Belkasoft

Belkasoft is happy to announce an upcoming release of massively updated version 8.0 of its leading digital forensic solution Belkasoft Evidence Center 2017. Version 8.0 will include a number of newly added useful features that are going to significantly improve the efficiency of digital forensic investigations.

Among the new features:

* A new imaging tool, Belkasoft Acquisition Tool, or BelkaImager
* Social Graph Builder, capable of finding communities of users in a course of large investigations
* In-depth support for Volume Shadow Copy
* and many other

Read more about the new release and Early Access Program at https://belkasoft.com/bec2017

Sign up for a free webinar at https://belkasoft.com/webinar.

Belkasoft announces a major update to Belkasoft Evidence Center, the company’s flagship digital forensic solution. The new release brings a revamped user interface, improved search and enhanced analytics. A major addition to Evidence Center 7.5 is the ability to directly access encrypted iTunes backups whether or not the password is known. Unknown passwords can be attacked directly by using the new Decryption module. Other changes include the updated Photo Forgery Detection, EML and MSG email analysis and Google Maps clustering support.“Evidence Center 7.5 delivers better usage experience with new user interface and more features”, says Yuri Gubanov, Belkasoft CEO. “The integrated iTunes decryption, support for additional email formats, the all-new photo forgery detection module and tons of smaller improvements and enhancements all contribute to a better, smoother usage experience”.

Modern User Interface with Theme Support

For years, Belkasoft Evidence Center was employing the same concept for its user interface. While staying put during all those years provided the much needed consistency to our customers, we felt it’s time for a change. In version 7.5, we brought customizable theme support, allowing our users switching to a new modern look with a push of a button. In addition, Evidence Center 7.5 redesigns searching and filtering, offering smoother performance with cleaner looks.

Access to Encrypted iTunes Backups

Prior to version 7.5, Belkasoft Evidence Center could only process unencrypted iTunes backups. Today, Evidence Center moves one step closer to becoming a true all-in-one solution for desktop and mobile forensics. In this release, Evidence Center gains the ability to automatically decrypt iTunes backups using a known password. If the password is unknown, the new Decryption module is available to attack and recover the password.

Revamped Photo Forgery Detection Plugin

The Forgery Detection Plugin automatically discovers altered, forged and tampered photos among the thousands of files available on the suspect’s computer. In this release, the Photo Forgery Detection plugin received a major overhaul with new types of analysis and better reporting.

More Improvements and Enhancements

This release packs a large number of improvements and enhancements. Improved SQLite analysis with better freelist and unallocated space support, support for updated versions of popular chat apps, support for EML and MGS email formats, Evidence Reader no longer requiring Administrator privileges and tons of other features are listed in the official change list: https://belkasoft.com/new

About Belkasoft Evidence Center

Belkasoft Evidence Center is a world-renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft Evidence Center can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile backups and chip-off dumps. The tool can capture and analyze volatile evidence stored in the computer’s RAM, identify encrypted files, carve Internet chat logs, Web browsing history and email communications including information stored in digital pictures and videos. The ability to process office documents in a wide range of formats enables investigators to perform near-instant full-text search among all the documents discovered on the suspect’s PC.

Low-level access to hard disk and system structures means that even data that has been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

About Belkasoft

Founded in 2002, Belkasoft is a global leader in digital forensics technology, known for their sound and comprehensive forensic tools. With a team of professionals in digital forensics, data recovery and reverse engineering, Belkasoft focuses on creating technologically advanced yet easy-to-use products for investigators and forensic experts to make their work easier, faster, and more effective.

With this focus in mind, Belkasoft introduces their flagship product, Belkasoft Evidence Center – an easy-to-use, integrated solution for collecting and analyzing digital evidence from mobile and computer devices. Customers in law enforcement, police, military, business, intelligence agencies, and forensic laboratories in 70+ countries worldwide use Belkasoft Evidence Center to fight homicide, crimes against children, drug trafficking, data leakage, fraud, and other online and offline crimes.

Belkasoft D-U-N-S number 683524694.
Belkasoft NATO Commercial and Government Entity (NCAGE, also CAGE) code SKF09.
Belkasoft is also registered within Central Contractor Registration (CCR), ORCA and WAWF.
Belkasoft is a registered trademark.

More information about the company and its products at https://belkasoft.com

# # #

Information on Belkasoft Evidence Center as well as the free demo download are available at https://belkasoft.com/get

The complete change log is available at https://belkasoft.com/new

Belkasoft announces a major update to Belkasoft Evidence Center, the company’s flagship digital forensic solution, to version 2016. The new release comes with revamped user interface, numerous improvements to performance, productivity and usability. A number of new analytic functions were added, enabling investigators to dig deeper without being hit by the time penalty. Finally yet importantly, Belkasoft Evidence Center 2016 comes with full support for Windows 10, adapting its discovery and analytic engine to cope with new and changed artifacts produced by Microsoft’s new OS.

