Articles

Building a Timeline: A Case for Belkasoft Evidence Center

Timeline is a crucial notion in digital forensics. Many prolonged crimes are essentially sequences of actions leaving digital footprints, which must be examined step by step in their development and interrelation. Even a single-point crime always has a background and implications that form a coherent storyline, which can be investigated on a temporal basis. That is why it is often no exaggeration to say that digital forensics is all about resolving complex timelines. This importance is the reason for the deliberate attention Belkasoft pays to developing an advanced timeline.

"I took Belkasoft Evidence Center for a spin around the block"

Brett Shavers from DFIR.training reviewed Belkasoft Evidence Center. As he puts it: "BEC does a really good job at running across data, putting everything into its own category, and creating an easy view of the entire case. There is some deep dive analysis use, and some user control, but the strength lies in the ease of laying out the data in a manner that practically anyone can see and understand. It does make it easy and working a case is faster when the data is organized in this fashion."

Belkasoft Evidence Center: a View from Spain

As a digital forensics company, we are constantly striving to get timely feedback from our users in order to identify their needs; the interview below is one example.
Let us introduce Guillermo Román Ferrero, who works as an Incident Response Expert for a Computer Security Incident Response Team. He is also the prolific author of the ‘Follow the White Rabbit’ blog. Mr. Ferrero tried our solution recently and kindly agreed to share his experience and thoughts with us.

How to Use Connection Graphs by Belkasoft for Complex Cases with Multiple Individuals Involved: a Real-life Scenario and Guide

A proper connection graph is a must if you need to investigate a complex case with numerous individuals using different communication media. To name a few, it may be a drug-related case with several dealers and a network of buyers or a ring of sexual predators. The corporate sector might need graphs to investigate a circle of white-collar criminals stealing their company’s money or groups responsible for data leaks, data breaches, and even hacking incidents.

As a rule, cases of this kind require visualization of profiles together with connections between them to grasp, analyze, and demonstrate the essence of a case. That is the most efficient way of detecting and understanding links, patterns, and suspicious episodes.

This article is intended to show how one can use the relevant capabilities of Belkasoft Evidence Center, or BEC (https://belkasoft.com/ec). It combines a brief overview of BEC’s Connection Graph (a ‘how-to’) with a real-world scenario involving a group of card fraudsters. The case itself is, in general terms, based on a real-life scenario.

Walkthrough: How to Perform Remote Acquisition of Digital Devices with Belkasoft Evidence Center

Remote acquisition of digital devices is a useful option for modern-day organizations, both commercial and governmental. Remote acquisition is a must-have nowadays: it reduces costs, increases transparency, and does not interfere with your workplace climate when that is not needed.

How To Analyze Windows 10 Timeline With Belkasoft Evidence Center

Temporal analysis of events (Timeline) can be beneficial when you want to reconstruct events related to computer incidents, data breaches, or virus attacks taking place on a victim’s computer.

Recently, Microsoft introduced a new type of Windows artifact: Windows 10 Timeline. It offers investigators new opportunities and greater clarity. This article describes the new forensic capabilities that Windows 10 Timeline provides.

How To Use Cross-Case Search With Belkasoft Evidence Center

Diving deeper may be the key to the eventual success of a digital forensic investigation. This is true not only when it comes to a single given case, but also when it comes to intersections between different cases.

Sometimes, a person being investigated may have associates who are problematic, or who have been involved in different forms of misconduct. Consequently, in the course of a digital investigation, investigators may need to examine links between a current case and other opened (or recently archived) cases. A reliable tool is needed to get a clear and coherent picture in its entirety.

That is why Belkasoft Evidence Center has a ‘Cross-Case Search’ function. This article is intended to demonstrate, step by step, how to use this feature productively.

Reasons Why You Need Belkasoft Evidence Center to Fight Workplace Bullying. Part II

Having discussed what workplace bullying generally implies and, in broad terms, how Belkasoft could help you deal with this problem, we can now take a closer look at what you can do in practice. To begin with, workplace bullying, as a special sort of abusive behavior, can manifest itself in the following three forms:

5 Reasons Why Corporate Investigators Need Belkasoft to Fight Workplace Bullying. Part 1

Corporate investigators face new challenges every day. In addition to ‘classical’ concerns (such as data leakages, business espionage, fraud, and other forms of ‘white collar crime’) new ones emerge regularly. For instance, both the general public and corporate executives nowadays recognize bullying as a problem that must be taken seriously. Companies that fail to address this challenge in a proper fashion inevitably incur severe risks ranging from productivity losses to reputation damage and even lawsuits.

