Belkasoft X Cloud forensics support

Cloud applications and services are constantly evolving. Belkasoft X provides the following cloud forensics support:

  • Analysis of cloud client applications
    • Google Drive
    • Dropbox (with decryption)
    • OneDrive
    • Yandex.Disk
    • Flickr

Belkasoft X can also analyze the RAM artifacts for cloud services that lack client applications.

  • Acquisition and analysis of data stored in the cloud
    • Email:
      • Yahoo
      • Hotmail
      • Opera
      • Yandex
      • Mac.com
      • and 25 more webmail clouds
    • Google Clouds:
      • Google Drive
      • Google Keep
      • Gmail
      • Google Timeline
      • Google Sync
      • Google MyActivity
    • Huawei
    • iCloud (applications data)
    • iCloud (backup downloading) and keychain
    • Instagram
    • MEGA
    • Microsoft 365
    • Telegram
    • VK
    • WhatsApp
    • WhatsApp with the help of a QR code

You can acquire a cloud account and add it as a data source.

  1. Go to the top of the window. Click on Edit.
  2. From the list, select Add data source.
    (Tip: To quickly add a data source, use the Ctrl + Shift + F shortcut.)
  3. Click on Cloud.
  4. Choose the cloud service provider or application you want to analyze.

Email

If you select Email, choose the email service provider, and then do the following:

  1. Type in the email address and password.
  2. Specify the mail protocol.
  3. Click on the Next button.

Note: If you cannot find a webmail cloud in the Server list, you can select Custom server on the previous screen and fill in the Address and Port fields manually (these fields are enabled in this case).

Google Clouds

If you select Google Clouds, do the following:

  1. Select the specific Google service.
  2. On the authentication screen, choose your preferred authentication method.
  3. Click on the Next button.

In general, you can use any of the following options to authenticate the login:

  • Consent screen: If you click on the Next button on the Consent screen, you will be directed to a browser window where the Google request page loads. If the user account from which you want to acquire data is logged in, you will just have to click on the Allow button. Otherwise, you will have to input the account credentials.
  • Refresh token: If you have a refresh token, you can use it to access the account without going through the consent/authentication screen.
  • Email address and password: If you know the email address and password for an account, you can enter them to access the account’s mailbox and download the data there.
  • Account login and password: If you know the user credentials for iCloud, Instagram, or WhatsApp, you can enter them to access the profile and download the account data.

If you try to log into an account that has two-factor authentication enabled, you will be prompted to enter the code that was sent to the phone number linked with the account.
