Belkasoft X Help Contents

X Computer

X Computer edition is a cost-effective solution developed specifically for investigators in local police departments, experts in small to medium consulting companies providing digital forensic and incident response services, and individual customers such as private investigators or digital forensic consultants. Customers who typically deal with only a few computer-related cases per year and/or have a limited budget will enjoy the very affordable price of X Computer edition.

Key features of X Computer edition:

  • Extracts data from, mounts, and analyzes hard drives, disk images, virtual machines, and RAM.
  • Mounts images from third-party tools (EnCase, FTK, X-Ways, etc.), L01/Lx01, DD images, and archive files (such as .tar, .zip, and others).
  • Examines and analyzes hundreds of artifacts: chats, browsers, mailboxes, documents, pictures and videos, and system files.
  • Uses analytical features, such as Connection Graph, Timeline, and advanced picture analysis.
  • Performs in-depth examinations into the contents of files and folders on the device with File System Explorer. Finds even more evidence with the Registry and SQLite Viewers.
  • Locates evidence that was deleted or hidden with powerful file and data carving features.

Belkasoft X Computer supports these data types:

  • Audio
    • Belkasoft X supports dozens of formats, including ape, flac, m4a, mp3, ogg, wav, and others.
  • Browsers
    • Belkasoft X supports all major web browsers—Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, Baidu, Dolphin, Maxthon, Mercury, QQ Browser, 360 Browser, and others.
  • Cloud applications
    • Belkasoft X supports popular cloud apps: Dropbox (with decryption), Google Drive, OneDrive, Yandex.Disk, Flickr. For apps that lack installable clients, Belkasoft X analyzes RAM artifacts for their contents.
  • Cryptocurrencies
    • Belkasoft X supports analysis tasks for Bitcoin, Bitcoin Core, and Ethereum (and the Jaxx app).
  • Email
    • Belkasoft X supports all major email clients—Outlook, Outlook Express, Gmail offline, Mozilla Thunderbird, Windows Live Mail, The Bat, Apple Mail, and others.
  • Encrypted files and volumes (detection only)
    • Belkasoft X supports over 280 encryption types, such as BitLocker (used in Windows), Microsoft Office documents, archives (7z, RAR, and others), encrypted iTunes backups, and others.
  • OLE containers and yEnc files
  • Instant messengers
    • Belkasoft X supports all popular instant messenger apps and services, such as WhatsApp, Telegram, Facebook Messenger, Skype, WeChat, Snapchat, and more.
  • Geolocation data
    • Belkasoft X can extract geolocation information from images (with GPS tags in their EXIF metadata), Google Maps browser queries, geolocation details shared in chats, fitness tracker location data, and others.
  • MMORPG
    • Belkasoft X can extract data for MMORPG games (Karos, Lineage, World of Warcraft) from RAM dumps.
  • Peer-to-peer (P2P) clients
    • Belkasoft X can analyze popular Windows P2P clients, such as Ares Galaxy, eMule, FrostWire, GigaTribe, LimeWire, Shareaza, SHAREit, and Torrent.
  • Payment systems
    • Qiwi wallets can be analyzed (also see Cryptocurrencies above).
  • Pictures
    • Belkasoft X scans pictures and videos for EXIF data, pornography, skin, faces, scanned text, and guns.
    • Belkasoft X supports more than 90 image formats, ranging from RAW camera formats to JPG, PNG, TIFF, HEIC and other widely used formats.
  • Social network communications
    • From RAM dumps, Belkasoft X analyzes Bebo, Facebook, Facebook Messenger, OK (Odnoklassniki), Orkut, Twitter, and Vkontakte (VK).
    • Mobile apps support.
    • Extraction from browser cache.
  • System files Belkasoft X supports:
    • Windows: Windows Event Log, thumbnails and thumb cache, registry files, jump lists, TOAST notifications, LNK files, Prefetch, Windows 10 timeline, and others.
    • macOS: System configuration, installed applications, Bluetooth configuration, WiFi connections, and others.
    • Native support for Windows registry files—Belkasoft X recovers badly damaged and partially overwritten registries.
    • Built-in Registry Viewer for viewing Windows registries (without third party applications).
    • Built-in Plist Viewer for viewing macOS system files (without the use of third party applications).
  • Thumbnails
    • Belkasoft X can analyze thumbnail files for Android and iOS.
  • Videos
    • Belkasoft X can find videos in over 30 formats, such as AVI, MOV, MTS, WMV, and others.
    • Belkasoft X supports keyframe extraction for supported video files. An appropriate codec must be installed on the machine.
  • Webmail
    • Belkasoft X can detect webmail traces (for Gmail, Yahoo mail, and others) through Live RAM analysis.

