What's new in Belkasoft X v.1.0

Belkasoft Evidence Center X or, for short, Belkasoft X, is a new flagship Belkasoft’s product for digital forensics and incident investigations.

On this page you can see its differences with its predecessor, Belkasoft Evidence Center 2020, a world's top-3 DFIR commercial product per Forensic 4:Cast Awards 2020.


Improvements in release 1.0.6233

Here you will find updates in v.1.0.6233, added after the original release of 1.0.6190. See below for details on 1.0.6190.

  • Processing of large APFS images improved. More artifacts are found now
  • iOS agent
    • Full file system can now be extracted for iOS 10 to 13.7
    • Keychain can now be extracted for iOS 10 to 13.7
    • Note: this functionality is not supported for iPhone models 6S and SE (first generation) running iOS 13.5-13.7 (keychain extraction is not supported for iOS 13.3.1-13.4.1), however, you may use Belkasoft's checkm8-based acquisition supported for these models, which is capable to extract both full file system and keychain
  • WhatsApp cloud downloader restored. This functionality was temporary removed due to change in WhatsApp protocols, but is available again now
  • Signal app decryption updated
  • Odnoklassniki (OK) app analysis improved
  • Pictures with explicit content blurring fixed
  • For disk acquisition chunk size 0 is not allowed
  • Product freeze on mini-timeline editing is fixed
  • Filters for private, public and crypted key columns added for Blockchain wallets
  • Global filter by deleted artifacts added
  • Unallocated node now shows size in File System
  • You can now create report for Picture subnodes (such as pictures with text, faces, etc)
  • Filter for videos with extracted keyframes added
  • Video and audio players now show warning if the file being opened is of zero size or located on dismounted data source
  • Unreadable scale for memory cash size in Settings window (in case of large memory volumes like 256Gb) fixed
  • Improvements in Search Results and File System windows

User Interface and new windows

1. The product no longer has a toolbar (buttons at the top) and status bar (line at the bottom). They were rarely used and occupied space, which is now used more efficiently. Similarly, the Main menu is removed

2. New Home top-level window introduced. Here, you can start your case: open or create case and tune settings. We deliberately separated it from the recent cases list and the Dashboard window to avoid confusion

3. There are no more Case Explorer and Overview top-level windows. We merged them into a single Artifacts window with a switch between modes Overview and Structure (an analogue of Case Explorer). This change emphasizes that both views are showing the same information from different angles

4. The Dashboard window now shows the current case. It has been reworked to present the data sources added and main actions, which can be performed on the case. Data source analysis progress is shown there and made more obvious. A link to Tasks added to get detailed information about tasks performed with the selected data source

5. The Task Manager top-level window is now called Tasks. We simplified the name to avoid confusion with Task Manager in Windows. The window is not split into two parts anymore. Instead, each task which contains subtasks, can be expanded and you can see particular subtasks progress

6. No more paging in all grids and lists: just scroll down! (The older product has page numbers for huge lists that introduced confusion: on which page is my data? What if I filter the list?)

Usability, workflow and ease of use

7. Global filters were implemented. Such filters are placed on the top right corner of the Artifacts window and are applied to all artifacts. In the previous product, you had to apply a filter to each separate view. Now, you no longer have to do so

8. Global filter showing bookmarked items only was introduced

9. There number and variety of local filters was increased. Now, even rarely met artifacts can be filtered by various criteria

10. Mini-timeline. There is one special filter, namely filter by date. This filter is separated from all other filters and is shown as a visual timeline on top of the artifact list. You can quickly specify a date range to filter out periods of interest

11. The Properties list is now shown at the right of the artifact list. Copying from Properties made simpler and does not include any delimiters as before. Properties can now be multiline. You can see both Properties and viewers (such as Hex or SQLite) at the same time because they are split now

12. All secondary windows are collapsible: property groups, entire Properties pane, Type converter part of Hex Viewer and entire Tools pane. This helps you to use your screen space more effectively

13. Checkboxes are now shown for nodes in the left part of Artifacts, Incident Investigations, Timeline, Bookmarks and other views. This property enables you to create reports for multiple items

14. Before, you needed to open another case to delete the current case. Now, you can delete the current case

15. You no longer need to rerun Belkasoft X to apply a new language or a license

16. Open to full screen button that shows SQLite Viewer, Hex Viewer, Registry Viewer, and Plist Viewer has been made larger to make it clearer

17. Dark theme appeared. Visually beautiful, this theme helps your eyes relax should you work at night, in a dark room or just prefer all your apps to use similar theme. Light theme is still your default choice otherwise

18. Bubble chat view improvements:

  1. Bubble chat made visually clearer
  2. Even on high resolution, chats are not aligned all to left (as in the older product)
  3. Bookmark icon is shown for bubble chats now (before, it was only available for the grid view)
  4. The separator line divides chats made on different dates

19. Gallery view improvements:

  1. Galleries made visually clearer
  2. Bookmark icon is shown for gallery items now (before, it was only available for the grid view)
  3. For easier sorting, three icons appeared to sort by file name, time and size, both ascending and descending
  4. Each item (whether a picture, a video or a document) has not just a name (as in the older product) but also modification time and size under the corresponding box
  5. A gallery item has a checkbox that allows selecting multiple elements for group operations

Add data source sequence

Being one of the most important windows in the product, Add a data source is massively reworked to add flexibility and new powerful options.

