Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

"To date, in my opinion Belkasoft has evolved into a formattable complete forensics suite on its own merit... Hence, for myself I can see shifting in 2021 from my legacy forensic tool suites to Belkasoft as my “new” forensics’ suite to not only reduce my support and maintenance costs for my forensic tools but in addition I get the added benefit of its seemingly unmatched support for third party applications, mobile devices and memory analysis."

In The Early Days Of Computer Forensics Bigger Was Not Always Better

Since the early 1990s the evolution of computer forensics products has been one primarily focused on the forensic communities investigative needs. For myself this was seen in fulfilling my needs to be able to perform a complete forensics investigation of some of the most popular software in use by my clients that ran on top of windows. Early in the days of computer forensics the tools typically handled the primary vendor such as Microsoft Windows seemingly in depth, but they simply did not handle password protected files, encryption, third party applications and never the less the complete capture and memory analysis when running Windows as the base operating system.

I can recall back in 1996 I had an intellectual property theft case where the disk image contained multiple password protected Microsoft Word files that had been emailed to a third party by the suspect. Hence it was probable that the Word files in question might contain components of the customers intellectual property. Unfortunately, my primary forensic software while it could identify the Word files could not easily come up with a password to allow me to open the Word files. I reached out to the community and someone suggested I take a look at Accessdata. In looking at the capability of Accessdata it could handle the password protected files and it became my first purchase of another tool outside of my primary forensics tool. I was able to quickly use reveal the passwords, open the Word documents and prove that the suspect had cut and pasted the company’s intellectual property into Word files and emailed them to a competitor that apparently the suspect was trying to obtain employment from – case closed.

Back in 2005 I was working on a case where an employee was thought to possibly be visiting websites outside of those permitted from work as part of the company’s acceptable use policies. My primary forensic tools could parse out the sites visited but did not put them in a user-friendly format that would be easy for management at the company to understand. I again reached out to the community and someone suggested I take a look at Belkasoft. It was a comprehensive solution that seemed at that time to focus on browser history and not only gave the URL, the date it was added and the last time it was visited, it also eliminated duplicates making the report output that much more understandable.

Shortly thereafter in 2006 I had another acceptable use case where the suspect had been using Yahoo Messenger to communicate which was not permitted per the company’s acceptable use policies. My primary forensic tools simply could not parse the Yahoo Messenger files. Again, reaching out to the community I learned that the current version of Belkasoft (which I regrettably failed to pay support and maintenance on) could handle Yahoo Messenger. I paid my support and maintenance fees and up graded Belkasoft to the current version and was able to get all of the users Yahoo Messenger history – case closed.

Yet again in 2008 I found my primary forensics tools could in most cases get the job done but I regularly found that I needed Belkasoft yet again to perform my forensic analysis. This case involved an employee possibly abusing the companies right of use policies by using possibly Skype to communicate and move files over chat. This began as what was assumed to be an unacceptable use policy violation of the companies right of use policies. My primary forensic tool was not able to parse or understand Skype and I found Belkasoft could easily handle Skype and I was able to provide management with an easily understandable report on Skype usage that also included capturing the historical transfer of files using Skype by the user. The case very quickly expanded from just a simple policy violation to that which included intellectual property theft, as the files transferred via Skype by the user were files that contained the companies intellectual property - case closed.

I had a case in 2016 whereby a user was thought to have been using an unauthorized application - WhatsApp. The IT department had taken a look at the user’s machine and did not see any files associated with WhatsApp. While my primary forensics tools did a poor job (if at all) of supporting WhatsApp, Belkasoft had it covered. I produced a forensic disk image and used Belkasoft to recover deleted WhatsApp files and was able to piece together a large part of the users WhatsApp history – case closed. I also noted at that time that Belkasoft was quickly evolving into becoming a full forensics tool suite by and of itself.

Since 2016 I still used my primary forensic tool suites first but always seemed to typically go back to (for no better choice of words smaller tool sets) tools such as Belkasoft. The cases I am typically involved with now involved many third party supporting applications such as Google Drive, Android Phone syncing, Apple Phone and Memory Analysis. I still regularly found my primary tools just did not do as through of a job as I was later able to do with tools such as Belkasoft. While up until now I had always used Belkasoft when my other primary tools could not get the job done with a third party resource. The Evolution of Belkasoft now made it a formattable primary tool and evolved to a point where it seemed to be able to perhaps replace my previous primary tools.

This brings us to today in 2021, when I look at the support and maintenance I am paying for my popular tool suites the move to Belkasoft as my primary tool simply made a lot of sense. I got my full forensic suite along with better popular third-party application software support which is regularly more in depth then my previous tool suites. I have learned a great lesson along the way since 1996 with my initial exposure to Belkasoft, bigger is not necessarily better unless it is all encompassing of the applications you need to analyze. While my primary tool suites did evolve over-time they always seemed to be a step behind solutions like Belkasoft. Having said that, the evolution of Belkasoft has transitioned from a product that specialized in third party applications to that of a complete forensics’ suite.

Many of the popular forensic suites I have used over the years since 1996 been acquired by larger enterprise security providers. These products are now for better or worse a small part of a larger product offering with the ability to deploy agents to machines across the network and then forensically access any machine across the enterprise environment. While there clearly is a need for this type of product in computer forensics today in my opinion it seems to have perhaps slowed down their support the analysis of third-party application data. In my practice I typically am fortunately only needing to analyze a specific machine that is part of an acceptable use policy violation and occasionally a malware infected machine where someone clicked on a link they should not have. Simply put I need new and better third party application support more then I need enterprise wide support.

To date, in my opinion Belkasoft has evolved into a formattable complete forensics suite on its own merit. Their support of third-party applications and its ability to fully provide a forensics analysis of that application is still perhaps the best I have seen in the computer forensics solution marketplace. Hence, for myself I can see shifting in 2021 from my legacy forensic tool suites to Belkasoft as my “new” forensics’ suite to not only reduce my support and maintenance costs for my forensic tools but in addition I get the added benefit of its seemingly unmatched support for third party applications, mobile devices and memory analysis.

See also