Presenter: Yuri Gubanov, CEO, Belkasoft
Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.Hello everyone, my name is Yuri Gubanov, and today I will show a presentation about our digital forensic tool, Belkasoft Evidence Center. We will discuss how you can conduct computer and mobile investigations with the help of our product.
First, I will show you some slides, then we will move on to live demonstration of Evidence Center. Let me give you a brief introduction of what the tool can do for you.
First of all, this tool can mount and analyze a lot of various digital sources, such as:
– Hard drives or removable drives, including drives that are enclosed in write blocker devices or network shared devices
– Disc images: EnCase, FTK, X-Ways, DD, and some others
– Logical images: L01, Lx01
– Mobile devices: iPhone/iPad, Android, Blackberry backups
– UFED dumps, both physical and logical, JTAG and chip-off dumps
– Virtual machines – the product can handle nested virtual machines (without having to switch it on), meaning you can unwind series of nested virtual machines and extract artifacts from them: documents, mails, chats, browsers and so on.
– Live RAM analysis is an important feature of the product, allowing it to extract hundreds of different types of application data from memory dumps, hibernation files, and page files. By the way, we have a free tool for capturing live memory dumps, which you can download from belkasoft.com.
While the product itself works only on Windows (versions from Windows XP to Windows 10), it can analyze all modern operating systems, such as Windows, Linux and other UNIX-based systems, Mac OS X, iOS, Android, Blackberry, and Windows Phone.
The product supports analysis of multiple wide-spread file systems, including all versions of FAT, NTFS, HFS and HFS+, ext2, ext3, ext4, YAFFS, YAFFS2, and more.
The main idea of the tool and of the most useful types of analysis it offers is its ability to automatically locate, extract and analyze artifacts for more than 600 application data types, file formats, database formats, and so on.
It starts with office documents, including Microsoft Office, Open Office, PDF, RTF documents. We also support most wide-spread email clients such as Outlook and Outlook Express, Windows Live Mail and so on. There are hundreds of mobile applications supported out of the box, including most famous WhatsApp, Skype, Viber, WeChat, and many more. The tool has powerful support for SQLite databases, a separate slide is dedicated to that, and same with registries, which we can analyze, carve, and find in live memory. There are a number of important system files that we support, such as jumplists, thumbnails, event logs, and so on. Of course, support for various internet-related artifacts is important nowadays, and we offer support for browsing histories, instant messenger chats, social network communications, chats in multiplayer online games, and so on. Next, the product supports different types of analysis for pictures and videos. Finally, it can find more than 200 types of encrypted files.
As promised, here is a separate slide for SQLite. One of the strongest features of the tool is its support for SQLite databases. SQLite is now everywhere, as it is widely used in mobile phones as well as on computers by such software as Skype, WhatsApp, or Firefox to store data. SQLite is tricky, because it can store recently deleted data or destroyed data that is sometime possible to recover. What can Evidence Center do for you here? First of all, it has SQLite Viewer, a built-in feature which can display every table of the database. The tool can show you even badly damaged and destroyed databases, while many other tools will fail to open carved SQLite databases that do not have a proper structure. Belkasoft Evidence Center will try to recover as much information as possible and show it to you. Apart from just showing SQLite data, we can recover freelist details that will be shown in SQLite Viewer as well. When we analyze applications such as Skype or Firefox, we also show you deleted data in a corresponding viewer for this or that application (this will be shown in live demo). Apart from freelists, we support analysis for write-ahead logs and journal files, which can contain significant amount of data so it’s important to analyze these alongside with the main SQLite database, because otherwise you will miss a lot of important information. Finally, there is analysis of unallocated space. Don’t confuse SQLite unallocated space with hard drive unallocated space, similar yet different phenomena, so you need a tool to analyze SQLite unallocated space, and Evidence Center has this type of analysis.
For registries, we also have a viewer that will open carved files or registries from live memory, which are usually incomplete. Microsoft Regedit will fail to open such files at best, and at worst, it will crash. Evidence Center will not crash on incorrect registries, it will try to show whatever is available. Apart from just showing you the contents of registry, Evidence Center will show hundreds of forensically important keys, such as USB devices plugged into a computer, IP configurations, User assists, Shellbags, and many other types of keywords that you usually search for when you open this or that registry file.
