What's new in BEC 2016

What's New in Version 7.4

Version 7.4 is a revolutionary update of world's leading digital forensic tool Belkasoft Evidence Center. Multiple major analytical functions are accompanied by a pack of usability and user interface improvements. Performance and UI responsiveness is better than ever.

Upgrading to version 7.4 is free of charge to all customers with non-expired Extended Software Maintenance and Support contracts. File System module can be purchased separately.

Customers without the contract can purchase it from the Customer Portal. Affordable User Refresher Course is available for those who would like to catch up all recent improvements.

Below you can find major changes in the new version.

Major new functions of the product

• Overview
  • This new window of the product complements Case Explorer window, but unlike Case Explorer, all artifacts are grouped by artifact type only. There is no grouping by data source, profile or contact: all information is shown in a plain list, thus making access to all evidence of a particular kind quick and easy.
  • For example, all emails from all mailboxes are shown under "Mails" node, whether existing or carved, from Outlook or Windows Mail, etc. All passwords from all browsers are grouped under Browsers -> Passwords node; and so on.
• Filters
  • All lists got filters at the right. You can filter them by different criteria, depending on an artifact type.
  • For example, documents can be filtered by three types of file times, various metadata, and substring of a file path. Pictures can be filtered by the same criteria, as well as the following ones: whether GPS was stored or not, whether skin, face or text was detected inside or not, picture dimensions, and file size. This is especially handy in the newly appeared Overview window, which naturally has a lot of data in artifact lists.
  • Filters can be found in Overview artifact lists, Case Explorer lists, Timeline and Search Results.
• Redesigned "Artifact selection" window
  • The renewed window allows you to select artifacts easier. First, it allows you to select artifact type at the left part of the window (such as Browsers or Emails) and then refine your selection by selecting either operating system from a list at the right or particular application/format. Artifacts belonging to the same app/format are now merged (e.g. there is no more IE existing, IE carved, IE from RAM – all these items are now grouped in Internet Explorer application type).
  • You can easily switch carving on or off, select partitions to analyze, or freespace to carve.
  • The window makes BEC mobile support more explicit. New artifact types are shown in "Standard mobile apps" and "Other mobile types", which combine some mobile applications that do not fall under Chats, Browsers or Emails artifact types. Example of Standard mobile app is Calls or Calendar, while example of Other mobile app is Tinder or Swarm.
• Hashset analysis
  • Customers that have File System module can enjoy new Hashset analysis function. This function allows searching for files with hash value, matching one from a given NSRL hashset database. MD5 and SHA1 hashes are supported. You can also add hashes to search by pointing to a folder with previously known files. The product will calculate their hash values and add to a custom hash database used to search for matches.
• Lots of new analysis types for mobile applications, Outlook 2013, P2P apps, Windows 10, jumplists, registry artifacts etc.
  • As usual, each new BEC version comes with hundreds of new or updated artifact formats. See below for more detailed information.

Setup

• Installation package is redesigned and got a new visual design.

Browser support

• Windows 10 is supported.
  • Edge browser analysis: new Favorites, Web Notes and Downloaded files supported (all other types of artifacts are supported similarly to Internet Explorer).
  • Internet Explorer 10 and 11 support updated: RefererUrl field for downloaded files added.
• Typed URLs are extracted for latest versions of Opera browser.
• Base64 characters in browser links are shown accordingly (national symbols shown instead of base64, say it https://ru.wikipedia.org/wiki/Корнишон instead or https://ru.wikipedia.org/wiki/%D0%9A%D0%BE%D1%80%D0%BD%D0%B8%D1%88%D0%BE%D0%BD).

Chat support

• FireChat extraction updated.
• Skype chatsync analysis updated, more chats are extracted, chat direction determination improved.
• WhatsApp support updated, better message direction determination, call extraction added.
• Mail.Ru Agent contacts extraction improved.
• False-positives in CommFort chat extraction eliminated.

System file support

• Application names for Jumplists updated, a number of additional GUIDs recognized.
• Registry support: A number of login attempts shown for a Windows account.

Email support

• Outlook 2013 support implemented.
• Previous versions of Outlook improved, particularly, Deleted items can now be recovered, Lost&Found items and so on.

