Belkasoft Evidence Center 2018 v.8.6 (or, in short, BEC)
is an all-on-one forensic solution, combining computer,
RAM, mobile and cloud forensics in a single tool. Given its affordable price,
it is one of the best choices among other available products on the market.
With version 8.6, BEC 2018 offers you even more value, staying at the same
affordable price tag. Below you will find major features of the new release:
- Downloading 30+ new cloud services including Instagram,
WhatsApp, Google Timeline and all popular email clouds
- hiberfil.sys analysis for new Windows formats including
- Bubble view for chats
- WhatsApp crypt12 decryption
- Japanese translation added, Chinese translation
- A pack of new and updated computer and mobile artifacts
Sign up for a webinar on BEC
Upgrading to version 8.6 is free to all customers with a non-expired Extended
Software Maintenance and Support contract. File
System module must be purchased separately. Customers without a
current contract can purchase it from the Customer
Portal. An affordable
Course is also available for those who would like to catch up on all recent
User Interface And Usability
We worked a lot on usability of BEC in v.8.6. In particular, the following
improvements were made:
- New tab added: Bookmarks. Before you could only find bookmarked
items in Case Explorer, which lead to some confusion when using the product.
Now it is a top-level window, easy to find and operate.
- New tab appeared: Timeline. Likewise Bookmarks, historically
Timeline was a part of Case Explorer, what became no more intuitive with
the introduction of Overview window. Now Timeline is also a separate top-level
- New mode for chat list introduced: bubble mode. This mode allows
you to review chats as they are shown natively on a device. You can switch
between standard grid mode and new bubble mode at the bottom right corner
of the Chat List:
Note, that it is advised to
to leave only two of them. Alternatively, go to Case Explorer and select Show contacts
and review chats in bubble mode for a particular contact. This will give
you a possibility to review chats between just two persons, otherwise it
will be unclear which messages are incoming and which are outgoing.
- A very important usability update is showing selected artifact in
HexViewer. Once you selected an artifact in Item List (such as,
Chat list or Picture list), its binary data are populated into HexViewer,
so you do not have to manually set an offset to find raw data:
Here you can see raw data for Skype chat inside corresponding
- Browser URL list got two useful columns Browser type and Protocol
type, which contain a browser name and protocols like http, https, ftp
and others. You can filter these buy columns, which can come in handy if you want to
exclude some browser specific links, such as "file://" - which Internet Explorer is famous for,
or you can leave out all Internet Explorer links as a whole.
- Tasks shown in Task Manager screen are now persistent.
When you run BEC next time, the previous session is loaded to the Task Manager
allowing you to review what you have already done with your data sources,
as well as task statuses (Success or Error). This
is particularly important in such situations as power cut or sudden computer
reboot, when your analysis was aborted in the middle of process.
- Bookmark creation made easier. You can press Ctrl-B anytime
in an Item List what will add the item to the last used bookmark. You can
also press Ctrl-Shift-B to add an item to a new bookmark, yet inexistent.
- Plist Viewer is significantly improved.
A number of usability improvements implemented by customer request, such as:
- When you bookmark a nested item (say it, an illicit picture, sent
via chat message), parent item is also bookmarked. In the described
scenario, both picture and parent message will get into a bookmark.
- For the same reason parent object properties are now displayed in the
child item properties, when you select such item in Item List.
- When you create an XLS or Word report for documents, original files
are copied to the report folder (in previous BEC it was only supported
for HTML reports).
- and many others (see "Other Enhancements" below).
In this release we added a number of new clouds, which BEC is now able to
- Google Timeline
- and a whole set of various webmail services, among which are:
On this screenshot, you can see the selection of various supported webmail services.
Once you picked a service, its details are populated, such as server address and port Note,
that you can opt for IMAP or POP3 protocol, but in both
cases all emails are left on the server.
Mobile Acquisition And Analysis
Belkasoft is actively developing mobile forensics part of BEC 2018 and here
are enhancements we have done with v.8.6:
- Android WhatsApp crypt12 decryption is supported. Note that for
this you need a physical dump of a device or a rooted device (which BEC
can take a physical dump from).
- The same decryption is available when you download WhatsApp data from
the corresponding cloud. Again, the decryption key is needed, which you
can take from the device.
Live RAM Analysis
As you know, Windows hibernation format significantly changed in Windows
8. Starting v.8.6 BEC supports hibernation file decompression and analysis for
Windows 8 and Windows 10. Previous versions of hibernation files were supported
in earlier versions of BEC.
