Belkasoft Evidence Center

Belkasoft Evidence Center is an all-in-one forensic solution for locating, extracting, and analyzing digital evidence stored inside computers and mobile devices.

What's New in v8.0

Version 8.0 of the world’s leading digital forensic tool Belkasoft Evidence Center offers new acquisition capabilities, social communication graph analysis, in-depth Volume Shadow Copy support and a pack of new apps and formats.

Upgrading to version 8.0 is free of charge to all customers with non-expired Extended Software Maintenance and Support contracts. File System module can be purchased separately.

Major new functions of the product
  • New acquisition module. In v.8.0 of BEC the product allows you to acquire a hard or removable drive, make a logical image of Android or Apple device (including iOS 10), download iCloud and Google cloud and add all these types of acquired images to the BEC case for further analysis
  • New free acquisition tool – Belkasoft Acquisition Tool (or BelkaImager)
  • Analysis of social communications with Social Graph Builder module. New Connection Graph window visualizes entities and contacts, finds communities, shows communications for a selected link and so on
  • In-depth Volume Shadow Copy support. The new version of BEC can analyze even volumes with a massive number of snapshots. You can select one or multiple snapshots to analyze. File System Explorer allows you to browse a snapshot's directory structure and review files belonging to a selected snapshot in the Hex Viewer window
  • Alpha version of x64 build of BEC (Available for EAP users only)
  • As usual, each new BEC version comes with hundreds of new or updated artifact formats. See below for more detailed information.
Mobile App Support
  • Android Facebook extraction improved
  • ooVoo, Tinder iOS analysis updated
  • New apps: Uber for iOS, Pokemon Go iOS, Pokemon Go for Android
  • BEC can now analyze encrypted iTunes backup without a password and get installed applications
User Interface
  • Property page for iOS and Android backups shows more information on devices
  • Item lists improved: Any metadata property can be shown as a column in Picture List, Document List and other lists
  • All thumbnails are now shown in a single profile (the previous version showed every thumbnail file as a separate profile)
  • Better visualization of geolocation data on Google Maps using clustering
  • “Reset to default view” menu added which returns BEC windows back to default
  • When you click inside Case Explorer, File System Explorer or Connection Graph, the corresponding item list is shown at the right
  • The number of tested passwords is now shown in the ongoing decryption task status
  • Filters updated, new convenient filters added
SQLite Analysis
  • SQLite journal analysis improved, which made analysis of all SQLite-based artifacts quicker and more robust
Chat Support
  • Jabber support updated
  • Extraction of Skype message attachments made much quicker
System File Support
  • Windows 10 jumplists analysis updated
  • Network connection extraction supported for iOS and Android
  • Visualization of values in Registry Viewer fixed
  • Added support of last plug/unplug date for USB devices
Browser Support
  • Top Sites extraction supported
  • Web sessions extraction supported
  • Google Analytics extraction supported
  • Browser’s Tab extraction supported
Email Support
  • OLE attachments supported for Outlook
  • Analysis of Gmail Offline updated
Issues Fixed
  • Proper visualization of negative values in SQLite Viewer
  • Incorrect selection inside found item fixed
  • Export of Skype chatsync to XML and text fixed
  • Face detection fixed
  • Missed carved URLs in Overview fixed
  • Missed Cache tab in Item Properties fixed for browser links having cached data
  • Origin property added for some artifacts where it was missing in the previous version
  • $FreeSpace carving fixed
  • A number of hashset analysis issues fixed
  • About 300 other issues fixed

Overview

Belkasoft Evidence Center makes it easy for an investigator to search, analyze, store and share digital evidence found inside computers and mobile devices. The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will automatically analyze the data source and lay out the most forensically important artifacts for the investigator to review, examine more closely or add to a report.