“We made a major release just before the year’s end”, says Yuri Gubanov, Belkasoft CEO. “The new version of Belkasoft Evidence Center feels like a totally new product. We made it faster and easier to use while adding new analytic features – all that to help you discover more with less time wasted”.Productivity and Usability Improvements

Compared to previous versions, Belkasoft Evidence Center 2016 looks, feels and works like whole new product. The new release adds new ways to work with discovered evidence, enables faster searching and adds instant filtering. The redesigned evidence discovery wizard makes data search settings easier to adjust, while mobile artifacts get their own dedicated section.

The newly introduced Hashset Analysis section allows searching for files based on the hash sum, matching calculated hash values against a given NSRL hash set database. MD5 and SHA1 hashes are supported.

Last but not least, Belkasoft Evidence Center 2016 receives a long-awaited ability to identify and discover artifacts produced by Microsoft’s new OS, Windows 10. The new jumplist format, Edge and Internet Explorer browser data, and a range of other artifacts produced by Windows 10 are now fully supported by Evidence Center.

For full list of changes, please refer to https://belkasoft.com/new.

New users as well as existing customers can enjoy a free webinar on the new version of Belkasoft Evidence Center on December 15, at 6 pm CET.

Sign up at https://belkasoft.com/webinar.

About Belkasoft Evidence Center

Belkasoft Evidence Center is an all-in-one forensic solution for locating, extracting, and analyzing digital evidence stored inside computers and mobile devices. Belkasoft Evidence Center makes it easy for an investigator to search for, analyse, store and share digital evidence found inside computer and mobile devices. The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will automatically analyse the data source and lay out the most forensically important artefacts for investigator to review, examine more closely or add to report.

Low-level access to hard disk and system structures means that even data that has been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

About Belkasoft
Founded in 2002, Belkasoft is a global leader in digital forensics technology, known for their sound and comprehensive forensic tools. With a team of professionals in digital forensics, data recovery and reverse engineering, Belkasoft focuses on creating technologically advanced yet easy-to-use products for investigators and forensic experts to make their work easier, faster, and more effective.

With this focus in mind, Belkasoft introduces their flagship product, Belkasoft Evidence Center – an easy-to-use, integrated solution for collecting and analyzing digital evidence from mobile and computer devices. Customers in law enforcement, police, military, business, intelligence agencies, and forensic laboratories in 70+ countries worldwide use Belkasoft Evidence Center to fight homicide, crimes against children, drug trafficking, data leakage, fraud, and other online and offline crimes.

Belkasoft D-U-N-S number 683524694.
Belkasoft NATO Commercial and Government Entity (NCAGE, also CAGE) code SKF09.
Belkasoft is also registered within Central Contractor Registration (CCR), ORCA and WAWF.
Belkasoft is a registered trademark.

More information about the company and its products at https://belkasoft.com

# # #

Information on Belkasoft Evidence Center as well as the free demo download are available at https://belkasoft.com/get

Today is Cyber Monday, and if you missed Belkasoft’s Black Friday wholesale, you can still purchase our flagship digital forensic product Belkasoft Evidence Center 2015 with deep discounts! Today only, the product can be purchased for as little as $499 – a small fraction of the regular price!

Don’t wait: proceed at http://belkasoft.com/cyber-monday-2015!

Today is Black Friday, and everything is possible. Belkasoft announces a one-time, one-day discount towards the purchase of its flagship digital forensic product Belkasoft Evidence Center 2015! Today only, the product can be purchased for as little as $99 – a tiny fraction of the regular price!To purchase at this price, fill the form today at http://belkasoft.com/black-friday-2015.

Digital investigator nowadays has access to a wide array of solid forensic tools. Some of them offer mobile forensics only, some help with computer or laptop analysis, some – like Belkasoft Evidence Center – support all types of devices, but the task flow and product logic is more or less fixed in every product. If an investigator faces an unusual task, it is hard to solve it within the workflow offered by a product. And unusual tasks are not that rare – we hear about them very often, just take a glance at Forensic Focus forums page.

In this article, we will discuss some real life stories that involved cases hard to solve with the standard workflow in Belkasoft Evidence Center:

• Good Employee, Bad Employee
• Bar Fight
• Digging Deep Inside PhotosHowever, it became possible with BelkaScript, a free built-in scripting module that allows users to write custom scripts to extend Evidence Center capabilities. Scripts can be used to automate some of the routine (for example, reporting or bonding together two operations) or to extend product’s functionality for a specific situation. But it most certainly does not end there as we will now show on real-life examples.

Read more

Belkasoft announces an upcoming release of their flagship all-in-one forensic product. Belkasoft Evidence Center 2016 comes with a substantial number of improvements and new features that are to bring the product to a new level of convenience and effectiveness in working with digital evidence.

