Tag Archives: news

Webinar: Investigating Computer And Mobile Artifacts With New Belkasoft Evidence Center

We finished year 2015 on a good note with the release of Belkasoft Evidence Center 2016. The new version of Evidence Center features massive updates and improvements in performance and usability, new features, and numerous other enhancements that made work with the product faster, smoother and more convenient than ever before.

To present renewed Evidence Center to our customers as well as to those who are not familiar with tthe product, we recorded a webinar. The webinar contains an introductory presentation about the product with a brief overview of its capabilities and a live demonstration of the product and its features, both pre-existing ones and those introduced in the latest release.

The webinar is available to watch free on Forensic Focus: Investigating Computer And Mobile Artifacts With New Belkasoft Evidence Center.

Try Belkasoft Evidence Center free! Download a full trial version at belkasoft.com/trial.

Free Webinar: Enhance Digital Investigations with New Belkasoft Evidence Center

Belkasoft announces an upcoming release of their flagship all-in-one forensic product. Belkasoft Evidence Center 2016 comes with a substantial number of improvements and new features that are to bring the product to a new level of convenience and effectiveness in working with digital evidence.

In the new release, we added a lot of new supported artifacts, including a significant number of mobile apps such as browsers, payment systems, messengers, and social networking apps. At the same time, we refined the interface in such a way that it is now more convenient to work with the increased amount of artifacts. In particular, we reworked artifact selection window, and added filters that allow you to sort items by text, metadata, date, or other criteria. Besides, evidence search engine was empowered and now works faster than ever.

One of the newly added important features of the product is hashset analysis (uses NSRL hash database). These and many more other changes and enhancements of the new version will be covered during our free webinar “Enhancing digital investigations with Belkasoft Evidence Center 2016”. The webinar will be conducted by Yuri Gubanov, Belkasoft CEO & Founder and a renowned expert in digital forensics.

The webinar will feature a presentation with an overview of the most significant improvements and new features of Belkasoft Evidence Center 2016, as well as questions from the viewers, answered live.

Date: November 4, 2015
Time: 17:00 UTC / 18:00 CET/ 12:00 EST / 20:00 MSK

Sign up for the webinar now and get your guaranteed free trial version of the product:http://belkasoft.com/webinar


Belkasoft Becomes IACIS Titanium Level Sponsor!

We are proud to announce that Belkasoft is now IACIS Titanium Level Sponsor! Titanium Sponsors are the ones that donated no less than $20,000 in products, services or funding which IACIS uses to subsidize the cost of student training and equipment in 2015.

IACIS is a non-profit, volunteer organization wholly dedicated to training, certifying and providing membership services to computer forensic professionals around the world.  ​IACIS provides a wide array of professional services and training for computer forensic practitioners and those aspiring to acquire certification in the discipline. This year the organization celebrates its 25th anniversary.

As a Titanium sponsor, Belkasoft provided IACIS with a fair amount of licenses of our flagship digital forensic product Belkasoft Evidence Center.

About Belkasoft Evidence Center

Belkasoft Evidence Center is an advanced all-in-one forensic solution for digital investigations. Covering both mobile and computer forensics, the product can find, recover and analyze for hundreds types of artifacts. Evidence Center is designed to make digital investigations easier, faster, more comprehensive, and more effective.

The free full trial license can be requested at http://belkasoft.com/trial

About Belkasoft Academic Program

Belkasoft offers special Academic Program for educational institutions and non-commercial training courses. We are glad to support colleges and universities, research centers, and organizations like IACIS.

