Effective Evidence Sharing with Belkasoft Evidence Reader
Investigators, legal teams, and clients frequently need to work together on shared data sources. However, collaborating on digital evidence is often complicated by either access limitations or licensing constraints. This article examines how Belkasoft Evidence Reader addresses these challenges, including:
- Belkasoft’s approach to the sharing of digital evidence
- Key features and benefits of using Belkasoft Evidence Reader
- Practical applications of Belkasoft Evidence Reader in real-world scenarios
Read on to learn how, with Belkasoft X, you can share analysis results with the necessary stakeholders.
Belkasoft’s perspective
Digital forensics investigations can be complex and involve many different stakeholders, locations, and skill levels. To facilitate collaboration among teams working on the same case, we have developed Belkasoft Evidence Reader.
Provided at no additional cost, Belkasoft Evidence Reader offers several benefits:
- Read-only access: Non-technical users can examine evidence findings without risk of altering case data.
- Portability: The software is self-contained and does not require licensing, which makes it easy to transfer and review data on any Windows PC.
- Familiar interface: For those who have worked with Belkasoft X before, the interface will be very similar.
By leveraging Belkasoft Evidence Reader's features, teams can quickly share information and collaborate on cases without tech-related headaches, so stakeholders can focus on the actual case.
Sharing findings: The export workflow
After Belkasoft X extracts artifacts from a data source, you can export this data to a “portable case” that can be opened on any compatible Windows system. Out of the box, you have two options to share your case:
- Full case export: Such an export workflow allows for easy transfer and review of the full case without requiring any additional setup.
- Selective export: Package only specific case elements by selecting the target data sources, artifact categories, profiles, or folders in the Artifacts window.
To share the whole case, use the Export to Evidence Reader command found on the Dashboard in Belkasoft X.
Export to Evidence Reader option in the dashboard
Alternatively, if you want to export a part of your case, such as specific artifact categories, app data, conversations, or mailboxes, you can select specific artifact nodes in the Artifacts window. This option packages only selected case elements.
Exporting selected artifact nodes to Evidence Reader
After you launch one of the exports, use the Export to Evidence Reader dialog to specify the Target folder for case files and define additional options:
- Copy Evidence Reader executables: This option exports portable Evidence Reader executables the recipient can use to explore the case data. Executables have the size of about 1.6 GB; if you are exporting multiple cases for the same recipient, you can save storage space by copying executables with only one of them. Note that the Evidence Reader and case data must be exported from the same version of Belkasoft X for compatibility.
- Save media files: This option saves media files such as pictures, audio, and video, together with case data. If you disable it, the portable case will only include metadata of the media files. You can skip saving media files if you do not need to share their content or if you plan to give recipients the data source associated with the case.
Export to the Evidence Reader window
The resulting export will include the following components:
- Case data in read-only format
- Configuration files
- Belkasoft Evidence Reader executable (if enabled)
- Media files (if enabled)
Reviewing an exported case
To open a case, navigate to the exported case folder and launch Evidence Reader.exe.
Belkasoft Evidence Reader output results
If you want to view a different case, navigate to the Home window, click Open case and browse to the case folder. When you are opening an exported case in Evidence Reader, make sure that you use the same version that the case was exported from in Belkasoft X.
Reconnecting data sources
The exported case contains artifacts extracted from data sources by Belkasoft X. If you want your stakeholders to also be able to view raw data, you will need to provide them with the data source they can connect to the case.
When launched on a different machine, the Evidence Reader will show a warning sign against every data source that it cannot locate by the original path:
Detached data source
To reconnect the data source from the Evidence Reader dashboard, double-click the red exclamation mark icon. Then, specify the new path to the corresponding source files:
Fixing a detached data source
Similarly, you can also reconnect a data source from the Artifacts window: right-click on the highlighted data source and select the Attach data source option.