Mobile app support

• Android applications:
  • Instagram app supported.
  • Next Plus messenger supported.
  • Twitter app status extraction improved.
  • WeChat messenger supported (IMEI and UIN knowledge is required).
    • iPhone support for WeChat was already there in the previous version.
• iPhone/iPad applications:
  • Next Plus supported.
  • Safari extraction improved (from iPhone backup).
• Installed mobile apps shown.

User interface and usability

• New windows appeared: Overview and Filters (see above).
• Artifact selection window is reworked (see above).
• A lot of new artifact types added or made more explicit in the GUI:
  • Calendar – new node in Overview.
  • Calls (including mobile calls and Skype calls) – new node in Overview.
  • Cloud files – new node in Overview.
  • Contacts – new node in Overview.
  • File transfers – new node in Overview.
  • Geolocation data (GPS-enabled photos, geo-URLs, mobile maps data etc.) – new node in Overview and Case Explorer.
  • Installed mobile applications – new node in Overview and Case Explorer.
  • Notes – new node in Overview.
  • P2P – new node in Overview.
  • Payment systems – new node in Overview.
  • Sms – new node in Overview.
  • Voice mails – new node in Overview.
• All lists now have checkboxes to add multiple items to a report. Pressing space button checks selected item (including multiple selected items).
• Huge artifact lists are broken into pages of 10000 items what helps to load such lists quickly.
• Each list got a Column chooser allowing you to show or hide available columns.
• Search window is reworked: similarly to artifact analysis selection, you can now select data source to search inside, artifact type at the left and then, if needed, particular profiles at the right.
• A new column "Search term" is populated for each search engine URL (including Favorites, Typed URLs and regular history). You can sort by a search term or filter URLs to see just Google or Bing results.
• URLs, Favorites and Downloads can be classified as "Adult site", "Dating site", "Search engine", "Social network" and so on. You can filter links by a single or multiple categories.
• New option introduced: Temp folder path, which now can be configured to any folder on any available drive.
  • Temp folder is automatically cleaned up on exit; You can manually clean up this folder at Open Case window to avoid running out of disk space while huge case analysis.
• Evidence Reader now opens default case automatically when you run it (previously you had to manually browse for the case).
• Graphical timeline is temporarily removed for redesign.
• Each carved file can be viewed in the HexViewer.
• After adding of a data source to analyze the product asks whether you want to immediately add another source. This helps you to add multiple sources at a time.
  • The possibility to analyze multiple sources at a time was present in previous versions of the product, however, it was overlooked by some customers, so we decided to help them not to miss this feature.
• New samples added to standard BEC's Samples folder for testing new artifact types such as mobile apps, P2P, geolocation data, hashset database, WeChat profile, Outlook 2013 mailbox, android backup, thumbnails in both Windows formats.

Integration

• Passware engine updated – now BEC supports decryption of found encrypted files using the latest version of one of the world's best decryption software Passware Kit Forensic (must have both BEC and PKF license to enjoy the integration).

Other important improvements

• Payment system analysis added (two types of artifacts extracted from QIWI app).
• P2P: Emule analysis supported, Torrent file carving added.
• Incorrect behavior on some Ex01 drive images fixed.
• Fixed bug with not saving Evidence Reader file upon exit (BEC configuration without Case Management).
• Occasional Case Explorer node duplication fixed.
• Carving: less false-positives and duplicates.

Performance improvements

• Table-view timeline performance improved.
• TaskManager shows tasks quicker, the window made much more responsive.
• Search Results window made quicker and much more responsive.
• Search window opens much quicker.

See also:

Belkasoft Evidence Center 7.3
Belkasoft Evidence Center 7.2
Belkasoft Evidence Center 7.1
Belkasoft Evidence Center 7.0
Belkasoft Evidence Center 6.3.1
Belkasoft Evidence Center 6.3
Belkasoft Evidence Center 6.2
Belkasoft Evidence Center 6.1
Belkasoft Evidence Center 6.0
Belkasoft Evidence Center 5.4
Belkasoft Evidence Center 5.3
Belkasoft Evidence Center 5.2
Belkasoft Evidence Center 5.1
Belkasoft Evidence Center 5.0
Belkasoft Evidence Center 4.2
Belkasoft Evidence Center 4.1
Belkasoft Evidence Center 4.0
Belkasoft Evidence Center 3.9
Belkasoft Evidence Center 3.8
Belkasoft Evidence Center 3.7
Belkasoft Evidence Center 3.6
Belkasoft Evidence Center 3.5
Belkasoft Evidence Center 3.0
Belkasoft Evidence Center 2.0