20. The Add data source window sequence can now be started inside a new case creation. The process is now one-step and less confusing

21. You gain more control over tasks you can perform on a data source:

  1. You can select parts of a data source to analyze it (for example, particular partitions only)
  2. You can extract memory processes and run malware detection without a need to carve a memory dump
  3. You can specify whether Belkasoft should process nested (internal) data sources or not
  4. You can enter passwords for encrypted partitions and volumes as well as iTunes backups, when you are adding a data source. If the entered password matches, the data source structure is expanded and you get a possibility to select parts of image
  5. You can opt to analyze only specified folder contents without going through all subfolders
  6. You can ask the product to only search application profiles without extracting data from them. This property enables you to do triage and create triage profiles
  7. Media analysis options appear: In previous versions, you could run detections of things like faces after the initial analysis. And now, you can specify media analysis options at the moment of adding a data source
  8. Search for encrypted files and volumes made clearer: this is now a separate tab with a dedicated checkbox, not an artifact type, like in the older product

22. The notion of a ‘profile’ appears. A profile combines the following sets of analysis options: what applications to analyze, whether to extract data, how to analyze hash sets and media files, whether to search for encrypted files and volumes. You can create profiles and reuse them in further cases; you can also use (and edit) predefined profiles such as Windows, Android,iOS, Internet-related, Corporate Investigation and others


This kind of analysis is very important and requested by many Belkasoft customers. Imagine, that you have just one hour to examine a computer having multiple documents, chat apps, browser histories and a huge 50Gb Outlook PST file. Just extraction of the mailbox is going to take a few dozen hours, that you cannot afford. This is where the triage analysis comes in handy. During this kind of analysis, Belkasoft will not extract any data (e.g. mails and mail folders from the PST file, chats from a WhatsApp profile, URLs from a browser), however it will show all profiles along with main details such as path, size, dates and times. You then to decide if to extract data from the most important profiles found or to continue with another data source in the queue.

23. Triage button added to Add a data source sequence

24. Checkbox Do not extract history, only perform profile search added. Using this checkbox you can create your own triage profiles (or use built-in Belkasoft’s one) or perform one-time triage analysis

25. After your data source is analyzed, you can select any profile and extract data from it

Acquisition sequence

If you do not have an image or a dump yet, you can acquire a hard or removable disk, a mobile device, or a cloud.

26. Acquire data source wizard is also completely redone and made visually and logically more consistent

27. Pay attention to our powerful iOS acquisition options (see iOS forensics below, too)

iOS forensics

The new Belkasoft product is one of the best choices on the market to perform iOS acquisition and analysis. It fully supports checkm8 and agent-based acquisition, extracts full file system images and keychain. There are many new features added comparing to the older product:

28. iOS agent: keychain extraction up to iOS 13.3! To remind, agent-based full file system acquisition is supported for iOS 10 to iOS 13.4.1

29. iOS 14-14.2 support

  1. iTunes backups supported
  2. checkm8 supported for 6S, 6S+, SE 1st gen, 7, 7+ and corresponding iPad models (first DFIR tool in the world to support this range of devices on iOS 14.2!)
  3. To remind, on older iOS versions 12.0-13.7, checkm8 is available for iPhone 5S to iPhone X and corresponding iPads

30. checkm8 support added for Network licenses

31. Keychain extraction from iTunes backups and decryption supported

32. Wickr decryption, based on keychain, added

See also: new and updated iOS artifacts below

Computer forensics

33. AFF4 images mounting and analysis added

34. Dynamic drives supported (no RAID)

35. Built-in WDE and FVE decryption supported:

  1. APFS
  2. Bitlocker
  3. DriveCrypt
  4. FileVault
  5. McAfee Endpoint Security
  6. PGP and Symantec PGP
  7. TrueCrypt
  8. VeraCrypt

36. $MFT files are now shown on the File System window


37. Bookmarks can now be of different categories, that are indicated by different colors. A new column appeared, which shows the bookmark color (and even two for items added to several bookmarks).