In the new release, we added a lot of new supported artifacts, including a significant number of mobile apps such as browsers, payment systems, messengers, and social networking apps. At the same time, we refined the interface in such a way that it is now more convenient to work with the increased amount of artifacts. In particular, we reworked artifact selection window, and added filters that allow you to sort items by text, metadata, date, or other criteria. Besides, evidence search engine was empowered and now works faster than ever.One of the newly added important features of the product is hashset analysis (uses NSRL hash database). These and many more other changes and enhancements of the new version will be covered during our free webinar “Enhancing digital investigations with Belkasoft Evidence Center 2016”. The webinar will be conducted by Yuri Gubanov, Belkasoft CEO & Founder and a renowned expert in digital forensics.

The webinar will feature a presentation with an overview of the most significant improvements and new features of Belkasoft Evidence Center 2016, as well as questions from the viewers, answered live.

Date: November 4, 2015
Time: 17:00 UTC / 18:00 CET/ 12:00 EST / 20:00 MSK

Sign up for the webinar now and get your guaranteed free trial version of the product: http://belkasoft.com/webinar

In the first part of our series on SQLite analysis we talked about accessing corrupted SQLite files and recovering deleted SQLite records from the freelist. Today we will cover two more important topics: SQLite write-ahead log (WAL) and unallocated space of SQLite databases, and how to analyze them using Belkasoft Evidence Center.

From our original article on SQLite forensics you may already know that straightforward analysis of a SQLite file rarely shows the complete picture. Indeed, free and open-source SQLite tools rarely (if ever) deal with freelists. Yet another thing they do not normally deal with is write-ahead logs.

Write-ahead logs, or WAL, work in an opposite way to freelists. While the freelist contains deleted SQLite records, the write-ahead log is used by the SQLite engine to store pages not yet committed into main database.

Belkasoft Evidence Center is an integrated forensic product with advanced out-of-the-box analysis of SQLite databases. Unlike many other tools on the market, Evidence Center automatically parses freelists and write-ahead logs, merging found records together with data from the main database.

Evidence Center’s SQLite Viewer is a convenient and powerful built-in tool for thorough examination of SQLite databases

How much information can a write-ahead log contain? Usually, that would be a few hundred records, and it is an awful lot if we are talking, for example, about instant messengers. So what exactly is write-ahead log, and why does SQLite use it?

SQLite is a transaction-based database. Historically, SQLite used rollback journals, the atomic commit and rollback mechanism to guard against potential write errors. Rollback journals worked by saving old copies of pages being overwritten with new data into a separate journal file. SQLite removed the journal file if the write operation was concluded successfully. If an error occurred, the engine would roll back the original page from the journal file, returning the database to original state by merging data from rollback journals into the main file.

Skype databases: main.db (8 572 KB) and main.db-journal (1 588 KB). Using regular tool, you can lose up to 20% of records! Belkasoft Evidence Center will automatically merge data from both files to a single list

Rollback journals provided a robust and reliable way of safeguarding information. Unfortunately, their use required a lot of extra read and write operations, causing significant slowdowns on heavy load. Since the release of SQLite 3.7.0 back in 2010, the database engine no longer uses rollback journals. A new commit and rollback method called write-ahead log ("WAL") was introduced.

Write-ahead logs no longer back up information from the main database. Instead, the new commit scheme uses a temporary database file to write new records to, only merging the temp file with the main database on commit. In essence, write-ahead logs work in the opposite way to rollback journals. Where the rollback journal saved a copy of the original database content into a separate file and then wrote new data directly into the database file, WAL preserves the original content in the main database while writing new data into a separate WAL file. WAL was found to be significantly faster in most scenarios compared to the old journaling mechanism, providing better concurrency and optimizing disk I/O operations.

The two files (the main database and the write-ahead log) are merged when committed. The commit event occurs when a certain size of the write-ahead log is reached, or if a manual commit event is received. Typically, SQLite automatically commits after the WAL reaches the size of 1000 records. Until then, the database reads new records from the WAL file. Does that ring a bell?

Indeed, when analyzing a SQLite database, one can access up to a thousand new records by parsing the WAL file, and read all the old records from the main database file. General-purpose SQLite tools don’t normally offer the choice, either parsing the main database only or (more commonly) automatically merging the content of the WAL file with the main database, thus overwriting old records. Neither approach is good for digital forensics.

Remember how many records a write-ahead log may contain? By default, SQLite commits a checkpoint when the WAL file reaches a threshold size of 1000 pages. A thousand records is an awful lot in the context of chatting or casual Web browsing. A typical chat session never triggers the commit checkpoint, leaving all sent and received messages uncommitted and stored in the WAL file.

