Forensic Analysis Of Files And Memory Processes In Belkasoft Evidence Center

Belkasoft Evidence Center (or BEC) is an all-in-one digital forensic product, which helps investigators to acquire, extract and analyze digital data. The product offers out of the box analysis of hundreds of important artifacts (such as documents, emails, pictures and videos, chats and browser links, registry and system data, etc), as well as low level analysis of files and processes.

In this article we will discuss how BEC supports the second type of analysis: low level investigation of files and processes.

Sign up to the free webinar on BEC 2017: https://belkasoft.com/webinar

File System and File Analysis with BEC 2017
You start your investigation by acquiring data from a data source. BEC supports acquisition of hard or removable drives, computer RAM memory, mobile devices and cloud data:


BEC is able to acquire Google cloud and iCloud

Besides, you can also add already acquired data, such as a mobile phone dump or a backup, a folder, a virtual machine file and so on. In the screenshot below, we add an E01 image:


All popular types of images are supported, including EnCase, FTK, UFED and X-Ways

The product asks whether you would like to analyze the image or not. Here, “analysis” means out of the box extraction of 700+ types of artifacts BEC supports, such as the above-mentioned ones. We do not need this now, thus the checkbox is not ticked in order to save time by skipping out of the box analysis.

Once a data source is added to the case, it immediately appears in the File System Explorer window. This window allows you to see the volume, partition and folder structure of the data source. BEC allows you to see all folders, including hidden and system ones:


Particularly, BEC allows you to analyze all or selected VCS snapshots

Leave a Comment