Belkasoft Evidence Center 2019 v.9.5 (or, in short, BEC)
is an all-on-one forensic solution, combining mobile, computer,
RAM, cloud and remote forensics in a single tool. Given its affordable price,
it is one of the best choices among other available products on the market.
Version 9.5 of BEC 2019 is one of the biggest releases with regards
to changes, over the last few years. A number of new large-scale features are
added, including the following:
- Remote acquisition of computers, mobiles and RAM
- Incident investigation
- Cross-case search
- TWRP dump mounting and analysis
- Full logical backup of jailbroken iOS devices
- ANN detection for arrow and cross signs on images
- Telegram X decryption
- Decryption of Bitlocker and McAfee Endpoint Security encrypted images
- Multi-partition APFS support
- Massive update of multi-user Team Edition module
- Numerous updates to artifact extraction
- New 3-day official training
along with optional BelkaCE (Belkasoft Certified Examiner) certification
is added
Sign up for a webinar on BEC v.9.5!
Upgrading to version 9.5 is free to all customers with a non-expired Extended
Software Maintenance and Support contract. Customers without a current contract
can purchase it from the Customer Portal.
An affordable
User Refresher Course is also available for those who would like to catch
up on all recent improvements. Training
with optional certification is available.
New features in detail
Remote acquisition
Remote acquisition is aimed to help investigators in a distributed environment.
When an organization has multiple locations and each location may receive seized
devices, it can be a challenge to conduct forensic analysis of such devices
in a timely manner. Invariably, some location will not have a trained specialist
to perform acquisitions. It may also take a while to send the device to the
central office or to send a specialist to that location. If a computer or a
laptop memory must be acquired, then the option to send the device in, ceases.
These problems can be solved with remote forensics, now available with Belkasoft.
The new version of BEC allows you to install an agent on any computer inside
your network and with a minimum of efforts acquire computer hard drive, RAM
memory or a connected mobile device. The acquired image can be then scheduled
for the upload to the central location. It can be done at the night time so
that the working hours Internet throughput does not suffer.
Using BEC you can easily deploy an agent to a remote computer, then acquire
a data source connected to this computer and then schedule uploading of the
created image back to your main computer
The new feature is helpful for LE departments having multiple offices as
well as to private companies with centralized forensic departments. For the
latter using BEC built-in remote acquisition capabilities could become a huge
cost, time and effort saver.
Remote Acquisition is available as a separate paid plug-in.
Incident investigation
Incident investigation is a brand new feature, which further expands the
usage of BEC for corporate customers. This new function is aimed in helping
private companies investigate hacking attempts of Windows-based computers. By
analyzing numerous sources such as registry, event logs and memory dumps, it
can find traces, which are typical to various tricks used by hackers to penetrate
company's infrastructure.
Belkasoft Evidence Center looks at various artifacts located inside Amcache,
ShimCache, Syscache, BAM/DAM, AppInit DLLs, Change of default file association,
scheduled tasks, remote connections (RDP, Remote Connection, TeamViewer and
others), startup tasks, browser extensions and so on; it detects suspicious
connections and scripts.
The results of analysis are then presented inside a brand new window of BEC
making it easy to separate suspicious activities from regular forensic artifacts.
New BEC pane conveniently combines various sources to inspect in a course
of an incident response case
This new feature makes BEC a complete DFIR solution, which helps customers
not just with "DF" part of the abbreviation but also with "IR".
Incident Investigation is available as a separate paid plug-in.
Cross-case search
This new feature of BEC 9.5 helps you and your fellow investigators find
intersections of the current case being investigated with archived cases.
As the product analyzes the current case, it looks into previous cases worked
on, and attempts to locate various data residing in the current case. You may
configure the tool on what data to look for, as well as which older cases to
look into.
If an email, a phone number, or a profile name found in the current case
is also found in an older case, this might mean that people in these cases are
somehow connected or have something in common. Understanding the importance
of such information, any cross-search hit triggers an alert at the BEC's status
bar, so that you can immediately notice that.
You can review the cross-search results under "Search Results" window of
the BEC's interface under the new node called "Alerts".
If the phone, email or UIN found in the current case met in earlier cases,
BEC will notify you about it using a special node inside Search Results window
This feature is especially useful with Team Edition of BEC since it will
enable you to search not only inside your local BEC cases stored on a single
machine but also go through your colleagues’ cases stored remotely.
Cross-case Search is available for free to the Team Edition license holders
and as a separate paid plug-in for customers having the single-user license.
TWRP dump mounting and analysis
With v.9.5 BEC can mount and analyze Android TWRP images.
TWRP (Team Win Recovery Project) is an open-source custom recovery image
for Android devices. With this tool, the user gets access to a substantial functionality
for device management. Using TWRP, you can create a complete logical copy of
a user's “/data” partition and then investigate it with BEC.
A list of supported devices can be found on the
TWRP project website.
This feature is available for all BEC customers having up-to-date Mobile
Device Analysis module.
