What's new in Belkasoft X v.1.11

Dec 14, 2021

Belkasoft Evidence Center X (Belkasoft X) is Belkasoft's flagship product for digital forensics and incident investigations.

Version 1.11 features the following major improvements:

  • iCloud backup downloads are supported, including 2FA support
  • Cloud support massively updated, including Google clouds, Gmail, WhatsApp, and Office 365; 2FA is now supported where it previously was not
  • Volume Shadow Copy analysis massively improved
  • Facebook secret chats decryption supported
  • Further improvements in Android and iOS acquisition
  • A number of issues fixed for various types of mobile acquisitions
  • Wickr, Signal, and other iOS apps: support for decryption with keychain extracted with a third-party tool
  • New and updated artifacts: several new system artifacts added for Linux, the latest version of ICQ for Windows supported, PC's Wi-Fi password can now be decrypted, etc

Upgrading from previous versions of Belkasoft X to version 1.11 is free to all customers with a non-expired Software Maintenance and Support (SMS) contract. Customers without a current contract can purchase it from the Customer Portal.

You can also purchase affordable training with an optional certification. An on-demand training course is available.

More on new features

Cloud Forensics

iCloud backup acquisition

Belkasoft has supported downloading data from iCloud for a while; previously, however, the product was able to download artifacts such as photos, mail, notes, iCloud Drive, and so on.

In this release, Belkasoft X supports the download of iOS device backups stored in iCloud. Given that the phone may be unavailable for acquisition or locked at the time of investigation, this feature is absolutely necessary for an investigator. Moreover, since iCloud allows for the storage of up to four of the most recent user backups, there is even a chance to recover something not stored on the phone.

An interesting and vital feature is that you can download all backups of all devices bound to an account, not just for one device.

Two-factor authentication is supported. Range of iOS supported: iOS 9.0 to 15.1.1.

Other cloud forensics improvements

  • WhatsApp cloud acquisition updated
  • Office 365 acquisition updated
  • Google clouds acquisition updated
    • 2FA supported for all Google clouds
    • Google Timeline acquisition updated
    • Gmail acquisition updated
  • Live photo acquisition from iCloud supported

Mobile forensics

A number of important improvements were made to the mobile acquisition methods that are built into Belkasoft X. See also: why Belkasoft X should be your tool of choice for mobile forensics.

  • Android Screen Capturing
    • Pictures are now enlarged (by clicking on them in chats)
    • Most recent Signal user interface supported to prevent calling instead of screen scrolling
    • Issue with capturing just one screen on Galaxy S8+ fixed
  • Android Application Downgrade (APK Downgrade)
    • Facebook, Instagram, OneDrive, Skype, and Tumblr acquisition fixed for Samsung S8+
    • 'Unexpected USB-operation error, code 433' fixed for Galaxy S8+
    • Hangouts acquisition issues fixed
  • Android Advanced ADB Acquisition
    • Unhandled error if a user does not press 'Install' for an application, fixed
    • Samsung S8+ advanced ADB acquisition fixed
  • Android Physical and Logical Dump Acquisition
    • 'Select all' checkbox added for physical acquisition (helps when a device has too many partitions)
    • Physical, logical, and MTK Agent methods improved to prevent data corruption while a dump is transferred from the phone to a computer
    • Incorrect partitions size and zero results for a physical dump acquisition fixed for Alcatel 5033D
  • Android MTP Acquisition
    • MTP acquisition fixed for Huawei P Smart
  • iOS Agent-Based Acquisition
    • Keychain extraction fixed for iPhone 6 with iOS 12.4.9
    • Agent acquisition improved on iOS 13.2
    • Failure to install the agent in some circumstances fixed
    • Acquisition progress visualization improved (more accurate numbers shown)
    • A number of stability issues fixed and user-requested improvements made
  • iOS Checkm8-Based Acquisition
    • Passwords are not extracted from keychain for Signal and Wickr, fixed
    • A number of stability issues fixed and user-requested improvements made
  • iOS Crash Log Acquisition
    • Crash log acquisition issues fixed for iPhone XR 13.5.1 and iPhone 6 12.4.4
  • iOS iTunes Acquisition
    • iOS 15.1.1 supported

Media file forensics

  • Built-in Picture Viewer has been massively updated
    • You can now navigate between pictures, video keyframes, document pages, thumbnails etc
    • Keyboard and mouse navigation supported
    • Picture viewer respects selection, filters, and sorting applied in the corresponding artifact list
    • A bookmark can be created right in the viewer without having to return to the artifact list

  • Video parent properties are now shown for a video file originating from a container such as an email or a document
  • Video keyframe extraction improved for situations when multiple videos are analyzed at the same time