  • Comprehensive examination
    Discovers more than 700 types of artifacts, including over 100 mobile applications, all major document formats, browsers, email clients, dozens of picture and video formats, instant messengers, social networks, system and registry files, P2P and file transfer tools, etc. Extracts data from all major operating systems, both computer and mobile: Windows, Linux, MacOS X, iOS, Android, Windows Phone, Blackberry.
  • Less missed evidence
    Looks for hidden and encrypted information, searches in unusual places, carves deleted and damaged data and examines files in little-known formats to discover more evidence than ever. The search includes unallocated and slack space, $MFT, $Log, Volume Shadow Copy and other special and little known areas of operating systems.
  • Blazing fast operation
    The product allows you to perform evidence search faster than most tools as it does not index every single file found on the data source, instead searching for the most forensically significant types of artifacts. Efficient usage of CPU adds to the speed of processing, as does the code written by our team of highly qualified specialists in data analysis.
  • Fair price
    Belkasoft Evidence Center offers the broadest set of tools and features for its price compared to other forensic software. All major analytical capabilities are present even in the most affordable versions of the product. Upgrades to your license can be purchased separately with no extra charges.
  • Flexible licensing. Usable in the field
    The most affordable license is designed to run on just one computer. The floating license is the definition of “value for money”: one license that comes with a USB dongle and allows you to run the product on multiple machines. The portable edition can be plugged into any PC, laptop or desktop, with no installation or configuration required.

Benefits

What are the advantages of using Belkasoft Evidence Center?
  • It’s Comprehensive.
    Belkasoft Evidence Center can find and analyze over 700 types of the most forensically important artifacts from all major computer and mobile operating systems. The tool supports analysis of hard drives and drive images, virtual machines, memory dumps, mobile device backups, UFED images, JTAG and chip-off dumps.
  • It Saves Your Time & Effort.
    Unlike many other forensic products, Belkasoft Evidence Center does not require your constant presence and attention. Most of the routine is automated, allowing multi-tasking and freeing up some of your valuable time.
  • It’s Powerful.
    The product finds, analyzes, and lays out to you on a platter about 90-95% of the data from the device being examined completely automatically, but it does not stop there. You can use one of the product’s powerful analytical features for low-level examinations (SQLite Viewer, Hex Viewer, Registry Viewer) to locate hard-to-access, damaged, and deleted information.
  • It’s Forensically Sound.
    Evidence Center is designed to meet the demands of forensic experts and investigators. Workflow is simple and quick, and results are easy to convert into a report. Reports are adjustable, comprehensive, and most importantly, absolutely valid to present in a court as proven by years of experience of our users. One of the real life examples was a big case of child abuse in Croatia solved using Belkasoft Evidence Center.
  • It’s Flexible.
    The product has different licensing options to answer any of your needs. For individual users, the most affordable fixed license is available. For use in a small or medium-size company, you can buy a floating license that comes with a USB dongle, which allows you to run Evidence Center on multiple PCs, whereas the portable version is perfectly suited for work in the field, as it runs from a USB drive and requires no installation.

Features

What are the features of Belkasoft Evidence Center?
  • Mobile and Computer device examination.
    Supporting all major desktop and mobile operating systems, Belkasoft Evidence Center is suitable for mobile and computer forensics. It can parse real and logical drives and drive images, virtual machines, mobile device backups, UFED images, JTAG and chip-off dumps.
  • Smart and Comprehensive Analysis.
    The product looks everywhere on the device completely automatically and can successfully identify over 700 types of digital artifacts. Convenient Evidence Search feature helps to narrow down the findings using filters, pre-defined search, or other options.
  • Powerful Carving.
    Data carving allows you to locate evidence that was deleted, destroyed, or never stored on the hard drive at all (page file, hibernation file, RAM contents). Besides, an advanced carving mode called BelkaCarving™ is available, making it possible to reconstruct fragmented chunks into contiguous pieces of information that would otherwise not be accessible at all.
  • Native SQLite Parsing.
    Recovers corrupted and incomplete SQLite databases, restores deleted records and cleared history files. Processes freelists, write-ahead logs and journal files, and SQLite unallocated space.
  • Live RAM Analysis.
    Evidence Center can extract potentially crucial information from volatile memory, such as: in-private browsing and cleared browser histories, online chats and social networks, cloud service usage history, and much more. Belkasoft Live RAM Capturer is a powerful tool for creating memory dumps, and it is complimentary.
  • Handy Built-in Tools.
    PList, Registry, and SQLite viewers allow you to work more thoroughly with particular types of data and find even more evidence than automatic search was able to discover.
  • Low-level Investigations.
    Equipped with File System Explorer, Hex Viewer, and Type Converter, Belkasoft Evidence Center will allow you to perform deep examination of the contents of files and folders on the device.
  • Extendable with BelkaScript.
    A free scripting module allows users to write their own custom scripts in order to automate some of the routine and further extend the product’s functionality.