Belkasoft Evidence Center natively supports both the old journaling method and the newer write-ahead logs. When opening a SQLite database, Belkasoft Evidence Center will automatically look for rollback journal and write-ahead log files. If either file is discovered, Belkasoft Evidence Center will parse both the main database file as well as the temporary rollback and write-ahead files. As a result, you will be able to see both the old (historic) copy of a page as well as the new (uncommitted) copy of the same page stored in the write ahead log (or vice versa if an older version of SQLite with rollback journals is used). Uncommitted records are then highlighted with a different color:

SQLite Viewer allows you to see the full picture by reviewing both committed and uncommitted records (the latter are highlighted with blue)

In some cases, cleaning up a database or deleting records does not remove entries from the write-ahead log. This results in the most recent records (up to 1000 in typical conditions) being available for analysis.

When it comes to storing information in a file, SQLite features a fairly complex structure. As many other databases, SQLite breaks information stored in a file into pages. Inside these pages there are smaller chunks of information called cells. Due to the way SQLite allocates space, new cells are normally placed towards the end of the page. Preceding cells that have not yet been used constitute unallocated areas.

Similar to disk space allocated by the file system, unallocated space in SQLite can be just empty. However, it may contain deleted data or remnants of previously used pages. In other words, unallocated space is constituted from page fragments that contain random pieces of data.

Analyzing unallocated space in SQLite databases is not easy. Since unallocated space does not contain valid data or pointers and is not referenced from the page index, data stored in unallocated areas is difficult to extract and almost impossible to reconstruct into something meaningful. You may find that examining unallocated space can be difficult and time-consuming. Even if you are able to locate a fragment, you will not be able to tell which page used to contain it. Recover the broken relations is also not possible.

It is important to note that absolutely no general-purpose SQLite tools using standard access methods and high-level API’s can access unallocated space or extract data from these areas. You will need a forensic-grade product such as Belkasoft Evidence Center in order to discover unallocated areas inside a SQLite database, view and extract information.

Why should you bother analyzing unallocated space? These free, unallocated areas may contain bits and pieces of data deleted by the user long time ago.

Belkasoft Evidence Center is one of very few products that allow you to examine unallocated space of SQLite databases. The product extracts data located in unallocated space completely automatically. After that, you can use the built-in Hex Viewer for thorough manual examination, or you can simply open the built-in SQLite Viewer and select the "Unallocated space" tab.

Notably, Belkasoft Evidence Center can carve unallocated SQLite space for hundreds of supported artifacts. If anything found, you can review "Carved data from unallocated space" tab for the findings (see screenshot below).

Belkasoft Evidence Center can recover information from unallocated SQLite space

This feature makes work with SQLite databases in Evidence Center even more convenient: instead of spending hours looking through chunks of binary data in Hex Viewer, you can just open the tab with carved data from unallocated space in SQLite Viewer and review it – sorted out by columns, formatted and laid out cleanly. Besides, SQLite Viewer allows you to create reports directly from within its interface, so that, when you find what you were looking for, you can export the findings immediately:

Belkasoft Evidence Center allows you customize your report by choosing format (PDF, CSV, XML, and others), adjusting logo, fonts, table size and contents, number of pages, etc:

Reports created with Belkasoft Evidence Center are accepted in courts

Belkasoft Evidence Center implements the lowest-level approach to handling SQLite databases. When it comes to SQLite evidence, Belkasoft Evidence Center is an all-in-one digital forensic tool, and is as close to a one-button solution as at all possible in the complex world of digital forensics. With Belkasoft Evidence Center, you can carve the disk, forensic disk image, or a memory dump for SQLite databases, automatically extract and analyze information from all available sources including freelists, rollback journals and write ahead logs. The built-in SQLite Viewer and Hex Viewer, as well as some of other advanced features, allow you to perform low level examination and, for instance, can help discover evidence that is still available in unallocated areas of the SQLite database.

Belkasoft Evidence Center is perfectly equipped to handle existing, emptied, deleted or corrupted SQLite databases

Belkasoft Evidence Center is able to recognize hundreds of applications that use SQLite, extracting and displaying mobile apps data, browser histories, smses, messages, call logs or chat logs discovered in current, deleted, uncommitted and unreferenced database records.

Much has been said about the different tools to extract, view, and recover SQLite databases. Why is SQLite analysis so important for digital forensics? Why is SQLite not straightforward to investigate? Why use Belkasoft Evidence Center for SQLite analysis? Read along to find out!

When looking for digital evidence, one has to look through a large number of files on the disk to discover just the few important pieces. Automating evidence search can help locate evidence stored in files that were moved, renamed or deleted. This article offers a general overview of data carving techniques used in todays computer forensic tools, outlines benefits and limitations of the technology, and demonstrates how to use carving in a forensic tool to discover evidence.

"Carving" refers to a very specific technique for locating evidence. The carving technique is based on signature search analysis. Instead of relying on the file system in order to locate files, carving algorithms use a much lower-level approach. During carving, the algorithm will read the content of the disk, partition, or forensic disk image one block after another. Each data block is analyzed against a database of known file formats. If the algorithm discovers a match, and after performing one or more secondary checks, the carving algorithm may assume that a certain data block contains a file header.

