Belkasoft Evidence Center 2018 v.9.0 (or, in short, BEC)
is an all-in-one forensic solution, combining computer,
RAM, mobile and cloud forensics in a single tool. Given its affordable price,
it is one of the best choices among other available products on the market.
With version 9.0, BEC 2018 becomes even more powerful, stable, reliable
and quick. Below you will find major features of the new release:
- Reporting totally redone
- Windows' Recycle Bin analysis supported
- HEIC picture format supported
- macOS system configuration analysis supported
- NTFS compression supported
- OFB mobile images mounting and analysis supported
- User interface refreshed
- Deduplication supported, both by using PhotoDNA hashing and by not
carving files that already exist
- x64 version now also available for fixed license
- x64 version now also available for trial version
- A pack of new and updated computer and mobile artifacts
included
Upgrading to version 9.0 is free for all customers with a non-expired Extended
Software Maintenance and Support contract. The File System module must be
purchased separately. Customers without a current contract can purchase it from
the Customer Portal. An affordable User Refresher Course is also available for
those who would like to catch up on all recent improvements.
Note to fixed license owners: upgrade from 32 to 64 bit is free but you
have to re-download your license from the Customer Portal.
New reporting
The reporting component was totally redone. With
the new reporting engine we got rid of third-party libraries which were
responsible for suboptimal performance and memory consumption. Now our
reports are much quicker than in v.8.6 and they do not consume as much
memory.
Note: an option to choose columns for a report is no longer available. The
report takes a set of columns from the current view of exported artifacts.
Thus, if you would like to add a column to a report, you should choose that
particular column in the user interface of the corresponding list (say, add
Time UTC to the chat list).
New types of analysis
- Recycle Bin data extraction supported. Analysis of the Recycle
Bin can restore files and folders recently deleted by means of
Windows. This option is now available under Advanced options on the
analysis screen
- HEIC picture format supported. This is a new format introduced by
iOS 11 which can be found on modern Apple devices. BEC can now find these
files, extract and present their metadata and display a preview
- macOS system configuration analysis supported. BEC already had
similar support for Windows registries, extracting more than
100 types of forensically important registry keys
and values; now the same support is added for macOS settings
- A lot of new languages now supported for OCR (text
recognition inside pictures, videos and PDF with scanned contents),
including hieroglyph-based ones. By default the product has English
support only, but on request we will provide our customers with any other
language from the 50+ newly supported ones. The complete list of
supported languages is: Azerbaijani, English, Belarusian, Bulgarian,
Czech, Chinese Simplified, Chinese Traditional, Danish, German, Greek,
Esperanto, Finnish, French, Galician, Haitian, Hindi, Croatian,
Hungarian, Indonesian, Icelandic, Italian, Javanese, Japanese, Georgian,
Kazakh, Kirghiz, Korean, Latvian, Lithuanian, Malay, Nepali, Dutch,
Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Slovenian,
Spanish, Albanian, Serbian, Swedish, Telugu, Tajik, Thai, Turkish,
Ukrainian, Uzbek, Vietnamese
File system and mounting
- Compressed NTFS files supported. This improvement is
important for bigger files which are frequently compressed by default on
NTFS volumes. A big PST mailbox is a good example of a file which is
often compressed. Since BEC now parses file systems natively without
using Windows API for that, compression was important to support (this
support was missing in v.8.6). Surprisingly, we found that many other
forensic tools still do not properly support compression. Our team
struggled a lot with parsing performance of compressed files and we are
proud to say that parsing speed is comparable to Windows
- OFB images supported. OFB is a mobile device image format,
created by third-party software. By supporting more than 25 formats
from various vendors, BEC is becoming a tool where various images can meet
for the sake of cross-analysis. To name a few: EnCase, FTK, X-Ways,
DMG, SMART and Cellebrite formats can be ingested into BEC and
analyzed for 1000+ types of artifacts
User interface
In this release we paid a lot of attention to the user interface:
- Various icons and pictures are made more clear and modern
- Viewers such as Plist Viewer, SQLite Viewer and Registry Viewer made
more consistent and more intuitive
- Registry Viewer now looks similar to Plist Viewer and has a
handy navigation between parts of a selected branch path
- User Reference file is updated. The updated PDF is included in
the product installation (click Help -> Help (offline)), or you can download it from
https://belkasoft.com/help
Performance and usability
- Deduplication between carved files and files found during file
analysis added. Now, if a file is carved and we detect that it is
already processed with regular analysis of existing files, this carved
result is not added to the case to avoid duplicates. This is especially
important when you carve pictures or documents that number around tens of
thousands of items or more
- EML and MSG files grouped in a single profile. In previous
versions each EML and MSG message was represented as its own profile in Case
Explorer, which made it huge for data sources with many exported emails. Now
all such emails are grouped in a single profile, thus making Case Explorer
handier
- As mentioned above, Reporting performance significantly
improved. For some cases it was made up to 100 times quicker!
