Evidence Center 5.4 is out

We finally released this long-awaited update. We spent a lot of time developing, testing and improving this release. Well, it’s here now! Version 5.4 offers a host of new features, functionality and usability improvements, easily becoming the best Evidence Center so far. We’ve added faked image detection, recovery of destroyed SQLite evidence, Timeline view and much more!

What’s New in Belkasoft Evidence Center 5.4

Version 5.4 is an important major release, adding a wide range of new features. At a glance:

  • Forgery Detection plugin automatically identifies images that have been altered or modified since they left the camera;
  • Analysis of fragmented memory sets improves Live RAM analysis. It decomposes and reassembles memory snapshots to extract recently viewed JPEG images even if they are scattered around the memory dump;
  • Timeline adds a convenient aggregated view of user activities and system events;
  • Native SQLite database parsing with freelist support helps recover destroyed evidence such as cleared Skype histories;
  • Windows Registry support automatically locates and parses registry hives, extracting many types of valuable evidence.

Forgery Detection

The newly added Forgery Detection plugin enables automatic detection of digital photos that have been altered. The tool automates the authenticity analysis of JPEG images, producing a concise estimate of the image’s authenticity on a scale of 1-100. The tool is based on scientific research; more information about the algorithms used in the Belkasoft Forgery Detection Plugin is available here.

Improved Live RAM analysis: memory dump defragmentation

Live RAM analysis in Evidence Center 5.4 is greatly improved thanks to the ability to defragment memory sets. In real life, Windows rarely stores volatile data in a contiguous fashion. Instead, reasonably large images and other types of data are split into chunks that are scattered across the entire memory content. This is called memory fragmentation. Traditional RAM analysis algorithms have little success analyzing fragmented memory sets. The new BelkaCarving algorithm is based on scientific research, enabling Evidence Center to carefully reconstruct fragmented chunks into contiguous pieces of information and to extract broken pieces, such as recently viewed images, that no other tool can access. At this time, support is based on memory dumps captured on 32-bit and 64-bit Windows 7 systems. Support for other operating systems is being actively developed.

Timeline: aggregated view of user activities and system events

We received a lot of inquiries from customers asking us to add an aggregated view of all discovered events. This feature is finally here. The Timeline greatly improves Evidence Center usability, providing the ability to display all detected user activities and system events in a single aggregated view. By using the Timeline, investigators can quickly glance at user activities over a certain time period or scrutinize a particular period of time with ease.

The Timeline view allows convenient filtering, allowing investigators to search for certain types of events or to include only selected types of data. Case-sensitive full-text content filtering is supported. Timeline filters are stackable, allowing investigators to specify a number of conditions that an event must meet in order to appear in the Timeline view.

Native SQLite parsing with freelist support helps recover destroyed evidence

The newest release gets rid of third-party SQLite libraries, enabling fully native SQLite parsing. This new feature allows Evidence Center users to parse even badly damaged, fragmented and incomplete databases such as those resulting from a carving attempt. The benefit for the user is enormous: native SQLite parsing allows recovering evidence from deleted and partially wiped databases, helping, for example, to recover much more information from destroyed Skype logs.

A built-in SQLite viewer allows viewing SQLite databases.

SQLite freelist processing enables access to deleted records in SQLite databases. Information deleted from SQLite databases is not wiped immediately. Instead, it is transferred into a so-called freelist. Freelists are not accessible with standard SQLite parsing tools. The newest release of Belkasoft Evidence Center enables the recovery of deleted information stored in SQLite freelists.
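As an added example that is not part of the Belkasoft release notes, the following Python script shows the freelist mechanism described above: it builds a constructed sample database, clears a chat-style table so its leaf pages land on the freelist, then walks the freelist from the file header and carves the cleared rows back out of the freed pages. It assumes SQLite's secure_delete setting is off (set explicitly below) and no auto-vacuum; the table, function and sample row names are hypothetical.

```python
import os, re, sqlite3, struct, tempfile

SAMPLE_BODY = "chat line {:04d} about the meeting"           # constructed sample rows
SAMPLE_RE = re.compile(rb"chat line \d{4} about the meeting")

def build_sample_db(path, rows=2000):
    """Fill a chat-style table, then clear it: with secure_delete off, the freed
    leaf pages go onto the freelist and their cells stay on disk untouched."""
    con = sqlite3.connect(path)
    con.executescript("PRAGMA auto_vacuum=NONE; PRAGMA secure_delete=OFF;")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [(SAMPLE_BODY.format(i),) for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM messages")            # gone from SQL, not from the file
    con.commit()
    visible = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    con.close()
    return visible

def freelist_pages(data):
    """Header bytes 32-35 give the first trunk page; each trunk holds (next trunk,
    leaf count, leaf page numbers). Returns (page_size, trunk pages, leaf pages)."""
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size      # 1 encodes 64 KiB
    trunk = struct.unpack(">I", data[32:36])[0]
    trunks, leaves = [], []
    while trunk:                                             # 0 ends the chain
        off = (trunk - 1) * page_size
        nxt, count = struct.unpack(">II", data[off:off + 8])
        trunks.append(trunk)
        leaves += struct.unpack(">%dI" % count, data[off + 8:off + 8 + 4 * count])
        trunk = nxt
    return page_size, trunks, leaves

def carve_freelist(path, pattern=SAMPLE_RE):
    """Scan every freelist page (trunks too: only their first bytes get rewritten)
    for records matching pattern. Returns (freelist page count, set of matches)."""
    data = open(path, "rb").read()
    page_size, trunks, leaves = freelist_pages(data)
    hits = set()
    for pg in trunks + leaves:
        hits.update(m.decode() for m in pattern.findall(data[(pg - 1) * page_size:pg * page_size]))
    return len(trunks) + len(leaves), hits

def demo():
    """Build the sample in a temp dir; compare what SQL sees with what carving finds."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        visible = build_sample_db(path)
        n_free, hits = carve_freelist(path)
    return {"visible_rows": visible, "freelist_pages": n_free, "recovered": len(hits)}
```

A VACUUM or an auto-vacuum database rewrites the file and drops these pages, which is why freelist recovery is only as good as the state in which the database was acquired.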

Windows Registry support

The newly added support for Windows Registry artifacts automatically locates and parses registry hives, extracting many types of valuable evidence such as MRU lists of various applications (e.g. MS Office, Acrobat Reader, etc.), UserAssist entries, program startup data, lists of connected USB devices, network cards, wireless profiles and many other types of artifacts. This feature is available in the Professional and Ultimate editions.

Microsoft Office 2007-2013 and Adobe PDF carving

In addition to Office 97-2003 files, Evidence Center 5.4 can now carve documents in Office 2007-2013 formats. Adobe PDF files are now also supported.

Detailed information about what’s been added to the latest edition is available at What’s new in Evidence Center 5.4.