Technical Specifications

Belkasoft Evidence Center runs on any Windows OS, from Windows XP to Windows 10, both 32- and 64-bit versions.

The following types of data sources are supported:
Computer
  • Operating systems: Windows (all versions, including Windows 10), Mac OS X, Unix-based systems (Linux, FreeBSD, etc.)
  • Storage devices: hard drives and removable media
  • Disk images: EnCase, L01/Lx01, FTK, DD, SMART, X-Ways, Atola, DMG
  • Virtual machines: VMWare, Virtual PC, VirtualBox, XenServer.
  • Memory: RAM dumps, Hibernation files, Page files
  • File systems: FAT, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4, YAFFS, YAFFS2
Mobile
  • Operating systems: iOS (iPhone/iPad), Android, Windows Phone 8/8.1, Blackberry
  • Data sources: Mobile backups, UFED dumps, chip-off dumps, JTAG dumps

The following types of artifacts can be extracted and analyzed:
Pictures and Videos
  • Supported picture formats: 3FR, ARW, BAY, BMP, BMQ, CAP, CINE, CR2, CRW, CS1, CUT, DC2, DCR, DDS, DIB, DNG, DRF, DSC, EMF, ERF, EXIF, EXR, FAX, FFF, G3, GIF, HDR, IA, ICO, IFF, IIQ, J2K, JFIF, JNG, JP2, JPE, JPEG, JPG, K25, KC2, KDC, KOA, LBM, MDC, MEF, MNG, MOS, MRV, NEF, NRW, ORF, PBM, PCD, PCX, PEF, PFM, PGM, PICT, PNG, PNM, PPM, PSD, PTX, PXN, QTK, RAF, RAS, RAW, RDC, RLE, RPBM, RPGM, RPPM, RW2, RWZ, SGI, SR2, SRF, STI, TGA, TIF, TIFF, WBMP, WMF, XBM, XPM.
  • Picture analysis allows detection of texts, faces, and skin tone. Detection of photo manipulation (forgery) is available with Forgery Detection plugin (extra module)
  • The following formats can be carved: GIF, JPEG/JPG, PNG, BMP, WMF
  • Supported video formats: 3GP, 3G2, AVI, FLV, IFO, MP4, MKV, MPEG, MPG, TS, WMV, MOV
  • Key frame analysis available for 3GP, 3G2, AVI, MP4, MPEG, MPG, WMV, MOV videos
Email Clients
  • Outlook 2013, 2010, 2007 and older, Outlook Express
  • Apple Mail
  • Gmail
  • Hotmail
  • Yahoo Mail
  • Windows Live Mail
  • Mozilla Thunderbird
  • The Bat
  • MIME Emails.
Major Browsers
  • Edge
  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • Opera
  • Safari
Mobile Applications
  • Android:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • Installed Applications
    • SMS

    Browsers

    • Baidu
    • Chrome
    • Default Browser App
    • Dolphin
    • Firefox
    • Maxthon
    • Mercury
    • Opera

    Messengers

    • AIM
    • Badoo
    • Brosix
    • BBM
    • ChatOn
    • CommFort
    • eBuddy XMS
    • Facebook Messenger
    • FireChat
    • Fring
    • Google+
    • Grindr
    • Growlr
    • Hangouts
    • ICQ
    • Im+
    • KakaoTalk
    • Kik
    • Line
    • Mail.ru Agent
    • MeetMe
    • Meow Chat
    • NextPlus
    • Odnoklassniki
    • ooVoo
    • Skype
    • Snapchat
    • Tango
    • Telegram
    • Text Plus
    • Textie
    • TextMe
    • Touch
    • Tumblr
    • Twitter
    • Viber
    • Vipole
    • Vkontakte
    • Voxer
    • Wamba
    • WeChat
    • WhatsApp
    • Xabber
    • Yahoo Messenger