The sheer scale of this issue should not be underestimated. Let’s look at the American case as an example. After all, the US shares numerous negative issues with other developed and developing countries. And the dimensions are truly astonishing when it comes to bullying.

This article briefly describes the phenomenon of workplace bullying. It then briefly discusses how BEC helps you investigate this problem.

Fast Detection of Mobile Malware and Spyware with Belkasoft

Over the past several years there has been a rapid increase in the number of mobile devices with mobile malware and spyware installed on them. Belkasoft Evidence Center has a feature that allows you to quickly detect mobile malware or spyware installed on a smartphone. This article focuses on that feature.

It is easy to detect mobile malware or spyware on analyzed mobile devices with the help of Belkasoft Evidence Center. The data extracted from a mobile device helps the investigator to understand how the investigated device was infected.

Carving and its Implementations in Digital Forensics

Carving is an irreplaceable technique widely used in data recovery and digital forensics. By carving, we essentially perform a low-level scan of the media for various artifacts, looking for signatures—specific sequences of bytes characteristic of a given type of data.

This article reviews the concept of carving. It defines unallocated space, free space and slack space. It gives information on existing carving methods and compares their features (file carving vs. data carving).

Belkasoft Evidence Center has unique functionality for carving different file types: standard files that are supported out of the box, and custom user-defined files via signatures. Evidence Center can use carving to restore deleted SQLite database records, including carving from unallocated space. The article describes the flexibility of Belkasoft Evidence Center’s carving features and BelkaScript.

WeChat. The Forensic Aspects Of and Uses For Evidence from a Super-App

WeChat is one of the world’s most successful apps ever. If you’re a digital forensics examiner, the chances are that you’ve heard of it and probably even worked with it. The app is so successful that it is often referred to as a “SuperApp”.

This article will briefly provide some details about WeChat itself. It will then explore the nature of the evidence and share experience of who engages a private digital forensics expert to extract that evidence and what use it is commonly put to. Finally, this article will discuss some of the challenges digital forensics examiners experience when extracting, analyzing and reporting on matters involving WeChat evidence.

Comprehensive Forensic Chat Examination with Belkasoft

Call logs, SMS messages, emails, social network communications and, of course, chats in instant messengers can give you a lot of important information in the course of a forensic investigation. Let's see how a single chat product can be examined from different aspects, each of which gives one more – unique! – piece of the puzzle.

In our case, the suspect had Skype installed on his laptop and mobile device which were seized and investigated with Belkasoft Evidence Center.

I Have Been Hacked

This article was inspired by an active discussion in one of the forensic listservs. The original post asked how to counter the argument “This is not me, this is malware”. The suspect was allegedly downloading and viewing illicit child photos and denied it, explaining the presence of these photos by malicious software they presumably had. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activity?

SSD and eMMC Forensics 2016 - Part 3

In the previous part of the article, we talked about eMMC storage and external SSDs. We also mentioned TRIM when discussing the trimming behavior of eMMC. This time we will talk a bit more about TRIM and then move on to some real-life cases.

SSD and eMMC Forensics 2016 - Part 2

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, and demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have an abundance of cheaper SSD models with seemingly little change on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips used in low-end Windows tablets and subnotebooks, where these chips take the place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are at the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. The information provided in the original series still stands.

SSD and eMMC Forensics 2016 - Part 1

This publication continues the series started with an article on SSD forensics we published in 2012. We investigated the issues of SSD self-corrosion, and demystified trimming, garbage collection and data remapping. Two years later, we revisited the issue. Back then, manufacturers released innovations in quick succession. 3D TLC, bigger and faster drives, the end of compressing controllers and the introduction of self-encrypting SSD drives were all big news. Fast-forward to 2016, and we have an abundance of cheaper SSD models with seemingly little change on the high-tech battlefront.

In addition to 2.5-inch models, we have seen a new popular form factor used in super-slim ultrabooks, and a new type of solid-state memory introduced by Samsung and used in many mobile devices. On the lower end of the spectrum, we are seeing eMMC chips used in low-end Windows tablets and subnotebooks, where these chips take the place of traditional SSD drives. In this article, we will try to figure out what all this means for a forensic investigator.

