Belkasoft Evidence Center 2019 v.9.6 (or, in short, BEC)
is an all-in-one forensic solution, combining mobile, computer,
RAM, cloud and remote forensics as well as incident investigations in a
single tool. Given its affordable price, it is one of the best choices among
other available products on the market.
The following new functions are included in BEC v.9.6:
- Updated search engine. The new engine, namely ElasticSearch,
is known for its greater speed and precision. One of the benefits of having
ElasticSearch is a number of third-party tools capable of working with indexed
data
- Updated graphical timeline. This feature lets you glance over the
events in a case, create filters with your mouse and synchronize with the
text timeline to narrow your search
- TikTok support for Android and iPhone. This new media app is
becoming extremely popular nowadays
- FileVault decryption with a known password
- iPhone acquisition with lockdown file authentication. One more
way to get inside an Apple device!
- Acquisition of jailbroken iPhones is updated to support the latest iTunes
Windows 10 App
- Multiple improvements in Remote Acquisition including NAT
support
- Many more new and updated apps
Sign up for a webinar on BEC v.9.6!
Upgrading to version 9.6 is free to all customers with a non-expired Extended
Software Maintenance and Support contract. Customers without a current contract
can purchase it from the Customer Portal.
Affordable training with optional certification is
available.
New features in detail
Updated search engine
One of the biggest changes in BEC v.9.6 is a completely redone indexing engine.
We moved away from the pure Lucene engine and replaced it with ElasticSearch, one
of the most powerful indexing engines available today. ElasticSearch makes
the indexing process much quicker and more robust, allowing multi-threaded access to
the index and letting third-party tools examine it.
Thanks to the new indexing engine, the total time to complete analysis of
various data sources has significantly decreased, while the accuracy of various types
of searches, including regular-expression-based searches, has significantly improved.
Graphical timeline
The graphical timeline is finally back and can be found on the Timeline tab,
where you can switch between Grid View and Graph View. Using the graphical timeline,
you can visually locate various anomalies and event density points, and simply
create time-based filters using a mouse.
Hint: use Ctrl-Q/W/E to switch between different views of Graphical
Timeline.
iPhone acquisition with lockdown files
According to
this article, "Lockdown records, or pairing records, are files that are stored on the computer
to which the iOS device syncs to. These files are created the first time the
user connects their iOS device to a PC that has iTunes installed."
In v.9.6, Belkasoft Evidence Center can acquire iOS devices even if they
are locked, provided there is a valid (not expired) lockdown file. To
successfully acquire a device using this method, it is recommended to use the
original Apple Lightning cable.
Decryption
A number of improvements were made to the supported decryption types:
- FileVault decryption with a known password is supported (Decryption
module is required)
- Encrypted iPhone backups acquired with UFED Physical Analyzer are supported
- Nested decryption is supported: FileVault, BitLocker and McAfee Endpoint
Security decryption is now supported inside encrypted images, for example,
inside encrypted DMG files (Decryption module is required, a known password
is required)
File systems
- Multiple improvements to ext4 file system support
- Hash set analysis can be run for any data source type including folders
- More tweaks with APFS volumes with regards to hashing
- SHA-256 hashing algorithm added
Remote Acquisition
- Remote agent port configuration supported
- Support NAT in remote acquisition
- Hash values are stored next to an acquired image
- SHA-256 hashing algorithm added
- Stability improved for various scenarios of the remote agent or remote computer
becoming unresponsive or crashing
- New feature: Remote artifact extraction supported
- Issues fixed:
  - Connected iOS device is not visible through a remote agent
  - RAM image is not created under some circumstances
  - BEC cannot create RAM image for a remote PC when there is not enough
    space on the remote drive
Artifact analysis
New or updated artifacts:
iOS
- WhatsApp updated
- Apple Mail updated
- iChat (more correct time extraction)
- Telegram (time extracted correctly now; all accounts are parsed,
not only primary)
- Growlr (voicemail file name is now extracted)
- Ebuddy XMS (picture name is now extracted for picture transfer)
- ICQ (call duration fixed)
- Vipole (call duration fixed, other updates)
- TextMe (call duration fixed)
- ShareIT supported
- Telegram (updated)
- TikTok supported
- SMSes (owner phone extracted)
- iMessage (updates for v.11.0)
- iOS Frequent Locations for iOS 11 and higher supported
Android
- Chaatz updated
- Telegram X updated
- ShareIT supported
- LINE (dates in chats fixed)
- TikTok supported
- SMSes (owner phone extracted)
- VKCoffee (updates for v.7.91; profile owner fixes, unallocated records
analyzed)
- Signal updated
Windows
- Skype (updates for v.8.36.0.52, call duration fixed)
- ShellBag (time type explicitly specified in UI)
- ShareIT supported
- Internet Explorer (cache is properly displayed in properties)
- Backups of setupapi.dev log files supported
- Viber (updates for v.10.7.0)
All platforms
- Mails with the quoted-printable encoding
- MIME mails (carving improved)
- Thunderbird (smaller issues)
- Firefox v.66.0.3 (cache is properly displayed in properties)
Cloud artifacts
- Google Timeline geolocation data parsing improved
Incident investigations
- More useful filters added to the Incident Investigation window
Issues fixed
- Artifacts with type 'Others' are not shown in Overview
- Impossible to adjust a column list for a report from Overview -> Browsers
- Empty lines are shown in SQLite Viewer when SQLite database has WAL or journal
records
- Thumbnails are not generated in reports with HEIC pictures
- Data for the Unallocated table in SQLite takes too long to load
- Sorting by time does not work for URLs
- Incorrect sorting by Last Visit Time for URLs in Case Explorer
- Origin path is not saved for installed applications on macOS
- Origin path is not saved for Wi-Fi configurations on macOS
- Errors during analysis of Instagram pictures
- Voicemail is not shown in Attachments tab inside the Overview window
- Name of the owner account in Messages is duplicated
- HTML part is not extracted for a carved mail
- Date is not extracted for a carved MIME mail
Usability and GUI
- Disk acquisition options are separated into two windows
- List of properties for jumplists and file links is extended in Overview
- Carving signatures window is adjusted for the German locale
- VirusTotal analysis is enabled from the folders tree of the File System
window