Low level forensics

  • NTFS Volume Shadow Copy support massively improved:
    • VSC snapshot analysis reimplemented, analysis speed and stability improved
    • Separate snapshots can be selected for analysis when adding a data source (in previous versions, the choice was only all or nothing)
    • A snapshot can be selected separately from its parent partition (you can select a snapshot to be analyzed without having to analyze the parent partition)
  • 'Show in File System' feature improved for a number of artifact types (e.g. taxi applications)
  • Full path of the currently selected folder is now shown at the bottom of the File System tab, and is clickable
  • 'Open large' view for alternative data stream (ADS) attribute is added
  • SQLite data recovery improved when both journal and WAL files exist for the main database file
  • A number of date time formats added for conversion in SQLite Viewer (column type selection) and Hex Viewer (Type Converter tab), including Apple Cocoa time

Updated Artifacts

  • iOS
    • Encrypted artifact decryption: if you have keychain extracted with a third-party tool, Belkasoft X can still decrypt data. A prompt to enter a keychain value is shown for the keychain-based decryption tasks such as Wickr, Signal, etc
    • Facebook secret chats decryption (supported)
    • Instagram (updated)
    • NextPlus (updated)
    • Odnoklassniki (updated)
    • Signal (updated: decryption improved). See also: Signal decryption with Belkasoft X
    • Snapchat (updated)
    • Tumblr (updated)
    • Viber (updated)
  • Android
    • Evernote (updated)
    • Facebook secret chats decryption (supported)
    • Line app (updated)
    • Odnoklassniki (updated)
    • Telegram (updated)
    • Twitter (updated)
    • Voxer (updated)
    • WeChat (updated)
  • Linux (all artifacts are new)
    • Bash history
    • Brosix
    • Device identifier information
    • Installed packages extraction
    • Network interfaces
    • OS information
    • USB device list
    • User accounts
  • Windows
    • Thunderbird attachments are converted to EML properly during report generation
    • Wi-Fi passwords for PC (decryption supported)
    • ICQ (updated to v.10)
  • macOS
    • Dropbox (supported)
  • Cloud
    • iCloud Apple Mail (updated)

Updated User interface

  • Automatic refresh of artifact list. Previously, a user had to switch between nodes to refresh a list in case it had changed due to ongoing analysis (e.g. face detection, password brute-force, completion of partially extracted profile, malware detection, etc). Now, every such operation automatically refreshes the affected list of artifacts. Note: if you select a profile which is still being extracted, new items will appear at the bottom of the artifact list, regardless of the currently applied sorting. To restore proper order, switch nodes
  • Case creation date added to the Dashboard window
  • Nested (internal) data source names, shown on the Dashboard window, changed to '[Parent data source] >> [Nested data source]' to make them easier to distinguish
  • Ctrl + '+/-' added as a shortcut to change font size on-the-fly. No need to open Settings to pick the size you need!
  • 'Enter the DFU mode' window improved, particularly for small fonts. See also: iPhone's DFU practical guide
  • Japanese localization updated

Licensing and trial

  • Activation of the trial version improved. Try it again if online activation did not work for you in v.1.10. Do not forget that offline activation is also available
  • Network licensing updated (including an academic version of Belkasoft X)
    • You can now have more than 100 licenses on the same network dongle!
  • Export to Evidence Reader in the trial version shows a proper warning that it is not included
  • Android Screen Capturing method enabled for the trial and academic versions of Belkasoft X—Enjoy!

Other improvements

  • Default bookmark name improved. Previously, the name was 'New bookmark from <date>', now its name is derived from the bookmark category
  • Font selection to be used in a report restored

Issues fixed

  • Fixed: A number of cases where the product user interface freezes
    • On 'Enter missing data' in the Tasks window
    • On canceling physical or logical acquisition with a connected non-rooted device
    • In general, user interface is made much more responsive and less prone to freezing
  • Fixed: WeChat decryption unsuccessful for specific Temp folder location. See also: WeChat Forensics webinar
  • Fixed: A number of issues in keyframe extraction for videos from mobile applications
  • Fixed: If a video format is unsupported or a video is corrupted or does not exist, a message is shown when attempting to open it in the Media viewer
  • Fixed: Incorrect File System file list when 'Is deleted' filter applied
  • Fixed: Hex Viewer is not displayed for malware processes
  • Fixed: Graphical Timeline window is not updated after applying a filter by date
  • Fixed: Offline browser cache viewer improved
  • Fixed: Saving documents, pictures, and thumbnails to a TAR archive
  • Fixed: Incorrect count of checked items in the Tasks window
  • Fixed: A number of visual issues in the user interface, caused by a screen DPI change. Particularly, when Belkasoft X is used via Remote Connection
  • Fixed: Folder structure representation for .belkaml images (cloud images acquired by Belkasoft X)
  • Fixed: Ctrl+B adds an artifact to the first created bookmark instead of the last one
  • Fixed: Pressing Ctrl+B for the second time does not remove an artifact from a bookmark
  • Fixed: Wrong progress shown during VirusTotal analysis of a folder
  • Fixed: Connection graph selection does not work properly
  • Fixed: Search results tab is not opened automatically upon search completion
  • Fixed: Items counter in File System 'recursive view' sometimes gives an incorrect number
  • Fixed: Detecting and grouping similar faces not starting for an MTP image