Belkasoft Evidence Center 2019 v.9.3 (or, in short, BEC) is an all-on-one forensic solution, combining computer, RAM, mobile and cloud forensics in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

Version 9.3 of BEC 2019 is a major new release with a pack of new features for all supported types of acquisition and analysis

• Mobile acquisition: agent-based and EDL acquisition for Android devices supported
• Support for Elcomsoft and GrayKey iOS images ingestion and analysis added
• Ingestion of zip and tar archives supported
• New important artifact: Windows 10 Timeline
• Custom carving introduced, including support for Scalpel and FTK sets
• Massive update of cloud forensics features
• Single-file case container allows quicker case copying and saves disk space
• Pornography detection using ANN (artificial neural networks) is supported. Re-training on custom sets allows to find case-specific images
• As usual, a pack of new and updated computer and mobile apps are supported
• Besides, with BEC 2019 Belkasoft is introducing official training and BelkaCE certification. Two courses are available: Belkasoft Essentials and Belkasoft Advanced, both are 2 days long. Available onsite locations for 2018: USA and Europe.

Sign up for a webinar on BEC v.9.3!

Upgrading to version 9.3 is free to all customers with a non-expired Extended Software Maintenance and Support contract. Customers without a current contract can purchase it from the Customer Portal. An affordable User Refresher Course is also available for those who would like to catch up on all recent improvements. Training with optional certification is available.

New features in detail

Acquisition

• Agent-based acquisition for Android devices is supported. Standard ADB backup is missing a lot of forensically important data and is shaky: a single app which behaves incorrectly, may spoil the whole acquisition. Agent-based approach allows you to reach much broader set of data, including various chat and mail apps. A small program, called "agent" is temporarily uploaded to a phone, helping to acquire maximum amount of data. Once the acquisition is finished, the agent is removed.
• EDL acquisition for Android devices supported. Android devices with Qualcomm processors allow to enter so called Emergency Download mode (in short, EDL). Using this mode BEC 2019 can acquire data which is not available with standard and agent-based acquisition.

Analysis

• Elcomsoft and GrayKey iOS images supported. Elcomsoft products allow a user to acquire an iOS image from a jailbroken device while GrayKey allows to acquire similar image from even locked iPhone. Both types of images are now supported by BEC 2019: you can ingest them and analyze for various iOS artifacts.
• ANN (Artificial neuron network)-based pornography detection introduced. In previous version of the product we used skin detection to search for explicit images. This may lead to false positives since not all images with skin are indeed explicit. Using new technologies such as ANN, it is possible to detect such image with much higher certainty. BEC 2019 is equipped with a pre-trained neural network which works out of the box. However, if you have specific image sets, which you would like to use as an example of what you are typically looking for, it is possible to re-train BEC on your own set to detect this particular type of images.

  Important: In order to run this kind of analysis you have to have a GPU card with CUDA support from the following list. Without the card this option is disabled.

• Windows 10 Timeline analysis supported. Windows Timeline is a new forensically important artifact, similar to a jumplist, but having a lot of extra information.
• Possibility to specify custom signatures for carving introduced. Previously, the only way to do custom carving was to write a specific BelkaScript, what required some programming experience. Now you can specify your own signature or import third-party signature sets, such as Scalpel or FTK ones.
• APFS support improved. While APFS was already supported in v.9.2, BEC v.9.3 works even faster when analyzing APFS images.

Performance and usability

• Carved data deduplication significantly improved. This helps carving process to avoid producing files already extracted with other types of analysis, thus making your case size smaller and decreasing overall analysis time.
• Single case container introduced. In previous versions all produced files, such as carved files or files extracted from email or document attachments, were stored separately in a case folder. Now all of them are stored in a single case file, what decreases space required on a disk, greatly speeds up moving a case or exporting it to Evidence Reader and also deleting case.
• Browser profiles redesigned. The way how BEC 2019 detects and shows browser profiles are significantly improved, what leads to much smaller amount of nodes in the Case Explorer window and simplifies overview of extracted browser data.
• Search is significantly improved (both predefined search speedup and correctness) - less false positives, more accurate showing of search match and so on.

GUI

• New interface allows you to import FTK and Scalpel signature sets for custom carving.
• Original columns can now be shown for bookmarked items.
• The way BEC shows carved data is significantly improved. While previous versions of BEC were showing carved data in separate nodes of Case Explorer, now the data is merged to corresponding nodes with artifacts found with regular analysis. To give an example, if a chat is carved, it is shown under Instant Messengers node, along with chats extracted from existing profiles. This greatly simplifies examination of artifacts of the same type because you do not have to look at different places for similar artifacts anymore.
• Email body preview column can be added to Mail list.
• General interface performance improved.

Reporting

• Complete e-mail body can be added to a report now.
• To customize Report columns, you can select needed ones in the Advanced Report options window.
• It is now possible to create report for bubble view.

Cloud forensics

Cloud data acquisition was massively updated to allow a user downloading major cloud services data:

• G Suite data downloading updated.
• iCloud data downloading updated.
• Instagram data downloading updated.

New and updated artifacts

• Browsers analysis updated for each supported browser.
• Bluetooth device extraction added for iOS.
• Apple Mail support updated.
• inbox.lv, inbox.lt, mail.ee apps supported.
• Windows 10 Timeline supported.

About 200 smaller improvements and bugfixes are made.