Questions and Answers – Belkasoft & Guidance Software Webinar

As we promised previously in our blog, here is the list of questions and answers from our recent webinar with Guidance Software. In case you have not watched it yet, you should do it now! You can find the link here. Q: Guys, you mentioned analysis of Live RAM dump created by Belkasoft tool. We use winen.exe tool by Guidance Software. Will you work with dumps created by this tool? A: Sure! As a Guidance Software partner, we support all images created by their tools, particularly, physical images such as E01 and Ex01, logical images such as L01 and Lx01, and of course, memory dumps Q: In one of your stories, your tool found some Skype data inside something you call “SQLite freelist”. When SQLite deletes data, does it always go to a freelist? A: It is only true for databases configured without option called “AutoVacuum”. If this option presents, no freelist is used, unfortunately. However, quite a bit of forensically important applications store their data inside SQLite databases configured without such option. Particularly, Skype, WhatsApp, Chome, Firefox and many more. Q: Are there any chances to find SQLite data if it is not present in regular SQLite areas (I mean, tables) and freelist? A: SQLite forensic analysis is a tricky thing because SQLite itself is tricky. Besides regular tables and freelist area, which we already explained, it has some more peculiarities. For example, older versions of SQLite had so-called “journal” file, which was used to coordinate database transactions. Newer versions of SQLite have so-called Write Ahead Log files, or WAL-files, which contain uncommitted transaction data. Both journal and WAL files sit in the same folder as main database and may contain up to 20-30% of data inside main database file. For example, my Skype database is around 100 megabytes (yes, I use Skype for a long time and never delete my history). In my setup journal file for my Skype account is 20 megabytes, what is 20%. So if you don’t investigate these files, you are going to lose 20% of information, what you absolutely cannot afford in a course of criminal investigation. That’s why you need a tool like Evidence Center to automate such routine things. For a moment, there are not much forensic tools capable to do automatic processing of freelist, journal and WAL files, so this is one of the reason to have Evidence Center to complement your EnCase installation. I can also mention that SQLite database can have so-called unallocated space. It resembles regular hard drive, which can also have unallocated. This space does not belong to any table and is not a freelist. Inside this space, you may find some remnants of deleted data, not necessarily completely valid, because already overwritten or corrupted. However, with our experience, we were able to find meaningful conversations there. Technically, you can carve unallocated space inside SQLite database and find data, such as already discussed Skype chats or WhatsApp messages. This is what Evidence Center can do automatically for you. This info, if found, then merged with existing data (I mean, non-deleted data from regular tables) and can be imported back to EnCase. Q: What can a criminal do to hide data stored once inside an SQLite database and what can Belkasoft together with EnCase do against such attempts? A: Well, to hide SQLite data they can do pretty much the same, as with other files. They can move a file, delete it, rename or delete data by using regular means of an application, which uses particular SQLite database. We have already discussed what happens, when data is deleted from an app itself: it goes to a freelist and can be partially recovered. In case a file is renamed or deleted, Evidence Center can carve such file. There are also some chances to find remnants of data inside special system areas such as hibernation or pagefile, shadow volume copy, live RAM dump, if any, and so on. Evidence Center supports all these scenarios. Q: In the drug story, you were looking for Facebook chats. Will you download Facebook chats from online? Do you need a password for that? A: No, the tool never goes online. Instead, the investigator was trying to locate chats inside RAM dump he had. When someone chats via Facebook or any other app, this data is kept inside RAM, so can be then found. To find such data we use signature approach. We know signatures for data layout in RAM for hundreds of types of applications and do data extraction for you out of the box. Therefore, no internet required and no Facebook password required. Note, however, that you can hardly hope to extract all chats, just a small fraction of an entire history. Q: If only remnants of Facebook chats could be found on a switched off machine, how long is the history you are able to recover? Can a whole history be recovered, theoretically and practically? A: Theoretically, if history is small, it is possible to recover entire history. Practically you can only recover some very recent chats. This is because portions of RAM are overwritten every fraction of second and older messages are gone quickly. If not gone, they can be corrupted. That’s life, but this is better than having nothing. Facebook and other browser applications do not store anything on a hard drive (if we are not talking about mobile Facebook app), so the only chance to find anything is to search inside RAM. Q: How quick is the data processing? A: It depends on the size of your EnCase image file and your hardware. In our lab 500 GB hard drive with all types of analysis, we have, selected, takes about 8 hours to complete. 2Tb drive with around half-million photos, takes about 18 hours, but this is because of huge amount of picture processing. We recommend you to have at least 16 GB of memory to have comfort processing time, but this is not a hard requirement. During conferences (by the way, we will be on Guidance Software’s CEIC conference as a sponsor and presenter this year), well, during conferences we use a laptop with just 4Gb of memory and the product works perfectly fast. Q: You say you can recover deleted SQLite data. What about other types of deleted data, can you restore them? A: Almost all types of data which we can analyze being non-deleted, we can carve. To name a few, documents, emails, pictures, system files such as registries, event logs, thumbnails, jumplists, chats and browser histories, SQLite databases and many more types of data. Q: You say you work with multiple platforms and multiple devices. Which platforms/devices do you support? A: We work on Windows only, but support whole variety of Windows version from Windows XP to most new and fancy Windows 10. However, we can analyze all major operating systems such as Mac OS X, iOS, Linux/Unix, Android, Windows Phone, Blackberry. Concerning devices, we support both computers and laptops as well as all modern smartphone platforms. By the way, we can also work on special “forensic” portable builds of Windows. Q: In the story with the lost girl, investigator was lucky to find girl’s laptop in a sleep mode without a password, so there were no problems to capture RAM dump. However, if a computer was switched off, how do you do Live RAM analysis? A: Windows and other systems usually use two types of files that we can roughly call “RAM dumps made by Operating System itself”. These are pagefile (where your virtual memory is kept) and hibernation file (used to quickly turn computer on after hibernation). Both files contain memory artifacts because they are indeed memory. Unlike RAM, they survive reboot so you can investigate them. Interestingly, that inside you can find quite old data, for example, we’ve seen a few cases with Facebook chats as old as few months inside a pagefile.

