2019 has been an eventful year for Belkasoft. Our flagship product,
Belkasoft Evidence Center (BEC), made significant progress and was upgraded,
step by step, from ver. 9.5 to ver. 9.9. These changes allow BEC
to remain what it is, i.e. a price-efficient all-in-one digital forensics solution
that covers the latest technology developments and the investigative capabilities in highest
demand.
This article summarizes the most important new features added to Belkasoft Evidence Center
in 2019. Whether you are an individual investigator, a member of a large DFIR lab,
a law enforcement professional or a corporate security employee, BEC is the direction
to go.
This article is inevitably incomplete; otherwise it would be too long. It
covers only the most significant improvements made to the product this year. You can
find the comprehensive list of improvements at https://belkasoft.com/new;
make sure you scroll down to the version history section.
Advanced Mobile Device Acquisition
Probably the most sensational news from Belkasoft was the newly introduced iOS
acquisition function: with the newest checkra1n jailbreak, and even
without a jailbreak! In both cases a full file system copy can be acquired
by Belkasoft Evidence Center.
Belkasoft agent on an iPhone screen where it was installed without jailbreaking
the device
Needless to say, Evidence Center can analyze such iOS extractions
and finds dozens of newly supported artifacts, such as chats (e.g. WhatsApp, Telegram,
etc.), health data (e.g. FitBit or MiFit), CarPlay, browser and email artifacts and
many more. In the latest version, 9.9, Belkasoft improved its support for
GrayKey extractions.
Earlier this year, we started with full logical extraction from already jailbroken
iOS devices; this feature first appeared in 2019. Belkasoft was one of the
first digital forensic companies to update its product with support for iOS
13 and the iTunes Windows app. This year we also added lockdown-based acquisition
of iOS devices, a method that helps you obtain an iTunes backup without
unlocking the device!
The product also gained acquisition of MTK-based devices in 2019, and
MTP/PTP-based acquisition was introduced. Finally, the existing
Android methods were massively improved, including standard ADB acquisition and
acquisition based on the Belkasoft agent for Android. The latest versions of Belkasoft
Evidence Center also support analysis of TWRP dumps.
Remote Acquisition
This year, BEC added support for remote acquisition of PCs (including RAM) and
connected smartphones. With this tool at your disposal,
you can obtain images of various information sources even in the most complex and
dispersed IT environment, with fewer employees and without any interruptions.
Remote Acquisition screen of Belkasoft Evidence Center shows you devices available
for acquisition
Incident Investigation
The Incident Investigation module made Evidence Center a
valuable tool for corporate customers doing Incident
Response. If your company's infrastructure is attacked, you can use BEC to examine
event logs, the Windows registry and memory dumps to identify traces related to the attack.
The available sources of artifacts for your analysis include Syscache, Scheduled
Tasks, Amcache, Remote connections (RDP, Remote Connection, TeamViewer, etc.), BAM/DAM,
AppInit DLLs, ShimCache, Startup Tasks, Browser extensions, Event logs and many
others. As a result, suspicious-looking and problematic traces are located and presented
to the responder.
The newly added Incident Investigation screen groups artifacts related to hacking
attempts and malware into several nodes, such as Execution, Persistence, Remote connections
and others
Cross-Case Search
You can perform a Cross-Case Search across several cases at once. The goal of
Cross-Case Search is to find intersections
between different cases. Here, 'intersections' means information related to your current
case that can be linked to relevant information found in other cases.
Multi-User Team Edition
Belkasoft is now fully capable of helping large and dispersed investigative teams
with its massively updated Multi-User Team Edition.
Once activated, it lets you store cases in a database available over
the LAN and access those cases remotely from various places within the same LAN. The
access rights system makes it possible to create different roles.
Graphical Timeline
BEC allows you to build a Graphical Timeline that is synchronized with your
Grid Timeline. This means you can
visually detect anomalies, analyze the density of events over time, and apply time-based
filters with your mouse in a simple fashion.
The Graphical Timeline window shows various types of events in the case and allows
you to filter them by date and time range simply by using your mouse
Connection Graph
The updated Connection Graph is also of importance to BEC users. While the feature itself was introduced
long ago, the upgraded look and feel of our Connection Graph deserves your attention.
As we mentioned in one of our recent articles, a proper Connection Graph
is the most efficient way of detecting and understanding links, patterns, and suspicious
episodes associated with a complex case.
One of the unique features of the Connection Graph is its community detection.
In the screenshot you can see four groups in different colors, automatically assigned
by the product
CarPlay and Other iOS Apps
Belkasoft Evidence Center supports analysis of numerous apps from full file system
iOS copies, regardless of how you obtained them: via GrayKey or using the
built-in Belkasoft acquisition. One particularly interesting app is
CarPlay: Belkasoft retrieves important CarPlay data such as the start and end time
of a CarPlay session and the text of the last Siri request.
Other Improvements
As for other improvements and upgrades, the list is enormous and impressive:
- Belkasoft became the first company in the world to support Telegram X
decryption on Android devices
- Belkasoft now decrypts FileVault, PGP, VeraCrypt, DriveCrypt, Symantec,
TrueCrypt, etc. with a recovery key or known password
- Support for Xiaomi MIUI and Huawei HiSuite backups was added
- A lot of updates were made to LNK file analysis, including carving and analysis
of damaged LNK files
- The product works with the Flash-Friendly File System (F2FS), used by
Google for the Pixel 3, among other things
- Belkasoft Evidence Center examines TikTok, one of the fastest-growing
social media
- Multiple new types of archives are supported as data sources. Types
of archives include .rar, .tar, .gz, .zip, .7z and many others
- For low-level forensics, we added support for the SHA-256 hashing algorithm
as well as the ability to whitelist files with known hashes
- Multi-partitioned APFS images are now supported, completing the APFS support
added in 2018
- Picture analysis with artificial neural networks became much more
robust, including explicit image detection and gun detection. The product now
works without the need for GPUs (and performance is the same!) or additional libraries
such as Anaconda, Python, etc.
- The new ElasticSearch search engine replaced the older one, which allowed
for much quicker and more robust indexing
- Last but not least: a new 3-day Belkasoft Evidence
Center certified training was introduced. Now you can become a BelkaCE
(Belkasoft Certified Examiner) at an affordable price and in a short training
time
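To illustrate the hash whitelisting item in the list above, here is an added example written for this summary; it is not Belkasoft's code and says nothing about how BEC implements the feature. It assumes a known-good hash set distributed as one hex SHA-256 digest per line (comments and mixed case tolerated, as real hash lists often are), streams each file through SHA-256 so large evidence files never need to fit in memory, and sets aside files whose digest is in the set so that only unknown files remain for review. The sample files and hash list are constructed inline.

```python
"""Hash-based file whitelisting (added example, not Belkasoft code).

Compute SHA-256 for every file under review and separate the files whose
digest appears in a known-good hash set from those that still need a look.
The sample files and the hash list below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files are never read whole


def sha256_file(path):
    """Return the lowercase hex SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_set(lines):
    """Parse a hash list (one hex SHA-256 per line, '#' comments allowed) into a
    set of lowercase digests. Malformed entries are skipped rather than matched."""
    digests = set()
    for line in lines:
        token = line.split("#", 1)[0].strip().lower()
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            digests.add(token)
    return digests


def triage(paths, known_good):
    """Split files into (whitelisted, to_review) lists of (name, digest) pairs."""
    whitelisted, to_review = [], []
    for p in paths:
        digest = sha256_file(p)
        bucket = whitelisted if digest in known_good else to_review
        bucket.append((Path(p).name, digest))
    return whitelisted, to_review


def demo():
    """Build a constructed case directory and hash list; return the file names
    that were whitelisted and those left for review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins; the content is arbitrary bytes, not real binaries.
        samples = {
            "kernel32.dll": b"constructed stand-in for a known OS binary",
            "notepad.exe": b"constructed stand-in for a known application",
            "update.exe": b"constructed stand-in for an unknown binary",
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        # A hash list as it might be distributed: a comment, an upper-case entry,
        # an entry with a trailing comment, and one malformed line.
        hash_list = [
            "# constructed known-good set",
            hashlib.sha256(samples["kernel32.dll"]).hexdigest().upper(),
            hashlib.sha256(samples["notepad.exe"]).hexdigest() + "  # notepad",
            "not-a-hash",
        ]
        known_good = load_hash_set(hash_list)
        whitelisted, to_review = triage(sorted(root.iterdir()), known_good)
        return [n for n, _ in whitelisted], [n for n, _ in to_review]


if __name__ == "__main__":
    ok, review = demo()
    print("whitelisted:", ok)
    print("to review:", review)
```

Two details matter in practice: digests are normalised to lowercase on both sides so a hash list shipped in upper case still matches, and a malformed line in the list is dropped instead of silently becoming an entry that can never match anything.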
In 2020, BEC will reach a new stage of its development. The Belkasoft team will continue
monitoring all the important industry trends, fresh tech challenges, and customer
feedback. Download BEC for the coming year and stay tuned!
References
Please read some of our articles published in 2019 that we referred to in this
summary: