Belkasoft Evidence Center 2020 v.9.7 (or, in short, BEC) is an all-in-one forensic solution, combining mobile and computer forensics as well as memory, cloud and remote forensics, and incident investigations in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

In v.9.7, Belkasoft significantly expanded BEC support of various mobile data sources and improved its Remote Forensics module.

Among major features included in BEC 2020 v.9.7 there are:

• Acquisition of MTK based devices
• Acquisition via MTP/PTP protocols
• iOS 13 support
• Support for Xiaomi and Huawei backups
• F2FS file system parsing and analysis
• CarPlay analysis
• Major improvements of Remote Forensics (macOS support; WMI deployment)
• Connection Graph revamped
• Numerous improvements in Artificial Neural Network analysis of photos
• The search of Japanese texts improved
• Numerous updates to artifact extraction

Sign up for a webinar on BEC v.9.7!

Upgrading to version 9.7 is free to all customers with a non-expired Extended Software Maintenance and Support contract. Customers without a current contract can purchase it from the Customer Portal. Affordable training with optional certification is available.

New features in detail

Mobile device acquisition

In BEC 2020 v.9.7 we increased the number of acquisition methods:

• Acquisition of MTK based devices is now supported. MTK stands for MediaTek, and MediaTek is a well-known chip manufacturing company based in Taiwan. The company supplies enough semiconductors to produce 1.5 billion devices a year so it is important to have support for their devices in a digital forensic tool like Belkasoft Evidence Center.
  
  Data is extracted by using MediaTek Preloader Download Mode for corresponding Android mobile devices powered by MediaTek chip. Flash memory downloading is applied to a device turned off, so neither unlocking nor root access is required
• Acquisition via MTP/PTP protocols. One of the options suggested to a user when they connect their device to a computer is "transfer media files using MTP". MTP stands for "Media Transfer Protocol" and it is an extension to the Picture Transfer Protocol (PTP) communications protocol that allows media files to be transferred from portable devices. Whereas PTP was designed for downloading photographs from digital cameras, Media Transfer Protocol allows the transfer of music files on digital audio players and media files. Now you can use any of these two protocols to acquire media from digital devices
• iTunes backup creation supported for Apple devices running new iOS 13
• Finally, iTunes backup can now be created with forced encryption. Since unencrypted backup contains less data than encrypted one, Belkasoft Evidence Center offers a user to encrypt the backup

Support for Xiaomi and Huawei backups

• Xiaomi MIUI backups are supported. MI User Interface abbreviated MIUI is a firmware for smartphones and tablets developed by Chinese electronics manufacturer Xiaomi. The firmware is based on Google's Android operating system and in particular, has its own backup. The global market share of Xiaomi devices is estimated at 9% (compare to Apple which has 10%) but in some markets, it is even more popular. For example, in India, Xiaomi is a bestseller with a market share of 28%. That's why with BEC v.9.7 you can now ingest and analyze MIUI backups
• Huawei HiSuite backups are supported. Huawei is even more popular than Xiaomi (16% global market share), though its share decreased by the recent US ban. Huawei HiSuite is the official Android Smart Device Manager tool developed by Huawei Mobile. HiSuite works with such Huawei smartphones as Huawei P20/Plus, Honor 9N, Honor 10, Honor 9 Lite, Nova 3, Honor Note 10, and more. In particular, HiSuite has its own backup and restore mechanism. You will need to specify a password to decrypt the backup with BEC. BEC also supports analysis of a local Huawei device backup (backups which are stored internally on a device)

F2FS support

F2FS stands for "Flash-Friendly File System". This is a file system developed by Samsung with the idea of having a file system specifically for devices with flash memory. These days the F2FS file system is considered perspective. While it is not being widely used yet, it is adopted, in particular, by Google in their Pixel 3 devices.

Belkasoft now natively supports parsing and analysis of partitions formatted under F2FS: you can see their contents in File System Explorer window, review files and folders, examine their contents in HexViewer and of course, run BEC analysis for artifacts stored inside.

Remote Forensics

Remote Acquisition module, even just released, attracted huge attention of our corporate customers. Excited and encourages by such an interest, we increased our efforts on improving the initial function set.

