend some do's and don'ts to provide the best performance.
For best performance we DO recommend the following setup for using BlackLight:
1- Make sure the internal disk of the analysis machine where the operating system is installed, maintains a minimum of 30 GB of free space at all times. (This keeps the operating system happy).
2- Install BlackLight to the default location suggested in the BlackLight installer.
3- Create the case file on an internal disk of the analysis machine (formatted as NTFS, APFS or HFS+). For Windows users, create the case file close to root.
4- Place the evidence image on a separate internal disk or external local drive (formatted as NTFS, HFS+, APFS or FAT32).
5- Choose an analysis machine with at least 32 GB 1866 MHz DDR3 (RAM).
6- If the case is not related to encrypted files, save time and resources by not selecting Entropy in the Advanced processing options.
7- For even faster performance, use PCIe SSDs for the internal disk and/or external drive.
Note: if you are not permitted to have the case file on the internal OS disk, a second option would be a different internal disk or locally attached external drive.
BlackLight does NOT support the following:
- Creating the case file on a network location or a drive formatted as ExFAT or FAT32
- Creating the case file on the same external drive as the evidence image
- Storing the evidence image on a drive that was formatted by macOS drivers as ExFAT