Working with Encrypted iTunes Backups

iTunes backups are an invaluable source of digital evidence; however, they are protected with encryption. How do you crack an encrypted backup and analyze its contents? Our new tutorial video will help you do that using Belkasoft Evidence Center! Watch on our YouTube channel in 720p (subtitles available):


Webinar: Investigating Computer And Mobile Artifacts With New Belkasoft Evidence Center

We finished the year 2015 on a good note with the release of Belkasoft Evidence Center 2016. The new version of Evidence Center features massive updates and improvements in performance and usability, new features, and numerous other enhancements that make work with the product faster, smoother and more convenient than ever before.

To present the renewed Evidence Center to our customers as well as to those who are not familiar with the product, we recorded a webinar. The webinar contains an introductory presentation about the product with a brief overview of its capabilities and a live demonstration of the product and its features, both pre-existing ones and those introduced in the latest release.

The webinar is available to watch free on Forensic Focus: Investigating Computer And Mobile Artifacts With New Belkasoft Evidence Center.

Try Belkasoft Evidence Center free! Download a full trial version at

New Article: The Future of Mobile Forensics – November 2015 Follow-Up

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that used to be state-of-the-art back then. Weeks later, some things had changed already. Three months after the publication, a lot of things have changed. Our article was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies in it. In this follow-up, we will use up-to-date information to address the issues of concern in the original article.

The paper covers the recent changes and trends in the field of mobile forensics, as well as adds some adjustments and new material to complement the ideas that we expressed earlier.

Read full article here:

New Article: Countering Anti-Forensic Efforts – Part 2

In the first part of the article we talked about the most common – and also some of the simplest – ways suspects can try to cover their tracks in an attempt to slow down the investigation. This part of the article is dedicated to some of the more advanced techniques that sometimes can really be challenging to deal with. In Part 2 we take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Read the full article on our website:

All articles:

New Belkasoft Evidence Center v.7.3: More Powerful, More Convenient

Belkasoft updates Belkasoft Evidence Center, the company’s flagship digital forensic solution, to version 7.3. The new release comes with significantly improved file carving and SQLite analysis algorithms. With this update, Belkasoft Evidence Center enables investigators to discover more evidence faster, while raising the bar of SQLite analysis to a whole new level. In addition, the product now supports Cellebrite Link Analysis integration, and offers numerous other enhancements.

Try the new version FREE:

Enhanced Data Carving

Carving hard drives or binary disk images helps investigators locate evidence that was hidden or destroyed by a suspect, such as deleted photos, cleared browsing history, internet chats and so on. Belkasoft Evidence Center has been known for its advanced carving algorithms, enabling the discovery of several hundred types of data in both allocated and unallocated areas of the storage device.

In version 7.3, Belkasoft Evidence Center brings major improvements to the carving algorithms, significantly reducing the time required to carve the disk in many scenarios. Added to Belkasoft Evidence Center 7.3 is the new carving mode that analyzes just the free space of allocated areas of the disk. This type of analysis specifically targets deleted files, locating destroyed evidence much faster than ever before.

New Carving Mode

Improved SQLite Analysis

Many forensic experts referred to SQLite analysis algorithms used in Belkasoft Evidence Center as the best in class. In version 7.3, SQLite Viewer was notably enhanced, offering massively improved performance and making it possible to process huge databases in a matter of seconds. Selected column values can now be converted to multiple data types such as date and time, integer and floating values, string types and so on. Specified column types are stored throughout the investigation, and show up in reports that can now be directly generated from the SQLite Viewer.

Evidence Search Improvements

Searching for, locating and analyzing evidence is a major function of Belkasoft Evidence Center. The search engine has also received a tune up in version 7.3: with major improvements to search performance, greatly decreased search index and reworked Search Results, searching for, viewing and analyzing evidence has become even more robust and convenient.

Reworked Search Results Window

Pricing and Availability

Belkasoft Evidence Center 7.3 is available immediately. Prospective customers are welcome to request a quote at or download the evaluation version at

Existing customers with non-expired Extended Software Maintenance and Support contracts can update to version 7.3 free of charge. File System and RAM Process Explorer modules can be purchased separately.

The complete list of additions and enhancements in version 7.3 is available at

Acquiring Windows PCs

In our previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition.

The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

Acquiring Windows computers is more complex than simply pulling the plug and taking the disk out. Even if the computer is not protected by Windows security features such as BitLocker, acquiring data from a turned-off machine means missing evidence from Live RAM, where we are extremely likely to find some forensically important artifacts.

To learn more, read the full article on our site: Acquiring Windows PCs.

Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage. This is where Belkasoft Evidence Center and Live RAM Capturer should come in handy.

Read full article:

Belkasoft Helps Find a Missing Girl

We continue to publish stories on how Belkasoft Evidence Center helps law enforcement in their work. Today’s story is about a teenage girl who went missing from her parents’ home.

What Our Customers Are Saying

One of our customers has a great write-up (in Spanish) about Belkasoft products. Do check it out!

We asked Javier for a brief summary of his post in English, and he kindly provided us with one. His main points are:

Executive summary

I say it is powerful and worth its price, especially if you are doing forensic reports with large data sources. Compared to EnCase, it is four times cheaper, but EnCase is more popular and supports EnScript. EnCase could be a better purchase for a lab where there are several technicians working.

Detecting Forged (Altered) Images

Are digital images submitted as court evidence genuine or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them in a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the image being forged. This paper discusses methods, tools and approaches used to detect the various signs of manipulation of digital images.

How many kittens are sitting on the street? If you thought “four”, read along to find out!

The full article is available at the Belkasoft web site.