Belkasoft and Guidance Software Webinar on EnCase and Evidence Center Integration

Watch the most recent webinar about how Belkasoft Evidence Center allows to enhance digital investigations!

The webinar is conducted by Guidance Software’s Robert Bond, Belkasoft CEO and Founder Yuri Gubanov, and Oleg Afonin, Belkasoft Marketing Director.

The webinar unveils some of features of Belkasoft Evidence Center and how they can be used with Guidance EnCase Software in order to provide crucial data to digital experts.

Three cases, based on real-life investigations, were shown at the webinar. Customers’ questions were answered live. The list of questions and answers will be posted in our blog in a few days – don’t miss!

To learn how Belkasoft helped to return a missing girl to her grieving parents, timely discovered a know-how leak, and outsmarted a sneaky drug dealer, watch the full webinar on our partner’s website:


EnCase integration is available to all our customers free. You can test it using our free trial at http://belkasoft.com/trial.

Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted out of Windows Phone 8 devices. We’ve got dozens of requests from European police departments, especially those from Germany, Italy, and the UK about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small of a market share these devices had, the recently published numbers of every 10th device sold in Europe being a Windows Phone made us change our mind.

Meet the newest release of Belkasoft Evidence Center! In this release, we’ve added the ability to process, parse, and extract information stored in binary dumps of Windows Phone devices captured with JTAG or Cellebrite UFED hardware. We can fully reconstruct the original file system of the device, allowing experts to browse through the file system and view and extract individual files and folders.

Our signature discovery and analytics are also there for Windows Phone data. The updated Belkasoft Evidence Center will automatically search for, extract and analyze the many types of evidence essential for your investigation. Contacts and address books, call logs, Skype chats and communication histories in third-party messengers, browsing history and cached social network conversations are carefully extracted and added to the list of available evidence.

Read more at http://belkasoft.com/jtag-analysis

Conference in Italy

Belkasoft will be present at the “Forensic meeting” in Roma and Milan on Sep, 11-12. Nikita will have a speech on latest Belkasoft developments in the area of computer forensic analysis.

See more details on the event at http://www.4n6.it/en/news.php. Looking forward to meet our Italian customers!

Belkasoft Products Appear in Guidance EnCase AppStore, Two New Editions Introduced

Great news! We’re proud to announce yet another step leading to a tighter partnership with Guidance Software. Our entire product line is now officially integrated with Guidance EnCase, and appears in EnCase App Central. We view the tight integration with Guidance EnCase and the acceptance in EnCase App Central as a quality seal for our products. Our forensic tools enjoy continuous success among EnCase users. We’re looking forward for more EnCase customers to use our software.

We have also introduced two new editions of Belkasoft Evidence Center. The new entry-level edition is called Belkasoft Chat Analyzer. The other edition is called Belkasoft Chat & Social Analyzer. Belkasoft Chat Analyzer will cost EnCase users some $199, while Chat and Social Analyzer is $499. Belkasoft Chat Analyzer is identical, feature wise, to Belkasoft’s entry-level edition called Forensic IM Analyzer (regularly priced at $499.95), while Chat and Social Analyzer integrates the ability to carve hard drives, drive images and memory dumps (via Live RAM analysis) for remnants of chats and communications carried over a variety of applications such as instant messengers and social media (Facebook, Twitter etc.) At $499, Chat and Social Analyzer offers EnCase users more features than similarly priced Belkasoft’s entry-level edition.

The rest of the lineup (Professional and Forensic Studio Ultimate) is also published at EnCase App Central and is unchanged.

Belkasoft Evidence Center is available on EnCase App Central in four versions:

  • Chat Analyzer ($199)
  • Chat and Social Analyzer ($499)
  • Professional ($799)
  • Ultimate ($1,099)

You can read more on Belkasoft Evidence Center and download the free demo version at our Web site: http://belkasoft.com/

Read full press-release: Belkasoft Guidance AppCentral PR.pdf

Evidence Center 5.4 is out

We finally released this long-awaited update. We spent a lot of time developing, testing and improving this release. Well, it’s here now! Version 5.4 offers a host of new features, functionality and usability improvements, easily becoming the best Evidence Center so far. We’ve added faked image detection, recovery of destroyed SQLite evidence, Timeline view and much more!

What’s New in Belkasoft Evidence Center 5.4

Version 5.4 is an important major release, adding a wide range of new features. At a glance:

  • Forgery Detection plugin automatically identifies images that’ve been altered or modified since they left the camera;
  • Analysis of fragmented memory sets improves Live RAM analysis. It decomposes and reassembles memory snapshots to extract recently viewed JPEG images even if they are scattered around the memory dump;
  • Timeline adds a convenient aggregated view of user activities and system events;
  • Native SQLite database parsing with freelist support helps recover destroyed evidence such as cleared Skype histories;
  • Windows Registry support automatically locates and parses registry hives, extracting many types of valuable evidence.

Continue reading