Belkasoft Evidence Center 2020 v.9.7 (or, in short, BEC)
is an all-in-one forensic solution, combining mobile and computer forensics as well as
memory, cloud and remote forensics, and incident investigations in a
single tool. Given its affordable price, it is one of the best choices among
other available products on the market.
In v.9.7, Belkasoft significantly expanded BEC support of various mobile data
sources and improved its Remote Forensics module.
Among major features included in BEC 2020 v.9.7 there are:
- Acquisition of MTK based devices
- Acquisition via MTP/PTP protocols
- iOS 13 support
- Support for Xiaomi and Huawei backups
- F2FS file system parsing and analysis
- CarPlay analysis
- Major improvements of Remote Forensics (macOS support;
WMI deployment)
- Connection Graph revamped
- Numerous improvements in Artificial Neural Network analysis of
photos
- The search of Japanese texts improved
- Numerous updates to artifact extraction
Sign up for a webinar
on BEC v.9.7!
Upgrading to version 9.7 is free to all customers with a non-expired Extended
Software Maintenance and Support contract. Customers without a current contract
can purchase it from the Customer Portal.
Affordable training with optional certification is available.
New features in detail
Mobile device acquisition
In BEC 2020 v.9.7 we increased the number of acquisition methods:
- Acquisition of MTK based devices is now supported. MTK stands
for MediaTek, and MediaTek is a
well-known chip manufacturing company based in Taiwan. The company supplies
enough semiconductors to produce 1.5 billion devices a year so it is important
to have support for their devices in a digital forensic tool like Belkasoft
Evidence Center.
Data is extracted by using MediaTek Preloader Download Mode for corresponding
Android mobile devices powered by MediaTek chip. Flash memory downloading
is applied to a device turned off, so neither unlocking nor root access
is required
- Acquisition via MTP/PTP protocols. One of the options suggested
to a user when they connect their device to a computer is "transfer media
files using MTP". MTP stands for "Media Transfer Protocol" and it is an
extension to the Picture Transfer Protocol (PTP) communications protocol
that allows media files to be transferred from portable devices. Whereas
PTP was designed for downloading photographs from digital cameras, Media
Transfer Protocol allows the transfer of music files on digital audio players
and media files. Now you can use any of these two protocols to acquire media
from digital devices
- iTunes backup creation supported for Apple devices running new iOS
13
- Finally, iTunes backup can now be created with forced encryption.
Since unencrypted backup contains less data than encrypted one, Belkasoft
Evidence Center offers a user to encrypt the backup
Support for Xiaomi and Huawei backups
- Xiaomi MIUI backups are supported. MI User Interface abbreviated
MIUI is a firmware for smartphones and tablets developed by Chinese electronics
manufacturer Xiaomi. The firmware is based on Google's Android operating
system and in particular, has its own backup. The global market share of
Xiaomi devices is estimated at 9% (compare to Apple which has 10%) but in
some markets, it is even more popular. For example, in India, Xiaomi is
a bestseller with a market share of 28%. That's why with BEC v.9.7 you can
now ingest and analyze MIUI backups
- Huawei HiSuite backups are supported. Huawei is even more popular
than Xiaomi (16% global market share), though its share decreased by the
recent US ban. Huawei HiSuite is the official Android Smart Device Manager
tool developed by Huawei Mobile. HiSuite works with such Huawei smartphones
as Huawei P20/Plus, Honor 9N, Honor 10, Honor 9 Lite, Nova 3, Honor Note
10, and more. In particular, HiSuite has its own backup and restore mechanism.
You will need to specify a password to decrypt the backup with BEC.
BEC also supports analysis of a local Huawei
device backup (backups which are stored internally on a device)
F2FS support
F2FS stands for "Flash-Friendly File System". This is a file system developed
by Samsung with the idea of having a file system specifically for devices with
flash memory. These days the F2FS file system is considered perspective. While
it is not being widely used yet, it is adopted, in particular, by Google in
their Pixel 3 devices.
Belkasoft now natively supports parsing and analysis of partitions formatted
under F2FS: you can see their contents in File System Explorer window, review
files and folders, examine their contents in HexViewer and of course, run BEC
analysis for artifacts stored inside.
Remote Forensics
Remote Acquisition module, even just released, attracted huge attention of
our corporate customers. Excited and encourages by such an interest, we increased
our efforts on improving the initial function set.
