What's new in BEC v.8.6

What's New in Belkasoft Evidence Center 2018 Version 8.6

Belkasoft Evidence Center 2018 v.8.6 (or, in short, BEC) is an all-on-one forensic solution, combining computer, RAM, mobile and cloud forensics in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

With version 8.6, BEC 2018 offers you even more value, staying at the same affordable price tag. Below you will find major features of the new release:

  • Downloading 30+ new cloud services including Instagram, WhatsApp, Google Timeline and all popular email clouds
  • hiberfil.sys analysis for new Windows formats including Windows 10
  • Bubble view for chats
  • WhatsApp crypt12 decryption
  • Japanese translation added, Chinese translation updated
  • A pack of new and updated computer and mobile artifacts included

Sign up for a webinar on BEC v.8.6!


Upgrading to version 8.6 is free to all customers with a non-expired Extended Software Maintenance and Support contract. File System module must be purchased separately. Customers without a current contract can purchase it from the Customer Portal. An affordable User Refresher Course is also available for those who would like to catch up on all recent improvements.

User Interface And Usability

We worked a lot on usability of BEC in v.8.6. In particular, the following improvements were made:

  • New tab added: Bookmarks. Before you could only find bookmarked items in Case Explorer, which lead to some confusion when using the product. Now it is a top-level window, easy to find and operate.
  • New tab appeared: Timeline. Likewise Bookmarks, historically Timeline was a part of Case Explorer, what became no more intuitive with the introduction of Overview window. Now Timeline is also a separate top-level window.
  • New mode for chat list introduced: bubble mode. This mode allows you to review chats as they are shown natively on a device. You can switch between standard grid mode and new bubble mode at the bottom right corner of the Chat List:
  • Note, that it is advised to filter participants to leave only two of them. Alternatively, go to Case Explorer and select Show contacts and review chats in bubble mode for a particular contact. This will give you a possibility to review chats between just two persons, otherwise it will be unclear which messages are incoming and which are outgoing.

  • A very important usability update is showing selected artifact in HexViewer. Once you selected an artifact in Item List (such as, Chat list or Picture list), its binary data are populated into HexViewer, so you do not have to manually set an offset to find raw data:

  • Here you can see raw data for Skype chat inside corresponding SQLite database

  • Browser URL list got two useful columns Browser type and Protocol type, which contain a browser name and protocols like http, https, ftp and others. You can filter these buy columns, which can come in handy if you want to exclude some browser specific links, such as "file://" - which Internet Explorer is famous for, or you can leave out all Internet Explorer links as a whole.
  • Tasks shown in Task Manager screen are now persistent. When you run BEC next time, the previous session is loaded to the Task Manager allowing you to review what you have already done with your data sources, as well as task statuses (Success or Error). This is particularly important in such situations as power cut or sudden computer reboot, when your analysis was aborted in the middle of process.
  • Bookmark creation made easier. You can press Ctrl-B anytime in an Item List what will add the item to the last used bookmark. You can also press Ctrl-Shift-B to add an item to a new bookmark, yet inexistent.
  • Plist Viewer is significantly improved.

A number of usability improvements implemented by customer request, such as:

  • When you bookmark a nested item (say it, an illicit picture, sent via chat message), parent item is also bookmarked. In the described scenario, both picture and parent message will get into a bookmark.
  • For the same reason parent object properties are now displayed in the child item properties, when you select such item in Item List.
  • When you create an XLS or Word report for documents, original files are copied to the report folder (in previous BEC it was only supported for HTML reports).
  • and many others (see "Other Enhancements" below).

Cloud Support

In this release we added a number of new clouds, which BEC is now able to download:

  • Instagram
  • WhatsApp
  • Gmail
  • Google Timeline
  • and a whole set of various webmail services, among which are:

On this screenshot, you can see the selection of various supported webmail services. Once you picked up a service, its details are populated, such as server address and port. Note, that you can opt for IMAP or POP3 protocol, but in both cases all emails are left on the server.

Mobile Acquisition And Analysis

Belkasoft is actively developing mobile forensics part of BEC 2018 and here are enhancements we have done with v.8.6:

  • Android WhatsApp crypt12 decryption is supported. Note that for this you need a physical dump of a device or a rooted device (which BEC can take a physical dump from).
  • The same decryption is available when you download WhatsApp data from the corresponding cloud. Again, the decryption key is needed, which you can take from the device.

Live RAM Analysis

As you know, Windows hibernation format significantly changed in Windows 8. Starting v.8.6 BEC supports hibernation file decompression and analysis for Windows 8 and Windows 10. Previous versions of hibernation files were supported in earlier versions of BEC.