Full logical backup of jailbroken iOS devices
With BEC v.9.5 you will now be able to do a full logical backup of iOS devices,
which are jailbroken. Full copy of Apple devices contains much more info than
a standard iTunes backup, including various chats and other applications. In
particular, with such a backup you can even restore Telegram's secret chats
after they have been deleted.
BEC supports making the full logical backup as well as analysis of acquired
files, such as the abovementioned deleted Telegram secret chats recovery.
This feature is available for all BEC customers having up-to-date Mobile
Device Analysis module.
ANN detection for arrow and cross signs on images
The new version of Belkasoft Evidence Center extends support for investigators
dealing with drug-related crimes. One of artifacts, which may prove the fact
of drug distribution, can be a specific set of pictures stored on a suspect's
device. Such pictures contain a place where a drug tab is hidden along with
a hand-drawn arrow or a cross on top of the picture.
This is a real example of an image used to mark a drug stash
Using state of art artificial neural networks, Belkasoft can find such pictures
among hundreds of thousands of other pictures from a device, thus dramatically
speeding up the investigation.
This feature is available for all BEC customers with valid SMS. The download
of a separate installer is required (available inside your Customer Portal,
make sure you download .ann version).
Android's Telegram X decryption
Belkasoft supports dozens of various applications in each release, but the
newly appeared support of Telegram X stands apart. This popular messenger uses
strong encryption, which details are not yet well documented. That is why Belkasoft
specialists had to spend significant amount of hours in an effort to understand
this format.
Belkasoft is a first digital forensic tool to support Android's Telegram
X decryption.

This feature is available for all BEC customers having up-to-date Mobile
Device Analysis module.
Multi-partition APFS support
APFS is a file system introduced in macOS High Sierra 10.13 in 2017. Belkasoft
was one of the first three digital forensic tools to support APFS last year.
We are constantly improving this support and, in this release, multi-partition
APFS images were supported.

Artifact extraction from APFS is available for all BEC customers with valid
SMS. File system view is available for customers having up-to-date File System
Explorer module.
Massive update of multi-user Team Edition module
Team Edition enables private and government organizations, having multiple
digital investigators to:
- efficiently split their work
- work on the same cases together
- store cases centrally in a high-performance Microsoft SQL Server database,
thus enabling access to the case from different computers and by different
people
- restrict user access rights to edit or view a case
- have local and remote cases in the same product interface
- use other investigator cases for cross-case searches
With v.9.5, Belkasoft significantly improves the user experience of Team
Edition, its performance and robustness. Besides, new Cross-case search
module is available for Team Edition license holders free.
With convenient User Management screen an administrator can create users
and assign roles to them
This feature is available for all BEC customers with valid Team Edition license.
Upgrades from single-user or network license are available.
Other improvements
Apart from major features introduced above, there are multiple other improvements.
Among them are:
- Artifact analysis improved/supported
- All platforms: Chrome, Facebook, Instagram, Odnoklassniki,
Safari, Skype, Skype cross-platform, Uber, Vipole, VK, WeChat, WhatsApp
- Windows: Avant and Sogou browsers, Map app
- iOS: Apple Mail, Chrome, KIK, Live me, Microsoft Edge, Opera,
Twittie, Recently deleted notes for iOS Notes
- Android: Badoo, Dolphin browser, Gmail, Google+, Grindr,
Hangout, ICQ, Imo, IM+, KateMobile, Mail.Ru agent, MeetMe, MeowChat,
Next plus, ooVoo, Pinterest, Slack, Snapchat, Swarm, Tango, Telegram,
Tinder, Twitter, Voxer, Xabber
- macOS: aMSN
- Computer forensics
- Bitlocker detection implemented
- Bitlocker decryption with a known decryption key implemented
(requires Decryption Module)
- McAfee Endpoint Security decryption with a known decryption
key implemented (requires Decryption Module)
- Video keyframe extraction updated
- Parsing of corrupted registry files improved
- MAC address extraction from LNK files fixed
- Extraction of recent files opened by various macOS applications
supported
- Mobile forensics
- Parsing of Android sms/mms backup files added
- Cloud forensics
- iCloud authentication updated
- GSuite services download updated
- GUI and Usability
- Separate nodes for Pictures with face/pornography/guns/text are
added in Overview
- SMS, Call, Conversation, Voice mail representation unified
- Separate "duration" column added where applicable for calls
- Separate "Delivery status" column added where applicable for chats
and calls
- Save selected file to database fixed
- Recent cases sorted by opening date/time on Dashboard
- 'GPU is not found' warning removed where is not applicable
- Search in Plist and Registry Viewer added
- Sorting in SQLite Viewer added
- Automatic navigation to a registry branch where the selected artifact
is stored, is implemented in Registry Viewer
- File Systems Explorer
- Long awaited filters added into File List
- Multiple improvements of Hash set analysis:
- Performance boost
- Fixed issue with not starting hash set analysis if artifact
analysis is not selected
- File system is now visible in Evidence Reader (if original BEC had
File System Explorer module)
Sign up for a
webinar on new BEC v.9.5