What's new in Belkasoft X v.1.10 Sep 20, 2021

Belkasoft Evidence Center X (Belkasoft X) is Belkasoft's new flagship product for digital forensics and incident investigations.

Version 1.10 features the following improvements: MFT and Alternate Data Streams viewers, Android screen capturing for any application, reworked mobile acquisition flow, downloading of data from Microsoft Office 365 cloud, further iOS agent-based acquisition improvements, and a number of new and updated artifacts for iOS, Android, macOS and Windows.

Upgrading from previous versions of Belkasoft X to version 1.10 is free to all customers with a non-expired Software Maintenance and Support (SMS) contract. Customers without a current contract can purchase it from the Customer Portal.

Customers with a valid Belkasoft Evidence Center (version 9.9 and below) SMS can upgrade with a discount: please contact sales@belkasoft.com for your upgrade quote. Do not forget that BEC support expires Nov 1, 2021.

You can also purchase affordable training with an optional certification. A new on-demand training course has recently been made available.

More on new features

MFT Viewer

MFT stands for 'Master File Table' and is a feature of the NTFS file system. The table is stored in a special file called $MFT, invisible to a regular computer user, which holds a record for every file in the file system, including $MFT itself. Each record carries useful metadata about its file, such as size, timestamps and permissions (and even the content itself for resident files).

For low-level forensics, an investigator or an incident responder may benefit from analyzing a file's metadata directly from the MFT. For such cases the File System window of Belkasoft X now has a special tab displaying MFT information for the file selected in the file list. The tab shows every metadata attribute of the record in text representation.

Alternate Data Streams Viewer

Alternate data streams are another interesting feature of NTFS. This feature allows every file to have multiple data streams besides the main one. The size of a secondary data stream is arbitrary; it can even be bigger than the main stream itself. This makes it a convenient place to store illicit data when a bad guy is trying to hide it from prying eyes (see our article 'Analyzing videos with multiple video streams in digital forensics'). Unfortunately, the operating system has limited means of working with alternate data streams, and many forensic tools similarly lack this feature.

Belkasoft X version 1.10 adds a viewer for ADS. Every alternate stream is represented in a separate tab on the File System window in the Tools area. Each tab contains a Hex viewer with the binary data of the chosen alternate stream.
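As an added illustration of what these two viewers expose (example code written for this note, not Belkasoft's own code), the following Python parses a single NTFS $MFT FILE record: it applies the update-sequence fixups, lists the record's attributes, and flags named $DATA attributes as alternate data streams. The 1024-byte record is constructed inline and is not taken from a real disk.

```python
import struct
ATTR = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def apply_fixups(rec):
    # NTFS overwrites the last 2 bytes of each 512-byte sector with the USN and keeps
    # the real bytes in the update sequence array; restore them before parsing.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    buf, usn = bytearray(rec), rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if buf[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec):
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    seq, links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    attrs = []
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:  # end-of-attributes marker
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        name = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        if nonres:  # content lives in clusters; only the real size is in the header
            size, content = struct.unpack_from("<Q", rec, off + 0x30)[0], None
        else:       # resident: the content is stored inside the record itself
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            size, content = clen, rec[off + coff:off + coff + clen]
        attrs.append({"type": ATTR.get(atype, hex(atype)), "name": name,
                      "resident": not nonres, "size": size, "content": content})
        off += alen
    return {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "links": links,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attrs": attrs}

def alternate_streams(parsed):  # named $DATA attributes are ADS; the unnamed one is the main stream
    return [a for a in parsed["attrs"] if a["type"] == "$DATA" and a["name"]]

def _resident_attr(atype, name, content):  # builds one resident attribute (constructed test data)
    n = name.encode("utf-16-le")
    coff = (0x18 + len(n) + 7) & ~7
    a = bytearray((coff + len(content) + 7) & ~7)
    struct.pack_into("<IIBBHHHIHBB", a, 0, atype, len(a), 0, len(name), 0x18, 0, 0,
                     len(content), coff, 0, 0)
    a[0x18:0x18 + len(n)], a[coff:coff + len(content)] = n, content
    return bytes(a)

def sample_record():  # constructed record 42 (not from a real disk): a file with one hidden ADS
    attrs = (_resident_attr(0x10, "", bytes(48)) + _resident_attr(0x80, "", b"report text")
             + _resident_attr(0x80, "hidden", b"stashed payload bytes") + b"\xff" * 4 + bytes(4))
    rec = bytearray(1024)
    rec[:4], rec[0x38:0x38 + len(attrs)] = b"FILE", attrs
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 7, 1, 0x38, 1, 0x38 + len(attrs), 1024)
    struct.pack_into("<IHHH", rec, 0x2C, 42, 1, 0, 0)  # record no., USN=1, saved sector tails
    rec[510:512] = rec[1022:1024] = b"\x01\x00"        # USN overwrites both sector tails
    return bytes(rec)
```

On a real volume the same parser is applied to each 1024-byte slice of an exported $MFT; a file with more than one $DATA attribute is exactly what the ADS tabs in the File System window surface.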

Android screen capturing for any application

In previous versions of Belkasoft X, we already supported screen capturing as an acquisition method for Android devices. The benefit of this method is that it is very safe and allows an investigator to retrieve information which is not stored in the standard Android backup. The requirements to start this method are the same as for an ADB backup. There are several reasons to use the automated screen capturing method, which you can find in our article 'Android screen capturing with Belkasoft X'; one of the most important is that, following generally accepted rules, in particular the SANS 'Six steps to successful mobile validation' article, the investigator should use the least risky and least destructive methods of data extraction first. That means screenshots should be taken before trying to downgrade an application and, of course, prior to methods like rooting and chip-off.

The previous version of Belkasoft X supported screen capturing for only three applications: Signal, Telegram and WhatsApp, while in version 1.10 you can capture any application. You can select the number of scrolls to be made for a particular screen as well as tell the tool in which direction to scroll, up or down.

Reworked mobile acquisition flow

Belkasoft X has made a huge jump in mobile acquisition support since last year. There are many more acquisition types now, and to make the acquisition process more convenient we revamped the entire workflow. Now you simply select the device make and model first. Only the methods available for the selected device are shown, so it is impossible to pick a method the device does not support. You can select a device by its appearance, because the product now shows you a picture of every supported device. You can even filter by a substring of the manufacturer or model name.

The actual connection to the device is made only once, after you have selected the device and the desired acquisition type, which makes the entire process much more robust.

Microsoft Office 365 support

This new feature was one of our customers' favorite requests.

You can think of Office 365 as Microsoft Office in the cloud. It includes many more web services than the widely used Word, Excel and PowerPoint, but even these three are important enough to acquire from the cloud.

Microsoft offers as much as 1 terabyte of space for a user to store their documents, and of course it is useful to be able to download these documents in the course of a digital forensic investigation or an incident response case. In version 1.10, Belkasoft X can download these documents from the OneDrive attached to an account. You will need the account login and password.

iOS agent-based acquisition improvements

The agent-based iOS acquisition has existed since the very first version of Belkasoft X but was massively improved in the latest release.

As a reminder, you can use it with any iPhone or iPad running iOS versions 10 to 14.3. The output of this method is a full file system image and also the keychain (up to iOS 13.7), which is really important when you are decrypting data of apps like Signal or the WickrMe messenger. Though this is not a new method, it is constantly improved based on our customers' feedback. Given the variety of devices, iOS versions and subtle peculiarities of different devices met in real-world cases, it is not enough to successfully test the method on several dozen devices in our lab.

The Belkasoft R&D team would like to thank all of our customers who tirelessly send us their logs and bug reports. Thanks to them, the community has a much higher success rate with the iOS agent acquisition with every new release of Belkasoft X.

Artifact analysis improvements

  • Android Google Keep app is now supported
  • Original picture size in pixels is now extracted for Tinder
  • macOS system logs analysis performance was improved
  • WhatsApp contacts and chats are now parsed from hiberfil.sys
  • The caller of group calls is now extracted for the iOS Facebook Messenger app
  • Recipients are now extracted for Apple Mail

Other improvements

  • Instagram cloud downloader was improved
  • Task scheduling was improved: if you experienced issues with tasks which were scheduled and did not run, please check the new version
  • VirusTotal API key validation improved
  • Ability to select block of bytes in Hex Viewer improved
  • Internet connection check improved to make WhatsApp QR code downloading more stable
  • More descriptions are added for the application recovery in the APK downgrade flow

Issues fixed

  • Fixed: Tinder data extraction from an image acquired by the APK downgrade method
  • Fixed: iOS Scout extraction
  • Fixed: Linux Skype analysis
  • Fixed: Last run time is not extracted for jumplist items
  • Fixed: Bookmarking by hotkey does not work when the key is pressed a second time
  • Fixed: File system shows double the number of items from encrypted iTunes backups
  • Fixed: WhatsApp window with QR code does not appear
  • Fixed: When a data source is detached, preview of its pictures is not shown
  • Fixed: Tasks filter window shows all statuses unchecked by default
  • Fixed: Only half of the available properties are displayed for SMS
  • Fixed: A column of the ShellBag item list has an incorrect name
  • Fixed: Unselected applications are acquired with the APK downgrade method
  • Fixed: linkedin.apk usage in the APK downgrade method
  • Fixed: Two-factor authentication via code and SMS does not work for the iCloud acquisition
  • Dozens of other issues fixed