Key features of Evidence Reader
Belkasoft Evidence Reader is designed for simplicity, security, and accessibility:
- No installation required: Evidence Reader runs from any folder or removable device. It requires no administrator privileges and leaves no system traces.
- Read-only mode: Users can view, but not alter, the exported data. Such an approach protects forensic integrity and ensures compliance with chain-of-custody standards.
- Familiar interface: The Evidence Reader interface is visually consistent with Belkasoft X. Users can navigate the timeline, examine artifacts, and review connections.
- File system and raw data viewers: If the original data source is available, they can also browse the file system and explore raw data in SQLite, Registry, and PList viewers.
- Search and filter functions: Stakeholders can perform full-text searches and use filters to locate key evidence items, which makes it easy to extract meaning from large datasets.
- Support for visual media: Users can view extracted images, videos, documents, and communication records in their original formats, along with relevant metadata.
- Built-in reporting: Each stakeholder can generate reports in formats like CSV, PDF, RSMF, EML, and more.
Artifact review in Belkasoft Evidence Reader
These features make it easy for non-specialists to understand the material while retaining the analytical depth needed by digital forensics professionals.
Use cases
Exporting case data with Belkasoft Evidence Reader offers numerous benefits in various scenarios. By allowing easy sharing and review of evidence, our tool streamlines collaboration, facilitates legal compliance, and ensures long-term accessibility.
Collaboration between analysts
When multiple investigators are assigned to a case, splitting the workload is essential for efficient progress. Exporting segments from Belkasoft Evidence Reader enables examiners to easily share their work with colleagues or supervisors.
For instance, a field investigator may export chat conversations or email correspondence for a cybercrime specialist to interpret. The recipient can access the exported package using Evidence Reader without having to access the original environment or install a full Belkasoft X.
Client and legal team review
Clients and legal stakeholders frequently require access to evidence but do not need to navigate a forensic suite. Evidence Reader simplifies legal discovery by enabling reviewers to access artifacts of their interest and allowing them to skip excessive data.
A prosecution team can receive a package containing the communication history of a suspect, complete with metadata and relevant files, without the need to interpret raw forensic images. Similarly, a corporate client can review data breach details without needing to access proprietary tools or formats.
Long-term archival
When archiving evidence for extended periods, such as in historical cases, ongoing investigations, or legal proceedings, the goal is to preserve the state of analysis as it existed at the time of review, not just the raw data. Exporting a static snapshot using Belkasoft Evidence Reader ensures the case remains locked in its original form, safeguarding its relevance for future reference. Such an approach covers several considerations:
- Version compatibility risks: Opening a case exported from an older version in a newer version of Belkasoft X may trigger automatic updates to align with the new database schema. This may render the case incompatible with older versions of the software. In certain instances, substantial schema changes may render a case unreadable in the new version.
- Analysis re-evaluation: While re-analyzing a data source is possible, updated analyzers (often improved or expanded) may produce different results. This can affect the reliability of reports, especially if legal or investigative decisions were based on earlier findings.
- Immutable output: The exported dataset reflects the exact state of the analysis as prepared by the original examiner. Stakeholders cannot modify, delete, or alter the original data, ensuring findings remain unchanged for future review.
This approach ensures that results and context from the original investigation are preserved in their original form, critical for legal, compliance, or re-examination purposes. It addresses the need to share findings without risking version mismatches or altered analysis outcomes, making it a key feature for archiving results rather than raw data.
Conclusion
Belkasoft Evidence Reader is a simple yet powerful tool for effective evidence sharing. It enables forensic professionals to present findings clearly and securely, supports cross-functional collaboration, and ensures long-term accessibility of case data.
Whether you are working across departments, briefing a legal team, or archiving cases for future reference, the Evidence Reader provides a consistent, secure, and user-friendly solution. With its free availability and strong forensic safeguards in place, it empowers investigators to focus on what matters most: uncovering and communicating the truth accurately.
Explore Belkasoft X Timeline features—and more!