What's new in version 5.4 of Belkasoft Evidence Center

What's New in Version 5.4

Version 5.4 of Belkasoft Evidence Center is a major update, adding a great deal of new forensic features, functional and usability enhancements. The newly added Forgery Detection plugin enables automatic detection of digital photos that have been altered. Memory dump defragmentation greatly enhances Live RAM analysis, carefully assembling fragmented memory blocks together to produce solid evidence. Timeline displays all discovered events in a single view, allowing investigators to quickly glance over recent events or scrutinize a certain time period. Windows Registry support automatically locates and parses registry hives, extracting many types of valuable evidence.

Native SQLite support, UTC/Local conversion, Office 2007-2013 carving and built-in check for updates are just a few other features to mention. Please see the complete list below.

Free upgrade to version 5.4 is available to all users having a non-expired Extended Software Maintenance and Support contract. If you don't have such a contract yet, you can purchase it from your Personal Cabinet.

Belkasoft Evidence Center 5.4

Forgery Detection Plugin
This unique plugin automatically analyzes digital pictures, detecting images that have been altered, modified or edited. The plugin enables law enforcement authorities tell whether submitted pieces of evidence are original or are faked. Supporting more than a thousand camera models, this new plugin is a paid add-on available to the users of Forensic Studio Ultimate.
Improved Live RAM analysis: memory dump defragmentation
Live RAM analysis in Evidence Center 5.4 is greatly improved thanks to the ability to defragment memory sets. In real life, Windows rarely stores volatile data in contiguous fashion. Instead, reasonably large images and other types of data are split into chunks that are scattered along the entire memory content. This is called memory fragmentation. Traditional RAM analysis algorithms have little success analyzing fragmented memory sets. The new BelkaCarving algorithm is based on a scientific research enabling Evidence Center to carefully reconstruct fragmented chunks into contiguous pieces of information, allowing the tool to extract broken pieces such as recently viewed images that no other tool can access. At this time, support is based on memory dumps captured on 32-bit and 64-bit Windows 7 systems. Support for other operating systems is being actively developed.
Timeline: aggregated view of user activities and system events
The Timeline has always been a feature that was highly demanded by law enforcement officials. Evidence Center 5.4 introduces the Timeline, providing the ability to display all detected user activities and system events in a single aggregated view. By using the Timeline, investigators can quickly glance at user activities over a certain time period or scrutinize a particular period of time with ease.

The Timeline view allows convenient filtering, allowing to search for certain types of events of include only selected types of data. Case-sensitive full-text content filtering is supported. Timeline filters are stackable, allowing investigators specify a number of conditions that an event must meet in order to make it to the Timeline view.
Native SQLite parsing
The newest release gets rid of third-party SQLite libraries, enabling fully native SQLite parsing. This new feature allows Evidence Center users to parse even badly damaged, fragmented and incomplete databases such as those resulting from a carving attempt. Previous versions of Belkasoft Evidence Center only allowed limited access to corrupted databases.
SQLite freelist processing
Information deleted from SQLite databases is not wiped immediately. Instead, it is transferred into a so-called freelist. Freelists are not accessible with standard SQLite parsing tools. The newest release of Belkasoft Evidence Center enables the recovery of deleted information stored in SQLite freelists.
SQLite Viewer
Visualizing SQLite databases becomes easier with newly added SQLite Viewer control.
Windows Registry support
The newly added support for Windows Registry artifacts automatically locates and parses registry hives, extracting many types of valuable evidence such as MRU of various applications (e.g. MS Office, Acrobat Reader etc.), UserAssists, program startup data, list of connected USB devices, network cards, wireless profiles and many other types of artifacts. This feature is available in Professional and Ultimate editions. You should re-download your license from Customer Portal.
UTC/Local conversion
The new release now adds the ability to enter default time zone information for each individual case, data source or profile. Time zone information is used to correctly display items obtained from various data sources in the Timeline.
Microsoft Office 2007-2013 and Adobe PDF carving
Evidence Center 5.3 can now carve documents in Office 2007-2013 formats. Adobe PDF files are now also supported.

Other Improvements

Non-ASCII URL decoding
Carving speed improved by 25%
Check for updates
Users can now check for updates from within Belkasoft Evidence Center by invoking the Help -> Check updates menu.
ICQ 8 support
MacOS X instant messengers
A list of instant messengers for MacOS X was added. Fixed issues with Adium and AIM Mac messengers.
Hibernation and page files automatically added as data sources
All hibernation and page files discovered are now added to the list of available data sources automatically.
Email attachment support
The new release adds the ability to save email attachments to a specified folder. Attachments from multiple email messages can be saved.

Bug Fixes in Version 5.4

Fixed exporting issues in the Portable edition
Fixed the Database Locked error
Fixed NOT filters for images and documents
Fixed the No filesystem found (dd/Linux) error
Removed a rarely used filter from the Case Tree