Belkasoft Evidence Center 2020 v.9.8 (or, in short, BEC) is an all-in-one forensic solution, combining mobile and computer forensics as well as memory, cloud and remote forensics, and incident investigations in a single tool. Given its affordable price, it is one of the best choices among other available products on the market.

In v.9.8, Belkasoft added two extremely important features of iOS device acquisition. Among major features included in BEC 2020 v.9.8 there are:

• Acquisition of iOS devices with checkra1n jailbreak
• Full file system copy of some iOS devices without jailbreak
• Decryption of TrueCrypt, VeraCrypt, PGP and other types of encryption is added
• Massive improvements in Remote Forensics and Incident Investigation modules
• Support for mounting and analysis of many new archive file types
• Numerous updates to artifact extraction

Sign up for a webinar on BEC v.9.8!

Upgrading to version 9.8 is free to all customers with a non-expired Extended Software Maintenance and Support contract. Customers without a current contract can purchase it from the Customer Portal. Affordable training with optional certification is available.

The complete list of new features

Mobile device acquisition

• Acquisition of iOS devices with checkra1n jailbreak supported
• Acquisition of some iOS devices without jailbreak supported (IMPORTANT! You need to switch off antivirus otherwise it will delete the agent since it works like an exploit. Besides, you must have an Internet connection, otherwise agent will not install)
• MTK processor type autodetection supported

Computer forensics

• File filtering by selected hashset database (white/black listing) supported
• DriveCrypt, PGP, Symantec, TrueCrypt, VeraCrypt decryption with known password or recovery key supported
• More raw images added to supported image types
• Many archive types supported for image mounting and subsequent analysis: 7z, rar, gz, etc

Incident Investigation

• Evidence of execution: ShimCache analysis improved
• Specific fields from PowerShell journal extracted
• Specific fields from Microsoft-Windows-Windows Defender/Operational journal and Event ID 1116 extracted
• Better layout of artifacts

Remote acquisition

The entire module is massively updated. Stability and robustness are improved, error handling is brushed up and enhanced.

New and updated applications

• Windows
  • Carbonite app supported
  • Google Drive updated
  • Limewire P2P app supported
  • LNK analysis massively improved (see also our article on LNK forensics)
  • OneDrive app updated
  • Puffin browser supported
• Android
  • Ctrip application updated
  • Facebook updated
  • Google Calendar supported
  • Puffin browser supported
  • SharePoint app supported
  • Telegram updated
  • Telegram X updated
  • Zalo updated
• iOS
  • Apple Mail updated
  • CarPlay updated
  • Evernote updated
  • Facebook updated
  • Puffin browser supported
  • Telegram updated

Bugfixes and smaller improvements

• Raw data is not shown for The Bat profiles in Hex Viewer—fixed
• Hex Viewer navigation does not work for Mail.ru profiles for Android and iOS apps, Mail 163 and Yahoo apps—fixed
• Analysis Facebook profile is failed to complete—fixed
• Hex Viewer tab is empty for Apple mail—fixed
• Message transferred events are picked up in Unknown Events instead of Chat events—fixed
• Less artifacts carved from Unallocated space for Skype—fixed
• After selecting the ODIN mode there is no possibility to switch to ADB—fixed
• Android Telegram: Geolocation data is incorrectly displayed in Open Street maps; Attachment extraction improved—fixed
• iOS Telegram: There is no ID / phone number / nickname for the account owner and nickname for contacts—fixed
• Android Telegram X: Time (UTC)/Time (Local) is not extracted—fixed
• Android Zalo: Calls not retrieved—fixed
• Report in PDF format for Document does not show embedded files list—fixed
• Filter by time does not work for Heart rate data type (fitness tracker profiles)—fixed
• Search in Evidence Reader does not work under some circumstances—fixed
• Incorrect phone number detected at profile name for dual SIM-card SMS/call profiles—fixed
• Error creating a report from Task Manager—fixed
• Error analyzing an animated gif for pornography—fixed
• Descriptions and units for focus counter values added

Sign up for a webinar on new BEC v.9.8