Yuri from Belka is a helping hand, I can confirm.
Bs3xy,
Apologies for the delayed response (I was on vacation last week).
"The cases I usually have until now are data extraction from phones like Viber, GPS loc, messengers etc., data extraction from Windows and Mac machines like website history files system info etc. (For mobile devices I'm looking for something that can analyse and extract data from an image I have managed with imaging to tools to extract.) Usually most of the phones that come to me are unlocked or I have the passcode/PIN.
My budget is around 3k $."
1) Based upon your above scope of work and budget, I would recommend BlackLight's BlackBag software.
My opinion is based upon two items: BlackBag can image/extract data from Android phones and iPhones, and also provide EnCase/FTK/X-Ways/Forensic Explorer type analysis capabilities of Windows/Mac OSX computers.
Also, I agree with Paul Sanderson that IEF/Belkasoft's tools should be a purchase above, or in addition to a basic analysis tool such as EnCase/FTK/X-Ways/Forensic Explorer.
In my own practice, I will run both Forensic Explorer and IEF (I have not used Belkasoft but I assume by my colleagues' approval that it is a very high quality tool), to attempt to triangulate/decipher what actually occurred.
For example, I had a case in which IEF pulled out evidence of my client's current employee using his company-owned computer to log in to his former employer's email account (a potential element of the Computer Fraud and Abuse Act). Of course, my client wanted to know what activity occurred as a result of the employee accessing his former employer's email account.
I was able to use Forensic Explorer to sort all of the evidence from the current employee's laptop into a super timeline, which then allowed me to identify evidence that was created contemporaneously with the former work email account access.
So, ideally, the powers that be should allow you to purchase a basic analysis tool (EnCase/FTK/X-Ways/BlackBag), IEF/Belkasoft for web artifact carving, AND Cellebrite for smartphone extraction.
I know purchasing all three tools would exceed your budget by about $12,000.00, but I assume the matters you will be handling are worth more than $12,000.00 to your customers.
If you absolutely have to keep to the $3,500.00 budget, then I would go with BlackBag because it can handle both workstations and phones.
If your budget is fixed, then I would also use free tools and look at alternative methods of handling evidence. For example, with certain important caveats, jailbreaking/rooting smartphones will enable you to use FTK Imager (free) to create physical images of phones, which you can then explore with other free tools (TestDisk/Autopsy).
I do have to say though that I am in awe of how well Cellebrite works and do not regret making the $9,000.00 purchase of it (plus $3,500.00 in training/certification).
Regards,
Larry
Cellebrite is the long-term goal (fingers crossed).
Your answer was very clear. I will try and give you all some more information and you might be able to help me a bit more.
I looked into the X-Ways software and the question is, does it analyze Mac, Android & iOS?
PC (Windows and OSX support for the following)
Mozilla/Chrome/IE timeline-history,
OS details, USB lists, event logs, software installed etc.,
Common file details and extraction like Mails, Pictures, Documents like pdf, docx, xlsx, .pages etc.
Recover deleted files, unallocated clusters etc.
Phones (iOS & Android)
Mobile extraction of Viber, WhatsApp and iMessages,
geolocation data
(In all cases I have full access and the phones' passcodes, and I know that locked ones need to be unlocked, and currently I'm not interested in locked ones.)
Very interesting discussion, as I am in the same boat as the B3xy, learning to use the tools as I go along. I sent a quote request to Oxygen and am awaiting a reply… I will be going for Cellebrite and Oxygen in the long term.
Good luck.
These days forensic software tends to broadly fall into two categories; 'low level tools' and 'evidence aggregators'.
'Low level tools' are the more traditional forensic tools like EnCase, FTK, X-Ways. While these will let you fully explore file systems, and tend to have a lot of tools for automated extraction of Operating System artefacts, they don't offer much in terms of third party software artefact analysis (for example, you can't tell X-Ways to parse an image file for Viber artefacts). Depending on the tool, there is some scope for extending the functionality via scripting languages and so if you have the time and effort you can in theory use them to parse anything - but given the pace of app development, you would likely be fighting a losing battle if you were using them to examine phones.
'Evidence aggregators' are tools like XRY and IEF. While they don't typically allow you to examine the file system in great detail, they are very good at the automated collection and presentation of data from third party apps. They also update frequently, meaning the list of apps gets a refresh every few months. Traditional forensic practitioners don't really like evidence aggregators, but to be honest they are a crucial tool for modern computer and phone examination if you have any sort of time constraint on your investigation.
So really you need to decide on what you want. As far as I understand it, Belkasoft Evidence Centre tends to straddle both sides of the camp - but I don't have any personal experience, this is only from demos and suchlike. I can't speak for BlackBag as I have never used it.
P.S. Just to chime in on the IEF 'customer care' front, the only time I've ever dealt with them they have been courteous and have responded quickly. I've only ever witnessed terrible customer service from one software vendor, but they're not the big player they used to be so *shrug*
That's what I understood by using them, you put it pretty well, but for low level traditional forensics, after 2 degrees (bachelor's & master's) in computer forensics, I am in a position where I can do them manually. In most cases I just need 'evidence aggregators' nowadays, as people are more stupid and don't really try to hide anything… at least where I come from. So I am waiting for BlackBag to give a trial to check their tool also, but I think after this conversation I'm leaning towards the BECU due to the middle ground between 'low level tools' and 'evidence aggregators', and Yuri (Belkasoft owner), as he is really open to talk and support. And IEF lost an artefact in a case I used it on (thank God I know it was there), where there was a suicide note in .pages with extension on the desktop (it was a Mac).