What's New in BEC 2018 v.8.5

Belkasoft Evidence Center 2018 v.8.5 (or, in short, BEC) is an all-on-one forensic solution, combining computer, RAM, mobile and cloud forensics in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

With version 8.5, BEC 2018 offers you even more value, staying at the same affordable price tag. Below you will find major features of the new release:

• More mobile acquisition and analysis features (e.g. support for Android 7.0 and improvements in rooted Android phones physical acquisition)
• A pack of enhancements in Live Memory analysis (Windows 10 memory dumps support, process extraction and visualization)
• Newly appeared possibility to detect malware (suspicious processes detection, checking processes with VirusTotal)
• Better support for Outlook PST and OST files, allowing to process multi-gigabyte mailboxes
• Support for a number of popular crypto currencies
• A lot of new and updated apps analyzed out of the box, which expand the list of other 800+ artifact types available for analysis in the previous release
• FTK integration: Starting version 6.3 of AccessData's Forensic Toolkit, Belkasoft module will be available
• Spanish and Chinese translations added, German translation updated

Sign up for a webinar on BEC v.8.5!

Upgrading to version 8.5 is free to all customers with a non-expired Extended Software Maintenance and Support contract. File System module must be purchased separately. Customers without a current contract can purchase it from the Customer Portal. An affordable User Refresher Course is also available for those who would like to catch up all recent improvements.

Mobile Acquisition And Analysis

Belkasoft is actively developing mobile forensics part of BEC 2018 and here are enhancements we have done with v.8.5:

• Android ADB backup creation updated to support Android 7.0
• Root rights detection improved for Android devices (helping to perform a physical acquisition, available since v.8.4)
• iCloud downloader updated to support latest Apple changes
• Analysis of iTunes backups nested into a virtual machine file or another container is now started automatically
• Chip-off and JTAG dumps mounting and analysis improved
• A number of mobile apps supported and updated (see the list below in the New/Updated Apps section)

Live RAM Analysis

• Process extraction from a Windows 10 memory dump is supported
(make sure you switched BelkaCarving option on)
• As with previous versions, you do not have to specify OS type and version number, this is done by BEC automatically
• As with previous versions, memory artifacts are extracted by BEC out of the box and shown in Overview and Case Explorer window
• Process memory can be stored to a file

Malware Detection

This is a new function in BEC 2018 and it allows you to automate some routine to detect malware inside process memory. There are two options available at this release:

• Analysis with VirusTotal. You will need to have an Internet connection for this feature. BEC will upload the selected processes memory to VirusTotal and get a result of analysis: whether it is a malware or not, malware name and confidence level. For each result, a dedicated link is provided with more details from VirusTotal, which you can then examine. Note: the entire process memory is uploaded, not a hash value, since process memory, unlike a file from a drive, is always different
• Fake system name detection. Malware like to pretend to be a system process to hide itself from a user skilled enough to review Windows TaskManager list of processes. For example, a frequent trick is to create scvhost.exe instead of svchost.exe. We collected more than thousand fake names like that and will raise a red flag once one of these names is met inside a memory dump

Huge Outlook PST/OST Support

Outlook analysis is massively improved and now works even with huge mailboxes. Nowadays it is not a surprise to meet a terabyte-sized mailbox and with 8.5 our customers will get rid of "out of memory" issues on such files.

Crypto Currencies Analysis

Crypto currencies is a hot topic now, including forensic analysis. BEC 2018 adds support for Bitcoin and Ethereum types of crypto currencies. The following artifacts are supported: Bitcoin, Armory, Jaxx. You can see transaction and wallet details for these apps.

New and Updated Apps

We continually work on updating the support for formats and apps, which are constantly releasing new versions. Here is the list of apps updated or newly supported in BEC v.8.5:

iOS:

• Any.Do (new)
• Google Maps (new)
• Evernote (new)
• Foursquare (new)
• Richnote (new)
• TextPlus (new)
• Textie (new)
• GetTaxi (new)

Android:

• GetTaxi (new)
• Any.Do attachments extraction added
• SMS (updated)
• Twitter (updated)
• Vipole (updated)
• ooVoo (updated)
• Facebook messenger  (updated)
• GMail App (updated)

Windows:

• eMule (updated)
• Vipole (updated)
• Adobe Flash (updated)
• Geolocation data extracted from all types of links
• Cookie extraction improved for Edge browser
• ICQ (updated)

A few more apps are mentioned above in the Crypto Currencies section.

AccessData Forensic Toolkit (FTK) Integration

Previously announced, Belkasoft has recently become a new AccessData Technology Partner, a definite quality seal on our products. Together, we have released a new version of AccessData's Lab Web UI, enriching it with hundreds of new apps and formats, now analyzed by AD Lab out of the box. All this is thanks to the Belkasoft engine. We continued our collaboration, and are proud to announce that the integration of the same feature with AccessData's FTK product is now finished, basing on release v.8.5 of BEC 2018.

In a few weeks, you may expect an official announcement of FTK v.6.3 from AccessData. Starting that date, Belkasoft module will be available for purchase.

Other Enhancements

Thanks to everyone who contributed to the improvement of the BEC product quality by sharing your feedback. It tremendously helps in moving the tool forward. Among the fixes, we have done for you are:

Search:

• More relevant results in Predefined Search results
• Predefined search performance improved

User Interface:

• Ability to copy files and folders with path preservation into an L01 image implemented
• Empty property panels are not shown anymore
• iTunes backup decryption implemented like the other tasks and visible in Task Manager
•  Tab navigation simplified. Now it is easy to navigate among large number of tabs.

Social Connection Graph:

• Contact overview added (a new panel at the left, where you can select one or multiple contacts)
• Graph drawing is improved and made more clear
• Filtering of selected contacts is added for easier review of large graphs
• Overall graph usability improved

Issues Fixed:

• Problem in JTAG and chip-off mounting fixed
• Evidence Reader does not continue analysis started (and not finished) in BEC anymore
• Rare problem in filesystems detection in the 64-bit version of BEC fixed
• Problem in free space carving fixed
• Document's embedded pictures extraction fixed. It also fixes often "corrupted document" error during Document analysis
• Memory issues during AD1 image analysis fixed
• Problem with not starting automatic analysis after successful iTunes backup decryption fixed
• ...and more than 200 smaller issues