Belkasoft Evidence Center: Summary of 2019

2019 has been an eventful year for Belkasoft. Our flagship product, Belkasoft Evidence Center, made significant progress and was upgraded, step by step, from ver. 9.5 to ver. 9.9. These changes made it possible for BEC to stay what it is, i.e. a cost-efficient all-in-one digital forensics solution that covers the latest tech developments and the investigative capabilities in highest demand.

This article summarizes the most important new features one can find in Belkasoft Evidence Center as of 2019. BEC is the way to go, whether you are an individual investigator or a member of a big DFIR lab, a law enforcement professional or a corporate security employee.

This article is inevitably incomplete, otherwise it would be too long. It rather covers the most significant improvements made to the product this year. You can find a comprehensive list of improvements at https://belkasoft.com/new; make sure you scroll down to the version history section.

Advanced Mobile Device Acquisition

Probably the most sensational news from Belkasoft was the newly introduced iOS acquisition function: with the newest checkra1n jailbreak and even without a jailbreak! In both cases a full file system copy can be acquired by Belkasoft Evidence Center.


Belkasoft agent on an iPhone screen where it was installed without jailbreaking the device

Needless to say, Evidence Center can analyze such iOS extractions and finds dozens of newly supported artifacts, such as chats (e.g. WhatsApp, Telegram, etc.), health data (e.g. FitBit or MiFit), CarPlay, browser and email artifacts and many more. In the latest version 9.9 Belkasoft improved its support for GrayKey extractions.

Earlier this year, we started with full logical extraction from already jailbroken iOS devices; this feature first appeared in 2019. Belkasoft was one of the first digital forensic companies to update its product with support for iOS 13 and the iTunes Windows App. This year, we also added lockdown-based acquisition of iOS devices, a method that lets you obtain an iTunes backup without unlocking the device!

The product also gained acquisition of MTK-based devices in 2019, and MTP/PTP-based acquisition was introduced. Finally, the existing Android methods were massively improved, including standard ADB acquisition and acquisition based on the Belkasoft agent for Android. In the latest versions, Belkasoft Evidence Center supports analysis of TWRP dumps.

Remote Acquisition

This year, BEC added support for remote acquisition of PCs (including RAM) and connected smartphones. With this tool at your disposal, you can obtain images of various information sources even in the most complex and dispersed IT environment, with fewer employees and without any interruptions.

The Remote Acquisition screen of Belkasoft Evidence Center shows you the devices available for acquisition

Incident Investigation

The Incident Investigation module made Evidence Center a valuable tool for corporate customers doing Incident Response. If your company's infrastructure is attacked, you can use BEC to examine event logs, the registry, and memory dumps to identify traces related to the attack. The available sources of artifacts for your analysis include Syscache, Scheduled Tasks, Amcache, Remote connections (RDP, Remote Connection, TeamViewer, etc.), BAM/DAM, AppInit DLLs, ShimCache, Startup Tasks, Browser extensions, Event logs and many others. As a result, suspicious-looking and problematic traces are located and presented to the responder.

The new Incident Investigation screen groups artifacts related to hacking attempts and malware into several nodes, such as Execution, Persistence, Remote connections and others

Cross-Case Search

You can perform a Cross-Case Search across several cases at once. The goal of Cross-Case Search is to find intersections between different cases. Here, 'intersections' means information related to your current case that can be linked with relevant information detected in other cases.

Multi-User Team Edition

Belkasoft is now fully capable of helping large and dispersed investigative teams with its massively updated Multi-User Team Edition. If you activate it, you will be able to store cases in a database available via the LAN and access those cases remotely from various places within the same LAN. The access rights system makes it possible to create different roles.

Graphical Timeline

BEC allows you to build a Graphical Timeline that is synchronized with your Grid Timeline. This means you can visually detect anomalies, analyze the density of various points, and apply time-based filters with your mouse in a simple fashion.

The Graphical Timeline window shows various types of events in the case and allows you to filter them by date and time range simply by using your mouse

Connection Graph

The updated Connection Graph is also of importance to BEC users. While the feature itself was introduced long ago, the upgraded look and feel of our Connection Graph deserves your attention. As we mentioned in one of our recent articles, a proper Connection Graph is the most efficient way of detecting and understanding links, patterns, and suspicious episodes associated with a complex case.


One of the unique features of Connection Graph is its community detection. In the screenshot you can see four groups of different colors, automatically assigned by the product

CarPlay and Other iOS Apps

Belkasoft Evidence Center supports analysis of numerous apps from full system iOS copies, regardless of how you obtained them: via GrayKey or by using built-in Belkasoft acquisition. One particularly interesting app is CarPlay: Belkasoft will retrieve some important CarPlay data such as the start and end time of a CarPlay session and the last Siri request in text.

Other Improvements

As for other improvements and upgrades, the list is enormous and impressive:

  • Belkasoft became the first company in the world to support Telegram X decryption on Android devices
  • Belkasoft now decrypts FileVault, PGP, VeraCrypt, DriveCrypt, Symantec, TrueCrypt, etc. with a recovery key or a known password
  • Support for Xiaomi MIUI and Huawei HiSuite backups was added
  • A lot of updates were made to LNK file analysis, including carving and analysis of damaged LNK files
  • The product works with the Flash-Friendly File System, F2FS, used by Google for the Pixel 3, among other things
  • Belkasoft Evidence Center examines TikTok, one of the fastest-growing social media apps
  • Multiple new types of archives are supported as data sources, including .rar, .tar, .gz, .zip, .7z and many others
  • For low-level forensics, we added support for the SHA-256 hashing algorithm as well as the ability to whitelist files with known hashes
  • Multi-partitioned APFS images are now supported, completing the APFS support added in 2018
  • Picture analysis with artificial neural networks became much more robust, including explicit image detection and gun detection. The product now works without the need for GPUs (and performance is the same!) or additional libraries such as Anaconda, Python, etc.
  • A new search engine, ElasticSearch, replaced the older one, which allowed for much quicker and more robust indexing
  • Last but not least: a new 3-day Belkasoft Evidence Center certified training was introduced. Now you can become a BelkaCE (Belkasoft Certified Examiner) at an affordable price and in a short training time
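To illustrate what SHA-256 hashing with a known-hash whitelist does for low-level forensics, here is an added example that is not Belkasoft's code and does not reproduce the product's implementation: it hashes every file under a directory, skips files whose digest appears in a known-good hash set (the hash list format, the sample files and the hash values are constructed for the example), and reports only the unknown files that deserve an examiner's attention.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads so large disk images do not have to fit in memory


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """SHA-256 hex digest of a file, streamed in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_known_hashes(lines) -> set:
    """Parse a constructed 'sha256  optional-name' per-line hash list into a set.

    Lines that are blank, comments (#) or whose first token is not a 64-char hex
    digest are ignored, so a malformed entry never silently whitelists anything.
    """
    known = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            known.add(digest)
    return known


def triage(root, known: set):
    """Hash every regular file under root and split it into whitelisted vs unknown.

    Returns two dicts {relative_path: digest}; only the unknown dict needs review.
    """
    root = Path(root)
    whitelisted, unknown = {}, {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        rel = p.relative_to(root).as_posix()
        (whitelisted if digest in known else unknown)[rel] = digest
    return whitelisted, unknown


def demo():
    """Build a constructed evidence tree in a temp dir and run the triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "known.txt").write_bytes(b"abc")            # in the hash set
        (root / "sub").mkdir()
        (root / "sub" / "empty.dat").write_bytes(b"")       # empty file, also known
        (root / "unknown.bin").write_bytes(b"not in the set")  # must be reported
        # Constructed hash list: SHA-256("abc") and SHA-256("") plus noise lines.
        hash_list = [
            "# constructed known-good list",
            "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  known.txt",
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "deadbeef  not-a-full-digest",
        ]
        whitelisted, unknown = triage(root, load_known_hashes(hash_list))
        return sorted(whitelisted), sorted(unknown)


if __name__ == "__main__":
    known_files, unknown_files = demo()
    print("whitelisted:", known_files)
    print("needs review:", unknown_files)
```

The whitelist check is case-insensitive and rejects short or non-hex tokens, since a hash set that is too permissive would hide exactly the files an investigation is looking for; in practice the known set would come from a reference hash library rather than a hand-written list.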

In 2020, BEC will reach a new stage in its development. The Belkasoft team will continue monitoring all the important industry trends, fresh tech challenges, and customer feedback. Download BEC for the coming year and stay tuned!


References

Please read some of our articles published in 2019 which we referred to in this summary: