Belkasoft: Focus on Usability 2017
Ten years ago, when Belkasoft was just about to start its digital forensic journey, investigation tools were focused on the results only. They were far from being handy, and extensive training was required in order to use these tools effectively.
The situation changed when the first Belkasoft products entered the market. With the slogan “Forensics made easier”, the company set out to offer tools that do not require in-depth training to conduct productive digital investigations. That is why our software quickly became popular among our first customers.
In this article we describe the usability improvements introduced over the course of 2017 in our flagship computer, mobile, and cloud forensics product, Belkasoft Evidence Center.
Among the most notable features aimed at refining the usability of Belkasoft Evidence Center are:
- Dashboard showing essential case information
- Predefined searches, performed automatically without explicit manual actions
- Connection between extracted artifacts and their origin raw data. The Origin Path property is a great addition that helps you understand where a given artifact came from
- Bubble view for chats, showing communication as it is presented in an app on a device
- Reworked Bookmarks and Timeline windows, which are now top-level windows of the tool
- Task Manager window, conveniently showing all running tasks
- SQLite Viewer window, which is also top-level now
- Reworked Add Data Source window, touch-screen friendly and allowing you to quickly and easily add and analyze a device or image
- Multiple smaller usability enhancements
Let’s look at these features in detail.
Dashboard
Dashboard is a new BEC window which shows basic case information and gives a good overview of existing cases. It includes information such as:
- Case name and creator
- Data sources (devices, images and dumps) added to the case
- Predefined search results
- Number of artifacts found in each analyzed data source and a breakdown of these artifacts by artifact type
- Two charts showing the breakdown of extracted artifacts by application type and by artifact type
- The 20 most important contacts in the case, sorted by the number of communications
- All reports run for the case
Predefined searches
While analyzing a data source and indexing the text data inside it, Belkasoft Evidence Center automatically extracts various forensically interesting items such as credit card numbers, SSNs, MAC and IP addresses, video links and so on. These artifacts are conveniently located in the renewed Search Results window.
You can navigate to any particular predefined search result from the Dashboard window, where these predefined searches are shown.
Connection between extracted artifacts and origin data
A very important usability update is that the selected artifact is now shown in HexViewer. Once you select an artifact in an Item List (such as the Chat list or Picture list), its binary data is loaded into HexViewer, so you do not have to set an offset manually to find the raw data.
The Origin Path property is a great addition that helps you understand where a given artifact came from. Origin Path is a property of each and every artifact extracted by BEC out of the box. Using this path you can easily see from where an artifact was extracted.
Here is an example of an Origin Path:
image.e01//C:\Users\Smith\AppData\Roaming\Skype\smith48\main.db//Messages\Freelist
You can see that this chat originated from the image "image.e01", the path to the profile was "C:\Users\Smith\AppData\Roaming\Skype\smith48\", and finally it was extracted from the freelist area of the Messages table inside the SQLite database "main.db" (the main Skype database file). Next to the Origin Path you will also see an offset inside the file (for artifacts recovered from a file) or an offset from the beginning of a partition (for carved artifacts).
Having this information, you can accurately explain how each artifact originated, and also check the correctness of the product output manually.
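To make the Origin Path structure explicit, here is an added example (not Belkasoft's code) that splits an Origin Path into its data source, in-image file path, SQLite table and recovery area, and flags whether the record was recovered rather than read from a live row. It assumes the "//" separator and the "Table\Area" tail generalize from the single example above, and that the area names match the freelist, journal and WAL records the SQLite Viewer tags.

```python
from dataclasses import dataclass
from typing import Optional

# Recovery areas named after the table in the tail of an Origin Path.
# "Freelist" comes from the page's example; "Journal" and "WAL" are assumed
# from the record types the SQLite Viewer tags.
SQLITE_AREAS = {"Freelist", "Journal", "WAL"}


@dataclass
class OriginPath:
    data_source: str         # e.g. "image.e01"
    file_path: str           # path of the file inside the data source
    table: Optional[str]     # SQLite table the record belongs to, if any
    area: Optional[str]      # "Freelist", "Journal", "WAL", or None for a live row

    @property
    def file_name(self) -> str:
        """Basename of the originating file, e.g. "main.db"."""
        return self.file_path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_origin_path(origin: str) -> OriginPath:
    """Parse <data source>//<file path>[//<table>[\\<area>]] (assumed format)."""
    parts = origin.split("//")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an Origin Path: {origin!r}")
    data_source, file_path = parts[0], parts[1]
    table = area = None
    if len(parts) >= 3 and parts[2]:
        table, sep, tail = parts[2].partition("\\")
        if sep:
            if tail not in SQLITE_AREAS:
                raise ValueError(f"unknown SQLite area {tail!r} in {origin!r}")
            area = tail
    return OriginPath(data_source, file_path, table, area)


def is_recovered(origin: str) -> bool:
    """True when the record came from a freelist, journal or WAL area,
    i.e. it was recovered, not read from a live table row."""
    return parse_origin_path(origin).area is not None
```

Recovered records deserve extra scrutiny in a report, since a freelist or journal copy may be a deleted or superseded version of a row that the live table no longer contains.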
Bubble view for chats
A new mode for the chat list was introduced in v.8.6: bubble mode. This mode allows you to review chats as they are shown natively on a device. You can switch between the standard grid mode and the new bubble mode at the bottom right corner of the Chat List:
Bookmarks and Timeline improvements
In v.8.6 a new tab was added to the main BEC window: Bookmarks. Before, you could only find bookmarked items in Case Explorer, which led to some confusion when using the product. Now it is a top-level window, easy to find and operate.
Another convenient new tab that appeared in v.8.6 is Timeline. Like Bookmarks, Timeline was historically a part of Case Explorer, which became less intuitive after the introduction of the Overview window. Now Timeline is also a separate top-level window.
Apart from that, bookmark creation was made easier. You can press Ctrl-B at any time in an Item List to add the item to the last used bookmark. You can also press Ctrl-Shift-B to add an item to a new bookmark that does not exist yet.
TaskManager improvements
The Task Manager screen has also been completely reworked. Previously, for a huge case it could contain thousands of tasks, which was impossible to work with. Now the Task Manager screen is divided in two: the upper part contains only top-level tasks, while the lower part shows the subtasks of the selected top-level task. A top-level task is any task run by the user, such as "Analyze hard drive", "Search a keyword" or "Run a report". Top-level tasks also include analysis tasks that occur as a result of finding a nested data source (for example, a mobile backup found inside a hard drive being analyzed).
Tasks such as "searching for instant messengers" or "extracting info from a particular application database" are now shown as subtasks and do not clutter the overview of work progress.
Apart from that, Task Manager was made a top-level window occupying almost the entire screen, which makes reviewing ongoing tasks easier.
The list at the top contains tasks run by the user. The list at the bottom contains subtasks for the individual analysis of particular profiles.
SQLite Viewer improvements
There were multiple SQLite Viewer improvements throughout 2017.
First, whenever you select an artifact which originates from a SQLite database, the Item Properties window for this artifact now contains a separate tab called SQLite, where you can review the original database. In the corner of this SQLite tab there is a small ("secret") button that opens the tab in full screen, allowing you to use your screen space effectively or even drag the viewer to another monitor.
Instead of highlighting freelist, journal and WAL records with heavy red or cyan colors, the corresponding items are now tagged with a matching sign in the table, which makes it much more readable:
New Add Data Source window
The Add Data Source screen was reworked: it now allows you not only to add an existing data source, but also to acquire a new one, including hard drive, mobile device and cloud acquisition. Analysis starts right after acquisition, so you can leave the software to work on the acquisition without having to wait for its completion to schedule the analysis of the results.
The new window has handy icons which are big enough to navigate with your fingers on a touch-screen enabled device.
Multiple smaller improvements
Thanks to our customers, who are using BEC more and more frequently, we were able to implement a large number of their usability requests. To give an example, one of our customers complained that it was hard to find a chat message with an illicit picture attachment. They were able to find the image in the list of pictures in the BEC interface and bookmark it, but tracking this image back to the original message was a painful routine, until we added an option to bookmark the parent item along with nested ones. Now, when you bookmark a picture or other message attachment, the original message is bookmarked automatically, too:
In the screenshot above, a picture called i2.png was an attachment to an email. Once it was added to a bookmark, the original email was also bookmarked automatically (you can see 1 item in Mailboxes under the bookmark node). Apart from that, you can inspect the parent artifact's properties even when a nested artifact is selected. In the screenshot you can see the properties of the email containing "i2.png", although the email itself is not selected in the list.
In 2017 the entire Belkasoft team put significant effort into improving the usability of Evidence Center. The product grew a lot, and we are happy to hear words of praise from our customers more often this year.