What's new in BEC v.8.3

• Improved Usability
• Task Manager
• New Handy Dashboard Screen
• 64-bit Version
• Origin Paths
• Predefined Searches
• New and Updated Apps
• Customer Requests Addressed

Sign up for a webinar on BEC 2017!

Upgrading to version 8.3 is free of charge to all customers with non-expired Extended Software Maintenance and Support contracts. File System module can be purchased separately. Customers without the contract can purchase it from the Customer Portal. Affordable User Refresher Course is available for those who would like to catch up all recent improvements.

Improved Usability

The product got a completely reworked screen layout. Now, such screens as Task Manager, Search Results, Hex Viewer, SQLite Viewer, Plist Viewer and Registry Viewer are "top level", that is, occupy the entire space below toolbar. For convenience, we left viewers as a part of Item Properties window, but you can always inspect a selected item in a full-size viewer, what makes maximum use of the screen space.

The new layout also helps to make navigation more intuitive and quick. You can select an item in Case Explorer and navigate to a file, from which that item was extracted, to review it in File System, Hex Viewer or SQLite Viewer (if this was a SQLite database).

The Add Data Source screen was reworked, now it allows you to not only add existing datasource, but also to acquire a new one, including hard drive, mobile device and cloud acquisition. Right after acquisition, analysis will start, so you can leave software to work on acquisition without having to wait its completion to schedule the analysis of results (as was with v.8.2).

New Add Data Source screen combines adding existing data source with acquisition of a device.

Task Manager

Task Manager screen is also completely reworked. Previously, for a huge case it could contain thousands of tasks impossible to work with. Now, the Task Manager screen is divided by two: the upper part contains only top-level tasks, while the lower shows subtasks of a selected top-level task. Top level task is any task, run by user, such as "Analyze hard drive", "Search a keyword" or "Run a report". Top level tasks also include analysis tasks occurred as a result of finding a nested data source (for example, a mobile backup found inside hard drive being analyzed).

Tasks such as "searching for instant messengers" or "extracting info from a particular application database" are now shown as a subtask and do not burden the overview of work progress.

Apart from that Task Manager was made a "top-level" window, occupying almost entire screen, what helps to review ongoing tasks easier.

The list at the top contains tasks run by user. The list at the bottom contains subtasks for individual analysis of particular profiles.

The best news, however, is that you in most cases just do not need Task Manager screen anymore. The handy progress in the right side of status bar shows you the overall progress and number of tasks being executed:

Even with Task Manager hidden, you can see the progress by using the status bar message. If you click at the link "Tasks running", BEC will navigate you to the Task Manager screen for further details.

New Handy Dashboard Screen

Version 8.3 of BEC 2017 sports a new handy window called Dashboard. This new window replaces Open or Create Case window. Apart from helping you to create or open a case, it also shows useful statistics on every case (even without opening it!). Basing on this statistics you can quickly find a needed case without lengthy process of opening cases one by one. Besides, statistics gives you a great overview of what data sources and artifacts are stored in the case. Below you can see a screenshot of what Dashboard looks like:

Dashboard allows you to create or open case, review cases and their contents, such as data sources analyzed and artifacts extracted.

Pie chart in Dashboard shows how many artifacts of different types are extracted in the selected case. You can click on an artifact type and see all artifacts of this type in the Overview window.

You can review top contacts in a case. A limited amount of most important contacts having biggest amount of communications (such as chats, mails, smses, phone calls etc.) will be shown on the Dashboard screen. You can click to a contact and see it in the Overview window.

64-bit Version

BEC 8.3 comes along with 64-bit version. This version solves a lot of issues, occurring whilst analyzing huge cases, caused by lack of memory to process big chunks of data. It is naturally also a bit quicker since less memory is swapped to a disk during the analysis.

The x64 version at this moment works only with a dongle. If you have a dongle, you can request a free upgrade of your existing license to x64 version. If you currently in possession of a fixed license, you can request a discounted upgrade to the floating license (which includes dongle) what will enable you to run x64 version.

Interested? Just write us and ask for the upgrade.

Origin Paths

Origin Path is a property of each and every artifact, extracted by BEC out of the box. Using such path you can easily understand from where an artifact was extracted.

Here is an example of an Origin Path:

image.e01//C:\Users\Smith\AppData\Roaming\Skype\smith48\main.db//Messages\Freelist

You can see that this chat originated from an image "image.e01", the path to a profile was "C:\Users\Smith\AppData\Roaming\Skype\smith48\" and finally, it was extracted from a freelist area for Messages table inside the SQLite database "main.db" (main Skype database file). Next to the Origin Path you will also see an offset inside the file (for artifacts recovered in a file) or an offset from the beginning of a partition (for carved artifacts).

Having such information, you will be able to accurately explain how this and that artifact originated, and also check the correctness of the product output manually.

Predefined Searches

The new layout of Belkasoft Evidence Center windows allows you to quickly examine various interesting searches, running out of the box. For example, you can review all emails, SSN numbers, credit cards and so on. These artifacts are located at the time of extraction of data and are grouped at the renewed Search Results window:

Right after case processing is completed, you can inspect various things like credit cards, video links (such as YouTube or social network videos), IP and email addresses etc.

This window also helps you to run your own searches and review the history of previous searches.

New and Updated Apps

As a part of continuous improvement, Belkasoft constantly supports new applications and formats as well as updates those which changed the way they store information. In 8.3 we supported the following apps

Instant Messengers:

• IMO messenger
• Android HeyTell
• Paltalk

Browsers for iOS:

• Dolphin
• Firefox
• Maxthon
• Mercury
• Opera

System files:

• Prefetch files
• Thumbnails for ACDSee, Picasa, PhotoScape and Lightroom photo editors

Some apps were updated:

• Pokemon Go
• VK
• ICQ
• Safari
• Uber
• QIP
• Skype
• AIM
• Brosix
• Gmail Offline
• Swarm
• Vipole
• Telegram
• IE10
• Pidgin

Carving from unallocated improved for:

• Smses
• Calls
• Viber
• WhatsApp
• Skype

Customer Requests Addressed

Several dozens of customer requests were implemented, such as

• "Filter" buttons in artifact lists, which are added to a list's column headers
• relative paths in HTML and PDF reports (to allow moving reports)
• support for MBOX analysis
• and many more.