What's new in BEC v.9.0

Belkasoft Evidence Center 2018 v.9.0 (or, in short, BEC) is an all-on-one forensic solution, combining computer, RAM, mobile and cloud forensics in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

With version 9.0, BEC 2018 becomes even more powerful, stable, reliable and quick. Below you will find major features of the new release:

• Reporting totally redone
• Windows' Recycle Bin analysis supported
• HEIC picture format supported
• macOS system configuration analysis supported
• NTFS compression supported
• OFB mobile images mounting and analysis supported
• User interface refreshed
• Deduplication supported by using PhotoDNA hashing as well as not carving existing files
• x64 version now also available for fixed license
• x64 version now also available for trial version
• A pack of new and updated computer and mobile artifacts included

Sign up for a webinar on BEC v.9.0!

Upgrading to version 9.0 is free to all customers with a non-expired Extended Software Maintenance and Support contract. File System module must be purchased separately. Customers without a current contract can purchase it from the Customer Portal. An affordable User Refresher Course is also available for those who would like to catch up on all recent improvements.

Note to fixed license owners: upgrade from 32 to 64 bit is free but you have to re-download your license from the Customer Portal.

New reporting

The reporting component was totally redone. With the new reporting engine we got rid of third-party libraries which were responsible for not optimal performance and memory consumption. Now our reports are much quicker than in v.8.6 and they do not consume so much memory.

Note: an option to choose columns for a report is no longer available. The report takes a set of columns from the current view of exported artifacts. Thus, if you would like to add a column to a report, you should choose that particular column in the user interface of a corresponding list (say it, add Time UTC to the chat list).

New types of analysis

• Recycle Bin data extraction supported. Analysis of Recycle Bin can restore files and folders recently deleted with means of Windows. This option is now available under Advanced options at the analysis screen
• HEIC picture format supported. This is a new format introduced by iOS 11 which can be met on modern Apple devices. BEC can now find these files, extract and present their metadata and display a preview
• Mac OS system configuration analysis supported. BEC had similar support for Windows registries by extracting more than 100 types of forensically important registry keys and values, now the same support added for macOS settings
• A lot of new languages now supported for OCR (text recognition inside pictures, videos and PDF with scanned contents), including hieroglyph-based ones. By default the product has English support only, but by request we will provide our customers with any other language from more than 50+ new supported ones. The complete list of supported languages is: Azerbaijani, English, Belarusian, Bulgarian, Czech, Chinese Simplified, Chinese Traditional, Danish, German, Greek, Esperanto, Finnish, French, Galician, Haitian, Hindi, Croatian, Hungarian, Indonesian, Icelandic, Italian, Javanese, Japanese, Georgian, Kazakh, Kirghiz, Korean, Latvian, Lithuanian, Malay, Nepali, Dutch, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Slovenian, Spanish, Albanian, Serbian, Swedish, Telugu, Tajik, Thai, Turkish, Ukrainian, Uzbek, Vietnamese

File system and mounting

• Compressed NTFS files supported. This improvement is important for bigger files which are frequently compressed by default on NTFS volumes. A big PST mailbox is a good example of a file which is often compressed. Since BEC now parses file systems natively without using Windows API for that, compression was important to support (this support was missing in v.8.6). Surprisingly, we found that many other forensic tools still do not properly support compression. Our team struggled a lot with parsing performance of compressed files and we are proud to say that parsing speed is comparable to Windows
• OFB images supported. OFB is a mobile device image format, created by a third-party software. By supporting more than 25 formats of various vendors, BEC is becoming a tool where various images can meet for the sake of cross-analysis. To name a few: EnCase, FTK, X-Ways, DMG, SMART and Cellebrite formats can be ingested to BEC and analyzed for 1000+ types of artifacts

User interface

In this release we paid a lot of attention to the user interface:

• Various icons and pictures are made more clear and modern
• Viewers such as Plist Viewer, SQLite Viewer and Registry Viewer made more consistent and more intuitive
• Registry Viewer now looks similar to Plist Viewer and has a handy navigation between parts of a selected branch path
• User Reference file is updated. The updated PDF is included into the product installation (click Help -> Help (offline)) or download it from https://belkasoft.com/help