The algorithm then analyzes the file header (assuming that it is in a certain format), and attempts to determine the length of the file. While it may sound easy on paper, determining the correct file length is not always easy. While some formats (e.g. PDF, DOC, PNG) specify the length of the file in the header, other formats (e.g. JPEG or SQLite) don't.

Belkasoft Evidence Center carves both pictures, documents and SQLite

This means that further analysis of subsequent data blocks is required when carving these files. For example, carving a SQLite database involves reading and analyzing subsequent data blocks in order to determine whether or not they contain valid records in the SQLite database format.

Now, what happens if a file being carved was already partially overwritten? In this case, the carving algorithm will obviously extract incomplete or corrupted files. What is more interesting is what happens next: instead of extracting a file of (N) blocks and resuming carving from block number (N+1), the carving algorithm actually returns to the data block located immediately after the detected header, and resumes carving from that point.

This allows dealing with partially overwritten and fragmented files. However, one of the consequences of this carving approach is that it may result in a larger carved data set than was originally available on the disk being carved. This is why we recommend having as much as 1.5 to 3 times more free space on your hard drive compared to the storage size of the disk being carved.

Belkasoft Evidence Center (BEC) is an all-in-one forensic tool known for its comprehensive set of helpful and convenient analysis features – and carving with this product is no exception.

Carving is an integral part of Belkasoft Evidence Center. The entire procedure is automated, allowing you to pick what types of evidence to carve for and to choose whether to carve the entire disk contents or to analyze only certain allocated (or unallocated) areas, which helps you save your time. Moreover, you can choose to carve only the free space inside allocated. Since Belkasoft Evidence Center locates and analyzes the data automatically, choosing to carve only free space will ease and speed up the examination, because this way we reduce the amount of data to carve. Also, there will be no duplication of evidence that has already been discovered by the tool.

You can select to carve only Free space in BEC

Belkasoft Evidence Center allows you to carve devices or images for hundreds of different kinds of forensically important artifacts, including documents, pictures, system and registry files, SQLite databases, browser data, messenger and peer-to-peer communication histories, and more. (Note that while above we were discussing file carving only, BEC extends its set of data to carve to separate chats, visited URLs, emails and so on). It is particularly convenient to be able to choose what to look for when you already know or can assume what kind of evidence you are looking for and want to snipe it quickly.

Selecting types of evidence to carve in BEC

It is important to note that with Evidence Center you can also carve a Live RAM dump, which can be – and most of the time is – a crucial source of digital evidence. While Belkasoft Evidence Center supports the output of any of other RAM dumping tools on the market, it also comes with a free powerful volatile memory acquisition product – Belkasoft Live RAM Capturer. Live RAM Capturer is available for download: http://belkasoft.com/ram-capturer.

Live RAM contents are often fragmented, which might become a serious problem for investigators, but Belkasoft Evidence Center offers a reasonable solution to it with a smart carving mode – BelkaCarving™. BelkaCarving effectively deals with fragmentation of data, allowing a more accurate recovery of evidence that would not be available otherwise.

Besides RAM image file, you can also specify a path to hibernation or page files (hiberfil.sys and pagefile.sys). These two kind of files contain Live RAM data written on a hard drive as a part of Windows functioning, thus they are important source of live memory artifacts, because the RAM contents may survive switching computer off and can be discovered by Belkasoft Evidence Center.

Once the product has finished the analysis, it will sort found data by type and lay it out so that it is easy and convenient to review. You can now inspect the desired artifacts even more closely with one of the built-in low-level tools, for example, Hex Viewer.

Handy Hex Viewer allows to see binary file data and do type conversions

Belkasoft updates its digital forensic solution, Belkasoft Evidence Center 2015, with the ability to perform forensic analysis of Windows Phone 8.1 images acquired via JTAG flashers and Cellebrite UFED hardware.

The new release enables automated extraction, discovery and analysis of user data available in chip-off dumps acquired from mobile devices running Windows Phone 8 and 8.1. Supported data includes Web browsing histories, contacts, call logs, chats, instant message conversations, cached social network communications, screenshots of background applications, and many other types of data.

Analyzing Windows Phone 8.1 Dumps

The new release of Belkasoft Evidence Center 2015 enables full support for information dumped or extracted from all Windows Phone 8.1 devices with the use of JTAG or UFED hardware. Belkasoft Evidence Center 2015 can parse the binary dumps, reconstructing the original file system of the device and enabling experts browse, view and extract individual files and folders. The tool will automatically search for, extract and analyze the many types of evidence recognized by Belkasoft Evidence Center including contacts and address books, call logs, communication histories in Skype and third-party messenger apps, browsing history and cached social network conversations.

