New Article: The Future of Mobile Forensics – November 2015 Follow-Up

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that were state-of-the-art at the time. Weeks later, some things had already changed; three months after publication, a lot has changed. Our article was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies in it. In this follow-up, we use up-to-date information to address the issues of concern in the original article.

The paper covers the recent changes and trends in the field of mobile forensics, and adds some adjustments and new material to complement the ideas that we expressed earlier.

Read full article here:


Free Webinar: Enhance Digital Investigations with New Belkasoft Evidence Center

Belkasoft announces an upcoming release of their flagship all-in-one forensic product. Belkasoft Evidence Center 2016 comes with a substantial number of improvements and new features that are to bring the product to a new level of convenience and effectiveness in working with digital evidence.

In the new release, we added a lot of new supported artifacts, including a significant number of mobile apps such as browsers, payment systems, messengers, and social networking apps. At the same time, we refined the interface so that it is now more convenient to work with the increased number of artifacts. In particular, we reworked the artifact selection window and added filters that allow you to sort items by text, metadata, date, or other criteria. In addition, the evidence search engine was improved and now works faster than ever.

One of the important newly added features of the product is hashset analysis (using the NSRL hash database). These and many other changes and enhancements in the new version will be covered during our free webinar “Enhancing digital investigations with Belkasoft Evidence Center 2016”. The webinar will be conducted by Yuri Gubanov, Belkasoft CEO & Founder and a renowned expert in digital forensics.

The webinar will feature a presentation with an overview of the most significant improvements and new features of Belkasoft Evidence Center 2016, as well as questions from the viewers, answered live.

Date: November 4, 2015
Time: 17:00 UTC / 18:00 CET / 12:00 EST / 20:00 MSK

Sign up for the webinar now and get your guaranteed free trial version of the product:


Advanced SQLite Analytics with Belkasoft Evidence Center

Much has been said about the different tools to extract, view, and recover SQLite databases. Why is SQLite analysis so important for digital forensics? Why is SQLite not straightforward to investigate? Why use Belkasoft Evidence Center for SQLite analysis? Read along to find out!


Carving for Evidence: Why Choose Belkasoft Evidence Center

When looking for digital evidence, one has to look through a large number of files on the disk to discover just the few important pieces. Automating evidence search can help locate evidence stored in files that were moved, renamed or deleted. This article offers a general overview of data carving techniques used in today’s computer forensic tools, outlines benefits and limitations of the technology, and demonstrates how to use carving in a forensic tool to discover evidence.


New Article: Countering Anti-Forensic Efforts – Part 2

In the first part of the article we talked about the most common – and also some of the simplest – ways suspects can try to cover their tracks in an attempt to slow down the investigation. This part of the article is dedicated to some of the more advanced techniques that sometimes can really be challenging to deal with. In Part 2 we take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Read the full article on our website:

All articles:

New Article: Countering Anti-Forensic Measures – Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist allowing discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same time, criminals routinely make attempts to counter forensic efforts by wiping data, deleting files, faking or clearing logs, histories and other traces of performed activities. Anti-forensic efforts are not limited to just that. In this whitepaper, we will have a brief overview of common anti-forensic techniques frequently used by suspects who are not specialists in high-tech, and ways to counter them during the investigation.

What this paper does not discuss is the suspects’ use of advanced tools dedicated to countering forensic efforts. Instead, we will talk about the most common anti-forensic techniques. In this paper, we will move from easy to moderately difficult anti-forensic techniques, explaining who might be using these methods and how to counter them.

What is anti-forensics, and how to counter it? Read in the full article:

More of our articles:

New Belkasoft Evidence Center v.7.3: More Powerful, More Convenient

Belkasoft updates Belkasoft Evidence Center, the company’s flagship digital forensic solution, to version 7.3. The new release comes with significantly improved file carving and SQLite analysis algorithms. With this update, Belkasoft Evidence Center enables investigators to discover more evidence faster, while raising the bar of SQLite analysis to a whole new level. In addition, the product now supports Cellebrite Link Analysis integration, and offers numerous other enhancements.

Try the new version FREE:

Enhanced Data Carving

Carving hard drives or binary disk images helps investigators locate evidence that was hidden or destroyed by a suspect, such as deleted photos, cleared browsing history, internet chats and so on. Belkasoft Evidence Center has been known for its advanced carving algorithms, enabling the discovery of several hundred types of data in both allocated and unallocated areas of the storage device.

In version 7.3, Belkasoft Evidence Center brings major improvements to the carving algorithms, significantly reducing the time required to carve the disk in many scenarios. Version 7.3 also adds a new carving mode that analyzes just the free space of allocated areas of the disk. This type of analysis specifically targets deleted files, locating destroyed evidence much faster than ever before.

New Carving Mode


Improved SQLite Analysis

Many forensic experts have referred to the SQLite analysis algorithms used in Belkasoft Evidence Center as the best in class. In version 7.3, SQLite Viewer was notably improved, offering massively better performance and making it possible to process huge databases in a matter of seconds. Selected column values can now be converted to multiple data types such as date and time, integer and floating values, string types and so on. Specified column types are stored throughout the investigation, and show up in reports that can now be directly generated from the SQLite Viewer.

Evidence Search Improvements

Searching for, locating and analyzing evidence is a major function of Belkasoft Evidence Center. The search engine has also received a tune-up in version 7.3: with major improvements to search performance, a greatly decreased search index and reworked Search Results, searching for, viewing and analyzing evidence has become even more robust and convenient.

Reworked Search Results Window


Pricing and Availability

Belkasoft Evidence Center 7.3 is available immediately. Prospective customers are welcome to request a quote at or download the evaluation version at

Existing customers with non-expired Extended Software Maintenance and Support contracts can update to version 7.3 free of charge. File System and RAM Process Explorer modules can be purchased separately.

The complete list of additions and enhancements in version 7.3 is available at

New Article: The Future of Mobile Forensics

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

Read the full article:

Acquiring Windows PCs

In our previous article, we talked about acquiring tablets running Windows 8 and 8.1. In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has its own share of surprises when it comes to acquisition.

The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

Acquiring Windows computers is more complex than simply pulling the plug and taking the disk out. Even if the computer is not protected by Windows security features such as BitLocker, acquiring data from a turned-off machine means missing evidence from Live RAM, where we are extremely likely to find some forensically important artifacts.

To learn more, read the full article on our site: Acquiring Windows PCs.

Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage. This is where Belkasoft Evidence Center and Live RAM Capturer should come in handy.

Read full article: