Four Steps to Perform a Digital Forensic Investigation with Belkasoft Acquisition & Analysis Suite
Step One: Capturing a Live RAM dump
This essential first step is often omitted. Yet, we strongly believe
that any digital investigation must begin with acquiring a memory dump.
Considering the rapidly growing popularity of full-volume encryption and
cloud services, it becomes vital for an investigation to capture the volatile
memory first, before the machine is powered off and that content is lost.
Memory dumps routinely contain information that could be essential for
an investigation, including binary decryption keys for encrypted volumes
(TrueCrypt, BitLocker, PGP WDE), recently viewed pictures, loaded registry
keys, recent Facebook communications, emails sent and received via Web services
such as Gmail or Hotmail, active malware, open remote sessions, and so on.
Belkasoft offers a tiny portable tool for capturing live RAM dumps. The
tool uses 32-bit and 64-bit code running in the system's most privileged
kernel mode, which allows it to acquire the complete content of the
computer's RAM even when an active anti-dumping system is running. Sized
under 20KB, Belkasoft Live RAM Capturer keeps the acquisition footprint to a
minimum while preserving the maximum amount of data.
The forensically sound tool is portable, read-only and ready to run out of the
Please note that we don’t use a proprietary format to store memory dumps.
The resulting memory image can be processed by Belkasoft Evidence Center as well
as many other commercial tools with similar functionality.
Step Two: Acquiring a Disk Image
Creating a forensic image of the suspect's hard drive is an essential
step and a must-do in any investigation. We offer a combination of hardware
and software to help acquire forensic disk images while overcoming all possible
- The hardware is designed to acquire hard drives damaged to the point
where competing imaging products stall.
- You are in full control of how to process reading errors. The product
notifies you of any issues immediately, without the need to wait till
the imaging completes.
- You can bypass ATA passwords including those found in the latest
SATA 6 drives.
- You can reset HPA/DCO if present.
The hardware supports cloning and imaging to a file, enabling you to
make up to 3 copies of the source device with a SATA, IDE and USB interface.
The receiving device can be a SATA, SSD or USB drive or a file on your computer.
You can upload the image onto a remote PC via an Ethernet connection. Full
remote operation is supported allowing you to control the imaging process
from another location.
Please note that we don’t use a proprietary format to store drive images.
The resulting images can be processed by Belkasoft Evidence Center as well as many
other commercial tools with similar functionality.
Step Three: Discovering and Analyzing Evidence
During this step, you may have multiple images created with Belkasoft
Live RAM Capturer as well as with the disk imaging tool. The supplied analytic
tool, Belkasoft Evidence Center, will help
you get the most out of these images, retrieving existing and deleted evidence
in fully automatic mode. With hundreds of formats supported, the tool will quickly
extract the most forensically important information for you.
The following types of data can be located or recovered if deleted:
- Office documents
- Mobile application data
- Web browser histories, cookies, passwords, cache, etc.
- Chats and instant messenger histories
- Social network communications
- System files including jumplists, thumbnails and event logs
- Encrypted files
- Registry files
- SQLite databases
- PCAP files
Belkasoft Evidence Center accepts memory images and disk images in all popular
forensic formats, allowing you to process images acquired with non-Belkasoft imaging
tools. The following data sources are supported:
- EnCase E01 and Ex01 images
- FTK images
- UFED physical dumps for mobile phones
- DD images
- SMART images
- Mobile chip-off dumps
- VMware and Virtual PC files
- Hibernation and page files
Belkasoft Evidence Center processes the following systems:
- Mac OS X
The following types of analysis are available:
- Search and analysis of existing and deleted files
- Data carving and destroyed evidence recovery
- Live RAM analysis
- Hibernation and page file analysis
- Native SQLite analysis with freelist support (discovers deleted SQLite records,
e.g. Skype conversations, WhatsApp messages, iPhone deleted SMS/text messages,
Chrome downloads etc.)
- Picture/photo analysis including EXIF and GPS analysis, and face, pornography, text and forgery detection
- Video key frame extraction
- Encryption detection
- Network traffic analysis
- And many others
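To make the "freelist support" item above concrete: when a table is emptied, SQLite does not wipe the pages it releases unless secure_delete is on; it simply strings them onto the freelist whose head is recorded in the file header, and the row bodies stay in place until the file is vacuumed. The following is an added example, not Belkasoft's code and not a description of how Evidence Center works internally. It builds a constructed chat-style database, deletes every row, walks the freelist directly in the file bytes and carves the bodies back out, then shows that a VACUUM removes them. Table and column names, the message text and the marker string are assumptions made up for the demonstration.

```python
"""Recover deleted SQLite records from freelist pages (added example, not
Belkasoft's code). Builds a constructed sample database, deletes every row,
walks the freelist in the raw file and carves the row bodies SQLite left behind."""
import os
import re
import sqlite3
import struct
import tempfile

N_ROWS = 500
MARKER = "DELETED-MSG-"   # constructed sample content, not a real chat


def build_sample_db(path, n_rows=N_ROWS):
    """Constructed input: a messages table that is filled and then emptied."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA auto_vacuum = NONE")    # keep freed pages inside the file
    conn.execute("PRAGMA secure_delete = OFF")   # do not zero freed pages (the usual default)
    conn.execute("PRAGMA journal_mode = DELETE")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        [(f"{MARKER}{i:04d} meet at the usual place tonight",) for i in range(n_rows)],
    )
    conn.commit()
    conn.execute("DELETE FROM messages")   # whole-table delete: leaf pages go to the freelist
    conn.commit()
    conn.close()


def live_row_count(path):
    """What a normal SQL query sees after the deletion."""
    conn = sqlite3.connect(path)
    (n,) = conn.execute("SELECT COUNT(*) FROM messages").fetchone()
    conn.close()
    return n


def freelist_pages(data):
    """Parse the 100-byte header and walk the trunk chain; returns page size,
    trunk page numbers and leaf page numbers."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # value 1 encodes 65536
    trunk, n_free = struct.unpack(">II", data[32:40])      # first trunk page, total freelist pages
    trunks, leaves, seen = [], [], set()
    while trunk and trunk not in seen and len(trunks) + len(leaves) <= n_free:
        seen.add(trunk)                                     # guard against a corrupt, looping chain
        trunks.append(trunk)
        off = (trunk - 1) * page_size
        next_trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        leaves.extend(struct.unpack(f">{n_leaves}I", data[off + 8:off + 8 + 4 * n_leaves]))
        trunk = next_trunk
    return page_size, trunks, leaves


def carve_strings(blob, min_len=8):
    """Printable-ASCII runs: text record bodies survive as such runs in freed pages."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{8,}", blob)
            if len(m.group()) >= min_len]


def recover_from_freelist(path):
    """Carve strings from freelist leaves (left untouched by SQLite) and trunks
    (only their first 8 + 4*n_leaves bytes, header and pointer area, are overwritten)."""
    with open(path, "rb") as f:
        data = f.read()
    page_size, trunks, leaves = freelist_pages(data)
    found = []
    for pgno in leaves + trunks:
        off = (pgno - 1) * page_size
        found.extend(carve_strings(data[off:off + page_size]))
    return found


def vacuum(path):
    """Rebuilds the file; the freelist and the freed pages' content are discarded."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo():
    """Returns the counts a reader can check: rows SQL sees, distinct message ids
    carved from the freelist, and how many marker strings survive a VACUUM."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat.db")
        build_sample_db(path)
        ids = {m for s in recover_from_freelist(path) for m in re.findall(MARKER + r"\d{4}", s)}
        result = {"live_rows": live_row_count(path), "recovered_ids": len(ids)}
        vacuum(path)
        with open(path, "rb") as f:
            whole_file = f.read()
        result["after_vacuum"] = sum(MARKER in s for s in carve_strings(whole_file))
        return result


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner is the caveat as much as the recovery: the freelist only holds what has not been reclaimed, so auto_vacuum, secure_delete, a later VACUUM, or an application that compacts its own database on exit all erase this source, which is why the analysis belongs on an image taken before anything else touches the file.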
You can also purchase Belkasoft Evidence Center
standalone. We offer a free trial of this product; to request the free evaluation
version, please refer to http://belkasoft.com/trial.
Step Four: Creating Reports, Sharing Evidence, Getting Ready for a New Case
Belkasoft Evidence Center allows you to create reports in all the most popular formats,
from PDF and HTML to XLSX and XML. The report options are highly customizable, and the resulting
report can be presented in court or shared with a colleague.
The portable Belkasoft Evidence Reader tool, which is included in the Suite, allows
users to share evidence collected with the help of Evidence Center. Even users
without a license for the Acquisition & Analysis Suite can review the collected data using
Finally, the imaging hardware supports secure data destruction, allowing you to
prepare your storage media for the next case upon completion of the current one. You
can erase the device with DoD and NIST compliant algorithms. You can also trim SSD
drives, increasing the speed of subsequent acquisition by up to 4 times.