SQLite database, carved from JTAG dump, is shown in the built-in SQLite Viewer

Page File Analysis
Similar to its desktop counterpart, the mobile version of Windows swaps memory pages into a page file. Considering the domination of low-memory devices with only 512 MB of RAM, their reliance on page files is extremely strong. However, due to the different microprocessor architecture, the format and content of the page file differs significantly. At the same time, page files contain a host of forensically important information, preserving snapshots of the device’s volatile memory and containing essential real-time information that would be otherwise lost once device has been powered off.

Internet Explorer history is found inside pagefile, located in JTAG dump

Belkasoft Evidence Center becomes the first digital forensic tool to parse Pagefile.sys files produced by Windows Phone 8.1. The tool will automatically parse the page file, carving all known types of artifacts such as cached Web pages and pictures, chat messages and posts in social networks.

Screenshots of Minimized Applications

Windows Phone devices can only run one app in the foreground. Background applications are minimized and often pushed out of the volatile memory. At the time Windows Phone minimized an app, the system captures and stores its screenshot. Depending on the application, the screenshot may display current user activity such as the currently visited Web page or social network profile, open chat session, picture or video being viewed. Information captured with these screenshots is often unavailable elsewhere. Belkasoft Evidence Center recognizes the importance of application screenshots, targeting these pictures specifically during carving and displaying them in a dedicated section.

A pack of application screenshots found inside particular JTAG dump

About Belkasoft Evidence Center 2015

Belkasoft Evidence Center is a digital forensic solution enabling security experts and forensic specialists collect and analyze digital evidence from computer and mobile devices. Belkasoft Evidence Center can automatically locate, process and analyze evidence stored inside hard drives, forensic images and dumps. Hundreds of evidence types supported out of the box, such as documents, emails, pictures and videos, chats and browser histories, encrypted and system files.

Low-level access to hard disk and system structures means that even data that’s been deleted by a suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase and FTK, DD and SMART formats, UFED, chip-off and JTAG binary dumps, X-Ways containers and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.
Information on Belkasoft Evidence Center as well as the free demo download are available at http://belkasoft.com/trial.

Belkasoft have released a major update to their flagship forensic tool, Belkasoft Evidence Center. With the version 7.0, Evidence Center becomes a true all-in-one forensic solution, reliably analyzing evidence from all imaginable sources.

Evidence Center is well known for its ability to easily find and analyze 500+ types of evidence (such as documents, emails, chats, system and registry files, etc.). What makes this new release different is the ability not just to analyze supported apps and formats, but also to perform low-level investigations of any piece of evidence on a suspect’s device or image.Here are the new modules in your arsenal:

• File System Explorer shows all files and folders, including deleted and special ones
• Hex Viewer helps investigator to conveniently glance over binary data, while Type Converter assists in interpreting it
• Scripting allows to extend Evidence Center with custom functionality
• Live RAM Process Explorer helps to extract and visualize process memory

Newly added features make Belkasoft Evidence Center 2015 one of the most complete solutions in the field of digital forensics.

File System Explorer

The File System Explorer allows forensic experts to access the complete structure of a device, dump, drive or memory image, mobile phone, tablet, or virtual machine. Within this module, investigators are able to analyze all volumes and partitions to browse existing and deleted files and folders, including special ones such as $OrphanFiles, $Log, $BadClus and so on.

On this picture you can see an Android phone (chip-off dump) file structure shown by File System module of Belkasoft Evidence Center 7.0. Particularly, you can see hidden special folder $OrphanFiles.

BelkaScript

Custom scripting engine BelkaScript makes Evidence Center a truly user-extendable tool. BelkaScript uses easy to learn simplified C# programming language, so that the experts can write their own modules to extend Evidence Center functionality. We included a number of samples in the product installation, allowing users to write the first script easily. To give an example, one of the sample scripts implements custom header-footer carving using a pre-defined signature.

Scripts are written in simplified C#. Scripting window allows to debug custom extensions using breakpoints, step-by-step debugging, variable values inspection and so on.

Hex Viewer and Type Converter

Hex Viewer enables binary analysis of any file on the disk, mobile device, image, process or memory dump. Handy Type Converter allows to inspect any selected value, interpreting it as various data types, such as numbers, date/time stamps, IPs, etc.

Built-in Hex Viewer allows low-level file investigation; it has a handy type converter, showing current selection in different formats; search and bookmarking; saving selection to a file; advanced Go to, including jump to a relative offsets and many more.

Live RAM Process Explorer

Live RAM Process Explorer works similarly to File System Explorer, but with processes instead of files. For example, investigators can view all processes – dead or alive – within Windows 7 memory dump and explore memory of, say it, Skype.exe and AppleMobileDev processes using Hex Viewer and Type Converter.

Windows 7 Live RAM processes are shown, including dead processes; it is possible to select a process and review its memory in Hex Viewer.

About Evidence Center

Belkasoft Evidence Center is one of the few digital forensic tools investigating both PC and mobile devices running not just Windows, but also Mac OS X, iOS, Linux/Unix, Android, and alternative systems.

