Reviewed by Jade James
Belkasoft is a global leader in digital forensics technology, founded in 2002. The team comprises people from different backgrounds such as digital forensics, data recovery and reverse engineering. One of Belkasoft's main purposes is to create easy-to-use, technologically advanced tools that let investigators carry out comprehensive investigations. Currently Belkasoft has three tools used for investigation, of which the Belkasoft Evidence Center (BEC) remains the flagship forensic product. Other products include the Belkasoft Acquisition Tool (BAT), or BelkaImager as you may know it, which allows you to make images of hard and removable drives, Android and iOS devices, and download cloud data. With the BelkaImager you can acquire physical images of hard drives, SSD drives and removable drives connected to your computer, laptop or tablet. The drive can be acquired as a DD or E01 image.
The acquisition tool also supports the acquisition of mobile devices, computer RAM and cloud data.
Belkasoft Live RAM Capturer is a free forensic tool that allows you to reliably extract the entire contents of a computer's volatile memory. It can extract RAM even if it is protected by an active anti-debugging or anti-dumping system. The memory dumps captured by the tool can then be analysed using the Belkasoft Evidence Center.
Belkasoft Evidence Center 2019 v9.5 is an all-in-one forensic solution – combining mobile, computer, RAM, cloud and remote forensics. There are a lot of new features with the latest version of Belkasoft Evidence Center v9.5 and the full list of features can be found on the website, but I will highlight a few.
Firstly, Remote Acquisition allows you to install an agent on any computer inside the network you are investigating. Various image types can be acquired: computer, mobile and memory dumps. The acquired image can then be scheduled for upload to a central location; this can be in the evening when employees are out of the office so that it does not cause disruption to the network. The Remote Acquisition feature is only available as a separate plug-in.
With BEC v9.5, you can mount and analyse TWRP Android images. Team Win Recovery Project (TWRP) is an open-source, community-developed custom recovery image for Android devices. Using TWRP, you can create a full logical copy of a user's '/data' partition on an Android device and then analyse it using BEC. A full list of supported devices and more information can be found on the TWRP website. This feature is available for all BEC customers who have an up-to-date Mobile Device Analysis module.
Artificial Neural Network (ANN) detection for arrow and cross signs on images has been incorporated in the latest version of BEC. ANNs are one of the main tools used in machine learning and attempt to replicate how humans learn. In drug-related crimes, it is common for images to be taken of a place, with hand-drawn arrows and crosses used to indicate where in the image the "stash" is hidden. BEC extends further support for investigators dealing with drug-related crimes by using state-of-the-art artificial neural networks to analyse specific sets of pictures stored on a suspect's device. ANN detection is available for all BEC customers, although a separate installer is required.
BEC requires the following hardware and software in order to function optimally:
● Windows 7 or Windows 10
● 4-core i7 processor with hyper-threading
● 16 GB of RAM
● SSD as the system disk and a large magnetic drive (1 TB or larger) for case data
A comprehensive list of all supported data sources and file types is available on the BEC website.
To get set up initially, I was sent a link to the Customer Portal and a license file; physical dongles and a portable version are also available. I downloaded the tool with ease, and then had to save the license file in the same folder as the app data in order for the tool to work.
When the tool is launched, you are prompted to set up a new case. You are given the option to choose where to save the case data and select the time zone, which could be important. Once you have created a new case you are then prompted to add a data source. With BEC, you are able to add pre-existing data or have the opportunity to acquire and add it to the case.
When adding a pre-existing disk image, you can add the following file types:
● Advanced Forensic Format (*.afd, *.aff, *.afm)
● AccessData logical image (*.ad1)
● Atola image (*.img)
● Belkasoft image file (*.belkaml)
● DD image (*.000, *.001, *.dd)
● EnCase image (*.e01, *.ex01)
● Logical evidence file (*.L01, *.Lx01)
● SMART image file (*.s01)
● DMG image file (*.dmg)
● X-Ways containers (*.ctr)
● Tar and Zip archives
Virtual machine files (VMware, VirtualBox, XenServer and Virtual PC/Hyper-V):
● *.vdi
● *.vhd
● *.vmdk
● *.xva
You can also add data from either a physical or logical drive on the system. The following mobile backup file types are compatible:
● *.ofb
● *.tar
● *.zip
● *.belkaml
● *.ab
● *.bbb
● *.bin
● *.ipd
● Manifest.mbdb
● Manifest.db
● *.ufd
Finally, RAM dumps and specific folders can also be added as data sources. A more comprehensive list of file types is available on the Belkasoft website.
The next prompt allows you to tailor what you would like BEC to analyse and carve. According to the accompanying BEC documentation, the Analyze option goes through the data source's file system, entering each logical drive and folder (including system, hidden and special ones), and looks for data of interest inside each existing file. This option is limited: it will not recover deleted files, it will not work if there is no file system, and it will not perform signature-match analysis. The 'advanced analysis options' window allows you to select partitions and to recover the Windows Recycle Bin.
The Carve option instructs BEC to run signature-based analysis (called "carving" for short). Carving is only available for physical images or dumps, such as physical computer drives, physical images of mobile devices, memory dumps, page files or hibernation files. Advanced carving options allow you to select whether to carve allocated or unallocated space, with further options to select all data or free space only. There is also an option to enable BelkaCarving, which is only available for memory dumps.
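To make the difference between the Analyze and Carve options concrete, the following added example (not Belkasoft's code, and not how BEC is implemented internally) is a minimal header/footer carver: it scans raw bytes for JPEG and PNG signatures without consulting any file system, which is exactly why carving works on unallocated space and on images with no file system at all. The "free space only" variant skips byte ranges that an assumed file-system pass has already attributed to allocated files. The sample "disk image", the allocated ranges and the JPEG-shaped blob are all constructed inline.

```python
"""Signature-based carving demo (added example, not Belkasoft code)."""
import struct
import zlib

# Real JPEG and PNG header/footer magic values; the carver around them is a
# teaching example, not a production carver.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 1 << 20  # give up on a header if no footer appears within 1 MiB


def carve(image: bytes, regions=None):
    """Scan the given (start, end) byte regions for header/footer pairs.

    Returns (offset, extension, data) tuples sorted by offset. No file system
    is consulted: the bytes alone decide what gets recovered.
    """
    if regions is None:
        regions = [(0, len(image))]
    found = []
    for lo, hi in regions:
        chunk = image[lo:hi]
        for ext, (header, footer) in SIGNATURES.items():
            pos = 0
            while True:
                start = chunk.find(header, pos)
                if start == -1:
                    break
                end = chunk.find(footer, start + len(header), start + MAX_FILE_SIZE)
                if end == -1:
                    pos = start + 1  # header with no footer in range: move on
                    continue
                end += len(footer)
                found.append((lo + start, ext, chunk[start:end]))
                pos = end
    found.sort(key=lambda item: item[0])
    return found


def unallocated_regions(image_len: int, allocated):
    """Complement of the allocated (start, end) ranges, i.e. the free space."""
    regions, cursor = [], 0
    for start, end in sorted(allocated):
        if start > cursor:
            regions.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < image_len:
        regions.append((cursor, image_len))
    return regions


def carve_free_space_only(image: bytes, allocated):
    """Mirror of the 'free space only' option: carve only unallocated ranges."""
    return carve(image, unallocated_regions(len(image), allocated))


def make_png() -> bytes:
    """Build a minimal valid 1x1 RGB PNG so the sample image holds a real file."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(kind + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed sample image: zero padding, a JPEG-shaped blob (header, JFIF
# marker, filler, footer), more padding, a real PNG, trailing padding.
# Resulting offsets: JPEG at 512, PNG at 512 + 75 + 256 = 843.
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"A" * 64 + b"\xff\xd9"
PNG_BLOB = make_png()
SAMPLE_IMAGE = b"\x00" * 512 + JPEG_BLOB + b"\x00" * 256 + PNG_BLOB + b"\x00" * 128

if __name__ == "__main__":
    for offset, ext, data in carve(SAMPLE_IMAGE):
        print(f"offset {offset}: {ext} ({len(data)} bytes)")
    # Treat the JPEG as an allocated file the file-system pass already found;
    # a free-space-only carve then returns just the PNG.
    for offset, ext, _ in carve_free_space_only(SAMPLE_IMAGE, [(512, 512 + len(JPEG_BLOB))]):
        print(f"free space only -> offset {offset}: {ext}")
```

A real carver also has to deal with fragmented files, false-positive footers inside other data and formats with no footer at all (which is where length fields, as in the PNG chunk headers above, come in); the point here is only that carving is driven by byte signatures rather than by directory entries.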
There are a variety of different options you can select or deselect to tailor your investigation, including options for Android, iOS and MacOS. It may take a while to analyse and carve the data depending on the system on which you are running BEC. You will be asked if you would like to add another data source; you can add multiple data sources to the same case.
The Task Manager tab helps you review and manage running tasks, and also shows logs and task statuses. Task Manager shows how many tasks are available under the current filter and how many are selected (it allows multiple selection). It also gives you the option to cancel all running, scheduled and pending tasks without clicking the X button for each one, and it provides app log and case log buttons, which open the BEC log and the main case log for troubleshooting.
The Overview tab allows you to quickly glance over various artifacts extracted by the tool in the process of analysing data sources which you have added to your case. If you did not run artifact analysis or hashset analysis, it will not show you anything. You do not have to wait for the analysis to be completed; you are able to preview files as they become available.
Depending on the different nodes you choose, when you highlight a certain file, you will be presented with the following options:
● Create report
● Analyze pictures (this menu item is specific to the Pictures and Videos nodes). Using the 'Analyze pictures' menu you can detect pictures and videos with faces, pornography, guns, skin and scanned text. Neural-network-based types of analysis (such as pornography, guns and narcotics cache detection) require a special build of BEC, which is currently available for all valid license holders.
● Copy files to folder. This is for file-based artifacts such as documents, encrypted files, pictures or videos. This may be helpful if you are going to investigate files from within a virtual machine or an image with a third-party tool.
● Copy embedded files to folder. This item is similar to 'Copy files to folder', but copies the files embedded in documents rather than the documents themselves. This may be helpful, for example, to examine all pictures from all documents with a third-party tool.
● Decrypt. If you have the Decryption module enabled with your license, the product allows you to decrypt all found encrypted files, gathered under the ‘Encrypted files’ node.
● Extract key frames. This menu item is specific to the Videos node. As a result of this action, a series of still images will be extracted for all videos. Later you will be able to review these key frames or analyze them.
● Show on Open Street Maps. Some artifacts may have geolocation data, for example, pictures taken with a smartphone, or “my location” sent via mobile chat application. Note that you will need an Internet connection to use this feature.
● Show on Google Earth. This menu item is available for the same artifact types having geolocation, but is useful when you do not have an Internet connection.
Selecting certain documents or files and double clicking them allows you to view them in their native formats. When you are viewing pictures within the ‘overview’ tab, if you hover the cursor over the pictures it will give you details about them such as file size, dimensions and camera model. If you double click on a picture, you are presented with a picture viewer which gives you much more in-depth information.
The Case Explorer tab allows you to search through the different artifacts extracted in the process of analysing the data sources. These artifacts are broken down by data source, artifact type and profile, so you can clearly see which artifacts belong to which device and application profile. Next to each artifact, you will see different coloured dots which indicate how successful the extraction process was.
The File System window allows you to examine the file system of data sources added to your case, including special and hidden files and folders. It can also visualize memory dumps, particularly showing you memory processes for a given RAM dump.
The Timeline tab shows all artifacts that have timestamps as a visualisation; alternatively, you can switch the view to a list. On the timeline, you can right-click a certain time frame to get a list of all files created at that time. The Timeline window is not updated automatically, for performance reasons, so it may be necessary to refresh it from time to time.
The Connection Graph tab visualises communications between people involved in the case at a high level. This window shows individuals as dots or avatars, and connects them with lines showing how they communicated, for example via:
● Phone call
● SMS
● Instant messenger chat, file transfer or voicemail
● Email
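The graph behind a view like this is simple to build once every identifier is resolved to a person. The following added example (not Belkasoft's code, and not how BEC implements its Connection Graph) takes constructed communication records of the channel types listed above, maps phone numbers, email addresses and messenger handles to people through an assumed alias table, and aggregates them into undirected, per-channel weighted edges, which is what the lines between avatars represent. All records, names and identifiers are hypothetical.

```python
"""Connection-graph demo (added example, not Belkasoft code)."""
from collections import Counter, defaultdict

# Constructed sample records: (channel, sender identifier, recipient identifier).
RECORDS = [
    ("call", "+15550001", "+15550002"),
    ("call", "+15550002", "+15550001"),
    ("sms", "+15550001", "+15550002"),
    ("chat", "alice.w", "bob77"),
    ("email", "alice@example.com", "carol@example.com"),
    ("email", "bob@example.com", "carol@example.com"),
]

# Assumed identity mapping: one person appears under several identifiers
# (phone number, email address, messenger handle). Unmapped identifiers are
# kept as-is so an unresolved contact still shows up as its own node.
ALIASES = {
    "+15550001": "Alice", "alice@example.com": "Alice", "alice.w": "Alice",
    "+15550002": "Bob", "bob@example.com": "Bob", "bob77": "Bob",
}


def resolve(identifier: str, aliases=ALIASES) -> str:
    """Map an identifier to a person, or leave it unchanged if unknown."""
    return aliases.get(identifier, identifier)


def build_graph(records, aliases=ALIASES):
    """Undirected graph: frozenset({a, b}) -> Counter of channel -> count."""
    graph = defaultdict(Counter)
    for channel, src, dst in records:
        a, b = resolve(src, aliases), resolve(dst, aliases)
        if a == b:
            continue  # a note-to-self links nobody to anybody
        graph[frozenset((a, b))][channel] += 1
    return dict(graph)


def edges(graph):
    """Lines for the drawing: (person, person, total contacts), heaviest first."""
    rows = []
    for pair, channels in graph.items():
        a, b = sorted(pair)
        rows.append((a, b, sum(channels.values())))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def contacts(graph, person: str):
    """Everyone directly connected to the given person, sorted by name."""
    return sorted(next(iter(pair - {person})) for pair in graph if person in pair)


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for a, b, weight in edges(g):
        print(f"{a} -- {b}: {weight} contact(s), {dict(g[frozenset((a, b))])}")
    print("Alice's contacts:", contacts(g, "Alice"))
```

The alias table is the part that matters in practice: without it, the same person's phone number, email address and chat handle become three separate nodes and the graph understates how closely two people are linked.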
As with a lot of tools, there is also the facility to bookmark data so that you can return to it at a later stage in your investigation. If you bookmark an item in BEC which originated from other items, for example a picture from an email attachment, then both the parent and child items are bookmarked.
There is a lot of functionality to the Belkasoft Evidence Center: it is simple to navigate and easy to use. This tool could be used in many different cases, for example in mobile forensics, computer forensics, memory (RAM) forensics, cloud forensics, or remote forensics: it is an all-in-one tool, which makes it pretty handy.
With the option to acquire data or to add pre-existing data, you don't have to keep switching between different tools. However, you will need to run BEC on a high-spec system, otherwise you will struggle to run it efficiently.
Find out more about Belkasoft Evidence Center and order your copy at belkasoft.com.
About The Reviewer
Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional digital forensic experience from working at IntaForensics, the Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience conducting computer and mobile device examinations and drone forensics, and has been involved with ISO 17025 and quality standards both as a Digital Forensic Practitioner and as a Quality Manager.