As this publication is designed to continue the original series, we skipped most of the basics, including definitions. If you are at the beginning of your journey into the world of SSD forensics, please consider reading the original publications first. The information provided in the original series still stands.

BelkaScript: How to Get Most out of Digital Forensic Software

A digital investigator nowadays has access to a wide array of solid forensic tools. Some of them offer mobile forensics only, some help with computer or laptop analysis, and some – like Belkasoft Evidence Center – support all types of devices, but the task flow and product logic are more or less fixed in every product. If an investigator faces an unusual task, it is hard to solve within the workflow offered by a product. And unusual tasks are not that rare – we hear about them very often; just take a glance at the various forensic forums.
In this article, we will discuss some real-life stories that involved cases hard to solve with the standard workflow in Belkasoft Evidence Center:
  • Good Employee, Bad Employee
  • Bar Fight
  • Digging Deep Inside Photos

However, solving them became possible with BelkaScript, a free built-in scripting module that allows users to write custom scripts to extend Evidence Center’s capabilities. Scripts can be used to automate routine work (for example, reporting, or combining two operations into one) or to extend the product’s functionality for a specific situation. But it most certainly does not end there, as we will now show with real-life examples.

The Future of Mobile Forensics: November 2015 Follow-up

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that were state-of-the-art at the time. Weeks later, some things had already changed; three months after publication, a lot has changed. The article was published on Forensic Focus and discussed in online forums, with readers pointing out certain inaccuracies. In this follow-up, we use up-to-date information to address the issues of concern raised about the original article.

Countering Anti-Forensic Efforts - Part 2

In the first part of this paper we talked about the most common - and also some of the simplest - ways suspects can try to cover their tracks in an attempt to slow down the investigation. This part of the article is dedicated to some of the more advanced techniques that sometimes can really be challenging to deal with. Let's take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Countering Anti-Forensic Efforts - Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist allowing discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same time, criminals routinely make attempts to counter forensic efforts by wiping data, deleting files, faking or clearing logs, histories and other traces of performed activities. Anti-forensic efforts are not limited to just that. In this whitepaper, we will have a brief overview of common anti-forensic techniques frequently used by suspects who are not specialists in high-tech, and ways to counter them during the investigation.

What this paper does not discuss is the suspects’ use of advanced tools dedicated to countering forensic efforts. Instead, we will talk about the most common anti-forensic techniques. In this paper, we will move from easy to moderately difficult anti-forensic techniques, explaining who might be using these methods and how to counter them.

NAS Forensics Explained

Network Attached Storage (NAS) devices have a long track record of corporate deployments. Their scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used in homes and offices. These smaller appliances are often called “personal clouds” because they provide some of the functionality of online cloud services.

More and more people prefer using laptop computers at home instead of a full-size desktop. As many laptops are equipped with relatively small, non-expandable storage, a NAS becomes an obvious and convenient way to increase available storage. In home environments, NAS devices are often used for keeping backups and/or storing large amounts of multimedia data such as videos, music and pictures, sometimes including illicit materials. Due to the sheer size of these storage devices and their rapidly increasing popularity with home users, NAS forensics is becoming increasingly important.

When acquiring information from the suspect’s computer, investigators often face a challenge of extracting information also from all external storage devices. Why is NAS acquisition a challenge, and what can be done to overcome it?

Future of Mobile Forensics

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get past the passcode on new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware has been dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. BlackBerry devices were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

Acquiring Windows PCs

In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition. The obvious path to acquiring a Windows PC has always been “pull the plug, take the disk out, connect it to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

In this article, we will look at the measures the investigator has to take before taking the disk out, and even before pulling the plug, and review Windows security measures and how they work in combination with the computer’s hardware.

Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will look at how Windows-based portable devices differ from traditional laptops and desktops, review the new security measures and energy-saving modes introduced with Windows tablets, and discuss the hardware, methods and tools we can use to acquire the contents of their RAM and persistent storage.

Kik Messenger Forensics

Kik Messenger is a popular free messaging app for all major mobile platforms. Available for Android, iOS and Windows Phone, Kik Messenger had a user base of more than 130 million users just a year ago. Today, the company claims over 200 million registered accounts, with another 250,000 users added each day. The messenger’s user base consists mostly of teenagers and young adults. It is estimated that approximately 40 per cent of 13- to 25-year-olds in the United States use Kik.