In addition to low-level investigation, the tool provides out of the box evidence discovery and analysis for 500+ forensically important “low-hanging fruits”, such as email, documents, mobile apps, SQLite databases, registry and system files, internet chats, social networks, pictures, videos, encrypted files and volumes, and many more. The following data sources are supported:

• Computer hard drives
• Drive images
• Smartphone backups
• UFED images
• Raw chip-off dumps of mobile phones
• Live memory dumps
• Virtual machines
• Etc.

Time-limited offer

A number of newly released modules with a total value of $600 is available for existing customers at no charge. If you have a non-expired floating license for Belkasoft Evidence Center Ultimate with Case Management, or if you are just planning your purchase, you are eligible to upgrade and receive the new modules free of charge. The offer expires by December 31, 2014.

• Request a FREE trial:
http://belkasoft.com/trial

• More information about what’s new in version 7.0 is available at
http://belkasoft.com/bec/en/Whats_New_In_Version_7.0

Belkasoft announces a major update to its flagship forensic product, Belkasoft Evidence Center 2013. Version 5.3 introduces Evidence Reader, an all-new free tool allowing Belkasoft users to pass along evidence collected with the main product.

Over 12 other enhancements are made to further enhance the efficiency of forensic investigations, simplifying the process of obtaining and analyzing digital evidence. Upgrade to Belkasoft Evidence Center 5.3 is offered free of charge to all customers holding a valid license for version 5.2 and customers on the extended support and maintenance plan.Evidence Reader: the Free Way to Pass Along Digital Evidence

The newest release of Belkasoft’s popular evidence analysis toolkit introduces an all-new way to deal with collected evidence. The newly developed Evidence Reader allows accessing evidence collected with Belkasoft Evidence Center from any computer free of charge, even without Evidence Center installed. Evidence Reader allows Belkasoft users to transfer data collected during the investigation between computers, enabling them to pass digital evidence along to their colleagues and co-workers, as well as to present collected information in a court.

The new Evidence Reader greatly enhances the value of the product for those customers opting for a bare basic license without the Case Management module. Case Management allows users of Belkasoft Evidence Center storing evidence discovered during the session to a database for later use, and allows accessing, managing and deleting previously collected data. Case Management is a paid add-on. Prior to this release, customers without Case Management functionality were required to produce a report immediately after completing the session. The new Evidence Reader tool enables customers without Case Management to not only save collected evidence, but also pass it along to other people for offline analysis, albeit in read-only mode.

Extended File Carving

Version 5.3 expands file carving support, adding many document, picture and system file formats to the list of data extracted from unallocated disk space. Supported are Microsoft Word 97-2003, Excel 97-2003, PowerPoint 97-2003; jpg, bmp, gif, wmf; Thumbs.db and SQLite databases. In addition, existing Thumbs files can now be discovered and analyzed for Windows 8 and legacy versions of Windows.

Upgrade to Version 5.3 at No Charge

Belkasoft strives to deliver the best service to its valued customers. That is why the upgrade to version 5.3 is offered free of charge to all customers holding a valid, non-expired license for the previous version of Belkasoft Evidence Center (version 5.2) and all customers having a valid Extended Support and Maintenance plan.

Other Improvements

Version 5.3 also includes a wide range of other great improvements and enhancements further enhancing the efficiency of forensic investigations, simplifying the process of obtaining and analyzing digital evidence.
The complete list of additions and enhancements in version 5.3 is available at http://forensic.belkasoft.com/en/whats_new_in_version_5.3.

About Belkasoft Evidence Center 2013

Belkasoft Evidence Center is the company’s flagship computer forensic tool enabling security experts and forensic specialists collect and analyze more digital evidence than ever Belkasoft Evidence Center can automatically locate, process and analyze Internet chat logs, Web browsing history and email communications including information stored in digital pictures and videos, a variety of history and log files. Low-level access to hard disk and system structures means that even data that’s been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux and Mac OS X file systems and natively mounting images created in EnCase, DD and SMART formats without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

The affordable Standard edition is available to private investigators and corporate security departments, while the more comprehensive Professional edition adds the abilities to recover hidden and destroyed evidence with Data Carving, analyze memory dumps with Live RAM analysis. The Ultimate edition adds document analysis, encrypted file discovery, mobile backup analysis and multimedia support, allowing investigators to automatically detect images and videos containing faces, pornography and scanned documents. The top-of-the-line Enterprise edition allows major security agencies and police departments to have multiple investigators work simultaneously on a case.

Pricing and Availability

Belkasoft Evidence Center 2013 is available immediately. Pricing for Forensic IM Analyzer edition starts from $499.95, the Professional edition is available from $799.95, while the Ultimate edition sells for $1099.95.

About Belkasoft

Founded in 2002, Belkasoft is an independent software vendor specializing in computer forensics and IT security software. Belkasoft products back the company’s “Forensics made easier” slogan, offering IT security experts and forensic investigators solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.

