What's New in Belkasoft Evidence Center 2019 Version 9.6

Belkasoft Evidence Center 2019 v.9.6 (or, in short, BEC) is an all-in-one forensic solution, combining mobile, computer, RAM, cloud and remote forensics as well as incident investigations in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

The following new functions are included in BEC v.9.6:

Updated search engine. The new engine, namely ElasticSearch, is known for its greater speed and precision. One of the benefits of having ElasticSearch is a number of third-party tools capable of working with indexed data
Updated graphical timeline. This feature gives you a possibility to glance over various events in a case, make filters with your mouse and synchronize with text timeline to narrow your search
TikTok support for Android and iPhone. This new media app is becoming extremely popular nowadays
FileVault decryption with a known password
iPhone acquisition with lockdown file authentication. One more way to get inside an Apple device!
Acquisition of jailbroken iPhones is updated to support the latest iTunes Windows 10 App
Multiple improvements in Remote Acquisition including NAT support
Many more new and updated apps

Sign up for a webinar on BEC v.9.6!

Download Free Request a quote

Download quote

Upgrading to version 9.6 is free to all customers with a non-expired Extended Software Maintenance and Support contract. Customers without a current contract can purchase it from the Customer Portal. Affordable training with optional certification is available.

New features in detail

Updated search engine

One of the biggest changes with BEC v.9.6 is completely redone indexing engine. We went away from pure Lucene engine and replaced it with ElasticSearch, one of the most powerful indexing engines existing nowadays. ElasticSearch makes indexing process much quicker and robust, allowing multi-threading access to the index and third-party tools to examine it.

Thanks to the new indexing engine, the total time to complete analysis of various data sources significantly decreased while the accuracy of various types of searches is significantly improved, including regular expression based searches.

Graphical timeline

Graphical timeline is finally back and can be found at the Timeline tab, where you can switch between Grid View and Graph View. Using the graphical timeline you can visually locate various anomalies, events density points, and simply create time-based filters using a mouse.

Hint: use Ctrl-Q/W/E to switch between different views of Graphical Timeline.

iPhone acquisition with lockdown files

According to this article, "Lockdown records, or pairing records, are files that are stored on the computer to which the iOS device syncs to. These files are created the first time the user connects their iOS device to a PC that has iTunes installed."

In v.9.6 Belkasoft Evidence Center can acquire iOS devices even if they are locked, in case there is a valid (not expired) lockdown file. In order to successfully acquire a device using this method, it is recommended to use the original Apple lightning cable.

Decryption

A number of improvements were made to the supported decryption types:

FileVault decryption with known password supported (Decryption module is required)
Encrypted iPhone backup acquired with UFED Physical Analyzer supported
Nested decryption is supported: FileVault, Bitlocker and McAfee Endpoint Security decryption is now supported inside encrypted images, for example, inside encrypted DMG files (Decryption module is required, a known password is required)

File systems

Multiple improvements to ext4 file system support
Hash set analysis can be run for any data source type including folders
More tweaks with APFS volumes with regards to hashing
SHA-256 hashing algorithm added

Remote Acquisition

Remote agent port configuration supported
Support NAT in remote acquisition
Hash values are stored next to an acquired image
SHA-256 hashing algorithm added
Stability improved for various scenarios of the remote agent or remote computer becoming irresponsive/crashed
New feature: Remote artifact extraction supported
Issues fixed:
- Сonnected iOS device is not visible through a remote agent
- RAM image is not created under some circumstances
- BEC cannot create RAM image for a remote PC when there is not enough space on the remote drive

Artifact analysis

New or updated artifacts:

iOS
- WhatsApp updated
- Apple Mail updated
- iChat (more correct time extraction)
- Telegram (time extracted correctly now; all accounts are parsed, not only primary)
- Growlr (voicemail file name is now extracted)
- Ebuddy XMS (picture name is now extracted for picture transfer)
- ICQ (call duration fixed)
- Vipole (call duration fixed, other updates)
- TextMe (call duration fixed)
- ShareIT supported
- Telegram (updated)
- TikTok supported
- SMSes (owner phone extracted)
- iMessage (updates for v.11.0)
- iOS Frequent Locations for iOS 11 and higher supported
Android
- Chaatz updated
- Telegram X updated
- ShareIT supported
- LINE (dates in chats fixed)
- TikTok supported
- SMSes (owner phone extracted)
- VKCofee (updates for v.7.91; profile owner fixes, unallocated records analyzed)
- Signal updated
Windows
- Skype (updates for v.8.36.0.52, call duration fixed)
- ShellBag (time type explicitly specified in UI)
- ShareIT supported
- Internet Explorer (cache is properly displayed in properties)
- Backups of setupapi.dev log files supported
- Viber (updates for v.10.7.0)
All platforms
- Mails with the quoted-printable encoding
- MIME mails (carving improved)
- Thunderbird (smaller issues)
- Firefox v.66.0.3 (cache is properly displayed in properties)
Cloud artifacts
- Google Timeline geolocation data parsing improved

Incident investigations

More useful filters added to the Incident Investigation window

Issues fixed

Artifacts with type 'Others' are not shown in Overview
Impossible to adjust a column list for a report from Overview -> Browsers
Empty lines are shown in SQLite Viewer when SQLite database has WAL or journal records
Thumbnails are not generated in reports with HEIC pictures
Too long loading data for Unallocated table in SQLite
Sorting by time does not work for URLs
Incorrect sorting by Last Visit Time for URLs in Case Explorer
Origin path is not saved for installed applications on macOS
Origin path is not saved for Wi-Fi configurations on macOS
Errors while analysis of Instagram pictures
Voicemail is not shown in Attachments tab inside the Overview window
Name of the owner account in Messages is duplicated
HTML part is not extracted for a carved mail
Date is not extracted for a carved MIME mail

Usability and GUI

Disk acquisition options are separated into two windows
List of properties for jumplists and file links are extended in Overview
Carving signatures window is adjusted for the German locale
VirusTotal analysis is enabled from the folders tree of the File System window

Download Free Request a quote

Download quote