Sneak Peek Of Belkasoft Evidence Center 2017

Belkasoft is happy to announce an upcoming release of massively updated version 8.0 of its leading digital forensic solution Belkasoft Evidence Center 2017. Version 8.0 will include a number of newly added useful features that are going to significantly improve the efficiency of digital forensic investigations.

Among the new features:

* A new imaging tool, Belkasoft Acquisition Tool, or BelkaImager
* Social Graph Builder, capable of finding communities of users in the course of large investigations
* In-depth support for Volume Shadow Copy
* and many others

Read more about the new release and Early Access Program at https://belkasoft.com/bec2017

Sign up for a free webinar at https://belkasoft.com/webinar.

Belkasoft Evidence Center v.7.5 Offers iTunes Backup Decryption and Many More

Belkasoft announces a major update to Belkasoft Evidence Center, the company’s flagship digital forensic solution. The new release brings a revamped user interface, improved search and enhanced analytics. A major addition to Evidence Center 7.5 is the ability to directly access encrypted iTunes backups whether or not the password is known. Unknown passwords can be attacked directly by using the new Decryption module. Other changes include the updated Photo Forgery Detection, EML and MSG email analysis and Google Maps clustering support.

“Evidence Center 7.5 delivers better usage experience with new user interface and more features”, says Yuri Gubanov, Belkasoft CEO. “The integrated iTunes decryption, support for additional email formats, the all-new photo forgery detection module and tons of smaller improvements and enhancements all contribute to a better, smoother usage experience”.

Modern User Interface with Theme Support

For years, Belkasoft Evidence Center employed the same concept for its user interface. While staying put during all those years provided much-needed consistency to our customers, we felt it was time for a change. In version 7.5, we brought customizable theme support, allowing users to switch to a new, modern look at the push of a button. In addition, Evidence Center 7.5 redesigns searching and filtering, offering smoother performance with a cleaner look.

Access to Encrypted iTunes Backups

Prior to version 7.5, Belkasoft Evidence Center could only process unencrypted iTunes backups. Today, Evidence Center moves one step closer to becoming a true all-in-one solution for desktop and mobile forensics. In this release, Evidence Center gains the ability to automatically decrypt iTunes backups using a known password. If the password is unknown, the new Decryption module is available to attack and recover the password.

Revamped Photo Forgery Detection Plugin

The Forgery Detection Plugin automatically discovers altered, forged and tampered photos among the thousands of files available on the suspect’s computer. In this release, the Photo Forgery Detection plugin received a major overhaul with new types of analysis and better reporting.

More Improvements and Enhancements

This release packs a large number of improvements and enhancements. Improved SQLite analysis with better freelist and unallocated space support, support for updated versions of popular chat apps, support for the EML and MSG email formats, Evidence Reader no longer requiring Administrator privileges and tons of other features are listed in the official change list: https://belkasoft.com/new

About Belkasoft Evidence Center

Belkasoft Evidence Center is a world-renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft Evidence Center can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile backups and chip-off dumps. The tool can capture and analyze volatile evidence stored in the computer’s RAM, identify encrypted files, carve Internet chat logs, Web browsing history and email communications including information stored in digital pictures and videos. The ability to process office documents in a wide range of formats enables investigators to perform near-instant full-text search among all the documents discovered on the suspect’s PC.

Low-level access to hard disk and system structures means that even data that has been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

About Belkasoft

Founded in 2002, Belkasoft is a global leader in digital forensics technology, known for their sound and comprehensive forensic tools. With a team of professionals in digital forensics, data recovery and reverse engineering, Belkasoft focuses on creating technologically advanced yet easy-to-use products for investigators and forensic experts to make their work easier, faster, and more effective.

With this focus in mind, Belkasoft introduces their flagship product, Belkasoft Evidence Center – an easy-to-use, integrated solution for collecting and analyzing digital evidence from mobile and computer devices. Customers in law enforcement, police, military, business, intelligence agencies, and forensic laboratories in 70+ countries worldwide use Belkasoft Evidence Center to fight homicide, crimes against children, drug trafficking, data leakage, fraud, and other online and offline crimes.

Belkasoft D-U-N-S number 683524694.
Belkasoft NATO Commercial and Government Entity (NCAGE, also CAGE) code SKF09.
Belkasoft is also registered within Central Contractor Registration (CCR), ORCA and WAWF.
Belkasoft is a registered trademark.

More information about the company and its products at https://belkasoft.com

# # #

Information on Belkasoft Evidence Center as well as the free demo download are available at https://belkasoft.com/get

The complete change log is available at https://belkasoft.com/new

New! Belkasoft Evidence Center 2016

Belkasoft announces a major update to Belkasoft Evidence Center, the company’s flagship digital forensic solution, to version 2016. The new release comes with a revamped user interface and numerous improvements to performance, productivity and usability. A number of new analytic functions were added, enabling investigators to dig deeper without paying a time penalty. Finally, and importantly, Belkasoft Evidence Center 2016 comes with full support for Windows 10, adapting its discovery and analytic engine to cope with the new and changed artifacts produced by Microsoft’s new OS.

“We made a major release just before the year’s end”, says Yuri Gubanov, Belkasoft CEO. “The new version of Belkasoft Evidence Center feels like a totally new product. We made it faster and easier to use while adding new analytic features – all that to help you discover more with less time wasted”.

Productivity and Usability Improvements

Compared to previous versions, Belkasoft Evidence Center 2016 looks, feels and works like a whole new product. The new release adds new ways to work with discovered evidence, enables faster searching and adds instant filtering. The redesigned evidence discovery wizard makes data search settings easier to adjust, while mobile artifacts get their own dedicated section.

The newly introduced Hashset Analysis section allows searching for files based on the hash sum, matching calculated hash values against a given NSRL hash set database. MD5 and SHA1 hashes are supported.

Last but not least, Belkasoft Evidence Center 2016 receives a long-awaited ability to identify and discover artifacts produced by Microsoft’s new OS, Windows 10. The new jumplist format, Edge and Internet Explorer browser data, and a range of other artifacts produced by Windows 10 are now fully supported by Evidence Center.

For the full list of changes, please refer to https://belkasoft.com/new.

New users as well as existing customers can enjoy a free webinar on the new version of Belkasoft Evidence Center on December 15, at 6 pm CET.

Sign up at https://belkasoft.com/webinar.

About Belkasoft Evidence Center

Belkasoft Evidence Center is an all-in-one forensic solution for locating, extracting, and analyzing digital evidence stored inside computers and mobile devices. Belkasoft Evidence Center makes it easy for an investigator to search for, analyze, store and share digital evidence found inside computer and mobile devices. The toolkit quickly extracts digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, BlackBerry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center automatically analyzes the data source and lays out the most forensically important artifacts for the investigator to review, examine more closely or add to a report.

BelkaScript: How to Get Most out of Digital Forensic Software

Digital investigators nowadays have access to a wide array of solid forensic tools. Some of them offer mobile forensics only, some help with computer or laptop analysis, some – like Belkasoft Evidence Center – support all types of devices, but the task flow and product logic are more or less fixed in every product. If an investigator faces an unusual task, it is hard to solve it within the workflow offered by a product. And unusual tasks are not that rare – we hear about them very often; just take a glance at the Forensic Focus forums page.

In this article, we will discuss some real-life stories that involved cases hard to solve with the standard workflow in Belkasoft Evidence Center:

• Good Employee, Bad Employee
• Bar Fight
• Digging Deep Inside Photos

Solving them became possible with BelkaScript, a free built-in scripting module that allows users to write custom scripts to extend Evidence Center's capabilities. Scripts can be used to automate routine work (for example, reporting, or chaining two operations together) or to extend the product’s functionality for a specific situation. But it most certainly does not end there, as we will now show with real-life examples.

Read more

Free Webinar: Enhance Digital Investigations with New Belkasoft Evidence Center

Belkasoft announces an upcoming release of their flagship all-in-one forensic product. Belkasoft Evidence Center 2016 comes with a substantial number of improvements and new features that bring the product to a new level of convenience and effectiveness in working with digital evidence.

In the new release, we added a lot of newly supported artifacts, including a significant number of mobile apps such as browsers, payment systems, messengers, and social networking apps. At the same time, we refined the interface so that it is now more convenient to work with the increased number of artifacts. In particular, we reworked the artifact selection window and added filters that allow you to sort items by text, metadata, date, or other criteria. Besides, the evidence search engine was improved and now works faster than ever.

One of the newly added important features of the product is hashset analysis (using the NSRL hash database). These and many other changes and enhancements of the new version will be covered during our free webinar “Enhancing digital investigations with Belkasoft Evidence Center 2016”. The webinar will be conducted by Yuri Gubanov, Belkasoft CEO & Founder and a renowned expert in digital forensics.

The webinar will feature a presentation with an overview of the most significant improvements and new features of Belkasoft Evidence Center 2016, as well as questions from the viewers, answered live.

Date: November 4, 2015
Time: 17:00 UTC / 18:00 CET/ 12:00 EST / 20:00 MSK

Sign up for the webinar now and get your guaranteed free trial version of the product: http://belkasoft.com/webinar

Advanced SQLite Analytics with Belkasoft Evidence Center (Part II)

In the first part of our series on SQLite analysis we talked about accessing corrupted SQLite files and recovering deleted SQLite records from the freelist. Today we will cover two more important topics: SQLite write-ahead log (WAL) and unallocated space of SQLite databases, and how to analyze them using Belkasoft Evidence Center.

Write Ahead Logs: Access to Non-Committed Data

From our original article on SQLite forensics you may already know that straightforward analysis of a SQLite file rarely shows the complete picture. Indeed, free and open-source SQLite tools rarely (if ever) deal with freelists. Yet another thing they do not normally deal with is write-ahead logs.

Write-ahead logs, or WAL, work in the opposite way to freelists. While the freelist contains deleted SQLite records, the write-ahead log is used by the SQLite engine to store pages not yet committed into the main database.

Belkasoft Evidence Center is an integrated forensic product with advanced out-of-the-box analysis of SQLite databases. Unlike many other tools on the market, Evidence Center automatically parses freelists and write-ahead logs, merging found records together with data from the main database.

Evidence Center’s SQLite Viewer is a convenient and powerful built-in tool for thorough examination of SQLite databases

How much information can a write-ahead log contain? Usually, that would be a few hundred records, and that is an awful lot if we are talking, for example, about instant messengers. So what exactly is a write-ahead log, and why does SQLite use it?

SQLite Journaling and Write-Ahead Logs

SQLite is a transaction-based database. Historically, SQLite used rollback journals, the atomic commit and rollback mechanism to guard against potential write errors. Rollback journals worked by saving old copies of pages being overwritten with new data into a separate journal file. SQLite removed the journal file if the write operation was concluded successfully. If an error occurred, the engine would roll back the original page from the journal file, returning the database to original state by merging data from rollback journals into the main file.

Skype databases: main.db (8 572 KB) and main.db-journal (1 588 KB). Using a regular tool, you can lose up to 20% of records! Belkasoft Evidence Center will automatically merge data from both files into a single list

Rollback journals provided a robust and reliable way of safeguarding information. Unfortunately, their use required a lot of extra read and write operations, causing significant slowdowns on heavy load. Since the release of SQLite 3.7.0 back in 2010, the database engine no longer uses rollback journals. A new commit and rollback method called write-ahead log ("WAL") was introduced.

Write-ahead logs no longer back up information from the main database. Instead, the new commit scheme uses a temporary database file to write new records to, only merging the temp file with the main database on commit. In essence, write-ahead logs work in the opposite way to rollback journals. Where the rollback journal saved a copy of the original database content into a separate file and then wrote new data directly into the database file, WAL preserves the original content in the main database while writing new data into a separate WAL file. WAL was found to be significantly faster in most scenarios compared to the old journaling mechanism, providing better concurrency and optimizing disk I/O operations.

The two files (the main database and the write-ahead log) are merged when committed. The commit event occurs when a certain size of the write-ahead log is reached, or if a manual commit event is received. Typically, SQLite automatically commits after the WAL reaches the size of 1000 records. Until then, the database reads new records from the WAL file. Does that ring a bell?

Indeed, when analyzing a SQLite database, one can access up to a thousand new records by parsing the WAL file, and read all the old records from the main database file. General-purpose SQLite tools don’t normally offer the choice, either parsing the main database only or (more commonly) automatically merging the content of the WAL file with the main database, thus overwriting old records. Neither approach is good for digital forensics.

Remember how many records a write-ahead log may contain? By default, SQLite commits a checkpoint when the WAL file reaches a threshold size of 1000 pages. A thousand records is an awful lot in the context of chatting or casual Web browsing. A typical chat session never triggers the commit checkpoint, leaving all sent and received messages uncommitted and stored in the WAL file.
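The WAL layout described above, as an added example that is not part of the original article or Belkasoft's code: it creates a throwaway WAL-mode database with a constructed `messages` table and marker text, commits rows without a checkpoint, and then parses the `-wal` file header and frames directly (offsets from the public SQLite file-format documentation) to show that the committed rows exist only in the log, not in the main file.

```python
"""Added example (not Belkasoft code): read a SQLite write-ahead log directly.

A throwaway WAL-mode database is created, rows are committed but not
checkpointed, and the main file and -wal file are compared byte-for-byte.
Offsets follow the SQLite file-format documentation.
"""
import os
import sqlite3
import struct
import tempfile

WAL_MAGIC = (0x377F0682, 0x377F0683)  # two variants: checksum byte order
WAL_HEADER = 32                        # bytes
FRAME_HEADER = 24                      # bytes, followed by one full page


def parse_main_header(data):
    """Fields of the 100-byte database header relevant to WAL analysis."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:                 # encodes 65536
        page_size = 65536
    # bytes 18/19: file format write/read version, 1 = rollback, 2 = WAL
    return {"page_size": page_size,
            "wal_mode": data[18] == 2 and data[19] == 2,
            "db_pages": struct.unpack_from(">I", data, 28)[0]}


def parse_wal(data):
    """Split a -wal file into frames, keeping only frames whose salts match
    the header: frames left behind by an earlier checkpoint-restart carry
    stale salts and are no longer part of the live log."""
    if len(data) < WAL_HEADER:
        return {"page_size": None, "checkpoint_seq": None, "frames": [], "commits": 0}
    magic, version, page_size, ckpt_seq, salt1, salt2 = struct.unpack_from(">6I", data, 0)
    if magic not in WAL_MAGIC or version != 3007000:
        raise ValueError("not a SQLite WAL file")
    frame_size = FRAME_HEADER + page_size
    frames, commits, pos = [], 0, WAL_HEADER
    while pos + frame_size <= len(data):
        pgno, db_size, fsalt1, fsalt2 = struct.unpack_from(">4I", data, pos)
        if (fsalt1, fsalt2) != (salt1, salt2):
            break                      # stale frame: end of the valid log
        if db_size:                    # non-zero only on a commit frame
            commits += 1
        frames.append({"page": pgno, "commit": bool(db_size),
                       "data": data[pos + FRAME_HEADER:pos + frame_size]})
        pos += frame_size
    return {"page_size": page_size, "checkpoint_seq": ckpt_seq,
            "frames": frames, "commits": commits}


def wal_demo(n_rows=25, marker="CONSTRUCTED-CHAT-TEXT"):
    """Commit rows in WAL mode and show where the bytes actually land."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")       # constructed sample database
        con = sqlite3.connect(path, isolation_level=None)   # autocommit mode
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("BEGIN")
        con.executemany("INSERT INTO messages(body) VALUES (?)",
                        [(f"{marker} #{i}",) for i in range(n_rows)])
        con.execute("COMMIT")          # committed, but not yet checkpointed
        # Read both files while the connection is open: closing the last
        # connection checkpoints the WAL into the main file and deletes it.
        with open(path, "rb") as f:
            main = f.read()
        with open(path + "-wal", "rb") as f:
            wal = f.read()
        con.close()
    hdr, log = parse_main_header(main), parse_wal(wal)
    return {"wal_mode": hdr["wal_mode"],
            "db_pages": hdr["db_pages"],
            "frames": len(log["frames"]),
            "commits": log["commits"],
            "pages_in_wal": sorted({fr["page"] for fr in log["frames"]}),
            "text_in_main": marker.encode() in main,
            "text_in_wal": any(marker.encode() in fr["data"] for fr in log["frames"])}


if __name__ == "__main__":
    for key, value in wal_demo().items():
        print(f"{key}: {value}")
```

A tool that opens the database through the SQLite API sees the merged view; a tool that reads only the main file misses every row in the log, which is why both files have to be examined.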

Accessing Write-Ahead Logs and Rollback Journals with Belkasoft Evidence Center

Belkasoft Evidence Center natively supports both the old journaling method and the newer write-ahead logs. When opening a SQLite database, Belkasoft Evidence Center will automatically look for rollback journal and write-ahead log files. If either file is discovered, Belkasoft Evidence Center will parse both the main database file and the temporary rollback or write-ahead file. As a result, you will be able to see both the old (historic) copy of a page and the new (uncommitted) copy of the same page stored in the write-ahead log (or vice versa if an older version of SQLite with rollback journals is used). Uncommitted records are then highlighted with a different color:

SQLite Viewer allows you to see the full picture by reviewing both committed and uncommitted records (the latter are highlighted with blue)

In some cases, cleaning up a database or deleting records does not remove entries from the write-ahead log. This results in the most recent records (up to 1000 in typical conditions) being available for analysis.

SQLite Unallocated Space Analysis

When it comes to storing information in a file, SQLite features a fairly complex structure. Like many other databases, SQLite breaks information stored in a file into pages. Inside these pages there are smaller chunks of information called cells. Due to the way SQLite allocates space, new cells are normally placed towards the end of the page. The preceding area that has not yet been used by cells constitutes unallocated space.

Similar to disk space allocated by the file system, unallocated space in SQLite can be just empty. However, it may contain deleted data or remnants of previously used pages. In other words, unallocated space consists of page fragments that contain random pieces of data.

Analyzing unallocated space in SQLite databases is not easy. Since unallocated space does not contain valid data or pointers and is not referenced from the page index, data stored in unallocated areas is difficult to extract and almost impossible to reconstruct into something meaningful. You may find that examining unallocated space is difficult and time-consuming. Even if you are able to locate a fragment, you will not be able to tell which page used to contain it. Recovering the broken relations is also not possible.

It is important to note that general-purpose SQLite tools using standard access methods and high-level APIs cannot access unallocated space or extract data from these areas. You will need a forensic-grade product such as Belkasoft Evidence Center in order to discover unallocated areas inside a SQLite database and view and extract the information they hold.

Why should you bother analyzing unallocated space? These free, unallocated areas may contain bits and pieces of data deleted by the user a long time ago.

Belkasoft Evidence Center is one of very few products that allow you to examine unallocated space of SQLite databases. The product extracts data located in unallocated space completely automatically. After that, you can use the built-in Hex Viewer for thorough manual examination, or you can simply open the built-in SQLite Viewer and select the "Unallocated space" tab.

Notably, Belkasoft Evidence Center can carve unallocated SQLite space for hundreds of supported artifacts. If anything is found, you can review the "Carved data from unallocated space" tab for the findings (see screenshot below).

Belkasoft Evidence Center can recover information from unallocated SQLite space

This feature makes work with SQLite databases in Evidence Center even more convenient: instead of spending hours looking through chunks of binary data in Hex Viewer, you can just open the tab with carved data from unallocated space in SQLite Viewer and review it – sorted out by columns, formatted and laid out cleanly. Besides, SQLite Viewer allows you to create reports directly from within its interface, so that, when you find what you were looking for, you can export the findings immediately:

Create report from SQLite Viewer in just a few clicks

Belkasoft Evidence Center allows you to customize your report by choosing the format (PDF, CSV, XML, and others) and adjusting the logo, fonts, table size and contents, number of pages, etc.:

Reports created with Belkasoft Evidence Center are accepted in courts

Belkasoft Evidence Center: Advanced SQLite Analysis at Your Fingertips

Belkasoft Evidence Center implements the lowest-level approach to handling SQLite databases. When it comes to SQLite evidence, Belkasoft Evidence Center is an all-in-one digital forensic tool, and is as close to a one-button solution as is at all possible in the complex world of digital forensics. With Belkasoft Evidence Center, you can carve a disk, forensic disk image, or memory dump for SQLite databases, and automatically extract and analyze information from all available sources including freelists, rollback journals and write-ahead logs. The built-in SQLite Viewer and Hex Viewer, as well as other advanced features, allow you to perform low-level examination and, for instance, can help discover evidence that is still available in unallocated areas of the SQLite database.

Belkasoft Evidence Center is perfectly equipped to handle existing, emptied, deleted or corrupted SQLite databases

Belkasoft Evidence Center is able to recognize hundreds of applications that use SQLite, extracting and displaying mobile app data, browser histories, SMS messages, chat messages, call logs and chat logs discovered in current, deleted, uncommitted and unreferenced database records.

Interested in SQLite analysis? Get your free evaluation license of Belkasoft Evidence Center at http://belkasoft.com/trial!

Recovering SQLite Evidence with Belkasoft Evidence Center

Much has been said about the different tools to extract, view, and recover SQLite databases. Why is SQLite analysis so important for digital forensics? Why is SQLite not straightforward to investigate? Why use Belkasoft Evidence Center for SQLite analysis? Read along to find out!

SQLite: The De-Facto Standard

SQLite is today’s database of choice for nearly every software manufacturer, with very few exceptions. Unlike MS SQL Server, SQLite is extremely lightweight and compact, does not require installation, and can be easily distributed with the product if needed. In other words, SQLite is perfect for applications with light database loads – such as Web browsers, instant messengers, or password keepers. Indeed, SQLite is employed by thousands of application developers, including some well-known names. So who is using SQLite?

Applications Using SQLite

SQLite gained its well-deserved popularity among developers on all major desktop and mobile platforms including Windows, Linux, and Mac OS, as well as Android, iOS, and Windows Mobile. With SQLite being an open format there are no legal, financial or technical limitations that would restrict developers from using the database. As a result, SQLite databases are used system-wide in Android and iOS as containers for call logs and messages, configuration settings, calendars, notes, search history, messages, system logs, Web browsing history and password management. Major Web browsers (Chrome, Firefox) and instant messengers (Skype, WhatsApp) are also using SQLite. Even Belkasoft Evidence Center, a digital forensic tool that can parse others’ SQLite databases, employs a SQLite database internally to keep and manage cases!
To sum it up, SQLite is used in the following applications:

• Android: system-wide for call logs, message history, settings, system logs, apps etc.
• iOS: system-wide for call logs, message history, system logs, apps etc.
• Instant messengers (on all desktop and mobile platforms): Skype, WhatsApp, Viber, eBuddy and hundreds more
• Web browsers (on all desktop and mobile platforms): Firefox, Chrome, Safari
• Other apps: PhotoBox, Picasa Explorer and thousands more

With that many applications using the SQLite format, choosing the correct forensic tool becomes critically important. One can ask, however, “Why can’t we just use the free DB Browser for SQLite (formerly SQLite Database Browser)? Oh, and I’ve heard there’s that Firefox plugin! Can we use that to browse SQLite databases?” Yes, you can, but you should keep in mind that in this case you cannot rely on the results you get. And here’s why.

Free SQLite Forensic Tools: You Get What You Pay For

With free SQLite tools you at least get a program that can display the content of a SQLite database. However, this is often not much use for the purpose of digital forensics. Let’s look at this screenshot:
Obviously, the view is empty. You always get what you pay for, in this case, zero for zero…

So what to do if no messages are showing up in the database (message count = 0), but its size is a full 5 MB and a hex viewer shows bits and pieces of conversations? It’s time to use a proper forensic tool. Here’s the very same database opened with Belkasoft Evidence Center’s built-in SQLite Viewer:

As you can see, Belkasoft Evidence Center discovered as many as 53 records in the “Messages” table and highlighted them in red color, signaling that these were deleted by the user. How does that happen?

Native SQLite Processing

The problem with free SQLite tools is the method they use to access databases’ records and tables. In order to keep things simple, these tools just use ready-made components to process SQLite files. These days finding a suitable open-source component in one of the many code repositories is a matter of minutes. However, such components are inherently limited in the way they handle SQLite files. Following established guidelines, these components (as well as the tools using them) communicate with the SQLite engine by using a high-level API. This is a stable and reliable way to handle databases, only it does not work with corrupted SQLite files. Neither can it recover records that have been deleted or not yet committed into the main database.

Belkasoft Evidence Center is not using third-party components for accessing SQLite databases. Instead, we developed our own low-level code for discovering SQLite evidence. This opens the door to a number of things that are not possible if you are using most other tools.

For one, Belkasoft Evidence Center allows analyzing corrupted SQLite databases if, for example, the database files were deleted by the suspect and then recovered with file carving.

Besides, the SQLite analysis algorithm used by the product is advanced and efficient, allowing it to process gigabytes of SQLite data in reasonable time.

Moreover, Belkasoft Evidence Center fully supports analysis of “freelists” – a special area in SQLite databases where unused pages are stored. Belkasoft Evidence Center automatically discovers evidence located in records that were deleted from SQLite databases.

This enables access, for example, to deleted entries from the call log or Skype histories (as shown in the screenshot above), and even allows recovering deleted iMessages or SMSes from iPhone backups. Let’s talk a bit more about accessing deleted records in SQLite databases.

Recovering Deleted SQLite Records with BEC

When analyzing evidence obtained from various sources, you will likely encounter a database that contains at least a few deleted records. These records may contain information that is vital for an investigation – such as deleted browser history, messenger chat history, sent or received SMS or iMessages, or data from thousands of other apps.

Why is it possible to access deleted messages at all? The reason lies in the way in which SQLite handles deleted records. In order to maintain performance, SQLite does not immediately erase records deleted from the database. Instead, these records are kept temporarily in “freelists”, which can be accessed and parsed using Belkasoft Evidence Center.

While extracting data from freelists, the product automatically figures out which column the deleted items used to belong to, and merges them into this column.

Viewing deleted items in Belkasoft Evidence Center is easy – the product automatically locates and lays out all of the data for you, marking whether it was deleted or not:

The "Is Deleted" column helps to understand whether a record was found in an existing SQLite database table or recovered from a freelist
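The freelist described here, together with the in-page unallocated space discussed in Part II above, as an added example that is not part of either article or of Belkasoft's code: it builds a throwaway rollback-journal database with a constructed `messages` table and marker text, deletes every row, and then walks the freelist trunk pages and the b-tree page header by hand (offsets from the public SQLite file-format documentation) to show that the SQL API reports zero rows while the freed pages still carry the deleted text.

```python
"""Added example (not Belkasoft code): find freelist pages and in-page
unallocated space in a SQLite file by reading its raw bytes.

A throwaway rollback-journal database is filled, every row is deleted, and
the SQL API's view (zero rows) is compared with what the freed pages still
hold. Offsets follow the SQLite file-format documentation.
"""
import os
import sqlite3
import struct
import tempfile

DB_HEADER = 100   # page 1 begins with the 100-byte database header


def read_header(data):
    page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if page_size == 1 else page_size
    db_pages, first_trunk, free_pages = struct.unpack_from(">III", data, 28)
    return {"page_size": page_size, "db_pages": db_pages,
            "first_trunk": first_trunk, "free_pages": free_pages}


def page(data, pgno, page_size):
    """Raw bytes of page number pgno (pages are numbered from 1)."""
    return data[(pgno - 1) * page_size:pgno * page_size]


def freelist_pages(data, hdr):
    """Walk the freelist. Each trunk page starts with the next trunk's page
    number and a count, followed by the page numbers of its leaves. Only the
    trunk is rewritten when pages are freed; leaf pages keep their old cells
    unless secure_delete is enabled."""
    trunks, leaves, pgno = [], [], hdr["first_trunk"]
    while pgno and pgno not in trunks:           # guard against loops in damaged files
        trunks.append(pgno)
        p = page(data, pgno, hdr["page_size"])
        next_trunk, n_leaves = struct.unpack_from(">II", p, 0)
        n_leaves = min(n_leaves, (len(p) - 8) // 4)
        leaves.extend(struct.unpack_from(f">{n_leaves}I", p, 8))
        pgno = next_trunk
    return trunks, leaves


def unallocated_in_page(p, is_page1=False):
    """Return (unallocated_bytes, freeblock_bytes) for one b-tree page.
    Unallocated space lies between the cell pointer array and the start of
    the cell content area; freeblocks are the linked list of holes that
    deleted cells leave inside the content area."""
    off = DB_HEADER if is_page1 else 0
    hdr_len = 12 if p[off] in (0x02, 0x05) else 8    # interior pages add a right-child pointer
    first_free, n_cells, content_start = struct.unpack_from(">HHH", p, off + 1)
    content_start = content_start or 65536
    unallocated = content_start - (off + hdr_len + 2 * n_cells)
    freeblocks, nxt = 0, first_free
    while nxt:
        nxt, size = struct.unpack_from(">HH", p, nxt)  # next pointer, block size
        freeblocks += size
    return unallocated, freeblocks


def freelist_demo(n_rows=300, marker="CONSTRUCTED-DELETED-MSG"):
    """Delete every row and inspect what the file still contains."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")        # constructed sample database
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA secure_delete=OFF")   # SQLite's default; some builds flip it
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("BEGIN")
        con.executemany("INSERT INTO messages(body) VALUES (?)",
                        [(f"{marker} #{i:04d} " + "x" * 180,) for i in range(n_rows)])
        con.execute("COMMIT")
        con.execute("DELETE FROM messages")       # the table spans several pages; they are freed
        visible = con.execute("SELECT count(*) FROM messages").fetchone()[0]
        con.close()
        with open(path, "rb") as f:
            data = f.read()
    hdr = read_header(data)
    trunks, leaves = freelist_pages(data, hdr)
    with_text = sum(marker.encode() in page(data, n, hdr["page_size"]) for n in leaves)
    # Page 2 is the table's root; after the delete it is an empty leaf page.
    unalloc, freeblk = unallocated_in_page(page(data, 2, hdr["page_size"]))
    return {"visible_rows": visible, "page_size": hdr["page_size"],
            "db_pages": hdr["db_pages"], "free_pages": hdr["free_pages"],
            "trunks": trunks, "leaf_pages": len(leaves),
            "leaf_pages_with_deleted_text": with_text,
            "root_unallocated": unalloc, "root_freeblocks": freeblk}


if __name__ == "__main__":
    for key, value in freelist_demo().items():
        print(f"{key}: {value}")
```

With `secure_delete` on, or after a `VACUUM`, the same walk returns freed pages with zeroed content, which is why the presence of a freelist alone does not guarantee recoverable records.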

Convenient features of SQLite Viewer

We tried to make working with SQLite as convenient as possible while integrating it with the variety of Evidence Center’s features and capabilities. For instance, while navigating through artifacts found by the product, select an application that uses SQLite for storing data, and Evidence Center will automatically display its data in SQLite Viewer:

If you choose a Skype profile, the contents of Skype’s main.db are automatically shown to you in SQLite Viewer, including data from freelists.
Item Properties is a convenient window that shows you all of the existing columns of a table, so that you can review the selected record as a whole, even if the number of columns is too big to fit into the list of records.

If you want to leave just a few of the most important columns, you can change their number by right-clicking the header of the table and selecting visible columns and adjusting their size in convenient "column chooser":

Column Chooser lets you select or deselect columns, arrange them, and adjust their width (automatic or proportional, in % of the maximum size)
Belkasoft Evidence Center allows formatting of any column. For instance, a timestamp column can be switched to a readable date and time format:

After that, the contents of the whole column will be adjusted accordingly:

As you can see, the timestamp column now displays the date and time in a readable format.
Interestingly, column formatting is preserved when you create a report from SQLite Viewer:

PDF report, generated based on data from Messages table of Skype’s main.db
In this paper we have not covered some other important features and capabilities of Belkasoft Evidence Center, such as analysis of SQLite unallocated space (not to be confused with unallocated space on a hard drive!), analysis of write-ahead logs and journal files, smart carving of SQLite databases, examination of SQLite files in Hex Viewer, and so on. We will try to cover these topics later.
Advantages of SQLite Analysis with BEC

To sum up, using Belkasoft Evidence Center for SQLite analysis gives you the upper hand in digital investigations. Not only is it fast, but it also gives you access to some of the information that would not be available otherwise.

Deleted records from little-known but very important areas of SQLite databases, such as freelists and unallocated space, will be found and analyzed by Evidence Center in a short time and completely automatically, saving you time and effort. You can find even more records in write-ahead logs, a valuable source of data. Native SQLite parsing allows you to restore most of the information by carving damaged or deleted databases.

A convenient SQLite Viewer is built into Evidence Center and available out of the box, giving you low-level access to SQLite databases. You can easily present your findings in court by creating a report directly from SQLite Viewer's interface:

Belkasoft Evidence Center makes your investigations easier, faster, more comprehensive and more effective. Learn more on our website or download a full trial version today at http://belkasoft.com/trial.
Read more about freelists, write-ahead logs, and SQLite analysis in our article: Forensic Analysis of SQLite Databases.
More articles by Belkasoft: http://belkasoft.com/articles

Carving for Evidence: Why Choose Belkasoft Evidence Center

When looking for digital evidence, one has to look through a large number of files on the disk to discover just the few important pieces. Automating evidence search can help locate evidence stored in files that were moved, renamed or deleted. This article offers a general overview of data carving techniques used in today's computer forensic tools, outlines benefits and limitations of the technology, and demonstrates how to use carving in a forensic tool to discover evidence.

What Is Carving and How It Works

"Carving" refers to a very specific technique for locating evidence. The carving technique is based on signature search analysis. Instead of relying on the file system in order to locate files, carving algorithms use a much lower-level approach. During carving, the algorithm will read the content of the disk, partition, or forensic disk image one block after another. Each data block is analyzed against a database of known file formats. If the algorithm discovers a match, and after performing one or more secondary checks, the carving algorithm may assume that a certain data block contains a file header.

The algorithm then analyzes the file header (assuming that it is in a certain format) and attempts to determine the length of the file. While it may sound easy on paper, determining the correct file length is not always easy. Some formats let the carver work out the length from the header itself or from length-prefixed structures that follow it (a PNG, for instance, is a chain of chunks, each carrying its own length, that ends with an IEND chunk). Other formats carry no length information at all (JPEG is the classic example), or carry a length that cannot always be trusted (a SQLite header records the page size and a page count, but the count is only valid when the header's change counters agree).

Belkasoft Evidence Center carves both pictures, documents and SQLite

This means that further analysis of subsequent data blocks is required when carving such files. For example, carving a JPEG means scanning forward for the end-of-image marker, and carving a SQLite database involves reading the subsequent blocks and checking whether they are valid pages in the SQLite database format.

Now, what happens if a file being carved was already partially overwritten? In this case, the carving algorithm will obviously extract incomplete or corrupted files. What is more interesting is what happens next: instead of extracting a file of (N) blocks and resuming carving from block number (N+1), the carving algorithm actually returns to the data block located immediately after the detected header, and resumes carving from that point.

This allows dealing with partially overwritten and fragmented files. However, one consequence of this approach is that the carved data set may be larger than the disk being carved, because regions covered by more than one header are extracted more than once. This is why we recommend having 1.5 to 3 times as much free space on your drive as the size of the disk being carved.

Carving Text Files

Text files (including HTML pages and XML files) are a special case for carving. They have no defined header. Their content, however, is drawn from a character set limited by the file's language. To detect text files, carving algorithms apply statistical analysis to each data block, trying to determine whether the block contains text in any of a wide range of encodings (including two-byte and variable-length encodings). The same procedure is repeated for each consecutive block; matching blocks are appended to the resulting file until the algorithm encounters the first block containing data that is not part of the detected character set.
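As an added illustration (not Belkasoft code), here is the per-block statistical test and the block-joining loop just described, run over a constructed image. The encodings tried (UTF-8, UTF-16-LE, UTF-16-BE), the 97% printable threshold, the whitespace-rate check and the sample blocks are all this example's own choices.

```python
"""Carving text files by statistics rather than by signature.

Added example, not Belkasoft code.  Text has no header, so each block is
tested for whether it decodes, under a handful of encodings, into characters
that are almost all printable and broken up by whitespace at a natural rate;
consecutive blocks that pass under the same encoding are joined into one
file.  Encodings, thresholds and the sample image are choices made for this demo.
"""

BLOCK = 512
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")   # one-byte, then two-byte candidates
WHITESPACE = set(" \t\r\n")


def strip_slack(raw, encoding):
    """Drop the zero fill after a short final write, keeping UTF-16 code units whole."""
    payload = raw.rstrip(b"\x00")
    if encoding.startswith("utf-16") and len(payload) % 2:
        payload += b"\x00"
    return payload


def looks_like_text(text, min_printable=0.97, max_chars_per_space=40):
    """Statistical test: nearly every character printable, and word breaks occur regularly."""
    if len(text) < 16:
        return False
    printable = sum(ch.isprintable() or ch in WHITESPACE for ch in text)
    spaces = sum(ch in WHITESPACE for ch in text)
    return printable >= min_printable * len(text) and spaces * max_chars_per_space >= len(text)


def text_encoding(block):
    """Return the first encoding under which the block reads as text, or None for binary data."""
    for enc in ENCODINGS:
        try:
            text = strip_slack(block, enc).decode(enc)
        except UnicodeDecodeError:
            continue
        if looks_like_text(text):
            return enc
    return None


def carve_text(image):
    """Scan block by block; extend each hit over the following blocks of the same encoding."""
    results = []
    n_blocks = len(image) // BLOCK
    b = 0
    while b < n_blocks:
        enc = text_encoding(image[b * BLOCK:(b + 1) * BLOCK])
        if enc is None:
            b += 1
            continue
        start = b
        while b < n_blocks and text_encoding(image[b * BLOCK:(b + 1) * BLOCK]) == enc:
            b += 1                        # stop at the first block outside the detected charset
        raw = image[start * BLOCK:b * BLOCK]
        results.append((start, enc, strip_slack(raw, enc).decode(enc)))
    return results


def pad(data):
    """Zero-fill a short block to BLOCK bytes."""
    return data + bytes(BLOCK - len(data))


def build_image():
    """Constructed 6-block image: binary, ASCII text across blocks 1-2, empty, UTF-16-LE text, binary."""
    binary = bytes(range(256)) * 2                                   # decodes under none of the encodings
    ascii_text = ("The quick brown fox jumps over the lazy dog. " * 16).encode("ascii")   # 720 bytes
    utf16_text = "Chat export: alice -> bob: see you at noon\n".encode("utf-16-le")
    return b"".join([binary, ascii_text[:BLOCK], pad(ascii_text[BLOCK:]),
                     bytes(BLOCK), pad(utf16_text), binary])


if __name__ == "__main__":
    for start, enc, text in carve_text(build_image()):
        print(f"block {start}: {enc}, {len(text)} chars: {text[:40]!r}")
```

The whitespace-rate check is what keeps arbitrary binary from passing as UTF-16: almost any byte pair decodes to some printable code point, so printability alone is a weak signal for two-byte encodings. Production carvers layer per-language statistics on top of a test like this one.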
Carving and Fragmentation

How does the carving algorithm attempt to determine which data blocks belong to a certain file? It knows the address of the initial data block (file header), and it calculates the length of the file. By knowing the beginning and length of the file, carving algorithms calculate which sectors on the disk belong to that file.

Again, this sounds great in theory, but what about fragmentation? The technique works great for contiguous files, but can fail miserably on fragmented data.

Now, there are at least two distinctly different ways to handle carving of fragmented data sets. The first approach just assumes that a certain number of data blocks following the file's header belong to that file, ignoring the existence of the file system. This method is often used if there is no file system available.

There is also another, more complex approach that reads the file system before making assumptions. With this approach, carving treats occupied and unoccupied blocks separately.

Let's say, for example, that we have four data blocks numbered 1, 2, 3 and 4. Blocks 1, 3 and 4 are unused, while block 2 is occupied by existing data. The carving algorithm determines that a DOC file begins at block 1 and is 2 blocks long.

A simple carving algorithm will extract the content of blocks 1 and 2, producing a corrupted file.

A smart algorithm will check the file system and realize that block 2 is occupied by a different file, so it'll extract blocks 1 and 3, possibly producing a working document. Well, or maybe not.

Of course, either algorithm could be wrong. Nonetheless, separate treatment of occupied and unoccupied data blocks definitely has its benefits.
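The following added example (not Belkasoft code) ties together the points made in "What Is Carving and How It Works" and "Carving and Fragmentation" above: scanning block by block for known headers, working out the file length (from the header for SQLite, by searching for the end-of-image marker for JPEG), resuming the scan from the block after each header rather than after the carved file, and using the file system's allocation map to step over blocks that belong to live files. The image, the files in it and the allocation map are all constructed here; `BLOCK`, `SIGNATURES`, `carve()` and the other names are this example's own.

```python
"""Signature-based carving over a constructed disk image.

Added example, not Belkasoft code.  Demonstrates header scanning, length
determination, resume-after-header, and file-system-aware reassembly of a
fragmented file.  Everything in the image is constructed for the demo.
"""
import struct

BLOCK = 512  # carving granularity: one sector in this example


def sqlite_header(page_size, n_pages):
    """A 100-byte SQLite file header whose in-header size field is valid."""
    h = bytearray(100)
    h[0:16] = b"SQLite format 3\x00"
    struct.pack_into(">H", h, 16, page_size)
    struct.pack_into(">I", h, 24, 7)        # file change counter ...
    struct.pack_into(">I", h, 28, n_pages)  # database size in pages
    struct.pack_into(">I", h, 92, 7)        # ... must equal "version-valid-for" for the size to count
    return bytes(h)


def sqlite_length(image, off):
    """Length from the header: page size times page count, if that count can be trusted."""
    page_size = struct.unpack_from(">H", image, off + 16)[0]
    change_counter, n_pages = struct.unpack_from(">II", image, off + 24)
    version_valid_for = struct.unpack_from(">I", image, off + 92)[0]
    if n_pages == 0 or change_counter != version_valid_for:
        return None  # stale size field; a real carver falls back to validating pages
    return (65536 if page_size == 1 else page_size) * n_pages


def jpeg_length(image, off):
    """JPEG carries no length; scan forward for the end-of-image marker FF D9."""
    end = image.find(b"\xff\xd9", off + 2)
    return None if end < 0 else end + 2 - off


SIGNATURES = {
    "sqlite": (b"SQLite format 3\x00", sqlite_length),
    "jpeg": (b"\xff\xd8\xff", jpeg_length),
}


def gather(image, first_block, length, allocated):
    """Collect `length` bytes from first_block onward, skipping blocks the file system marks in use."""
    out = bytearray()
    b = first_block
    while len(out) < length and (b + 1) * BLOCK <= len(image):
        if b == first_block or b not in allocated:
            out += image[b * BLOCK:(b + 1) * BLOCK]
        b += 1
    return bytes(out[:length])


def carve(image, allocated=frozenset(), resume_after_header=True):
    """Return (format, header_block, length, data) for every header whose length could be determined."""
    found = []
    b, n_blocks = 0, len(image) // BLOCK
    while b < n_blocks:
        start = b * BLOCK
        hit_length = None
        for name, (magic, length_of) in SIGNATURES.items():
            if image.startswith(magic, start):
                hit_length = length_of(image, start)
                if hit_length is not None:
                    found.append((name, b, hit_length, gather(image, b, hit_length, allocated)))
        if hit_length is not None and not resume_after_header:
            b += max(1, -(-hit_length // BLOCK))  # naive: jump past the whole carved file
        else:
            b += 1                                # resume at the block after the header
    return found


def pad(data):
    """Zero-fill a short block to BLOCK bytes, like the slack after a short write."""
    return data + bytes(BLOCK - len(data))


def build_image():
    """Constructed 8-block image and the set of blocks the file system reports as allocated."""
    blocks = [bytes(BLOCK)] * 8
    blocks[0] = pad(sqlite_header(512, 2) + b"db-A page-1")   # intact database, blocks 0-1
    blocks[1] = pad(b"db-A page-2")
    blocks[2] = pad(sqlite_header(512, 2) + b"db-B page-1")   # fragmented: blocks 2 and 4 ...
    blocks[3] = pad(b"LIVE FILE OCCUPYING BLOCK 3")           # ... block 3 belongs to a live file
    blocks[4] = pad(b"db-B page-2")
    blocks[5] = pad(sqlite_header(512, 3) + b"db-C page-1")   # 3-page database, blocks 5-7 ...
    blocks[6] = pad(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00jpeg-body\xff\xd9")  # ... page 2 overwritten by a JPEG
    blocks[7] = pad(b"db-C page-3")
    return b"".join(blocks), frozenset({3})


def compare_modes():
    """File-system-aware carving versus the naive contiguous mode, keyed by (format, header block)."""
    image, allocated = build_image()
    smart = {(n, b): d for n, b, _, d in carve(image, allocated)}
    naive = {(n, b): d for n, b, _, d in carve(image, resume_after_header=False)}
    return smart, naive


if __name__ == "__main__":
    smart, naive = compare_modes()
    for key in sorted(smart):
        print(key, len(smart[key]), "bytes", "(missed by naive mode)" if key not in naive else "")
```

The `("sqlite", 5)` hit shows the partially overwritten case: the header promises three pages, the carver extracts them, and the result contains the JPEG that now occupies block 6. Because the scan resumes at block 6 rather than block 8, that JPEG is also recovered as a file in its own right, which is exactly why carved output can exceed the size of the source disk.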

Carving Existing Data

Traditionally, carving was used for the purpose of data recovery. The algorithms were developed to scan free disk space or entire disk contents. However, forensic use of carving has its own specifics.

In digital forensics, carving is used to scan the existing file system as much as the free space. Suspects can move or rename files, change file extensions and attempt other naive anti-forensic techniques to make finding evidence more difficult. Indeed, when the Windows\WinSxS\ folder alone contains thousands of files and folders with long, obscure names, who is going to notice one more folder named "amd64_microsoft-windows-bing-shell-education_31bf3856ad364e35_10.0.10240.16384_none_f414688676e1420e" when analyzing the system? This is where carving of allocated disk space comes to the rescue. Carving becomes a truly indispensable technique when searching for deleted or obscured evidence.

Data Carving with Belkasoft Evidence Center

Belkasoft Evidence Center (BEC) is an all-in-one forensic tool known for its comprehensive set of helpful and convenient analysis features – and carving with this product is no exception.

Carving is an integral part of Belkasoft Evidence Center. The entire procedure is automated: you pick what types of evidence to carve for and choose whether to carve the entire disk or only certain allocated (or unallocated) areas, which saves time. You can also choose to carve only the free space inside allocated areas. Since Belkasoft Evidence Center locates and analyzes allocated data automatically, carving only free space eases and speeds up the examination because less data has to be carved, and evidence the tool has already discovered is not duplicated.


You can select to carve only Free space in BEC

Belkasoft Evidence Center allows you to carve devices or images for hundreds of different kinds of forensically important artifacts, including documents, pictures, system and registry files, SQLite databases, browser data, messenger and peer-to-peer communication histories, and more. (Note that while file carving was discussed above, BEC also carves for individual records such as chats, visited URLs, emails and so on.) It is particularly convenient to be able to choose what to look for when you already know or can assume what kind of evidence you are looking for and want to snipe it quickly.



Selecting types of evidence to carve in BEC

It is important to note that with Evidence Center you can also carve a live RAM dump, which can be, and most of the time is, a crucial source of digital evidence. While Belkasoft Evidence Center supports the output of any other RAM dumping tool on the market, it also comes with a free, powerful volatile memory acquisition product, Belkasoft Live RAM Capturer, available for download at http://belkasoft.com/ram-capturer.

Live RAM contents are often fragmented, which might become a serious problem for investigators, but Belkasoft Evidence Center offers a reasonable solution to it with a smart carving mode – BelkaCarving™. BelkaCarving effectively deals with fragmentation of data, allowing a more accurate recovery of evidence that would not be available otherwise.

Besides a RAM image file, you can also specify a path to the hibernation or page file (hiberfil.sys and pagefile.sys). These two kinds of files contain RAM contents written to the hard drive as part of normal Windows operation, which makes them an important source of live memory artifacts: RAM contents may survive in them after the computer is switched off and can be discovered by Belkasoft Evidence Center.

Once the product has finished the analysis, it will sort found data by type and lay it out so that it is easy and convenient to review. You can now inspect the desired artifacts even more closely with one of the built-in low-level tools, for example, Hex Viewer.


The handy Hex Viewer lets you see binary file data and perform type conversions

Belkasoft Evidence Center makes your investigations easier, faster, more comprehensive, and more effective. Learn more about Belkasoft Evidence Center or download a free trial. Read our research articles at http://belkasoft.com/articles.

New Belkasoft Evidence Center 7.3 Enhances Data Carving and SQLite Analytics

Belkasoft updates Belkasoft Evidence Center, the company's flagship digital forensic solution, to version 7.3. The new release comes with significant improvements to file carving and SQLite analysis algorithms as well as the search engine. With this update, Belkasoft Evidence Center enables investigators to discover more evidence faster, while raising the bar of SQLite analysis to a whole new level. In addition, the product now supports Cellebrite Link Analysis integration, and offers numerous other enhancements.
Carving hard drives or binary disk images helps investigators locate evidence that was hidden or destroyed by a suspect, such as deleted photos, cleared browsing history, internet chats and so on.

Belkasoft Evidence Center v.7.3 brings major improvements to the tool’s carving algorithms, significantly reducing the time required to carve the disk in many scenarios. Added to v.7.3 is the new carving mode that analyzes just the free space of allocated areas of the disk. This type of analysis specifically targets deleted files, locating destroyed evidence much faster than ever before.

In version 7.3, SQLite Viewer was notably improved, offering massively better performance and making it possible to open huge databases in a matter of seconds. Selected column values can now be converted to multiple data types such as date and time, integer and floating-point values, string types, IPv4/IPv6 addresses and so on. Specified column types are stored throughout the investigation, and show up in reports, which can now be generated directly from the SQLite Viewer.

Searching for, locating and analyzing evidence is a major function of Belkasoft Evidence Center. The search engine has been significantly enhanced in version 7.3, with major improvements to search performance, a much smaller search index and a reworked Search Results window.

Besides the abovementioned ones, Belkasoft Evidence Center 7.3 offers numerous performance and usability enhancements, as well as better reporting and exporting.

Download the trial today at http://belkasoft.com/trial
What’s new in 7.3: http://belkasoft.com/new

Discover More Than 100 Mobile Artifacts with Evidence Center v.7.2

Belkasoft extends support for mobile applications in the new v.7.2 of its Belkasoft Evidence Center. In addition to more than five hundred artifact types found on desktop and laptop computers, which the software was already able to analyze, the new version also finds and extracts 100+ types of mobile artifacts from modern mobile devices running Android, iOS (iPhone/iPad), BlackBerry and Windows Phone 8/8.1.
Among new mobile applications that the new version of Evidence Center can extract and analyze data from are: FireChat, Tango, MeetMe, IM+, Whisper, QIWI wallet, Google+, Touch, textPlus, MeowChat, Grindr, ooVoo, CommFort, Tinder, SinaWeibo, Vipole, AIM, Evernote, Growlr, BBM, Foursquare, and more. These apps, in addition to previously supported Skype, WhatsApp, Viber, Telegram, Kik, and other popular messengers, cover the majority of mobile applications that are relevant to digital investigations. You can find a complete list at http://belkasoft.com/ec.

Apart from out-of-the-box support for numerous applications, the software allows for low-level investigation of mobile devices, using built-in File System Viewer, Hex Viewer, SQLite Viewer, Type Converter and others:

With the growing number of mobile apps and steadily increasing smartphone usage, the ability to perform mobile device data extraction and analysis is a crucial feature for any forensic tool. With the release of the latest 7.2 version, Evidence Center now supports over 100 types of mobile artifacts for all major mobile operating systems. Having reached this milestone, Belkasoft Evidence Center takes yet another step towards being a complete all-in-one forensic tool.

A full list of newly added and improved functionality in v.7.2 can be found at http://belkasoft.com/new
To test the product, download a fully functional trial version at http://belkasoft.com/trial.

Belkasoft Adds Forensic Support for Windows Phone 8.1

Belkasoft updates its digital forensic solution, Belkasoft Evidence Center 2015, with the ability to perform forensic analysis of Windows Phone 8.1 images acquired via JTAG flashers and Cellebrite UFED hardware.

The new release enables automated extraction, discovery and analysis of user data available in chip-off dumps acquired from mobile devices running Windows Phone 8 and 8.1. Supported data includes Web browsing histories, contacts, call logs, chats, instant message conversations, cached social network communications, screenshots of background applications, and many other types of data.

Analyzing Windows Phone 8.1 Dumps

The new release of Belkasoft Evidence Center 2015 provides full support for information dumped or extracted from Windows Phone 8.1 devices with JTAG or UFED hardware. Belkasoft Evidence Center 2015 can parse the binary dumps, reconstructing the original file system of the device and enabling experts to browse, view and extract individual files and folders. The tool will automatically search for, extract and analyze the many types of evidence recognized by Belkasoft Evidence Center, including contacts and address books, call logs, communication histories in Skype and third-party messenger apps, browsing history and cached social network conversations.


SQLite database, carved from JTAG dump, is shown in the built-in SQLite Viewer

Page File Analysis
Similar to its desktop counterpart, the mobile version of Windows swaps memory pages out to a page file. Given the prevalence of low-memory devices with only 512 MB of RAM, their reliance on the page file is extremely strong. However, due to the different processor architecture, the format and content of the page file differ significantly from the desktop one. At the same time, page files contain a host of forensically important information, preserving snapshots of the device's volatile memory and containing essential real-time information that would otherwise be lost once the device has been powered off.


Internet Explorer history is found inside pagefile, located in JTAG dump

Belkasoft Evidence Center becomes the first digital forensic tool to parse Pagefile.sys files produced by Windows Phone 8.1. The tool will automatically parse the page file, carving all known types of artifacts such as cached Web pages and pictures, chat messages and posts in social networks.

Screenshots of Minimized Applications

Windows Phone devices can only run one app in the foreground. Background applications are minimized and often pushed out of volatile memory. When Windows Phone minimizes an app, the system captures and stores a screenshot of it. Depending on the application, the screenshot may show current user activity such as the currently visited Web page or social network profile, an open chat session, or the picture or video being viewed. Information captured in these screenshots is often unavailable elsewhere. Belkasoft Evidence Center recognizes the importance of application screenshots, targeting these pictures specifically during carving and displaying them in a dedicated section.


A pack of application screenshots found inside particular JTAG dump

About Belkasoft Evidence Center 2015

Belkasoft Evidence Center is a digital forensic solution enabling security experts and forensic specialists to collect and analyze digital evidence from computers and mobile devices. Belkasoft Evidence Center can automatically locate, process and analyze evidence stored inside hard drives, forensic images and dumps. Hundreds of evidence types are supported out of the box, such as documents, emails, pictures and videos, chats and browser histories, encrypted and system files.

Low-level access to hard disk and system structures means that even data that’s been deleted by a suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase and FTK, DD and SMART formats, UFED, chip-off and JTAG binary dumps, X-Ways containers and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.
Information on Belkasoft Evidence Center as well as the free demo download are available at http://belkasoft.com/trial.

Discover Evidence on PCs and Mobile Devices with Belkasoft Evidence Center 2015

Belkasoft has released a major update to its flagship forensic tool, Belkasoft Evidence Center. With version 7.0, Evidence Center becomes a true all-in-one forensic solution, reliably analyzing evidence from all imaginable sources.

Evidence Center is well known for its ability to easily find and analyze 500+ types of evidence (such as documents, emails, chats, system and registry files, etc.). What makes this new release different is the ability not just to analyze supported apps and formats, but also to perform low-level investigations of any piece of evidence on a suspect's device or image. Here are the new modules in your arsenal:

File System Explorer shows all files and folders, including deleted and special ones
Hex Viewer helps investigator to conveniently glance over binary data, while Type Converter assists in interpreting it
Scripting allows you to extend Evidence Center with custom functionality
Live RAM Process Explorer helps to extract and visualize process memory

Newly added features make Belkasoft Evidence Center 2015 one of the most complete solutions in the field of digital forensics.

File System Explorer

The File System Explorer allows forensic experts to access the complete structure of a device, dump, drive or memory image, mobile phone, tablet, or virtual machine. Within this module, investigators are able to analyze all volumes and partitions to browse existing and deleted files and folders, including special ones such as $OrphanFiles, $Log, $BadClus and so on.


In this picture you can see the file structure of an Android phone (chip-off dump) shown by the File System module of Belkasoft Evidence Center 7.0. In particular, you can see the hidden special folder $OrphanFiles.

BelkaScript

The custom scripting engine BelkaScript makes Evidence Center a truly user-extendable tool. BelkaScript uses an easy-to-learn, simplified C#, so that experts can write their own modules to extend Evidence Center's functionality. A number of samples are included in the product installation to help users write their first script. For example, one of the sample scripts implements custom header-footer carving using a pre-defined signature.


Scripts are written in simplified C#. The scripting window allows you to debug custom extensions with breakpoints, step-by-step execution, variable inspection and so on.

Hex Viewer and Type Converter

Hex Viewer enables binary analysis of any file on a disk, mobile device, image, process or memory dump. The handy Type Converter lets you inspect any selected value, interpreting it as various data types, such as numbers, date/time stamps, IP addresses, etc.


The built-in Hex Viewer allows low-level file investigation; it has a handy type converter showing the current selection in different formats, search and bookmarking, saving a selection to a file, an advanced Go To including jumps to a relative offset, and many more.

Live RAM Process Explorer

Live RAM Process Explorer works similarly to File System Explorer, but with processes instead of files. For example, investigators can view all processes, dead or alive, within a Windows 7 memory dump and explore the memory of, say, the Skype.exe and AppleMobileDev processes using Hex Viewer and Type Converter.


Windows 7 Live RAM processes are shown, including dead processes; it is possible to select a process and review its memory in Hex Viewer.

About Evidence Center

Belkasoft Evidence Center is one of the few digital forensic tools investigating both PC and mobile devices running not just Windows, but also Mac OS X, iOS, Linux/Unix, Android, and alternative systems.

In addition to low-level investigation, the tool provides out of the box evidence discovery and analysis for 500+ forensically important “low-hanging fruits”, such as email, documents, mobile apps, SQLite databases, registry and system files, internet chats, social networks, pictures, videos, encrypted files and volumes, and many more. The following data sources are supported:

• Computer hard drives
• Drive images
• Smartphone backups
• UFED images
• Raw chip-off dumps of mobile phones
• Live memory dumps
• Virtual machines
• Etc.

Time-limited offer

A number of newly released modules with a total value of $600 is available for existing customers at no charge. If you have a non-expired floating license for Belkasoft Evidence Center Ultimate with Case Management, or if you are just planning your purchase, you are eligible to upgrade and receive the new modules free of charge. The offer expires by December 31, 2014.

Request a FREE trial:
http://belkasoft.com/trial

More information about what’s new in version 7.0 is available at
http://belkasoft.com/bec/en/Whats_New_In_Version_7.0

Belkasoft Evidence Center 5.3: New Tool to Share Collected Evidence

Belkasoft announces a major update to its flagship forensic product, Belkasoft Evidence Center 2013. Version 5.3 introduces Evidence Reader, an all-new free tool allowing Belkasoft users to pass along evidence collected with the main product.

Over 12 other enhancements further improve the efficiency of forensic investigations, simplifying the process of obtaining and analyzing digital evidence. The upgrade to Belkasoft Evidence Center 5.3 is offered free of charge to all customers holding a valid license for version 5.2 and to customers on the extended support and maintenance plan.

Evidence Reader: the Free Way to Pass Along Digital Evidence

The newest release of Belkasoft’s popular evidence analysis toolkit introduces an all-new way to deal with collected evidence. The newly developed Evidence Reader allows accessing evidence collected with Belkasoft Evidence Center from any computer free of charge, even without Evidence Center installed. Evidence Reader allows Belkasoft users to transfer data collected during the investigation between computers, enabling them to pass digital evidence along to their colleagues and co-workers, as well as to present collected information in a court.

The new Evidence Reader greatly enhances the value of the product for those customers opting for a bare basic license without the Case Management module. Case Management allows users of Belkasoft Evidence Center to store evidence discovered during a session in a database for later use, and to access, manage and delete previously collected data. Case Management is a paid add-on. Prior to this release, customers without Case Management were required to produce a report immediately after completing the session. The new Evidence Reader tool enables customers without Case Management not only to save collected evidence, but also to pass it along to other people for offline analysis, albeit in read-only mode.

Extended File Carving

Version 5.3 expands file carving support, adding many document, picture and system file formats to the list of data extracted from unallocated disk space. Supported are Microsoft Word 97-2003, Excel 97-2003, PowerPoint 97-2003; jpg, bmp, gif, wmf; Thumbs.db and SQLite databases. In addition, existing Thumbs files can now be discovered and analyzed for Windows 8 and legacy versions of Windows.

Upgrade to Version 5.3 at No Charge

Belkasoft strives to deliver the best service to its valued customers. That is why the upgrade to version 5.3 is offered free of charge to all customers holding a valid, non-expired license for the previous version of Belkasoft Evidence Center (version 5.2) and all customers having a valid Extended Support and Maintenance plan.

Other Improvements

Version 5.3 also includes a wide range of other great improvements and enhancements further enhancing the efficiency of forensic investigations, simplifying the process of obtaining and analyzing digital evidence.
The complete list of additions and enhancements in version 5.3 is available at http://forensic.belkasoft.com/en/whats_new_in_version_5.3.

About Belkasoft Evidence Center 2013

Belkasoft Evidence Center is the company's flagship computer forensic tool, enabling security experts and forensic specialists to collect and analyze more digital evidence than ever. Belkasoft Evidence Center can automatically locate, process and analyze Internet chat logs, Web browsing history and email communications, including information stored in digital pictures and videos, and a variety of history and log files. Low-level access to hard disk and system structures means that even data that's been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux and Mac OS X file systems and natively mounting images created in EnCase, DD and SMART formats without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

The affordable Standard edition is available to private investigators and corporate security departments, while the more comprehensive Professional edition adds the abilities to recover hidden and destroyed evidence with Data Carving, analyze memory dumps with Live RAM analysis. The Ultimate edition adds document analysis, encrypted file discovery, mobile backup analysis and multimedia support, allowing investigators to automatically detect images and videos containing faces, pornography and scanned documents. The top-of-the-line Enterprise edition allows major security agencies and police departments to have multiple investigators work simultaneously on a case.

Pricing and Availability

Belkasoft Evidence Center 2013 is available immediately. Pricing for Forensic IM Analyzer edition starts from $499.95, the Professional edition is available from $799.95, while the Ultimate edition sells for $1099.95.

About Belkasoft

Founded in 2002, Belkasoft is an independent software vendor specializing in computer forensics and IT security software. Belkasoft products back the company’s “Forensics made easier” slogan, offering IT security experts and forensic investigators solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.

Belkasoft Evidence Center 2013 is a world renowned tool used by thousands of customers for conducting forensic investigations, as well as for law enforcement, intelligence and corporate security applications. Belkasoft customers include government and private organizations in more than 40 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.

More information about the company and its products at http://belkasoft.com

# # #

Information on Belkasoft Evidence Center as well as the free demo download are available at http://forensic.belkasoft.com/

The complete list of additions and enhancements in version 5.3 is available at http://forensic.belkasoft.com/en/bec/en/whats_new_in_version_5.3.asp

Belkasoft Releases Free Kernel-Mode Live RAM Capturing Tool

Belkasoft has released a new kernel-mode forensic tool to capture the content of the computer’s volatile memory. Belkasoft RAM Capturer offers forensic specialists the ability to take snapshots of the computer’s volatile memory (“memory dumps”) even if an anti-dumping protection is active. The supplied kernel-mode driver can successfully capture memory content of applications protecting their working set against dumping, including chats occurring in Karos and other MMORPG games. The tool is available free of charge, and can be downloaded from http://forensic.belkasoft.com/en/ram-capturer

Protected Memory Sets

Today, many applications protect their memory against dumping. Such applications include multi-player online games, malware, and custom and commercial products protected with active anti-debugging systems. In the best case, an attempt to read a protected memory area returns garbage or zeroes instead of the actual information. In the worst case, if an anti-debug system detects an attempt to read protected memory areas, it may take measures to destroy the affected information and/or cause a kernel-mode failure, locking up the computer and making further analysis impossible. This may happen if a user-mode volatile memory acquisition tool is used to dump content protected by a kernel-mode anti-debugging system.

Kernel Mode Memory Dumping

There are several techniques available to forensic specialists for acquiring the content of the computer’s volatile memory. Capturing live RAM content can be done with user-mode or kernel-mode software tools, or performed in the form of a FireWire attack (if the target computer supports FireWire and has the corresponding drivers installed and active).

The majority of free memory dumping tools, such as AccessData FTK Imager or PMDump, can only run in user mode. In comparison, Belkasoft RAM Capturer supplies a kernel-mode driver that operates in the system’s most privileged ring (kernel mode). Running in kernel mode allows Belkasoft RAM Capturer to successfully bypass all currently available active anti-dumping protection systems, such as nProtect GameGuard.

Anti-debug and anti-dumping systems such as GameGuard are designed to protect an application’s memory set against tools attempting to acquire or modify protected content. These systems run as system drivers in the most privileged kernel mode, leaving no chance for memory acquisition tools running in less-privileged user mode.

Belkasoft RAM Capturer supplies its very own system driver, running in the same privileged kernel mode as the anti-dumping systems. This allows Belkasoft RAM Capturer to successfully acquire memory content protected by these anti-dumping systems.

Compared to…

Belkasoft made an internal comparison between Belkasoft RAM Capturer and the latest versions of competing RAM acquisition tools. Belkasoft RAM Capturer was tried against AccessData FTK Imager 3.0.0.1443 and PMDump 1.2. The test subject, Karos, was using an active anti-debugging protection specifically designed to resist memory dumping.

AccessData FTK Imager 3.0.0.1443 returned an empty memory block filled with zeroes. PMDump 1.2 was unable to capture the memory area of interest, returning random data instead of the actual content. Belkasoft RAM Capturer was the only tool to correctly recover the memory areas occupied by the test subject.
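The two failure signatures described above, an all-zero block and a block of random data, can be flagged when reviewing any memory image. The following Python triage script is an added example, not Belkasoft’s code: it walks a dump page by page and reports pages that are entirely zero or statistically random; the sample image and the 7.8 bits/byte threshold are constructed assumptions.

```python
import math
import random
from collections import Counter

PAGE = 4096  # assumed page size for the triage; x86 Windows uses 4 KiB pages

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_page(page: bytes, high: float = 7.8) -> str:
    """Label a page as 'zeroed' (anti-dumping returned zeroes), 'random'
    (garbage returned instead of content) or 'content' (worth analysing).
    A high-entropy page may also be compressed or encrypted data, so the
    label is a triage signal, not proof that acquisition failed."""
    if not any(page):
        return "zeroed"
    if entropy(page) >= high:
        return "random"
    return "content"

def triage_dump(dump: bytes, page_size: int = PAGE):
    """Return (per-label page counts, [(offset, label)] for flagged pages)."""
    summary = Counter()
    flagged = []
    for off in range(0, len(dump), page_size):
        label = classify_page(dump[off:off + page_size])
        summary[label] += 1
        if label != "content":
            flagged.append((off, label))
    return dict(summary), flagged

# Constructed three-page sample image: one page of chat-like text (real content),
# one zero-filled page (the FTK Imager result), one pseudo-random page (the PMDump result).
_rng = random.Random(2017)
SAMPLE_DUMP = (
    (b"Karos chat line: hello from the guild\n" * 200)[:PAGE]
    + bytes(PAGE)
    + bytes(_rng.getrandbits(8) for _ in range(PAGE))
)

if __name__ == "__main__":
    counts, suspicious = triage_dump(SAMPLE_DUMP)
    print(counts)                       # {'content': 1, 'zeroed': 1, 'random': 1}
    for offset, label in suspicious:
        print(f"page at 0x{offset:08x}: {label}")
```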

About Belkasoft RAM Capturer

Belkasoft RAM Capturer is a free forensic tool to acquire the content of the computer’s volatile memory, even if anti-debugging or anti-dumping protection is active. By working in system kernel mode, Belkasoft RAM Capturer can successfully bypass protection that many other tools can’t. When tested against competing RAM capturing tools, Belkasoft RAM Capturer demonstrated the best results, being able to successfully acquire protected memory areas that the other tools couldn’t. Belkasoft RAM Capturer is available to all customers at no charge.

Pricing and Availability

The new memory dumping tool is available to all customers free of charge, and can be downloaded from the company’s Web site.

System Requirements

Belkasoft RAM Capturer supports computers running 32-bit and 64-bit versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008, in all editions and with any combination of installed service packs.

About Belkasoft

Founded in 2002, Belkasoft is an independent software vendor specializing in computer forensics and IT security software. Running on the Microsoft Windows platform, Belkasoft products back the company’s “Forensics made easier” slogan, offering IT security experts and forensic investigators solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.

# # #

Information on Belkasoft RAM Capturer as well as the free download are available at http://forensic.belkasoft.com/en/ram-capturer