Hibernation file can be added as a separate data source under "RAM Image" data source option. Once it is added, you can carve it for various RAM artifacts, such as documents, emails, browser links, chats, social network communications, SQLite databases, registry values, pictures and so on.

Malware Detection

  • In previous version of BEC we added a possibility to check memory processes with VirusTotal. Now you can check any file, not just a memory process, from File System Explorer window.

New Apps

  • Gigatribe supported
  • Yandex.Taxi app is supported for both iOS and Android
  • KateMobile Pro VK client is supported for Android
  • Telegram Desktop RAM artifacts are now supported, so that you can carve any memory dump for Telegram Desktop chats

Other Enhancements

Huge thanks to everyone who contributed to the improvement of the BEC product quality by sharing your feedback. It helps us tremendously in upgrading the product to answer your needs better. Among the fixes we have done for you are:


  • Reports for Bitcoin wallets supported
  • More data included into HTML report for Registry artifacts
  • Fixed: Report in EML format is not created
  • Fixed: Mails reporting doesn't work for mails in text format
  • Fixed: Unable to create a report from Google Maps tab
  • Fixed: EML report for emails from Overview is not created

Issues Fixed:

  • Fixed: Context menu item "Show in file system" now correctly shows corresponding file, from where selected artifact originated from
  • Fixed: Sorting by origin path shows empty artifact list
  • Fixed: Plist viewer resets column widths
  • Fixed: Elapsed column is disappeared in Task Manager during columns resizing
  • Fixed: Origin paths for pictures from an iTunes backup are incorrect
  • Fixed: Item list for hashsets does not appear
  • Fixed: Part of code is shown instead of appropriate string in Plist viewer
  • Fixed: Opening folder in list of file system does not work correct
  • Fixed: Incorrect duration shown for voicemails
  • Fixed: Messenger names duplicated in filter by type
  • Fixed: Filter is case sensitive in a filter by an email subject
  • Fixed: Error reading processes sizes in RAM images created by third-party products
  • Fixed: Incorrect profile names and nicks in Ebuddy XMS and HeyTell apps for iOS
  • Fixed: Filter is created even if a user cancels its creation
  • Fixed: Sometimes Registry artifacts properties are not displayed in Timeline
  • Fixed: iPhone Twitter is not extracted
  • Fixed: Incorrect artifact count for Bitcoin Core Wallet profiles
  • Fixed: Empty Item List for a Telegram profile from AD1 image
  • Fixed: Skype IP address and original item properties are not shown in Overview list/properties
  • Fixed: Skype chat Offset value is incorrect
  • Fixed: Search in HEX viewer sometimes doesn't work
  • Fixed: Incorrect extraction of SMS date from iPhone 3G
  • Fixed: No Origin Path for Notes application artifacts
  • Fixed: Context menu "Remove bookmark" doesn't work
  • Fixed: Incorrect owner ID and message direction in ICQ 10
  • Fixed: No origin path for an ICQ profile
  • Fixed: Error analyzing Firefox browser profile
  • Fixed: Viber calls are detected as message artifacts
  • Fixed: BEC 8.5.2286 can not open case created in BEC 8.4.2163
  • Fixed: Participants are determined incorrectly for Swarm chats
  • Fixed: Too many MIME false positives in carved emails
  • Fixed: Analysis Skype is finished with errors
  • Fixed: Not full origin path for Outlook express artifacts
  • Fixed: Uber profile is shown empty
  • Fixed: Time for Bitcoin Wallets is not marked as UTC or Local
  • Fixed: No Origin path for contacts extracted from WhatsApp profile
  • Fixed: Properties for keyframes are not displayed, including Origin Paths
  • Fixed: SQLite Viewer does not show artifacts from WAL under some circumstances
  • Improved: File System Explorer: Select folder in directory tree on double click on a folder in the File List
  • Improved: Allow giving a custom name for created L01 image
  • Fixed: Bookmarks for Blockchain payments data type doesn't work
  • Improved: MSG OLE analyzer improved
  • Improved: Change context menu for RAM processes from "Copy file to folder" to "Save process memory"
  • Improved: Improve artifact extraction for updated Android Snapchat app
  • Improved: Call extraction from Viber app supported
  • Fixed: Copy key combination (Ctrl+C) does not work inside Acquisition Log window
  • Improved: Zello app contacts extraction improved
  • Improved: Proper tag is displayed for Journal or WAL items in SQLite Viewer ("journal" or "wal", previously it always was "journal")
  • Improved: Nickname of a profile owner now extracted from Facebook app
  • Improved: Origin path for logical images now does not contain superfluous "vol_0" part
  • Improved: Extracted profile avatars are copied into the Case Data folder
  • ...and about 300 smaller improvements