38. Bookmarked items are shown not just in grids, but also in the bubble chat view and gallery view

39. NumPad keys allow for the instant adding of a selected item to bookmark of corresponding category. Key combinations Ctrl-B and Ctrl-Shift-B keep working the same way as in the older product

40. You can show bookmarked items only in the Artifact list

41. Creation of a report from multiple bookmarks is now available on the Bookmarks window

Viewers and previews

42. Audio player is added

43. Video thumbnail is now shown for each video in the Gallery view

44. Video player is added with the functionality of jumping forward and backward and creating of a snapshot of the current frame

45. Microsoft Word, Excel and PowerPoint preview added to the Gallery view

46. For Office documents, all pages, sheets and slides previews are shown on the Tools pane

Media files forensics

47. Audio files analysis added: you can find audio files and extract their metadata, filter and search them

48. Keyframe extraction are supported for additional formats such as mp4 and mkv video formats

49. Detection and analysis of secondary video streams added:

  1. Number of video streams is shown for each video
  2. Filter by more than one video stream added
  3. Key frames extraction supported even for secondary video streams
  4. You can run analysis such as face or pornography detection inside keyframes extracted even from secondary video streams

50. Face detection algorithms are updated to the newest and most accurate neural networks

New and updated artifacts

51. Android artifacts:

  1. WhatsApp (updated)
  2. Line (updated)
  3. Fitbit (updated)
  4. MiFit (updated)
  5. Uber (updated)
  6. Firefox (updated)
  7. Likee (new)
  8. Zangi (new)
  9. TamTam (new)

52. iOS artifacts, please pay attention to pack of artifacts supported for system files:

  1. Health (new)
  2. Uber (updated)
  3. Likee (new)
  4. TamTam (new)
  5. Confide (new)
  6. Facebook Messenger (updated)
  7. Yandex Mail.ru (new)
  8. iOS system files (new):
    1. User notifications
    2. Cellular configurations
    3. Accounts
    4. Device info
    5. Usage statistics: ADDataStore, DataUsage, knowledgeC
  9. Wickr (new)

53. Windows and macOS artifacts:

  1. Facebook Messenger App for Windows
  2. Facebook Messenger App for macOS
  3. Facebook Desktop for macOS
  4. setupapi.dev.log parsing improved

Smaller improvements

54. Android and Cloud acquisition refreshed, numerous issues fixed

55. You can now ask the product to check for updates on each start. As before, if you do not have an Internet connection on your forensic workstation, the product will work perfectly as it fully supports disconnected examinations

56. Change of language is now performed on-the-fly without re-starting the product

57. Search by a list of regular expressions supported: you can browse a file and instruct the product to treat it as a file with regular expressions

58. Reworked License activation screen makes it easier to troubleshoot license issues

59. Tooltips are shown for geolocation points along with information of the geolocation item origins (including showing multiple origins for clusters)

60. Prepare all case logs feature facilitates troubleshooting: with a single button click you can zip all relevant log files and send a single file to Belkasoft if an issue arises

61. Tutorial videos are shown right at the home screen

62. Cross-case analysis is run automatically on all archived cases without asking you which cases to process

63. Scroll bar usability: being visually nice and narrow, they expand with you hover over them for easier operation

64. Connection graph reworked: made visually clearer; the Communication threshold slider introduced helping to eliminate people on the graph having too few communications

65. Samples are updated and available as E01. A user may opt not to install them (previously there were complaints and misunderstandings like ‘why do I see Belkasoft chats on my hard drive?’). The updated image contains most updated apps, there are no more year 2010 communications inside

66. Emojis are shown in artifact lists, both grid and bubble chat views, Properties window and even SQLite Viewer

67. Save carved data to database and then to Evidence Reader supported

68. Password boxes introduced to avoid sharing sensitive info. All passwords are masked by default, but you can opt to show your input with the eye icon

69. The product can now be run without admin rights. The same for Evidence Reader

70. Hashet analysis:

  1. Importing Project Vic json files of versions 1.3 and 2.0 is supported
  2. Importing of plain hash lists supported. Put one hash value per line, whether MD5, SHA1 or SHA256 (the list can contain even mixture of different types of hashes) and use for hash match detection
  3. You can export your hash sets

71. Public API appeared. Are you looking to OEM Belkasoft powerful functions? You can do this now!

72. Special academic version appeared for the University and College use

Sales model improvements

The pricing and configuration are changed. New configurations appear:

1. X Computer: starter edition for those having tight budget and only analyzing computers

2. X Mobile: starter edition for customers with limited budgets, analyzing mobile devices only and not looking at checkm8 acquisition feature

3. X Forensic: recommended edition for LE customers, which combines computer and mobile forensics and adds cloud acquisition, WDE/FVE decryption (e.g. Bitlocker and APFS) and checkm8-based iOS acquisition

4. X Corporate: created specifically for corporate customers and combines all features of X Forensic with Incident Investigations module and Cross-Case Analysis

Previously paid options like SQLite Forensics and File System Explorer, are included into the base version of the product and the overall price is DECREASED! X Forensic is discounted even more: with the price same as checkm8-enabled Evidence Center, it adds WDE decryption for free!

See more at https://belkasoft.com/x#belkasoft-x-editions

A word of ‘Thanks’ from the team

Having put a lot of effort into improving the interface and usability of the new Belkasoft X product, we sincerely hope that you like the new changes, even though some of them might appear unusual at the beginning—especially if you are used to older BEC versions.

We say thanks to everyone who contributed to the improvements that we made. Please continue sending us your wishes and feedback on Belkasoft X features and its usability. A praise won’t hurt, either.