Belkasoft Evidence Center Features
What's new in version 7.1?
Why Belkasoft Evidence Center?
- Reduced cost of investigation
- Reduced investigation time
- Less specialized knowledge required of the investigator
- Ideal for triage
- Simultaneous work of several analysts on the same case
Search a seized drive for histories
There is a seized hard drive in your lab and you want to find all history and document files contained there. You do not know which means of online communication and software the suspect has been using. The product allows you to search the whole hard drive for all supported types of evidence: Instant Messenger chats, browser URL history, mailboxes, P2P data, multi-user online games, Office documents, pictures and videos, and mobile device backups:
- All drives or particular ones may be selected
- You can select a particular folder to search through
- Histories to be looked for may be limited to a particular type (e.g. Skype files only)
- You can search a drive or image in industry formats such as EnCase evidence file (both E01, Ex01), S01, DD, AFF
- It is possible to manually select a history to analyze
After the software has found history profiles, you can select any of them and add them to a case. At this point you can instruct the software to calculate the profiles' hash values to make sure they are not changed during the investigation.
Besides communication histories, the product allows you to locate documents, pictures and video files and include them in a case for subsequent analysis.
Analyze found histories
The product does all the communications analysis with two mouse clicks:
- No password required
- You do not have to be logged in as the history owner
- No write access required. The product works with write-blocking devices
Analyze found images and videos
The product allows you to run complicated analysis against picture and video
files, such as:
For your convenience, detected results are then correspondingly grouped, for
example, in an item called "Images with faces" or "Images with text".
Before a video file is analyzed, it is broken into a series of key frames. This feature alone is extremely useful for reducing the emotional stress of an investigator who has to deal with video analysis of particular kinds. Instead of watching hours of unpleasant video, they can simply cut it into a hundred key frames, which can be inspected very quickly, even without automation, without losing any evidence.
Analyze Office documents
The product can search and extract data from all major Office document types. Besides raw text, it extracts all metadata and any files embedded in such documents.
Find encrypted files and decrypt them
The product detects encrypted files on drives and drive images. It shows the encryption type and features and advises on which attack should be used to decrypt a file. If Passware Kit Forensic (or EnCase with Passware) is installed, it can decrypt files right from within its user interface, thanks to Passware integration.
Retrieving deleted history
If some history was deleted by a user, chances are that part of it can still be found on the drive. To find it, the product uses so-called 'carving' techniques, which help to retrieve deleted conversations.
The following features are supported:
- Carving FAT, exFAT, NTFS, ext*, HFS/HFS+, YAFFS/YAFFS2 drives.
- Carving drives attached through a write-blocking device
- Carving drive images (EnCase, SMART or DD format; Windows, MacOS and Linux file systems supported) and virtual machine files
- Live memory investigation (carving a RAM image made in win32dd/win64dd, FTK Imager or EnCase)
Note! This feature allows you to retrieve conversations deleted from a drive. It will not help you if some history was never stored on that drive, except for RAM image carving.
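To make the carving idea concrete, here is an added example (not Belkasoft's code) of signature-based carving over a raw image. It assumes the history of interest is stored as an SQLite database, which the page does not state, and it uses the size fields of the SQLite file header to decide how many bytes to carve; the sample image is constructed.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte file signature
HEADER_LEN = 100                         # fixed SQLite header size


def parse_header(buf, off):
    """Return the carve length in bytes for a header at `off`, or None."""
    hdr = buf[off:off + HEADER_LEN]
    if len(hdr) < HEADER_LEN:
        return None                      # signature too close to end of image
    (page_size,) = struct.unpack(">H", hdr[16:18])
    if page_size == 1:
        page_size = 65536                # special encoding for 64 KiB pages
    # Page size must be a power of two, at least 512.
    if page_size < 512 or page_size & (page_size - 1):
        return None                      # signature present, header not plausible
    (page_count,) = struct.unpack(">I", hdr[28:32])
    if page_count == 0:
        return None                      # size not recorded in the header
    return page_size * page_count


def carve_sqlite(image):
    """Scan a raw image (bytes) and return [(offset, length, truncated)]."""
    hits, pos = [], 0
    while (off := image.find(SQLITE_MAGIC, pos)) != -1:
        length = parse_header(image, off)
        if length is not None:
            avail = len(image) - off
            hits.append((off, min(length, avail), length > avail))
        pos = off + 1                    # continue scanning after this hit
    return hits


def make_sample_image():
    """Constructed test image: junk, one 2-page database, a bogus signature."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:16] = SQLITE_MAGIC
    hdr[16:18] = struct.pack(">H", 1024)   # page size
    hdr[28:32] = struct.pack(">I", 2)      # database size in pages
    db = bytes(hdr) + b"\x00" * (2048 - HEADER_LEN)
    bogus = SQLITE_MAGIC + b"\xff" * 84    # page size 0xffff: not a power of two
    return b"\xaa" * 4096 + db + b"\xbb" * 512 + bogus + b"\xcc" * 100


if __name__ == "__main__":
    for off, length, truncated in carve_sqlite(make_sample_image()):
        print(f"offset={off} length={length} truncated={truncated}")
```

Header-based carving like this only recovers data that is still contiguous on the medium; a fragmented or partly overwritten file yields a carve that must be validated before it is relied on.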
Explore extracted histories
The product shows extracted information in a user-friendly form:
Within the user interface you can:
- See all found history profiles
- See all contacts belonging to a chat profile
- See all mail folders belonging to an email profile
- See all conversations with a selected contact
- See all emails within a selected mail folder
- See a profile's original hash value and current hash value to make sure nothing has changed since the profile was added to a case
- Sort by various criteria
- Search history. Do simple searches through history and advanced searches using a file with a set of words to look for. Experienced users can benefit from searching by regular expressions, which is very useful when searching for templates or phrases with fuzzy structure, for example, credit card numbers
- View pictures included in a case
- View pictures with GPS coordinates, on Google Maps or Google Earth
- See all key frames for a video
- See all documents' metadata
You can mark any extracted information by using named bookmarks. Bookmarks are persistent and stored in the same database as the case. You can see all the pieces of information in a bookmark, go to the original item and, vice versa, go from an item to any bookmark which contains that item. Bookmarked items are highlighted with another color, so you will not miss them in an item list.
After completing your investigation, you need to export histories of interest
in a readable form. The product allows you to:
- Export histories to plain text, HTML, XML, CSV, PDF, DOCX, XLSX, RTF
- Limit exported histories to selected dates and contacts
- Split huge histories into separate files, broken by contact or mail folder
- Split reports into smaller files by specifying a number of items to be included
in the report, for example, 50 messages per report file
It is possible to customize the report, for example, to include your logo or change fonts and colors.
The product allows you to manage information for different cases. You can add
information you are working with to a named case, give a name and a description
to a case, create, edit and delete a case. This is handy when you work with multiple
cases at a time.
All found information is now stored in a database. Unlike the older products,
this product allows you to safely shut it down because all data is stored right
after it is extracted. This enables you to work with multiple cases and handle big
cases, for example, those involving multiple huge Outlook mailboxes. The product
does not have a limit of 2Gb of Outlook mailbox space which the previous products
Center integrates all the work with Instant Messengers, Browsers, Emails, P2P, MMORPG, Documents, Pictures and Videos in one
user interface. You can perform all operations with a piece of evidence in a uniform
way: it is possible, for example, to search through all found chats, URLs and emails
in a single search operation.
Multiple monitor support
The product has a number of windows showing various aspects of a case you are working with: Case Explorer, Item List, Item Properties, Task Manager and Web Browser, to name just a few. To make it more efficient to work with this number of windows, the product supports multiple monitors, so you can arrange windows and resize them as you find convenient. The product will remember your preferences and automatically restore the window positions and sizes the next time you run the product.
Instant Messengers supported
The product supports regular file analysis, deleted history carving and Live
RAM analysis for more than 90 Instant Messenger types/versions, including Windows, MacOS and Linux messengers. Some of them are listed below.
For the complete list, please refer to
- Skype versions 2, 3, 4, 5
- ICQ (all versions from 97a to ICQ 7)
- Microsoft MSN/LiveMessenger
- Yahoo! Messenger
The following browsers are supported:
- Microsoft Internet Explorer (except for password recovery), including IE 10 and newer
- Mozilla Firefox, starting with v.2
- Google Chrome
- Apple Safari (except for password recovery)
The following mailbox types are supported:
- Microsoft Outlook 2003, 2007 and 2010
- Microsoft Outlook Express
- Mozilla Thunderbird
- Yahoo! Webmail
- RITLabs The Bat!
- Windows Live Mail
Social Networks supported
The following social networks are supported:
Cloud Applications supported