Digital investigator nowadays has access to a wide array of solid forensic tools. Some of them offer mobile forensics only, some help with computer or laptop analysis, some – like Belkasoft Evidence Center – support all types of devices, but the task flow and product logic is more or less fixed in every product. If an investigator faces an unusual task, it is hard to solve it within the workflow offered by a product. And unusual tasks are not that rare – we hear about them very often, just take a glance at various forensic forums.

In this article, we will discuss some real life stories that involved cases hard to solve with the standard workflow in Belkasoft Evidence Center:

  • Good Employee, Bad Employee
  • Bar Fight
  • Digging Deep Inside Photos

However, it became possible with BelkaScript, a free built-in scripting module that allows users to write custom scripts to extend Evidence Center capabilities. Scripts can be used to automate some of the routine (for example, reporting or bonding together two operations) or to extend product’s functionality for a specific situation. But it most certainly does not end there as we will now show on real-life examples.

Good Employee, Bad Employee

In the case of Good Employee, Bad Employee our customer used Belkasoft Evidence Center 7.2 to analyze a criminal case. There was a computer used by two workers of a company. However, both of them were using the same Windows account, which made it hard to distinguish whose actions were whose.

Some inappropriate traffic was detected, and the computer was taken away for investigation. The investigator was able to successfully find the URL history they were looking for using built-in Evidence Center functionality. They even restored some of the recently cleared browser histories by analyzing a memory dump created with Belkasoft Live RAM Capturer. The issue was that there were merely harmless data mixed with obviously fault activities, and the investigator needed to separate those. They contacted our support asking if the product was capable of doing it. Such a narrow feature was not built into the product, and there is where BelkaScript came in handy. Using the scripting module the customer created a script, which allowed sorting all of the found records by time, as the investigator required, since the employees were taking shifts to work.

Let’s see how easy it was.

First, the user should create an empty script. This is what is created by BEC by default:

// ************************************************************
// This BelkaScript demonstrates outputting basic case details.
// ************************************************************

// Do not rename main function: it must be called “Main”
public void Main()
{
  // Write current case properties to
  // the Output window of Evidence Center
  Output.WriteLine(“Current case name: {0}”, CurrentCase.Name);
  Output.WriteLine(“Created by: {0}”, CurrentCase.CreatedBy);
  Output.WriteLine(“Description: {0}”, CurrentCase.Description);
  Output.WriteLine(“Created at: {0}”, CurrentCase.CreatedAt);
}

Let’s delete the sample code outputting case details and write code to enumerate all URLs in all browsers in the case:

foreach (DataSource dataSource in CurrentCase.DataSources)
{
  foreach (Browser browser in dataSource.Browsers)
  {
    FilterUrls(browser.Urls);
  }
}

CurrentCase.DataSources is a collection of data sources added to a case. It contains hard drives, images such as EnCase or X-Ways, mobile backups or UFED dumps, hibernation or page files, memory dumps and other sources of data supported by BEC.

The line foreach (DataSource dataSource in CurrentCase.DataSources) will enumerate all such sources one by one.

The line foreach (Browser browser in dataSource.Browsers) enumerates all browsers within a data source.

Finally, the line FilterUrls(browser.Urls); executes a function, which we still have to write. This function will do actual filtering of URLs, so it accepts a parameter browser.Urls, which stores all links visited in a given browser.

Now let us do the actual filtering. First, let’s declare two collections: for the first user’s URLs and for the second one’s:

List<Url> firstPersonUrls = new List<Url>();
List<Url> secondPersonUrls = new List<Url>();

This code can be placed before the Main function.

Now the function FilterUrls:

void FilterUrls(IEnumerable<Url> urlList)
{
  int FirstPersonStartTime = 9;
  int SecondPersonStartTime = 16;

  foreach (Url url in urlList)
  {
    if (url.LastVisitTimeUtc.Value.Hour >= FirstPersonStartTime &&
    url.LastVisitTimeUtc.Value.Hour < SecondPersonStartTime)
    {
      firstPersonUrls.Add(url);
    }
    else
    {
      secondPersonUrls.Add(url);
    }
  }
}

The line foreach (Url url in urlList) enumerates actual URLs passed to the function (remember, we pass to this function all browsers URLs from all data sources).

Next the line if (url.LastVisitTimeUtc.Value.Hour >= FirstPersonStartTime && url.LastVisitTimeUtc.Value.Hour < SecondPersonStartTime) checks last visit date and time for a given URL. If it was visited in the first person working hours, the URL is added to the first URL collection, otherwise it goes to the second one.

Now, after sorting data, the script can create two separate reports with of browser histories, on for each user, thus helping to identify and prosecute the employee that was involved into criminal activities, leaving the innocent one with their name completely clean:


void GenerateReport(List<Url> urls)
{
  string ReportPath = @”C:\Cases”;
  Report.Generate(urls, ReportPath, TargetFormat.Pdf);
}

This function accepts a list of URLs and uses BelkaScript API function Report.Generate to create a report in PDF format in the C:\Cases folder.

Almost done! The final thing to do is to include a call to GenerateReport function to the Main function:


List<Url> firstPersonUrls = new List<Url>();
List<Url> secondPersonUrls = new List<Url>();

public void Main()
{
  foreach (DataSource dataSource in CurrentCase.DataSources)
  {
    foreach (Browser browser in dataSource.Browsers)
    {
      FilterUrls(browser.Urls);
    }
  }

  GenerateReport(firstPersonUrls);
  GenerateReport(secondPersonUrls);
}

Bar Fight

(Belkasoft is grateful to Fedor Korzhov, the author of the original script, which kindly allowed us to publish his results)

Most of us go to a bar to relax and step back from everyday routine. But sometimes people “relax” too much, leading to heated up conversations which, in their turn, might result in a brawl. And, if the fight gets big enough, someone will get hurt. Now, after the dust settles down, it is time to realize that getting someone injured is against the law.

