What's new in Belkasoft X v.2.1

Belkasoft Evidence Center X (Belkasoft X) is Belkasoft's flagship product for digital forensics, cyber incident response, and eDiscovery.

The latest update, Belkasoft X v.2.1 introduces Car Forensics through integration with Berla.

The other major updates in v.2.1 include:

• More versions of iOS covered by the agent-based acquisition method, spanning the entire range from 10.3.3 to 16.1.2 (addressing previous gaps)
• Support for iOS 17
• New iCloud acquisition method: iCloud keychain
• iOS Biome support
• New Android acquisition method: agent-based acquisition via an agent copied to an SD card
• SIM card and Screen capturer acquisition updates for Android
• Cloud forensics enhancements including Google clouds, Office 365, Instagram, and two WhatsApp downloading methods
• Built-in product tutorials
• Various improvements in third-party integrations, such as Volatility, Clam AV, and Passware
• UFDR import
• Chat threads
• Massive updates for iOS and Android artifacts

Upgrading from previous versions of Belkasoft X to v.2.1 is free for all customers with an active Software Maintenance and Support (SMS) contract. Customers with expired or expiring SMS contracts may review and renew them through the Customer Portal.

Affordable training with optional certification is also available, including on-demand options.

New Features Details

Introducing Car Forensics with Belkasoft!

Exciting update: Berla car images import is now supported! With this new image type, Belkasoft empowers investigators to delve into a wider range of digital evidence sources. Analyze computers and laptops, mobile and tablets, RAM and cloud data, drones and now cars—all within a single user interface. Review events from different types of devices on the timeline to get an entire picture of an incident!

Mobile Forensics

iOS

• Agent acquisition for iOS 15-15.1.1 on arm64 devices is supported
• Agent acquisition for iOS 14.4-14.8.1 is supported
• Agent acquisition is improved for iPhone XR model
• Agent acquisition is improved for iOS 13.3-13.7
• iTunes acquisition updated for iOS 17
• iOS 16 Biome artifacts analysis is supported
• Screen Capturer for iOS up to 16.6.1 is supported
• Fixed: iTunes backup fails after clicking on the 'Yes' option in the 'Backup encryption' window

Please also note our Belkasoft X Brute-Force product, which unlocks iOS devices.

Android

• New method is supported: agent-based acquisition via an SD card
• SIM card acquisition through an Android Device: COM ports detection is improved
• SIM card acquisition through a SIM Reader: Received SMS messages acquisition is improved
• Screen capturer: WhatsApp capturing is improved

Other:

• UFDR import is supported
• 80 new mobile device types are added to the 'Acquire mobile device' window

User Interface

• Built-in product tutorials are added
• Bubble view for chats are improved for long names (if not fit, truncated and shown inside a tooltip)
• Chat threads: group chat visualization supported for Facebook, Telegram, and WhatsApp
• Performance improved for showing document previews in the Gallery View of the Artifacts window
• Hashset column added to the Hashsets node in Overview. This allows to filter matches by different hash databases

Reports

• Bubble chat report is massively redesigned, including visuals:

• For keyframes, it is now possible to add parent video properties to the report

Third-Party Integrations

• Volatility integration: Malware finder, Loaded Kernel Modules, and Loaded DLL list are improved
• Cisco Clam AV: Check file/process is improved for large drive analysis
• Berla car images are now supported
• Whole Disk Encryption: TrueCrypt, VeraCrypt, FileVault, McAfee, and PGP decryption are updated to the recent Passware Kit Forensic version

Cloud Forensics

• New iCloud acquisition method: iCloud keychain
• Google Clouds are updated; particularly, account authorization via a browser emulator is supported, you can use any 2FA method offered
• Instagram: 2FA via Authenticator is supported
• Microsoft 365 is updated
• WhatsApp and WhatsApp QR support is updated

New and Updated Artifacts

iOS

• CoverMe (updated)
• Evernote 10.1.0.1 (updated)
• Gmail 6.0.230417 (updated)
• Instagram Threads 293.0.0.18 (new)
• KakaoTalk 9.5.0 (updated)
• Line 13.6.1 (updated)
• Safari (updated)
• Signal 6.37 (updated)
• System: Apple account information (new)
• System: Calls (updated)
• System: Contacts (updated)
• System: Hardware information (new)
• System: Mail (updated)
• System: Notifications (new)
• System: Software and SIM card information (new)
• System: Timezone and last backup date/time (new)
• Telegram 5.6.3 (updated)
• Telegram group chats (updated)
• Viber 20.7.0 (updated)
• WhatsApp (updated)
• WickrMe (updated)
• Yubo 4.14.4 (updated)

Android

• Fitbit (updated)
• ICQ (updated)
• Telegram (updated)
• Viber 19.7.2.0 (updated)
• WhatsApp v. 2.22.16 (updated)
• Wi-Fi networks (updated)
• Yandex Browser (updated)

Other Improvements

• DJI drone analysis: tracks and videos extraction are improved
• Local/UTC confusion is fixed in a few apps
• Fixed: Problem of cross-database export (Postgre to SQLite) to Evidence Reader
• Fixed: 'Save media files' option does not work when exporting to Evidence Reader
• Fixed: NULL instead of converted time to Apple Cocoa time (Modified and Creation time is empty)
• Fixed: Date time conversion in the SQLite Viewer for Cocoa time and some other timestamps
• Fixed: Carving using custom signatures
• Fixed: Incorrect origin path for video keyframes
• Fixed: Filter by path inside the Pictures/Faces node in the Overview window
• Fixed: Not all filters are available for chat artifacts when exactly one contact is selected
• Fixed: Incorrect selection behavior in the SQLite Viewer
• Fixed: Time filter does not work in Artifacts
• Fixed: 'Syntax error at or near >' in HTML report generated from the Dashboard
• Fixed: Occasionally not all contacts shown in the Connection Graph
• Fixed: Occasionally properties tab is empty in the Connection Graph
• Fixed: 'Hashset database' column shows incorrect value in the File System
• Fixed: Occasionally, hashset and YARA analysis are not working from the context menu
• Fixed: SQLite navigation for Android ICQ
• Fixed: Occasionally, key frames from a wrong video are displayed in the Keyframes tab
• Fixed: File properties are not displayed, if the file network path exceeds 255 symbols
• Fixed: Archive processing for files created with 7zip versions 19.0 and above
• Fixed: Occasionally, analysis task freezes at 92% with no way to cancel
• Fixed: RAM processes are not displayed in the File System window