    Other Apps

    • Any.do
    • Evernote
    • Foursquare
    • Instagram
    • LinkedIn
    • Pinterest
    • Sina Weibo
    • Swarm
    • Tinder
    • Whisper
    • Zello

    Payment Systems

    • Qiwi Wallet
  • iOS:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • SMS
    • Tasks

    Browsers

    • Chrome
    • Safari

    Messengers

    • Brosix
    • ChatOn
    • eBuddy XMS
    • Fring
    • Grindr
    • Heytell
    • ICQ
    • Im+
    • KakaoTalk
    • Kik
    • Line
    • MeetMe
    • Meow Chat
    • NextPlus
    • Odnoklassniki
    • ooVoo
    • Paltalk
    • Skype
    • Tango
    • TextMe
    • Touch
    • Viber
    • WeChat
    • WhatsApp
    • Yahoo Messenger

    Other Apps

    • Tinder
    • Whisper
    • Zello
  • Blackberry:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • Notes
    • SMS
    • Voice Mail

Instant Messengers

  • &RQ
  • Adium
  • AIM
  • AIM Express
  • aMSN
  • Badoo
  • Brosix
  • BBM
  • ChatOn
  • Chatzilla
  • CommFort
  • Digsby
  • eBuddy XMS
  • eM Client
  • Emesene
  • Empathy
  • Facebook Messenger
  • Fire
  • FireChat
  • Fring
  • Gadu-Gadu
  • Gajim
  • Google+
  • Google Hello
  • Google Talk
  • Grindr
  • Growlr
  • Hangouts
  • Hey Tell
  • Hotmail
  • iChat
  • ICQ
  • Im+
  • InstantBird
  • Ircle
  • Jclaim
  • Jitsi
  • Kadu
  • KakaoTalk
  • Kik
  • KMess
  • Kopete
  • Line
  • Mail.ru Agent
  • Meebo
  • MeetMe
  • MeowChat
  • Mercury
  • MessageMe
  • Messenger Plus!
  • Miranda IM
  • mIRC
  • MSN/Live Messenger
  • MySpace IM
  • Nate ON
  • NextPlus
  • Nimbuzz
  • Odnoklassniki
  • ooVoo
  • Paltalk
  • Pidgin
  • Psi
  • QIP
  • QIP Infinum
  • QQ
  • qutIM
  • SIM
  • Skype
  • Snak
  • Snapchat
  • Tango
  • TeamViewer
  • Telegram
  • Text Plus
  • Textie
  • TextMe
  • Touch
  • Trillian
  • Tumblr
  • Twitter
  • Viber
  • Vipole
  • Vkontakte
  • Voxer
  • Wamba
  • WeChat
  • WhatsApp
  • Xabber
  • X-Chat Aqua
  • Yahoo Messenger
  • Ya-Online
  • Zello

Office Documents

  • Microsoft Office: Excel (.xls, .xlsx), Word (.doc, .docx), PowerPoint (.ppt, .pptx)
  • Open Office: Documents (.odt), Spreadsheets (.ods), Presentations (.odp)
  • PDF
  • RTF

Peer-to-peer Software

  • eMule
  • Frostwire
  • Gigatribe
  • Torrent

Social Networks and Cloud Services

  • Social Networks: Bebo, Facebook, Google+, Odnoklassniki, Orkut, Twitter, VKontakte
  • Cloud Services: Dropbox, Flickr, Google Drive, SkyDrive, Yandex Disk

Windows Registry Files

  • Accounts (user name, last login time, last failed login time, last password changed time, user RID, LM-hash, NT-hash)
  • Autorun (USBs, CDs, DVDs)
  • Common file dialogs
  • Computer name
  • Event log location
  • Internet Explorer
  • List of USB devices ever connected to the system
  • List of mounted devices
  • MS Paint
  • Network cards
  • Operating system version and installation date
  • Prefetch files
  • Program startup
  • Recently opened and saved documents for MS Office Word, Excel, PowerPoint
  • Search Assistant
  • Shellbags
  • System shutdown time
  • Timezone
  • Trillian
  • UserAssists
  • User name and SID
  • Windows Explorer
  • Windows Media Player
  • Wireless profiles