This is precisely what happened in our Bar Fight case. The Bar must have been used to an occasional scuffle, because there were 5 security cameras installed that perfectly captured a particularly bad fight where there were was a suspect who maimed a victim. This caused a court case, and the prosecutors were interested in recordings from the security cameras, since these ought to have contained the most significant evidence. One may imagine how unhappy they were when they found that the DVR was visibly empty – for reasons unclear, management of the Bar formatted it on the day when it was to be taken.

However, the physical storage visibly contained some data that was structured as videos would be structured. Carving could restore chunks of information, but definitely not the whole videos. The pictures seemed to be mixed chaotically, but, after some putting the pieces together, examiners were able to conclude that it these chunks were, in fact, frame-by-frame streams, just mixed up from all the five cameras. For instance, the first five pictures were not five consecutive frames from one video. Instead, these were the first five frames of each video. The next five were, therefore, the second frames from different videos, and so on. Using Hex Viewer, the investigator was able to identify typical signatures of frames. Using BelkaScript, they then wrote a script that would search for these signatures, sorting out the frames with similar signatures into five different files. As a result, although with a lot of effort and time consumed, the experts were able to pull together five videos from the security cameras, which later served to prove the suspect guilty of causing grievous bodily harm.

Due to the large size of the script, it would not fit into this article, but it is available upon request at support@belkasoft.com.

Digging Deep Inside Photos

As reported by one of the users, they found BelkaScript to be particularly useful while working with photos. Indeed, looking through and exporting metadata of each individual photo seems to be at least inefficient. That is why automating some operations such as reporting can be useful while working with images. The user created two custom scripts that we thought were actually brilliant.

The first script allows us to export GPS data from images into a KML file. The KML report contains file names, modification times, coordinates, as well some other metadata all sorted out in a convenient manner.


// **************************************************************
// This script creates a KML file based on data from image files
// **************************************************************

public void Main()
{
  // Enumerate all images, hard drives, mobile devices
  // in a case

  foreach (DataSource dataSource in CurrentCase.DataSources)
  {
    // Skip data sources, which do not contain any pictures
    if (dataSource.Pictures.Count() == 0)
    {
      continue;
    }

    // Create a report: KML file
    StreamWriter KML_FILE = new StreamWriter(“d:\\GPS-Data.kml”);

    // Filling in headers in KML file:
    KML_FILE.WriteLine(
      “<?xml version=\”1.0\” encoding=\”UTF-8\”?>”);
    KML_FILE.WriteLine(
        “<kml xmlns=\”http://www.opengis.net/kml/2.2\”>”);
    KML_FILE.WriteLine(“<Document>”);
    KML_FILE.WriteLine(
      ” <Folder> <name> Labels ” + CurrentCase.Name + “</name>”);

    // Variable with coordinates
    Tuple <double, double> gps;
    // List of photos
    Picture picture = dataSource.Pictures.First();

    foreach(var photo in dataSource.Pictures)
    {
      // Read coordinates
      gps = photo.GpsCoordinates;
      // if coordinates are present
      if (Gps.Item1 != 0.0)
      {
        // show in console
        Output.WriteLine(
          “Found file with GPS coordinates : {0}”, photo.FileName);
        Output.WriteLine(
          “GPS coordinates : {0}”, photo.GpsCoordinates);
        Output.WriteLine(“GPS coordinates : {0}”, Gps.Item1);
        Output.WriteLine(“================================================”);
        // Export to KML file
        KML_FILE.WriteLine(“<Placemark>”);
        KML_FILE.WriteLine(“<name> {0}”, photo.FileName);
        KML_FILE.WriteLine(“</name>”);
        KML_FILE.WriteLine(
          “<description> Date of latest modification UTC: \n”
         + photo.FileModificationTime + ” </description>” );

        KML_FILE.WriteLine(“<Point>”);
        KML_FILE.WriteLine(“<coordinates> ” +
          gps.Item2.ToString() + “,” +
          gps.Item1.ToString() + “,0”);
        KML_FILE.WriteLine(“</coordinates>”);
        KML_FILE.WriteLine(“</Point>”);
        KML_FILE.WriteLine(“</Placemark>”);
      }
    }

    KML_FILE.WriteLine(“</Folder>”);
    KML_FILE.WriteLine(“</Document>”);
    KML_FILE.WriteLine(“</kml>”);
    KML_FILE.Close();
  }
}

The result of running the second of the user’s scripts is a structured report with focus on camera model, manufacturer, and date of capture pulled out from EXIF. This script, showing how easy-to-use the BEC scripting module is, can also be requested via support@belkasoft.com.

Try BelkaScript Yourself

As shown above, BelkaScript certainly adds versatility to Evidence Center as it provides you with virtually unlimited possibilities of modifying the product in the way you need – from simple task automation to fulfilling unusual tasks in an efficient manner. We encourage you to try creating scripts as it may truly help you to ease and speed up digital investigations.

Interested in getting sample scripts or other investigators’ scripts? Would like to learn more about BelkaScript? To get samples and complete API reference, please proceed to our website: https://belkasoft.com/scripting or request assistance at support@belkasoft.com.

If you do not have a license of Belkasoft Evidence Center but would like to try BelkaScript and other features, please request a fully functional trial version at https://belkasoft.com/trial.