Performance and usability

• Deduplication between carved files and files found during file analysis added. Now, if a file is carved and we detect that it is already processed with regular analysis of existing files, this carved result is not added to the case to avoid duplicates. This is especially important when you carve pictures or documents, that are around tens of thousands items or more
• EML and MSG files grouped in a single profile. In previous versions each EML and MSG message is represented as a single profile in Case Explorer, that made it huge for data sources with many exported emails. Now all such emails are grouped in a single profile thus making Case Explorer handier
• As mentioned above, Reporting performance significantly improved. For some cases it was made up to 100 times quicker!
• Startup performance improved. Now you will wait less for the product startup and case loading. Especially the case loading made much quicker for cases with multiple images inside
• Processor cores are now used in a more efficient way. For example, at the end of the analysis, when the product analyzes remaining pictures and carved data, this task is spread over all available cores (with exception of one core used for the GUI). This allows to use 100% of processing power to speedup the analysis, while in previous versions each task could occupy not more than just a single core, even if other cores are not busy

x64 and licensing

Two big improvements were made with regards to 64 bit version availability:

• BEC x64 can be started without a dongle. Owners of fixed license can now use x64. The upgrade is free, but you will have to re-download your license from your Customer Portal account
• x64 trial version is also available

32 bit version is discontinued with exception of Portable which is still 32 bit.

There are a few points to note with regards to the updated licensing:

• The license file is now called "license.xml" so that you will not confuse older and newer license
• For the trial and fixed license you will have to do one time online or offline activation. If you have an Internet connection, online activation is a bit easier and quicker, but you also have a choice to do offline activation for disconnected computers. To do so, choose Offline activation, when prompted and prepare a thumb drive which you can take to any connected computer. On that computer you can run executable file from your thumb drive prepared by BEC and return the dongle back to the first computer, where you can now complete the activation
• Dongle-based licenses do not require activation
• Trial and fixed based license do not work under virtual machines. You will need to obtain a dongle if you plan to use BEC inside a virtual machine

New and updated apps

As usual, each new version of BEC supports a few dozens of new and updated versions of various applications and formats. Here what we have supported or updated in v.9.0:

iOS (10 artifacts):

• Facebook Messenger
• Calls
• Snapchat
• Uber
• Safari
• WeChat
• Viber
• Calendar
• SpringBoard
• Notes

Android (15 artifacts)

• Snapchat
• WiFi connections
• Viber
• Yandex.Taxi
• TextMe
• KateMobile
• Zello
• Signal
• VK coffee
• Instagram Direct
• Uber
• WeChat
• WhatsApp
• Chrome
• Calls

Windows (27 artifacts)

• Telegram
• FireFox
• Gigatribe
• Viber
• Frostwire
• IE
• Ares Galaxy
• Vuze
• Shareaza
• Maxthon
• Windows 10 Maps
• Bitcoin
• Zello
• Slack
• Chrome encrypted cookie
• Mail.Ru Agent
• Outlook
• Line
• ICQ
• Skype
• WhatsApp
• Trillian
• Qihoo 360 Secure Browser
• Baidu Browser
• Tencent QQ Browser
• Sogou Explorer
• 163 mail

You may note a special emphasis on Chinese applications such as Tencent, Baidu browsers, and 163 email. Note also Chrome cookies decryption, which is now available (additional user input is required).

macOS (17 artifacts):

• iChat
• Tencent QQ Browser
• Keynote
• Numbers
• Pages
• Current TimeZone data
• Network Interface Configuration
• Recent Applications
• Documents
• Network Connections
• Recent folders and searches
• Spotlight
• User's Dock Folders
• User's Dock Network Shares
• User's Dock Applications
• Contacts
• Apple Mail

Other Enhancements

• Low disk space notification added, so that your case database isn't get corrupted due to insufficient space
• Predefined search performance and accuracy improved
• Corrupted Office documents now processed in a more flexible way with less warnings in the analysis log
• User friendly error message shown when a case cannot be opened (such as database incompatibility or corruption)
• Items bookmarked with their parent and child items (important when you bookmark an attachment to a chat or an email and would like to trace original item)
• VSC snapshots pinned to the top inside a partition tree in File System view for easier review
• Timeline tab refreshes automatically after it is shown for the first time

Issues fixed

• Incorrect behavior of Bookmark shortcut (Ctrl+B) fixed
• Incorrect cleanup of the Temp folder fixed
• "Is Deleted" property fixed for some SQLite records extracted from Freelist and Unallocated space
• Infinite loading of data inside some artifact list under some circumstances fixed
• Error during analysis encrypted WhatsApp profile fixed
• Rare problem in task cancellation fixed
• Rare problem in iOS 11 backup decryption fixed
• Double saving of profile avatars fixed
• Data carved from SQLite unallocated space is not shown in item properties fixed
• ...and about 400 smaller improvements