In the new version of BEC, you will find the following improvements of Remote
Acquisition module:
- Agents can now run on macOS and acquire logical images. In the
previous version, agents could only run on Windows; now macOS remote acquisition
is also supported. You can acquire DMG images of all attached devices with
an exception of Macintosh HD; while for the main drive you can acquire any
folder
- Multiple improvements made to the remote acquisition of Android and
iOS devices
- We expanded the set of configuration options to enable you to cover
wider set of various setups of your local network
- Only one agent can be run at the same time at the same machine to avoid
conflicts
- Better processing of errors on a remote PC such as lack of disk space
- A remote agent can now be deployed via WMI (Windows Management
Instrumentation). Apart from GPO and local deployment, supported in previous
versions, you can now also use WMI to push agents inside your Windows LAN

Agent WMI deployment settings
Artificial Intelligence-based photo analysis
We have significantly improved photo analysis based on Artificial Neural
Networks (ANNs):
- Detection of pornography and guns now works much
quicker
- The number of false positives for crosses and arrows detection on drug-related
images is significantly decreased
- Text detection and OCR for Cyrillic-based languages is improved
- Face detection improved
- No more need for installing CAFFE library and Python
Artifact analysis
As usual, a few dozens of new and updated artifacts are included in the new
BEC version:
- iOS
- CarPlay. In some cars, you can
connect your iPhone
to the car computer. You will be able to see your iPhone screen projected on
the car computer, accept calls, read messages, listen to music. With the latest
version of BEC, you can extract some of the artifacts, stored behind the communication
of an iPhone with a car, such as a start and an end time of the CarPlay session
as well as last Siri request (in text). You need to have a full file system
copy of an iPhone since this data is not stored in iTunes backup. You may do
such a copy with Belkasoft Evidence Center for jailbroken backups
- iMessage
- Instagram Direct
- Hot or Not
- MeetMe
- Pinterest
- Snapchat
- Telegram
- WeChat
- Whisper
- Yubo
- Zello
- Android
- Calls
- Ctrip (including map, transportation and location)
- Facebook
- Hot or Not
- Instagram Direct
- Kakao Talk
- Kik
- MeetMe
- MMS
- ooVoo
- Pinterest (geolocation data supported)
- Skout
- Snapchat
- Tango (call duration extracted)
- Telegram X
- TextMe
- VK (added extraction of geolocation, photo and video)
- WhatsApp (performance significantly improved)
- Whisper
- Zalo
- macOS
- aMSN (owner name is now extracted)
- Windows
- Chrome (unallocated carving improved)
- Chromium passwords (creation date is now extracted)
- Mail app
- LNK carving supported
- Shareaza
- Telegram Desktop
- Yandex.Browser (password modification date is extracted)
Reporting
- Option to exclude embedded files from a report added
- Column for embedded files added
- Report creation supported for Connection Graph
- User sorting now works in reports
User Interface
- More filters for system events shown in Timeline
- Better Syscache representation
- File System better representation of deleted folders (a folder is not
marked as deleted if only part of files are deleted)
- UTC time shown in the list of results
- SQLite Viewer now shows selected item in corresponding table
- Carved System event log item is now shown in HexViewer
- Picture preview is now shown after disconnecting and then re-connecting
a data source
- Italian localization added
- Fixed issue with not showing contents of Bitlocker and FileVault encrypted
image after decryption in File System Explorer
Connection Graph
Connection Graph was temporarily removed for v.9.6 and is now back with a
number of improvements, including clearer look and feel:

Other improvements
- Search of Japanese improved. Basing on the feedback from our Japanese customers,
we tuned our new search engine built on ElasticSearch, to better search hieroglyphic
terms.
- Application names in registry data are decoded per ROT13
- Better JPG carving
- Support for EML messages carving
- Search of words from file fails (issue fixed)
- Dates are not extracted from PDF documents (issue fixed)
- JBIG2 decoding supported for pictures embedded into PDF documents
- DMG images analysis improved
- Correct time extraction (UTC/Local) for MIME emails
- Incorrectly detected recipient/sender at device with two SIM-cards
(issue fixed)
- and about 180 other improvements made
Sign up for a webinar on
new BEC v.9.7