Encrypted Files and Volumes

  • Acrobat 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0
  • eBook document
  • Symantec ACT! 2.0, 3.0, 4.0, 2000
  • ACT! by Sage 2005, 2006, 2007, Sage 2008, 2009
  • Apple iTunes PLIST
  • BestCrypt 6.0, 7.0, 8.0
  • FileMaker Pro 3.0, 4.0, 5.0, 6.0, 7.0, 8.x, 9.0, 10.0, 11.0
  • ICQ 2000 – 2003 (.dat), 99a (.dat)
  • ICQ Lite (.fb)
  • Lotus 1-2-3 1.1+
  • Lotus Notes 4.x, 6.x, 7.0, 8.0
  • Lotus Notes Client
  • Lotus Organizer 1.0, 2.0, 3.0, 4.0, 5.0, 6.0
  • Lotus WordPro
  • Mac OS Keychain
  • MS Access 2.0
  • MS Access 2.0 System Database
  • MS Access 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MS Access 97 System Database, 2000 System Database, 2003 System Database, 2007 System Database, 2010 System Database
  • MS Backup
  • MS Excel 4.0, 5.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MS Pocket Excel
  • MS Mail
  • Money 99 or earlier, 2000 – 2007
  • MS OneNote 2003 Section, 2007 Section, 2010 Section
  • MS Outlook 2000 Personal Storage, 2003 Personal Storage, 2007 Personal Storage, 2010 Personal Storage
  • MS Outlook 2000 Form Template, 2003 Form Template, 2007 Form Template, 2010 Form Template
  • MS PowerPoint 2002, 2003, 2007, 2010, 2013
  • MS Project 95, 98, 2000, 2002, 2003, 2007
  • MS Schedule+ 1.0, 7.x
  • MS SQL 2000, 2005, 2008
  • MS Word 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MYOB earlier than 2004, 2004-2009
  • Norton Backup
  • Paradox Database
  • Peachtree 2002 – 2006, 2007
  • PGP Desktop Zip
  • PGP Desktop Private Keyring
  • PGP Desktop Virtual Disk
  • PGP Desktop Self-Decrypting Archive
  • Quattro Pro 5 – 6, 7 – 8, 9 – 12, X3, X4
  • QuickBooks 3.x – 4.x, 5.x, 6.x – 8.x, 99, 2000-2012
  • Quicken 95/6.0, 98, 99, 2000, 2001, 2002, 2003, 2007-2012
  • RAR Archives
  • Remote Desktop Connection Document
  • Visual Basic for Applications Projects
  • WordPerfect 5.x, 6.0, 6.1, 7 – 12, X3, X4
  • Zip Archives
  • 7-Zip Archives

Why BEC?

SIMPLE – Belkasoft Evidence Center is designed to be easy to use with its straightforward and convenient interface. Most of the routine is automated, and commands can be given using the compact toolbar or context menu. No special training is required in order to be able to work with the product, and our support specialists will be glad to help if you face any issues.

FAST – The tool skips indexing every single file and folder in the file system, instead searching specifically for the most significant types of digital evidence that forensic investigators most often look for. Advanced algorithms allow for fast and comprehensive evidence search and analysis, helping to speed up the investigation and save your time.

POWERFUL – Belkasoft Evidence Center can analyze mobile and computer devices, device back-ups and disk images, virtual machines, and memory dumps. The product identifies and analyzes hundreds of artifact types completely automatically, while it is also equipped with a variety of analytical tools that help to ensure wholeness and high quality of investigation process.

FAIR PRICE – Compared to other similar tools on the market, Evidence Center offers the most for its price. Besides, knowing how challenging it can be to receive funding, we use a very flexible pricing scheme where customers can choose the combination of features that fits the budget.