In the new version of BEC, you will find the following improvements of Remote Acquisition module:

• Agents can now run on macOS and acquire logical images. In the previous version, agents could only run on Windows; now macOS remote acquisition is also supported. You can acquire DMG images of all attached devices with an exception of Macintosh HD; while for the main drive you can acquire any folder
• Multiple improvements made to the remote acquisition of Android and iOS devices
• We expanded the set of configuration options to enable you to cover wider set of various setups of your local network
• Only one agent can be run at the same time at the same machine to avoid conflicts
• Better processing of errors on a remote PC such as lack of disk space
• A remote agent can now be deployed via WMI (Windows Management Instrumentation). Apart from GPO and local deployment, supported in previous versions, you can now also use WMI to push agents inside your Windows LAN

Agent WMI deployment settings

Artificial Intelligence-based photo analysis

We have significantly improved photo analysis based on Artificial Neural Networks (ANNs):

• Detection of pornography and guns now works much quicker
• The number of false positives for crosses and arrows detection on drug-related images is significantly decreased
• Text detection and OCR for Cyrillic-based languages is improved
• Face detection improved
• No more need for installing CAFFE library and Python

Artifact analysis

As usual, a few dozens of new and updated artifacts are included in the new BEC version:

• iOS
  • CarPlay. In some cars, you can connect your iPhone to the car computer. You will be able to see your iPhone screen projected on the car computer, accept calls, read messages, listen to music. With the latest version of BEC, you can extract some of the artifacts, stored behind the communication of an iPhone with a car, such as a start and an end time of the CarPlay session as well as last Siri request (in text). You need to have a full file system copy of an iPhone since this data is not stored in iTunes backup. You may do such a copy with Belkasoft Evidence Center for jailbroken backups
  • iMessage
  • Instagram Direct
  • Hot or Not
  • MeetMe
  • Pinterest
  • Snapchat
  • Telegram
  • WeChat
  • Whisper
  • Yubo
  • Zello
• Android
  • Calls
  • Ctrip (including map, transportation and location)
  • Facebook
  • Hot or Not
  • Instagram Direct
  • Kakao Talk
  • Kik
  • MeetMe
  • MMS
  • ooVoo
  • Pinterest (geolocation data supported)
  • Skout
  • Snapchat
  • Tango (call duration extracted)
  • Telegram X
  • TextMe
  • VK (added extraction of geolocation, photo and video)
  • WhatsApp (performance significantly improved)
  • Whisper
  • Zalo
• macOS
  • aMSN (owner name is now extracted)
• Windows
  • Chrome (unallocated carving improved)
  • Chromium passwords (creation date is now extracted)
  • Mail app
  • LNK carving supported
  • Shareaza
  • Telegram Desktop
  • Yandex.Browser (password modification date is extracted)

Reporting

• Option to exclude embedded files from a report added
• Column for embedded files added
• Report creation supported for Connection Graph
• User sorting now works in reports

User Interface

• More filters for system events shown in Timeline
• Better Syscache representation
• File System better representation of deleted folders (a folder is not marked as deleted if only part of files are deleted)
• UTC time shown in the list of results
• SQLite Viewer now shows selected item in corresponding table
• Carved System event log item is now shown in HexViewer
• Picture preview is now shown after disconnecting and then re-connecting a data source
• Italian localization added
• Fixed issue with not showing contents of Bitlocker and FileVault encrypted image after decryption in File System Explorer

Connection Graph

Connection Graph was temporarily removed for v.9.6 and is now back with a number of improvements, including clearer look and feel:

Other improvements

• Search of Japanese improved. Basing on the feedback from our Japanese customers, we tuned our new search engine built on ElasticSearch, to better search hieroglyphic terms.
• Application names in registry data are decoded per ROT13
• Better JPG carving
• Support for EML messages carving
• Search of words from file fails (issue fixed)
• Dates are not extracted from PDF documents (issue fixed)
• JBIG2 decoding supported for pictures embedded into PDF documents
• DMG images analysis improved
• Correct time extraction (UTC/Local) for MIME emails
• Incorrectly detected recipient/sender at device with two SIM-cards (issue fixed)
• and about 180 other improvements made

Sign up for a webinar on new BEC v.9.7