What's new in BEC v.9.6

What's New in Belkasoft Evidence Center 2019 Version 9.6

Belkasoft Evidence Center 2019 v.9.6 (or, in short, BEC) is an all-in-one forensic solution, combining mobile, computer, RAM, cloud and remote forensics as well as incident investigations in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

The following new functions are included in BEC v.9.6:

  • Updated search engine. The new engine, namely ElasticSearch, is known for its greater speed and precision. One of the benefits of having ElasticSearch is a number of third-party tools capable of working with indexed data
  • Updated graphical timeline. This feature gives you a possibility to glance over various events in a case, make filters with your mouse and synchronize with text timeline to narrow your search
  • TikTok support for Android and iPhone. This new media app is becoming extremely popular nowadays
  • FileVault decryption with a known password
  • iPhone acquisition with lockdown file authentication. One more way to get inside an Apple device!
  • Acquisition of jailbroken iPhones is updated to support the latest iTunes Windows 10 App
  • Multiple improvements in Remote Acquisition including NAT support
  • Many more new and updated apps

Sign up for a webinar on BEC v.9.6!


Upgrading to version 9.6 is free to all customers with a non-expired Extended Software Maintenance and Support contract. Customers without a current contract can purchase it from the Customer Portal. Affordable training with optional certification is available.

New features in detail

Updated search engine

One of the biggest changes with BEC v.9.6 is completely redone indexing engine. We went away from pure Lucene engine and replaced it with ElasticSearch, one of the most powerful indexing engines existing nowadays. ElasticSearch makes indexing process much quicker and robust, allowing multi-threading access to the index and third-party tools to examine it.

Thanks to the new indexing engine, the total time to complete analysis of various data sources significantly decreased while the accuracy of various types of searches is significantly improved, including regular expression based searches.

Graphical timeline

Graphical timeline is finally back and can be found at the Timeline tab, where you can switch between Grid View and Graph View. Using the graphical timeline you can visually locate various anomalies, events density points, and simply create time-based filters using a mouse.

Hint: use Ctrl-Q/W/E to switch between different views of Graphical Timeline.

iPhone acquisition with lockdown files

According to this article, "Lockdown records, or pairing records, are files that are stored on the computer to which the iOS device syncs to. These files are created the first time the user connects their iOS device to a PC that has iTunes installed."

In v.9.6 Belkasoft Evidence Center can acquire iOS devices even if they are locked, in case there is a valid (not expired) lockdown file. In order to successfully acquire a device using this method, it is recommended to use the original Apple lightning cable.


A number of improvements were made to the supported decryption types:

  • FileVault decryption with known password supported (Decryption module is required)
  • Encrypted iPhone backup acquired with UFED Physical Analyzer supported
  • Nested decryption is supported: FileVault, Bitlocker and McAfee Endpoint Security decryption is now supported inside encrypted images, for example, inside encrypted DMG files (Decryption module is required, a known password is required)

File systems

  • Multiple improvements to ext4 file system support

  • Hash set analysis can be run for any data source type including folders

  • More tweaks with APFS volumes with regards to hashing
  • SHA-256 hashing algorithm added

Remote Acquisition

  • Remote agent port configuration supported
  • Support NAT in remote acquisition
  • Hash values are stored next to an acquired image
  • SHA-256 hashing algorithm added
  • Stability improved for various scenarios of the remote agent or remote computer becoming irresponsive/crashed
  • New feature: Remote artifact extraction supported
  • Issues fixed:
    • Сonnected iOS device is not visible through a remote agent
    • RAM image is not created under some circumstances
    • BEC cannot create RAM image for a remote PC when there is not enough space on the remote drive

Artifact analysis

New or updated artifacts:

  • iOS
    • WhatsApp updated
    • Apple Mail updated
    • iChat (more correct time extraction)
    • Telegram (time extracted correctly now; all accounts are parsed, not only primary)
    • Growlr (voicemail file name is now extracted)
    • Ebuddy XMS (picture name is now extracted for picture transfer)
    • ICQ (call duration fixed)
    • Vipole (call duration fixed, other updates)
    • TextMe (call duration fixed)
    • ShareIT supported
    • Telegram (updated)
    • TikTok supported
    • SMSes (owner phone extracted)
    • iMessage (updates for v.11.0)
    • iOS Frequent Locations for iOS 11 and higher supported
  • Android
    • Chaatz updated
    • Telegram X updated
    • ShareIT supported
    • LINE (dates in chats fixed)
    • TikTok supported
    • SMSes (owner phone extracted)
    • VKCofee (updates for v.7.91; profile owner fixes, unallocated records analyzed)
    • Signal updated
  • Windows
    • Skype (updates for v., call duration fixed)
    • ShellBag (time type explicitly specified in UI)
    • ShareIT supported
    • Internet Explorer (cache is properly displayed in properties)
    • Backups of setupapi.dev log files supported
    • Viber (updates for v.10.7.0)
  • All platforms
    • Mails with the quoted-printable encoding
    • MIME mails (carving improved)
    • Thunderbird (smaller issues)
    • Firefox v.66.0.3 (cache is properly displayed in properties)
  • Cloud artifacts
    • Google Timeline geolocation data parsing improved

Incident investigations

  • More useful filters added to the Incident Investigation window

Issues fixed

  • Artifacts with type 'Others' are not shown in Overview
  • Impossible to adjust a column list for a report from Overview -> Browsers
  • Empty lines are shown in SQLite Viewer when SQLite database has WAL or journal records
  • Thumbnails are not generated in reports with HEIC pictures
  • Too long loading data for Unallocated table in SQLite
  • Sorting by time does not work for URLs
  • Incorrect sorting by Last Visit Time for URLs in Case Explorer
  • Origin path is not saved for installed applications on macOS
  • Origin path is not saved for Wi-Fi configurations on macOS
  • Errors while analysis of Instagram pictures
  • Voicemail is not shown in Attachments tab inside the Overview window
  • Name of the owner account in Messages is duplicated
  • HTML part is not extracted for a carved mail
  • Date is not extracted for a carved MIME mail

Usability and GUI

  • Disk acquisition options are separated into two windows
  • List of properties for jumplists and file links are extended in Overview
  • Carving signatures window is adjusted for the German locale
  • VirusTotal analysis is enabled from the folders tree of the File System window

Sign up for a webinar on new BEC v.9.6