- Improved Usability
- Task Manager
- New Handy Dashboard Screen
- 64-bit Version
- Origin Paths
- Predefined Searches
- New and Updated Apps
- Customer Requests Addressed
Sign up for a webinar on BEC 2017!
Upgrading to version 8.3 is free of charge to all customers with non-expired
Extended Software Maintenance and Support contracts.
File System module can be purchased
separately. Customers without the contract can purchase it from the
Customer Portal. Affordable User Refresher
Course is available for those who would like to catch up all recent improvements.
Improved Usability
The product got a completely reworked screen layout. Now, such screens as
Task Manager, Search Results, Hex Viewer, SQLite Viewer, Plist Viewer and Registry
Viewer are "top level", that is, occupy the entire space below toolbar. For
convenience, we left viewers as a part of Item Properties window, but you can
always inspect a selected item in a full-size viewer, what makes maximum use
of the screen space.
The new layout also helps to make navigation more intuitive and quick. You
can select an item in Case Explorer and navigate to a file, from which that
item was extracted, to review it in File System, Hex Viewer or SQLite Viewer
(if this was a SQLite database).
The Add Data Source screen was reworked, now it allows you to not only add
existing datasource, but also to acquire a new one, including hard drive, mobile
device and cloud acquisition. Right after acquisition, analysis will start,
so you can leave software to work on acquisition without having to wait its
completion to schedule the analysis of results (as was with v.8.2).
New Add Data Source screen combines adding existing data source with acquisition
of a device.
Task Manager
Task Manager screen is also completely reworked. Previously, for a huge case
it could contain thousands of tasks impossible to work with. Now, the Task Manager
screen is divided by two: the upper part contains only top-level tasks, while
the lower shows subtasks of a selected top-level task. Top level task is any
task, run by user, such as "Analyze hard drive", "Search a keyword" or "Run
a report". Top level tasks also include analysis tasks occurred as a result
of finding a nested data source (for example, a mobile backup found inside hard
drive being analyzed).
Tasks such as "searching for instant messengers" or "extracting info from
a particular application database" are now shown as a subtask and do not burden
the overview of work progress.
Apart from that Task Manager was made a "top-level" window, occupying almost
entire screen, what helps to review ongoing tasks easier.
The list at the top contains tasks run by user. The list at the bottom contains
subtasks for individual analysis of particular profiles.
The best news, however, is that you in most cases just do not need Task Manager
screen anymore. The handy progress in the right side of status bar shows you
the overall progress and number of tasks being executed:
Even with Task Manager hidden, you can see the progress by using the status
bar message. If you click at the link "Tasks running", BEC will navigate you
to the Task Manager screen for further details.
New Handy Dashboard Screen
Version 8.3 of BEC 2017 sports a new handy window called Dashboard. This
new window replaces Open or Create Case window. Apart from helping you to create
or open a case, it also shows useful statistics on every case (even without
opening it!). Basing on this statistics you can quickly find a needed case without
lengthy process of opening cases one by one. Besides, statistics gives you a
great overview of what data sources and artifacts are stored in the case. Below
you can see a screenshot of what Dashboard looks like:
Dashboard allows you to create or open case, review cases and their contents,
such as data sources analyzed and artifacts extracted.
Pie chart in Dashboard shows how many artifacts of different types are extracted
in the selected case. You can click on an artifact type and see all artifacts
of this type in the Overview window.
You can review top contacts in a case. A limited amount of most important
contacts having biggest amount of communications (such as chats, mails, smses,
phone calls etc.) will be shown on the Dashboard screen. You can click to a
contact and see it in the Overview window.
64-bit Version
BEC 8.3 comes along with 64-bit version. This version solves a lot of issues,
occurring whilst analyzing huge cases, caused by lack of memory to process big
chunks of data. It is naturally also a bit quicker since less memory is swapped
to a disk during the analysis.
The x64 version at this moment works only with a dongle. If you have a dongle,
you can request a free upgrade of your existing license to x64 version. If you
currently in possession of a fixed license, you can request a discounted upgrade
to the floating license (which includes dongle) what will enable you to run
x64 version.
Interested? Just write us and ask for the upgrade.
Origin Paths
Origin Path is a property of each and every artifact, extracted by BEC out
of the box. Using such path you can easily understand from where an artifact
was extracted.
Here is an example of an Origin Path:
image.e01//C:\Users\Smith\AppData\Roaming\Skype\smith48\main.db//Messages\Freelist
You can see that this chat originated from an image "image.e01", the path
to a profile was "C:\Users\Smith\AppData\Roaming\Skype\smith48\" and finally, it
was extracted from a freelist area for Messages table inside the SQLite database
"main.db" (main Skype database file). Next to the Origin Path you will also
see an offset inside the file (for artifacts recovered in a file) or an offset
from the beginning of a partition (for carved artifacts).
Having such information, you will be able to accurately explain how this
and that artifact originated, and also check the correctness of the product
output manually.
Predefined Searches
The new layout of Belkasoft Evidence Center windows allows you to quickly
examine various interesting searches, running out of the box. For example, you
can review all emails, SSN numbers, credit cards and so on. These artifacts
are located at the time of extraction of data and are grouped at the renewed
Search Results window:
Right after case processing is completed, you can inspect various things
like credit cards, video links (such as YouTube or social network videos), IP
and email addresses etc.
This window also helps you to run your own searches and review the history
of previous searches.
New and Updated Apps
As a part of continuous improvement, Belkasoft constantly supports new applications
and formats as well as updates those which changed the way they store information.
In 8.3 we supported the following apps
Instant Messengers:
- IMO messenger
- Android HeyTell
- Paltalk
Browsers for iOS:
- Dolphin
- Firefox
- Maxthon
- Mercury
- Opera
System files:
- Prefetch files
- Thumbnails for ACDSee, Picasa, PhotoScape and Lightroom photo editors
Some apps were updated:
- Pokemon Go
- VK
- ICQ
- Safari
- Uber
- QIP
- Skype
- AIM
- Brosix
- Gmail Offline
- Swarm
- Vipole
- Telegram
- IE10
- Pidgin
Carving from unallocated improved for:
- Smses
- Calls
- Viber
- WhatsApp
- Skype
Customer Requests Addressed
Several dozens of customer requests were implemented, such as
- "Filter" buttons in artifact lists, which are added to
a list's column headers
- relative paths in HTML and PDF reports (to allow moving reports)
- support for MBOX analysis
- and many more.
