Sneak Peek of BEC 2020 v.9.7
Sneak Peek of Belkasoft Evidence Center 2020 v.9.7
Belkasoft announces the upcoming release of BEC (Belkasoft Evidence Center 2020) version 9.7. In v.9.7, Belkasoft significantly expanded BEC support of various mobile data sources and added support for more operating systems in its Remote Forensics module.
Features expected in the upcoming release of BEC 2020 include:
- Acquisition of MTK-based devices; acquisition via MTP/PTP protocols; iTunes backups supported for iOS 13
- Support for Xiaomi and Huawei backups
- F2FS file system parsing and analysis
- CarPlay analysis
- Major improvements of Remote Forensics (macOS and Linux support; WMI deployment)
- Support of AFF4 images
- Connection Graph revamped
- Numerous improvements in Artificial Neural Network analysis of photos
- Improved search of Japanese texts
- Numerous updates to artifact extraction
Sign up for a webinar on new BEC v.9.7
Mobile device acquisition
In BEC 2020 v.9.7 we increased the number of acquisition methods:
- Acquisition of MTK-based devices is now supported. MTK stands for MediaTek, a well-known chip manufacturing company based in Taiwan. The company supplies enough semiconductors to produce 1.5 billion devices a year, so it is important to have support for their devices in a digital forensic tool like Belkasoft Evidence Center. Data is extracted using MediaTek Preloader Download Mode on Android mobile devices powered by a MediaTek chip. Flash memory is downloaded while the device is turned off, so neither unlocking nor root access is required
- Acquisition via MTP/PTP protocols. One of the options offered to a user when they connect their device to a computer is "transfer media files using MTP". MTP stands for "Media Transfer Protocol"; it is an extension to the Picture Transfer Protocol (PTP) communications protocol that allows media files to be transferred from portable devices. Whereas PTP was designed for downloading photographs from digital cameras, Media Transfer Protocol allows the transfer of music files on digital audio players and media files. Now you can use either of these two protocols to acquire media from digital devices
- iTunes backup creation is supported for Apple devices running the new iOS 13
- Finally, an iTunes backup can now be created with forced encryption. Since an unencrypted backup contains less data than an encrypted one, Belkasoft Evidence Center offers the user the option to encrypt the backup
Support for Xiaomi and Huawei backups
- Xiaomi MIUI backups are supported. MI User Interface, abbreviated MIUI, is firmware for smartphones and tablets developed by the Chinese electronics manufacturer Xiaomi. The firmware is based on Google's Android operating system and, in particular, has its own backup. The global market share of Xiaomi devices is estimated at 9% (compared to Apple, which has 10%), but in some markets it is even more popular. For example, in India, Xiaomi is a bestseller with a market share of 28%. That's why with BEC v.9.7 you can now ingest and analyze MIUI backups
- Huawei HiSuite backups are supported. Huawei is even more popular than Xiaomi (16% global market share), though its share decreased because of the recent US ban. Huawei HiSuite is the official Android Smart Device Manager tool developed by Huawei Mobile. HiSuite works with such Huawei smartphones as Huawei P20/Plus, Honor 9N, Honor 10, Honor 9 Lite, Nova 3, Honor Note 10, and more. In particular, HiSuite has its own backup and restore mechanism. Backups can be created both encrypted and unencrypted, and Belkasoft Evidence Center allows you to work with both types of HiSuite backups (a password is required for an encrypted backup). BEC also supports analysis of a local Huawei device backup (backups which are stored internally on a device)
F2FS support
F2FS stands for "Flash-Friendly File System". This is a file system developed by Samsung with the idea of having a file system specifically for devices with flash memory. These days the F2FS file system is considered promising. While it is not widely used yet, it has been adopted, in particular, by Google in their Pixel 3 devices.
Belkasoft now natively supports parsing and analysis of partitions formatted with F2FS: you can see their contents in the File System Explorer window, review files and folders, examine their contents in HexViewer and, of course, run BEC analysis for artifacts stored inside.
Remote Forensics
The Remote Acquisition module, although only just released, attracted huge attention from our corporate customers. Excited and encouraged by such interest, we increased our efforts to improve the initial function set.
In the new version of BEC, you will find the following improvements to the Remote Acquisition module:
- Agents can now run on macOS and acquire logical images. In the previous version, agents could only run on Windows; now macOS remote acquisition is also supported. You can acquire DMG images of all attached devices with the exception of Macintosh HD, while for the main drive you can acquire any folder
- Agents can now run on Linux and acquire logical images. Linux is very widespread in corporate environments, so many of our customers asked us to enable our agent to work on this operating system
- Multiple improvements made to the remote acquisition of Android and iOS devices
- We expanded the set of configuration options so that you can cover a wider range of local network setups
- A remote agent can now be deployed via WMI (Windows Management Instrumentation). Apart from GPO and local deployment, supported in previous versions, you can now also use WMI to push agents inside your Windows LAN

Agent WMI deployment settings
Other improvements
CarPlay forensics. In some cars, you can connect your iPhone to the car computer. You will be able to see your iPhone screen projected on the car computer, accept calls, read messages, and listen to music. With the latest version of BEC, you can extract some of the artifacts left by the communication between an iPhone and a car, such as the start and end time of a CarPlay session as well as the last Siri request (in text). You need to have a full file system copy of the iPhone, since this data is not stored in an iTunes backup. You can make such a copy with Belkasoft Evidence Center for jailbroken backups.
AFF4 images support. AFF4 is an open-source format used for the storage of digital evidence and data. This format has a number of advantages over other forensic formats (including built-in cryptography support and support for having multiple pieces of evidence in the same image). That's why it is now added to BEC.
Connection Graph revamped. Connection Graph was temporarily removed for v.9.6 and is now back with a number of improvements, including better look and feel.
Artificial Neural Network based photo analysis. We have significantly improved photo analysis based on ANNs. In particular, the detection of pornography and guns now works much quicker. We significantly reduced the number of false positives for the detection of crosses and arrows on drug-related images. Finally, there is no longer any need to install the CAFFE library.
Search of Japanese. Based on the feedback from our Japanese customers, we tuned our new search engine, built on ElasticSearch, to better search hieroglyphic terms.
Numerous updates to artifact extraction. As usual, a few dozen new and updated artifacts are included in the new BEC version.