Hibernation file can be added as a separate data source under "RAM Image"
data source option. Once it is added, you can carve it for various RAM artifacts,
such as documents, emails, browser links, chats, social network communications, SQLite databases, registry values, pictures and so on.
- In previous version of BEC we added a possibility to check memory processes
with VirusTotal. Now you can check any file, not just a memory process,
from File System Explorer window.
- Gigatribe supported
- Yandex.Taxi app is supported for both iOS and Android
- KateMobile Pro VK client is supported for Android
- Telegram Desktop RAM artifacts are now supported, so that you can
carve any memory dump for Telegram Desktop chats
Huge thanks to everyone who contributed to the improvement of the BEC product
quality by sharing your feedback. It helps us tremendously in upgrading the product to answer your needs better.
Among the fixes we have done for you are:
- Reports for Bitcoin wallets supported
- More data included into HTML report for Registry artifacts
- Fixed: Report in EML format is not created
- Fixed: Mails reporting doesn't work for mails in text format
- Fixed: Unable to create a report from Google Maps tab
- Fixed: EML report for emails from Overview is not created
- Fixed: Context menu item "Show in file system" now correctly shows
corresponding file, from where selected artifact originated from
- Fixed: Sorting by origin path shows empty artifact list
- Fixed: Plist viewer resets column widths
- Fixed: Elapsed column is disappeared in Task Manager during columns resizing
- Fixed: Origin paths for pictures from an iTunes backup are incorrect
- Fixed: Item list for hashsets does not appear
- Fixed: Part of code is shown instead of appropriate string in Plist viewer
- Fixed: Opening folder in list of file system does not work correct
- Fixed: Incorrect duration shown for voicemails
- Fixed: Messenger names duplicated in filter by type
- Fixed: Filter is case sensitive in a filter by an email subject
- Fixed: Error reading processes sizes in RAM images created by third-party
- Fixed: Incorrect profile names and nicks in Ebuddy XMS and HeyTell apps for iOS
- Fixed: Filter is created even if a user cancels its creation
- Fixed: Sometimes Registry artifacts properties are not displayed in
- Fixed: iPhone Twitter is not extracted
- Fixed: Incorrect artifact count for Bitcoin Core Wallet profiles
- Fixed: Empty Item List for a Telegram profile from AD1 image
- Fixed: Skype IP address and original item properties are not shown in Overview
- Fixed: Skype chat Offset value is incorrect
- Fixed: Search in HEX viewer sometimes doesn't work
- Fixed: Incorrect extraction of SMS date from iPhone 3G
- Fixed: No Origin Path for Notes application artifacts
- Fixed: Context menu "Remove bookmark" doesn't work
- Fixed: Incorrect owner ID and message direction in ICQ 10
- Fixed: No origin path for an ICQ profile
- Fixed: Error analyzing Firefox browser profile
- Fixed: Viber calls are detected as message artifacts
- Fixed: BEC 8.5.2286 can not open case created in BEC 8.4.2163
- Fixed: Participants are determined incorrectly for Swarm chats
- Fixed: Too many MIME false positives in carved emails
- Fixed: Analysis Skype is finished with errors
- Fixed: Not full origin path for Outlook express artifacts
- Fixed: Uber profile is shown empty
- Fixed: Time for Bitcoin Wallets is not marked as UTC or Local
- Fixed: No Origin path for contacts extracted from WhatsApp profile
- Fixed: Properties for keyframes are not displayed, including Origin Paths
- Fixed: SQLite Viewer does not show artifacts from WAL under some
- Improved: File System Explorer: Select folder in directory tree on double click
on a folder in the File List
- Improved: Allow giving a custom name for created L01 image
- Fixed: Bookmarks for Blockchain payments data type doesn't work
- Improved: MSG OLE analyzer improved
- Improved: Change context menu for RAM processes from "Copy file to folder" to "Save
- Improved: Improve artifact extraction for updated Android Snapchat app
- Improved: Call extraction from Viber app supported
- Fixed: Copy key combination (Ctrl+C) does not work inside Acquisition Log
- Improved: Zello app contacts extraction improved
- Improved: Proper tag is displayed for Journal or WAL items in SQLite Viewer
("journal" or "wal", previously it always was "journal")
- Improved: Nickname of a profile owner now extracted from Facebook app
- Improved: Origin path for logical images now does not contain superfluous "vol_0"
- Improved: Extracted profile avatars are copied into the Case Data folder
- ...and about 300 smaller improvements