What's New in Version 7.4
Version 7.4 is a revolutionary update of the world's leading digital forensic tool,
Belkasoft Evidence Center. Multiple major analytical functions are accompanied by
a pack of usability and user interface improvements. Performance and UI responsiveness
are better than ever.
Upgrading to version 7.4 is free of charge to all customers with non-expired
Extended Software Maintenance and Support contracts.
The File System module can be purchased separately.
Customers without the contract can purchase it from the Customer Portal.
An affordable User Refresher Course is available for those who would like to catch
up on all recent improvements.
Below you can find major changes in the new version.
Major new functions of the product
- Overview
- This new window of the product complements the Case Explorer window, but
unlike Case Explorer, all artifacts are grouped by artifact type only. There
is no grouping by data source, profile or contact: all information is shown
in a plain list, thus making access to all evidence of a particular kind
quick and easy.
- For example, all emails from all mailboxes are shown under "Mails" node,
whether existing or carved, from Outlook or Windows Mail, etc. All passwords
from all browsers are grouped under Browsers -> Passwords node; and so on.
- Filters
- All lists now have filters on the right. You can filter them by different
criteria, depending on the artifact type.
- For example, documents can be filtered by three types of file times,
various metadata, and substring of a file path. Pictures can be filtered
by the same criteria, as well as the following ones: whether GPS was stored
or not, whether skin, face or text was detected inside or not, picture dimensions,
and file size. This is especially handy in the new Overview window,
which naturally has a lot of data in artifact lists.
- Filters can be found in Overview artifact lists, Case Explorer lists,
Timeline and Search Results.
- Redesigned "Artifact selection" window
- The renewed window makes it easier to select artifacts. First, it
allows you to select an artifact type in the left part of the window (such
as Browsers or Emails) and then refine your selection by selecting either
an operating system from the list at the right or a particular application/format.
Artifacts belonging to the same app/format are now merged (e.g. there is
no more IE existing, IE carved, IE from RAM – all these items are now grouped
in Internet Explorer application type).
- You can easily switch carving on or off, select partitions to analyze,
or freespace to carve.
- The window makes BEC mobile support more explicit. New artifact types
are shown in "Standard mobile apps" and "Other mobile types", which combine
some mobile applications that do not fall under Chats, Browsers or Emails
artifact types. Examples of Standard mobile apps are Calls and Calendar, while
examples of Other mobile apps are Tinder and Swarm.
- Hashset analysis
- Customers who have the File System module can enjoy the new Hashset analysis
function. This function allows searching for files whose hash value matches
one from a given NSRL hashset database. MD5 and SHA1 hashes are supported.
You can also add hashes to search for by pointing to a folder with previously
known files. The product will calculate their hash values and add them to a custom
hash database used to search for matches.
- Lots of new analysis types for mobile applications, Outlook 2013, P2P
apps, Windows 10, jumplists, registry artifacts etc.
- As usual, each new BEC version comes with hundreds of new or updated artifact
formats. See below for more detailed information.
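The hashset analysis described above (matching MD5 and SHA1 values against an NSRL database, or against a custom database built from a folder of known files) is shown here in Python as an added example; it is not Belkasoft code. All function names are hypothetical, and the sample files and the NSRL-style row (the empty file's hashes in an NSRLFile.txt-like column layout) are constructed.

```python
import csv
import hashlib
import os
import tempfile

def hash_file(path, chunk=1 << 20):
    """Return (md5_hex, sha1_hex) for a file, reading it once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def load_nsrl_text(text):
    """Collect lower-cased hashes from CSV text with "SHA-1" and "MD5" columns."""
    rows = csv.DictReader(text.splitlines())
    return {row[col].lower() for row in rows for col in ("SHA-1", "MD5")}

def hashset_from_folder(folder):
    """Build a custom hash set from a folder of previously known files."""
    return {digest for root, _dirs, files in os.walk(folder)
            for name in files
            for digest in hash_file(os.path.join(root, name))}

def find_matches(evidence_root, known):
    """Return sorted relative paths whose MD5 or SHA-1 is in the known set."""
    hits = []
    for root, _dirs, files in os.walk(evidence_root):
        for name in files:
            path = os.path.join(root, name)
            if known.intersection(hash_file(path)):  # either digest is enough
                hits.append(os.path.relpath(path, evidence_root))
    return sorted(hits)

def demo():
    """Constructed sample: one NSRL-style row plus a folder with one known file."""
    nsrl = ('"SHA-1","MD5","CRC32","FileName"\n'
            '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",'
            '"D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt"\n')
    with tempfile.TemporaryDirectory() as known_dir, tempfile.TemporaryDirectory() as ev:
        for folder, name, data in ((known_dir, "known.bin", b"constructed known content"),
                                   (ev, "renamed.dat", b"constructed known content"),
                                   (ev, "empty.dat", b""), (ev, "other.dat", b"unrelated")):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return find_matches(ev, load_nsrl_text(nsrl) | hashset_from_folder(known_dir))

if __name__ == "__main__":
    print(demo())
```

The match depends only on file content, so the renamed copy is found even though its name and location differ from the known file.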
Setup
- The installation package has been redesigned and has a new visual design.
Browser support
Chat support
- FireChat extraction updated.
- Skype chatsync analysis updated, more chats are extracted, chat direction
determination improved.
- WhatsApp support updated, better message direction determination, call extraction
added.
- Mail.Ru Agent contacts extraction improved.
- False-positives in CommFort chat extraction eliminated.
System file support
- Application names for Jumplists updated, a number of additional GUIDs recognized.
- Registry support: A number of login attempts shown for a Windows account.
Email support
- Outlook 2013 support implemented.
- Support for previous versions of Outlook improved; in particular, Deleted items,
Lost&Found items and so on can now be recovered.
Mobile app support
- Android applications:
- Instagram app supported.
- Next Plus messenger supported.
- Twitter app status extraction improved.
- WeChat messenger supported (IMEI and UIN knowledge is required).
- iPhone support for WeChat was already there in the previous version.
- iPhone/iPad applications:
- Next Plus supported.
- Safari extraction improved (from iPhone backup).
- Installed mobile apps shown.
User interface and usability
- New windows appeared: Overview and Filters (see above).
- Artifact selection window is reworked (see above).
- A lot of new artifact types added or made more explicit in the GUI:
- Calendar – new node in Overview.
- Calls (including mobile calls and Skype calls) – new node in Overview.
- Cloud files – new node in Overview.
- Contacts – new node in Overview.
- File transfers – new node in Overview.
- Geolocation data (GPS-enabled photos, geo-URLs, mobile maps data etc.)
– new node in Overview and Case Explorer.
- Installed mobile applications – new node in Overview and Case Explorer.
- Notes – new node in Overview.
- P2P – new node in Overview.
- Payment systems – new node in Overview.
- SMS – new node in Overview.
- Voice mails – new node in Overview.
- All lists now have checkboxes to add multiple items to a report. Pressing
the space bar checks the selected item (including multiple selected items).
- Huge artifact lists are broken into pages of 10000 items, which helps to load
such lists quickly.
- Each list got a Column chooser allowing you to show or hide available columns.
- Search window is reworked: similarly to artifact analysis selection, you
can now select data source to search inside, artifact type at the left and then,
if needed, particular profiles at the right.
- A new column "Search term" is populated for each search engine URL (including
Favorites, Typed URLs and regular history). You can sort by a search term or
filter URLs to see just Google or Bing results.
- URLs, Favorites and Downloads can be classified as "Adult site", "Dating
site", "Search engine", "Social network" and so on. You can filter links by
a single or multiple categories.
- New option introduced: Temp folder path, which now can be configured to
any folder on any available drive.
- The Temp folder is automatically cleaned up on exit; you can also manually clean
up this folder in the Open Case window to avoid running out of disk space during
the analysis of a huge case.
- Evidence Reader now opens default case automatically when you run it (previously
you had to manually browse for the case).
- Graphical timeline is temporarily removed for redesign.
- Each carved file can be viewed in the HexViewer.
- After you add a data source to analyze, the product asks whether you want
to immediately add another source. This helps you to add multiple sources at
a time.
- The possibility to analyze multiple sources at a time was present
in previous versions of the product, however, it was overlooked by some
customers, so we decided to help them not to miss this feature.
- New samples added to standard BEC's Samples folder for testing new artifact
types such as mobile apps, P2P, geolocation data, hashset database, WeChat profile,
Outlook 2013 mailbox, Android backup, thumbnails in both Windows formats.
Integration
- Passware engine updated: BEC now supports decryption of found encrypted
files using the latest version of Passware Kit Forensic, one of the world's best
decryption tools (you must have both a BEC and a PKF license to enjoy the integration).
Other important improvements
- Payment system analysis added (two types of artifacts extracted from QIWI
app).
- P2P: eMule analysis supported, Torrent file carving added.
- Incorrect behavior on some Ex01 drive images fixed.
- Fixed bug with not saving Evidence Reader file upon exit (BEC configuration
without Case Management).
- Occasional Case Explorer node duplication fixed.
- Carving: fewer false positives and duplicates.
Performance improvements
- Table-view timeline performance improved.
- TaskManager shows tasks quicker, the window made much more responsive.
- Search Results window made quicker and much more responsive.
- Search window opens much quicker.