Tag Archives: article

Comprehensive Skype chat analysis with Belkasoft Evidence Center

Call logs, SMS messages, emails, social network communications and, of course, chats in instant messengers can give you a lot of important information in the course of a forensic investigation. Let’s see how a single chat product can be examined from different aspects, each of which gives one more unique piece of the puzzle.

In our case, the suspect had Skype installed on his laptop and mobile device which were seized and investigated with Belkasoft Evidence Center 2017.

Read more: https://belkasoft.com/chat-forensics-2016

Fighting “I have been hacked” defense

This article was inspired by an active discussion in one of the forensic listservs. The original post asked how to counter the argument “This is not me, this is malware”. The suspect was allegedly downloading and viewing illicit child photos and denied it, explaining the presence of these photos by malicious software they presumably had. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activity?


SSD 2016: Part 3 now out!

The third and final part of our SSD Forensics article is published! Interesting use cases and an analytical overview, as well as some practical tips – read it here: belkasoft.com/ssd-2016-part3

If you missed the previous parts, you can find them on our website along with a number of other publications: belkasoft.com/articles

SSD Forensics Article – Part 2 published!

The second part of our latest article about SSD forensics is now out!

Part 2 talks about external SSDs and eMMC storage, and covers trimming of eMMC.

Read full article here: belkasoft.com/ssd-2016-part2

New Article: Countering Anti-Forensic Measures – Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist that allow discovery of evidence which is difficult to get at, including destroyed, locked, or obfuscated data. At the same time, criminals routinely attempt to counter forensic efforts by wiping data, deleting files, and faking or clearing logs, histories and other traces of their activities. Anti-forensic efforts are not limited to just that. In this whitepaper, we give a brief overview of common anti-forensic techniques frequently used by suspects who are not high-tech specialists, and ways to counter them during the investigation.

What this paper does not discuss is the suspects’ use of advanced tools dedicated to countering forensic efforts. Instead, we will talk about the most common anti-forensic techniques. In this paper, we will move from easy to moderately difficult anti-forensic techniques, explaining who might be using these methods and how to counter them.

What is anti-forensics, and how to counter it? Read in the full article: http://belkasoft.com/countering-anti-forensic-efforts-part-1

More of our articles: http://belkasoft.com/articles

New Article: The Future of Mobile Forensics

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

Read the full article: http://belkasoft.com/future-of-mobile-forensics

Kik Messenger Forensics

Kik Messenger is a popular free messaging app for all major mobile platforms. Available for Android, iOS and Windows Phone, Kik Messenger had a user base of more than 130 million users just a year ago. Today, the company claims over 200 million registered accounts, with another 250,000 users added each day. The messenger’s user base consists of teenagers and young adults. It is estimated that approximately 40 per cent of 13- to 25-year-olds in the United States are using Kik.

As a result, Kik Messenger has become one of the forensically important messenger apps. With hundreds of millions of users communicating with Kik on a daily basis, ignoring this popular messenger during an investigation may lead to missing important evidence. With Kik’s user base mostly consisting of teenagers and young adults, Kik messages can come in especially handy when investigating cases of molestation.

Unlike many cloud-based messengers, Kik Messenger stores evidence on the phone in unencrypted offline databases, which makes it possible to access this information without knowing the user’s account authentication details. Both the Android and iOS versions of Kik Messenger store information in SQLite format. This allows forensic tools like Belkasoft Evidence Center to extract and analyze data, including deleted and damaged volumes.

What exactly is available to an investigator, and how can we get to that data? Read a full article on our website: http://belkasoft.com/kik-forensics.

Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as a storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide range of desktop and mobile Web browsers (Chrome, Firefox) and instant messaging applications use SQLite, which includes newer versions of Skype (the older versions don’t work anyway without a forced upgrade), WhatsApp, iMessages, and many other messengers.

Forensic analysis of SQLite databases often amounts to simply opening a database file in one or another database viewer. One common drawback of using a free or commercially available database viewer for examining SQLite databases is the inherent inability of such viewers to access and display recently deleted (erased) as well as recently added (but not yet committed to the main file) records. In this article, we’ll examine the forensic implications of three features of the SQLite database engine: Free Lists, Write Ahead Log and Unallocated Space.

See more on our site at http://belkasoft.com/sqlite-analysis.
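The two places named above where a plain viewer stops, shown as an added example that is not part of the original article or of Belkasoft’s tooling: a Python script that builds a constructed chat-style SQLite database, deletes most of its rows, and then compares what a viewer reports (live rows) with what the raw file still holds (freelist pages and deleted cell bytes), and separately shows a committed row that lives only in the write-ahead log until a checkpoint. It reads the freelist fields straight from the SQLite file header and contrasts the default `secure_delete=OFF` with `secure_delete=ON`. All file names, table names and message text are constructed for this example; it also illustrates the Kik point above that an unencrypted SQLite file can be read without any account credentials.

```python
"""Constructed demonstration: where a SQLite viewer stops and a forensic
parser has to continue (freelist pages and the write-ahead log).
Every database, table and message here is constructed for the example."""
import os
import sqlite3
import struct
import tempfile

MARKER = "MARKER-DELETED"       # constructed token placed only in rows we delete
WAL_MARKER = "MARKER-WAL-ONLY"  # constructed token placed in a row left in the WAL


def freelist_info(db_path):
    """Read the freelist fields of the 100-byte SQLite file header:
    offset 32 = first freelist trunk page, offset 36 = total freelist pages
    (both 4-byte big-endian)."""
    with open(db_path, "rb") as f:
        header = f.read(100)
    if header[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database file")
    first_trunk, total_free = struct.unpack(">II", header[32:40])
    return first_trunk, total_free


def count_raw_hits(path, token):
    """Count a text token in the raw file bytes, bypassing the SQLite engine
    entirely: the simplest form of carving."""
    with open(path, "rb") as f:
        return f.read().count(token.encode())


def build_and_delete(db_path, secure_delete):
    """Create a chat-like table, insert 400 rows, delete the first 300.
    With secure_delete OFF (SQLite's usual default) freed pages and cells keep
    their old bytes; with ON, SQLite overwrites deleted content with zeros."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=DELETE")   # rollback journal, removed after commit
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    rows = [
        (i, "alice", f"{MARKER} message {i:04d}" if i < 300 else f"kept message {i:04d}")
        for i in range(400)
    ]
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id < 300")
    conn.commit()
    live_rows = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    conn.close()
    return live_rows


def deleted_record_analysis(secure_delete=False):
    """Return (rows a viewer shows, freelist page count, raw hits of the deleted marker)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "chat.db")
        live_rows = build_and_delete(db_path, secure_delete)
        _, free_pages = freelist_info(db_path)
        hits = count_raw_hits(db_path, MARKER)
        return live_rows, free_pages, hits


def wal_analysis():
    """Commit a row in WAL mode and keep the connection open, so the row sits in
    chat.db-wal but is not yet checkpointed into chat.db.
    Returns (marker hits in main file, marker hits in the WAL file)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "chat.db")
        conn = sqlite3.connect(db_path)
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO messages VALUES (1, ?)", (WAL_MARKER + " constructed row",))
        conn.commit()  # durable in the WAL; main file untouched until a checkpoint
        main_hits = count_raw_hits(db_path, WAL_MARKER)
        wal_hits = count_raw_hits(db_path + "-wal", WAL_MARKER)
        conn.close()   # closing the last connection checkpoints and removes the WAL
        return main_hits, wal_hits


if __name__ == "__main__":
    for mode in (False, True):
        live, free, hits = deleted_record_analysis(secure_delete=mode)
        print(f"secure_delete={'ON' if mode else 'OFF'}: viewer shows {live} rows, "
              f"{free} freelist pages, {hits} deleted-marker hits in raw bytes")
    main_hits, wal_hits = wal_analysis()
    print(f"WAL mode: {main_hits} marker hits in chat.db, {wal_hits} in chat.db-wal")
```

The practical lesson for an examiner is in the two comparisons: the viewer reports 100 rows in both runs, but only the `secure_delete=OFF` file still carries the 300 deleted message bodies, and the WAL row is invisible to anyone who copies `chat.db` alone without its `-wal` companion. Acquire the main file, the `-wal` and `-journal` files together, and parse the header's freelist fields before trusting a row count.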