Belkasoft Evidence Center 2013 is a world renowned tool used by thousands of customers for conducting forensic investigations, as well as for law enforcement, intelligence and corporate security applications. Belkasoft customers include government and private organizations in more than 40 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.

More information about the company and its products at http://belkasoft.com

# # #

Information on Belkasoft Evidence Center as well as the free demo download are available at http://forensic.belkasoft.com/

The complete list of additions and enhancements in version 5.3 is available at http://forensic.belkasoft.com/en/bec/en/whats_new_in_version_5.3.asp

Belkasoft has released a new kernel-mode forensic tool to capture the content of the computer’s volatile memory. Belkasoft RAM Capturer offers forensic specialists the ability to take snapshots of the computer’s volatile memory (“memory dumps”) even if an anti-dumping protection is active. The supplied kernel-mode driver can successfully capture memory content of applications protecting their working set against dumping, including chats occurring in Karos and other MMORPG games. The tool is available free of charge, and can be downloaded from http://forensic.belkasoft.com/en/ram-capturer

Protected Memory Sets

Today, many applications protect their memory sets against dumping. Such applications include multi-player online games, malware, custom and commercial products protected with active anti-debugging systems. In best-case scenario, an attempt to read a protected memory area will result in garbage data or zeroes returned instead of the actual information. In worst-case scenarios, if an anti-debug system detects an attempt to read protected memory areas, it may take measures to destroy affected information and/or cause a kernel mode failure, locking up the computer and making further analysis impossible. This may happen if a user-mode volatile memory analysis tool is used to dump content protected with a kernel-mode anti-debugging system.

Kernel Mode Memory Dumping

There are several techniques available to forensic specialists when acquiring the content of the computer’s volatile memory. Capturing live RAM content can be done with user-mode or kernel-mode software tools, or performed in a form of a FireWire attack (if the target computer supports FireWire and has corresponding drivers installed and active).

The majority of free memory dumping tools such as AccessData FTK Imager or PMDump can only run in user mode. In comparison, Belkasoft RAM Capturer supplied a kernel-mode driver that operates in the system’s most privileged ring in kernel mode. Running in kernel mode allows Belkasoft RAM Capturer to successfully bypass all currently available active anti-dumping protection systems such as nProtect GameGuard.

Anti-debug and anti-dumping systems such as GameGuard are designed to protect applications’ memory set against tools attempting to acquire or modify protected content. These systems run as system drivers in the most privileged kernel mode, leaving no chances to memory acquisition tools running in a less-privileged user mode.

Belkasoft RAM Capturer supplies its very own system driver, running in the same privileged kernel mode as anti-dumping systems. This allows Belkasoft RAM Capturer to successfully acquiring memory content protected by these anti-dumping systems.

Compared to…

Belkasoft made an internal comparison between Belkasoft RAM Capturer and latest versions of competing RAM acquisition tools. Belkasoft RAM Capturer was tried against AccessData FTK Imager 3.0.0.1443 and PMDump 1.2. The test subject, Karos, was using an active anti-debugging protection specifically designed to resist memory dumping.

AccessData FTK Imager 3.0.0.1443 returned an empty memory block filled with zeroes. PMDump 1.2 was unable to capture the memory area of interest, returning random data instead of the actual content. Belkasoft RAM Capturer was the only tool to correctly recover memory areas occupied with test subject.

About Belkasoft RAM Capturer

Belkasoft RAM Capturer is a free forensic tool to acquire the content of the computer’s volatile memory, even if anti-debugging or anti-dumping protection is active. By working in system kernel mode, Belkasoft RAM Capturer can successfully bypass protection that many other tools can’t. When tested against competing RAM capturing tools, Belkasoft RAM Capturer demonstrated the best results, being able to successfully acquire protected memory areas that the other tools couldn’t. Belkasoft RAM Capturer is available to all customers at no charge.

Pricing and Availability

The new memory dumping tool is available to all customers free of charge, and can be downloaded from the company’s Web site.

System Requirements

Belkasoft RAM Capturer supports computers running 32-bit and 64-bit versions of Windows including Windows XP, Windows Vista, Windows 7, 2003 and 2008 Server in all editions and with any combination of installed service packs.

About Belkasoft

Founded in 2002, Belkasoft is an independent software vendor specializing in computer forensics and IT security software. Running on the Microsoft Windows platform, Belkasoft products back the company’s “Forensics made easier” slogan, offering IT security experts and forensic investigators solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.

Belkasoft Evidence Center 2013 is a world renowned tool used by thousands of customers for conducting forensic investigations, as well as for law enforcement, intelligence and corporate security applications. Belkasoft customers include government and private organizations in more than 40 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.

More information about the company and its products at http://belkasoft.com
# # #

Information on Belkasoft RAM Capturer as well as the free download are available at http://forensic.belkasoft.com/en/ram-capturer