Note: As additional artifacts become supported in new Belkasoft X releases, the contents of the list above may change depending on the Belkasoft X version.

Supported acquisition types

Belkasoft X supports several local acquisition methods for devices.

  • Active Windows machine RAM (volatile memory), through the Live RAM Capturer tool bundled with the Belkasoft X installation package.
  • Hard and removable drive acquisition to raw or E01 format.
  • Cloud acquisition for many cloud, social networking, and webmail services
    • Belkasoft X currently supports these services: Google Drive, Google Timeline, Gmail, Instagram, and over 30 webmail providers (Yahoo, Hotmail, QQ, and others).

Note: To learn more about the different acquisition types—especially their pros and cons, when they are suitable for use, and other variables—you can sign up for a course at Belkasoft forensic training.

Supported extraction types

Belkasoft X extracts and recovers artifacts using different techniques:

  • Analyzing existing files.
  • Carving (signature-based analysis) of deleted or hidden data in unallocated, slack, or free space on a hard drive or an image.
  • Carving RAM dumps and analyzing live memory to extract social network remnants (Facebook, Twitter, and others), web-based mail (Gmail, Hotmail, and others), and cloud application data (Dropbox, Flickr, and others).
  • Extracting processes.
  • Carving using custom signatures.
  • Analyzing Volume Shadow Copy snapshots.
  • Analyzing virtual machine files (without switching on the virtual machine).

Supported analysis types

  • Full-text search through all forms of evidence collected.
  • Timeline—to filter and present all user activities and system events at given dates on a single screen.
  • Pictures analysis—to detect skin, guns, pornography, scanned texts, and faces.
  • Geolocation data presentation in the Open Street View window or in the third-party Google Earth app.
  • Connection Graph and its features—communication visualization and community detection—to show links between individuals and detect tightly connected groups.

Other functions

These functions are also included in Belkasoft X Computer configuration:

  • Report creation in numerous formats, such as text (file), HTML, XML, CSV, PDF, RTF, Excel, Word, EML, KML, and JSON.
  • Project VIC support.
  • Sharing of findings through Belkasoft Evidence Reader with colleagues and other people who may not have Belkasoft Evidence Center X installed on their computers.
  • Export to LACE (pictures and videos only).

SQLite support:

  • Native support for SQL databases for recovery of critically damaged and partially overwritten databases.
  • Proprietary SQLite Viewer for viewing SQLite databases without the need for third-party applications. With Belkasoft X, you can inspect the database schema, view existing and deleted data, and run time and string column conversions.
  • Belkasoft X SQLite Viewer for opening damaged SQLite files, which standard SQLite viewers struggle to handle.
  • SQLite freelist, WAL, journal file, and SQL unallocated analysis functions for extracting destroyed evidence and viewing deleted information, such as deleted iPhone SMS messages and Skype chats.

Office documents support:

  • Microsoft Office: DOC, DOCX, XLS, XLSX, PPT, PPTX
  • OpenOffice: ODT, ODS, ODP
  • PDF
  • RTF
  • Text files (TXT and LOG files)
  • macOS: KEY, KEYNOTE, NUMBERS and PAGES
  • For the supported file types, plain text as well as metadata is extracted and indexed
  • Embedded files can be extracted and shown
  • Document preview is shown for PDF files

File System support:

  • APFS (including encrypted)
  • F2FS
  • FAT
  • exFAT
  • NTFS
  • HFS
  • HFS+
  • ext2
  • ext3
  • ext4
  • YAFFS
  • YAFFS2

File System Explorer allows you to perform a thorough low-level forensic analysis. You can view and navigate through all folders and files from a data source (added to the case) and examine hidden, deleted, and special system files and folders, such as $OrphanFiles or $Extends.

Belkasoft X extracts memory processes from RAM dumps.

You can browse through mobile or computer file systems and memory dumps acquired through Belkasoft or any third-party app.

In the Hex Viewer window, you can conveniently view the contents of a selected file or process binary. You can use the hashset analysis function. An NSRL hashset database or a folder with previously known files is also available for use.

File System Explorer also allows you to check memory processes and files for malware through different techniques—for example, detection of fake system processes using VirusTotal.