Belkasoft Evidence Center (or BEC) is an all-in-one digital forensic product,
which helps investigators to acquire, extract and analyze digital data. The product
offers out-of-the-box analysis of hundreds of important artifacts (such as
documents, emails, pictures and videos, chats and browser links, registry and system
data, etc.), as well as low-level analysis of files and processes.
In this article we will discuss how BEC supports the second type of analysis:
low level investigation of files and processes.
Sign up to the free webinar on BEC 2017:
https://belkasoft.com/webinar
File System and File Analysis with BEC 2017
You start your investigation by acquiring data from a data source. BEC supports
acquisition of hard or removable drives, computer RAM, mobile devices and
cloud data:
BEC is able to acquire Google cloud and iCloud
You can also add data that has already been acquired, such as a mobile phone dump
or backup, a folder, a virtual machine file and so on. In the screenshot below,
we add an E01 image:
All popular types of images are supported, including EnCase, FTK, UFED and X-Ways
The product asks whether you would like to analyze the image or not. Here, "analysis"
means out-of-the-box extraction of the 700+ types of artifacts BEC supports, such as
the ones mentioned above. We do not need this now, so the checkbox is left unticked
to save the time the out-of-the-box analysis would take.
Once a data source is added to the case, it immediately appears in the File System
Explorer window. This window allows you to see the volume, partition and folder
structure of the data source. BEC allows you to see all folders, including hidden
and system ones:
In particular, BEC allows you to analyze all or selected VSS (Volume Shadow Copy) snapshots
You can select any folder and inspect its contents in the File list on the right.
You can also right-click a folder and select "Copy files recursively", which
lets you unpack part of an image or mobile device backup to the host computer for further
analysis with other tools:
Why extract contents of an entire phone? Extract only needed folders with BEC
The File list shows you all files, including deleted ones, and allows filtering by
different criteria. In particular, you can sort and filter by various types of timestamps,
including NTFS-specific times such as "MFT created":
When a file is selected in the File list, its binary content is shown in the
HexViewer window of Evidence Center. HexViewer shows the hex values of the file contents
along with their string representation on the right. You can go to a specific offset,
search for hex or text, select a block of bytes and save it to a file, or copy it.
These capabilities allow you to do custom carving: search for a
signature inside HexViewer and then save the block of bytes following this signature
to a file. It is important to mention that you can review the entire image or partition
contents in the HexViewer by selecting it in the File System Explorer window. Thus you
can search and carve inside the entire image or partition.
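The signature-based custom carving described above, as an added Python example that is not part of the original article or Belkasoft's own code. It scans a constructed raw image for JPEG and PNG header signatures, carves each object through its footer (or up to a size cap when the footer is missing, so a partial file is still recovered and flagged), hashes the result, and can write the objects out to files. The signature table and the 10 MiB size cap are assumptions made for the example; the sample image is constructed inline.

```python
import hashlib
from pathlib import Path

# Header/footer magic values are the standard JPEG and PNG markers; the 10 MiB cap
# on a single carved object is an assumption chosen for this example.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Find every header signature in `data` and carve bytes through the matching footer.

    If no footer appears within the size cap, the object is carved up to the cap (or the
    end of the image) and flagged as truncated, so the analyst still sees the partial file.
    Known limitation, shared with a manual footer search in a hex viewer: a JPEG with an
    embedded EXIF thumbnail contains an inner FFD9 and would be cut at the thumbnail's end.
    """
    hits = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_len)
            end = data.find(footer, pos + len(header), window_end)
            if end == -1:
                chunk, truncated = data[pos:window_end], True
            else:
                chunk, truncated = data[pos:end + len(footer)], False
            hits.append({
                "type": kind,
                "offset": pos,
                "length": len(chunk),
                "truncated": truncated,
                "sha256": hashlib.sha256(chunk).hexdigest(),
            })
            # Resume the search after this object so its body is not rescanned
            pos = data.find(header, pos + len(chunk))
    hits.sort(key=lambda h: h["offset"])
    return hits


def write_carved(data, hits, out_dir):
    """Save each carved object as <offset>.<type> under out_dir; returns the written paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for h in hits:
        path = out_dir / f"{h['offset']:08x}.{h['type']}"
        path.write_bytes(data[h["offset"]:h["offset"] + h["length"]])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed stand-in for a raw partition: printable filler with three embedded objects."""
    filler = bytes(range(32, 127)) * 10                                  # 950 bytes, no signatures
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"A" * 20 + b"\xff\xd9"  # 31 bytes, complete
    png = SIGNATURES["png"][0] + b"\x00" * 16 + SIGNATURES["png"][1]    # 32 bytes, complete
    cut_jpeg = b"\xff\xd8\xff\xe1" + b"B" * 10                           # 14 bytes, footer lost
    return filler + jpeg + filler + png + filler + cut_jpeg


if __name__ == "__main__":
    image = build_sample_image()
    for hit in carve(image):
        print(hit)
```

The truncated flag matters in practice: a header without a footer usually means the file was partially overwritten, and the hash of a partial carve will never match a known-file database, so the flag tells you why.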
If you work with a file of unknown structure, two Belkasoft features will help
you unveil that structure effectively. First, you can create bookmarks of different
colors to give meaning to various groups of bytes. To do so, create a bookmark
and edit it by clicking the Edit bookmark button. In the window that opens you can specify
a color and give a description. The color markup will help you form hypotheses
about the meaning of different byte groups.
You can give bookmark a name, a color and a description
Note that HexViewer bookmarks are persistent, so you will find them in the same
place when you reopen the case and select the same file.
BEC allows you to easily navigate between bookmarks in HexViewer with arrow buttons
Second, you can select a group of bytes and see different interpretations of
these bytes in the Type Converter screen. Type Converter shows you how the selected
group of bytes can be interpreted as an ANSI or Unicode string, an integer or floating-point number,
Unix time, an IPv4 or IPv6 address and so on. You can change the byte interpretation order
(known as Big Endian or Little Endian):
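The kind of multi-type interpretation the Type Converter screen performs, as an added Python example that is not part of the original article or Belkasoft's own code. Given a selected byte group and a byte order, it returns every view that fits: signed and unsigned integers of each width, 32/64-bit floats, an ANSI (cp1252) and a UTF-16 "Unicode" string, a 32-bit Unix time, and an IPv4 or IPv6 address. Treating IP addresses in the selected byte order, like the integers, is a design choice made for this example; the sample byte strings are constructed.

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Field name -> struct format character (byte-order prefix is added per call)
NUMERIC_FORMATS = {
    "int8": "b", "uint8": "B",
    "int16": "h", "uint16": "H",
    "int32": "i", "uint32": "I",
    "int64": "q", "uint64": "Q",
    "float32": "f", "float64": "d",
}


def interpret(raw, byteorder="little"):
    """Return every interpretation of `raw` that fits, as a hex viewer's type converter does.

    Each numeric view reads the leading bytes of `raw` in the chosen byte order; views that
    need more bytes than were selected are simply omitted rather than padded.
    """
    if byteorder not in ("little", "big"):
        raise ValueError("byteorder must be 'little' or 'big'")
    prefix = "<" if byteorder == "little" else ">"
    views = {}
    for name, fmt in NUMERIC_FORMATS.items():
        size = struct.calcsize(prefix + fmt)
        if len(raw) >= size:
            views[name] = struct.unpack(prefix + fmt, raw[:size])[0]

    # Windows ANSI code page; undecodable bytes become U+FFFD so nothing is silently dropped
    views["ansi"] = raw.decode("cp1252", errors="replace")
    # UTF-16 in the selected order (what Windows calls "Unicode"); needs an even byte count
    even = raw[: len(raw) - len(raw) % 2]
    views["unicode"] = even.decode(
        "utf-16-le" if byteorder == "little" else "utf-16-be", errors="replace")

    if "uint32" in views:
        secs = views["uint32"]
        # 32-bit Unix time: seconds since 1970-01-01 UTC, rendered in UTC to avoid host-TZ skew
        views["unix_time"] = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
        # IPv4 from the same 32-bit value (design choice: follows the selected byte order)
        views["ipv4"] = str(ipaddress.IPv4Address(secs))
    if len(raw) >= 16:
        # IPv6 is 16 bytes in network (big-endian) order; reverse them for a little-endian view
        v6 = raw[:16] if byteorder == "big" else raw[:16][::-1]
        views["ipv6"] = str(ipaddress.IPv6Address(v6))
    return views


# Constructed samples: a little-endian DWORD holding Unix time 1500000000, and an IPv6 address
SAMPLE_DWORD = bytes.fromhex("002f6859")
SAMPLE_V6 = bytes.fromhex("20010db8" + "00" * 11 + "01")

if __name__ == "__main__":
    for order in ("little", "big"):
        print(f"--- {order} endian ---")
        for name, value in interpret(SAMPLE_DWORD, order).items():
            print(f"{name:>10}: {value!r}")
```

Switching the byte order on the same four bytes is the quickest sanity check when a candidate field does not decode sensibly: a plausible timestamp in one order and a nonsense one in the other usually settles the question.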
Live RAM Process Analysis with Belkasoft
BEC allows you to acquire a running Windows machine's live memory (RAM) using
the free Belkasoft Live RAM Capturer tool, which is included in your BEC installation.
To analyze an acquired RAM dump, add it to the case using the "Live RAM image"
option:
BEC will analyze the dump regardless of whether it was created
with Belkasoft or any other third-party tool. On the second page select all artifacts
and click "Advanced carving options". If you want to extract processes, select the "BelkaCarving"
option here. If you only need to extract artifacts from the memory dump, leave
this option unchecked.
After the analysis completes, the "File System" tab shows you all
extracted processes: those running at the moment the dump was created, and even recently
terminated ones:
Note that BEC shows not only live processes but also dead ones, that is, processes unloaded
by the time the memory dump was taken
As with files, if you select a process in the list of processes, BEC shows
you its binary contents in the HexViewer window, which allows you to do the same
things: search, select and save groups of bytes to a file, bookmark,
convert types and so on.
Apart from low-level binary analysis of RAM processes, BEC can carve RAM data
for hundreds of applications. The list of apps differs from the one for
hard drives because in RAM it is possible to find data that was never stored on a hard
drive, such as Facebook chats, Gmail emails, sites visited in InPrivate/Incognito
modes and so on.
If you selected the "BelkaCarving" option, all found artifacts are grouped by
process in the Case Explorer window:
You can also review them without grouping by process in the Overview
window:
In Overview, artifacts are grouped by artifact type only, which eases review of all
artifacts of the same type.
Low Hanging Digital Forensic Fruits Analysis
As shown above, BEC effectively solves various low-level file
system and RAM analysis tasks. However, in most cases you can avoid this
time-consuming work: BEC can extract hundreds of artifacts for you
out of the box, which alone solves most cases. Among the automatically extracted
artifacts are:
- Office documents (including Open Office)
- Emails and webmails
- Pictures
- Videos
- Mobile apps
- Web browsers
- Chats and Instant messengers
- Social network communications
- System files including jumplists, thumbnails, TOAST notifications, event
logs, etc.
- Registry files
- Encrypted files and volumes
- SQLite databases
- Plist files
- and some more
Apart from easily analyzing existing files, the product does the less obvious work
of recovering deleted data, carving individual artifacts, restoring freelist, WAL
and unallocated data from SQLite, analyzing Live RAM, detecting faces, scanned text,
skin and forgery in pictures and videos, extracting keyframes from videos, analyzing
Volume Shadow Copies, and decrypting encrypted iTunes backups.
All these types of analysis and artifacts are supported for Windows, Mac OS,
iOS, Linux, Unix, Android, Blackberry and some other operating systems.