- Startup performance improved. Now you will wait less for the
product startup and case loading. Case loading in particular is much
quicker for cases with multiple images inside
- Processor cores are now used in a more efficient way. For
example, at the end of the analysis, when the product analyzes remaining
pictures and carved data, this task is spread over all available cores
(with the exception of one core used for the GUI). This allows using 100%
of processing power to speed up the analysis, while in previous versions
each task could occupy no more than a single core, even if other
cores were not busy
x64 and licensing
Two big improvements were made with regard to 64-bit version
availability:
- BEC x64 can be started without a dongle. Owners of fixed
license can now use x64. The upgrade is free, but you will have to
re-download your license from your Customer Portal account
- x64 trial version is also available
The 32-bit version is discontinued, with the exception of Portable, which is
still 32-bit.
There are a few points to note with regard to the updated licensing:
- The license file is now called "license.xml" so that you will not
confuse older and newer licenses
- For the trial and fixed license you will have to do a one-time online or
offline activation. If you have an Internet connection, online activation is
a bit easier and quicker, but you also have a choice to do offline
activation for disconnected computers. To do so, choose Offline activation
when prompted and prepare a thumb drive which you can take to any connected
computer. On that computer you can run the executable file prepared by BEC
from your thumb drive and return the dongle back to the first computer, where
you can now complete the activation
- Dongle-based licenses do not require activation
- Trial and fixed licenses do not work under virtual machines.
You will need to obtain a dongle if you plan to use BEC inside a virtual
machine
New and updated apps
As usual, each new version of BEC supports a few dozen new and
updated versions of various applications and formats. Here is what we have
supported or updated in v.9.0:
iOS (10 artifacts):
- Facebook Messenger
- Calls
- Snapchat
- Uber
- Safari
- WeChat
- Viber
- Calendar
- SpringBoard
- Notes
Android (15 artifacts):
- Snapchat
- WiFi connections
- Viber
- Yandex.Taxi
- TextMe
- KateMobile
- Zello
- Signal
- VK coffee
- Instagram Direct
- Uber
- WeChat
- WhatsApp
- Chrome
- Calls
Windows (27 artifacts):
- Telegram
- Firefox
- Gigatribe
- Viber
- Frostwire
- IE
- Ares Galaxy
- Vuze
- Shareaza
- Maxthon
- Windows 10 Maps
- Bitcoin
- Zello
- Slack
- Chrome encrypted cookie
- Mail.Ru Agent
- Outlook
- Line
- ICQ
- Skype
- WhatsApp
- Trillian
- Qihoo 360 Secure Browser
- Baidu Browser
- Tencent QQ Browser
- Sogou Explorer
- 163 mail
You may note a special emphasis on Chinese applications such as Tencent,
Baidu browsers, and 163 email. Note also Chrome cookies decryption, which is now
available (additional user input is required).
macOS (17 artifacts):
- iChat
- Tencent QQ Browser
- Keynote
- Numbers
- Pages
- Current TimeZone data
- Network Interface Configuration
- Recent Applications
- Documents
- Network Connections
- Recent folders and searches
- Spotlight
- User's Dock Folders
- User's Dock Network Shares
- User's Dock Applications
- Contacts
- Apple Mail
Other Enhancements
- Low disk space notification added, so that your case database does not
get corrupted due to insufficient space
- Predefined search performance and accuracy improved
- Corrupted Office documents now processed in a more flexible way with
fewer warnings in the analysis log
- User friendly error message shown when a case cannot be opened (such
as database incompatibility or corruption)
- Items bookmarked with their parent and child items (important when
you bookmark an attachment to a chat or an email and would like to trace
the original item)
- VSC snapshots pinned to the top inside a partition tree in File
System view for easier review
- Timeline tab refreshes automatically after it is shown for the first time
Issues fixed
- Incorrect behavior of Bookmark shortcut (Ctrl+B) fixed
- Incorrect cleanup of the Temp folder fixed
- "Is Deleted" property fixed for some SQLite records extracted from
Freelist and Unallocated space
- Infinite loading of data inside some artifact list under some
circumstances fixed
- Error during analysis of encrypted WhatsApp profile fixed
- Rare problem in task cancellation fixed
- Rare problem in iOS 11 backup decryption fixed
- Double saving of profile avatars fixed
- Issue where data carved from SQLite unallocated space was not shown in
item properties fixed
- ...and about 400 smaller improvements