As a result, Kik Messenger has become one of the forensically important messenger apps. With hundreds of millions of users communicating on Kik on a daily basis, ignoring this popular messenger during an investigation may lead to missing important evidence. With Kik’s user base mostly consisting of teenagers and young adults, Kik messages can come in especially handy when investigating molestation cases.

Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted out of Windows Phone 8 devices. We’ve got dozens of requests from European police departments, especially those from Germany, Italy, and the UK about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small of a market share these devices had, the recently published numbers of every 10th device sold in Europe being a Windows Phone made us change our mind.

Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as a storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide range of desktop and mobile Web browsers (Chrome, Firefox) and instant messaging applications use SQLite, which includes newer versions of Skype (the older versions don’t work anyway without a forced upgrade), WhatsApp, iMessages, and many other messengers.

Forensic analysis of SQLite databases is often concluded by simply opening a database file in one or another database viewer. One common drawback of using a free or commercially available database viewer for examining SQLite databases is the inherent inability of such viewers to access and display recently deleted (erased) as well as recently added (but not yet committed) records. In this article, we’ll examine the forensic implications of three features of the SQLite database engine: Free Lists, Write Ahead Log and Unallocated Space.

SSD Forensics 2014. Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions

We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical data. We now know more about many exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.

Recovering Destroyed SQLite Evidence, iPhone/Android Messages, Cleared Skype Logs

The SQLite format is extremely popular with developers. Android and Apple iOS are using SQLite extensively throughout the system, storing call logs, calendars, appointments, search history, messages, system logs and other essential information. Desktop and mobile versions of third-party apps such as Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer and hundreds of other tools are also using SQLite. Major Web browsers such as Mozilla Firefox, Chrome and Safari are using SQLite to store cache, downloads, history logs, form data and other information. With all those operating systems and applications relying heavily on SQLite, this database becomes one of the most important formats for digital investigations. Learn how Evidence Center helps investigators recover destroyed evidence stored in SQLite databases.

Detecting Altered Images

Are digital images submitted as court evidence genuine or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them into a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the image being forged. This paper discusses methods, tools and approaches used to detect the various signs of manipulation with digital images.

Catching the ghost: how to discover ephemeral evidence with Live RAM analysis

Many types of evidence are only available in a computer’s volatile memory. However, until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be standard practice, without recognizing the amount of evidence lost along with the contents of the computer’s volatile memory. Certain information never ends up on the hard drive at all, while other information may be stored securely on an encrypted volume with all the decryption keys conveniently available in the computer's volatile memory.

By simply pulling the plug, forensic specialists will slam the door to the very possibility of recovering these and many other types of evidence. Read about how to capture and analyze volatile data, learn how to make a RAM dump and perform a comprehensive analysis of the memory dump.

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Solid state drives (SSDs) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different from how we used to acquire PCs using traditional magnetic media. Instead of the predictable and highly likely recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics, where nothing can be assumed as a given.

Retrieving Digital Evidence: Methods, Techniques and Issues

This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence.

Interviews

Forensic Interviews project

Renowned experts in computer forensics, owners and executives of multiple forensic companies, investigators, software resellers and law enforcement officials give their interviews to Yuri Gubanov, CEO of Belkasoft and computer forensic expert. Check out extremely interesting interviews from active or retired police investigators, experts from such companies as Digital Intelligence, Paraben, ADF Solutions, Videntifier, F-Response, Fulcrum Management, DFLabs and others!

Belkasoft CEO's interview to ForensicFocus

Yuri Gubanov gives an interview to the well-known industry online magazine about Belkasoft’s history and its tools, and offers some predictions on the future of computer forensics.

Older articles

Forensic Instant Messenger Investigation

This article deals with the subject of forensic investigation of Instant Messenger histories: why it is needed, what messenger types there are, what difficulties are involved in investigating histories, and what tools can help overcome those difficulties.

Secure Instant Messenger Communication

These days Instant Messengers cannot surprise anyone. They are widely used by people with access to the Internet, by people of any age, gender and occupation. You can exchange jokes with your friends via your IM, discuss business questions with your colleagues, support your customers, make a date with your girlfriend, and even propose marriage through your favorite messenger. An important question arises immediately: How secure is all this communication? Are you and your recipient the only ones who can see your conversation? Can anybody else access your history, which is probably confidential, especially when it comes to business and personal matters? Can any malicious user, or your boss, or your parent learn your secrets?

Other Articles