For pictures and videos, the product can find pictures, carve, extract them from email attachments, from documents, RAM, volume shadow copy, and many other places. Apart from extracting pictures, it can perform various types of analysis, such as skin tone detection, face detection, text detection (scanned or photo’d) with automatic recognition and indexation of the text, making it searchable (so that you can find a word in the text in the picture).
A separate module called Photo Forgery Detection module can identify edited pictures, allowing you to answer the question whether the picture is genuine or there are traces of editing. This module also has a photo ballistics feature: when you have a photo even with deleted/modified EXIF metadata, the module will robustly determine which camera was used to make a shot.
Finally, the product supports video keyframe extraction. Instead of having to watch the entire film, you can extract a number of still images called keeframes, and you can quickly review these images without losing any information from the video because the idea of keyframes is that one significantly differs from another, meaning any changes will be detected. Apart from just extracting keyframes, you can analyze them using the abovementioned types of detection.
We will skip information about jumplists because it will be more handy to show in live demo, same with thumbnails.
It is important to mention carving. Of course, we can find existing files, that is the easy part, but when individual files (say, chat messages or visited URLs) are deleted, it’s important to be able to recover the deleted data. Carving is a specific type of analysis when the tool does not rely on file system because a file can be deleted or the entire file system can be formatted, for example. Carving does not look for files, instead, it looks for signatures. Signature is a sequence of bytes which is specific to a type of application or format. Carving helps to find deleted data, hidden data, data embedded into container files, and so on. Belkasoft Evidence Center uses carving for both unallocated space and allocated space analysis, analysis of hibernation files, page files, and memory dumps, and for other types of analysis.
RAM analysis helps you recover information that is never recorded on a hard drive, for example, various decryption keys, recent social network chats, in-private history, which could not be accessed otherwise. That is why analysis of RAM contents is very important in digital forensic investigations. Another interesting function of Evidence Center can be used when you have a data source (image of virtual machine), the product will look inside it and will automatically attach hibernation and page files inside this datasource. You do not have to mount a specific hibernation/page file manually, which could be time-consuming in case you have, for example, a nested virtual machine.
The tool has different timeline types, which can help you to narrow down your search using visual tools such as graphical timeline or textual table-view timeline combing all the events in the case in a single view, allowing filtering these events by different criteria (time, event type, text, etc).
Apart from analysis of 700 hundred types of artifacts out of the box, the tool allows you to low-level investigations. It features a File System module that helps you to review the structure of a hard drive, mobile device, or mobile dump, while for live memory it shows you the list of processes. File System explorer shows you all the folders and files, including hidden and deleted ones, and you can navigate through them. Then you can review them in handy Hex Viewer. You can review a volume or a partition in the Hex Viewer, or you can review the entire contents of an image or a drive, so that you can perform custom carving.
Finally, the product has a scripting module that is based on simplified C# programming language. The scripting module is called BelkaScript, and it allows you to extend the product’s capabilities by writing your own scripts for custom carving, custom search, reporting, and so on. It also has full debugging capabilities, so when you have an error in a script, it will help you to locate it.
Now, let us go to the tool. First, we create a case. Here we can specify a root folder, investigator name, and time zone. You can also add a description.
We created a case, and now the product looks for physical drives and devices that are attached to the computer. The first question you are asked is what types of data sources you would like to analyze, for example, drive image file or virtual machine.
You can also analyze logical or physical drives, mobile backups (.ab for Android, .bbb/.ipd for Blackberry, .bin for JTAG or chip-off, manifest.mdbd for iOS, .ufd for UFED).
There is also support for page file, hibernation file, and memory dumps, including memory dumps created by third-party tools (not only by Belkasoft Live RAM Capturer).
Finally, you can analyze a selected folder. If you are in a rush, you can analyze just one folder, and it will be much quicker, for example user folder that contains most of user-related data. For this webinar, we will show analysis of “Samples” folder, which is included in the tool.
Let me mention that we have a hashset analysis feature. Apart from extracting data like emails, SQLite databases, mobile apps and such, we can also detect some files hashset values for which are already known. For this, you can click on “options”, where you can add any NSRL hashset database.
On the next screen you can see what types of artifacts we support. On the left, you can see types: Browsers, Chats, Documents, Encrypted files, Geolocation data, Mails, Payment Systems, Standard Mobile Applications, and so on and so forth. When you select one of these, you can see corresponding applications for different operating systems. So, if you are investigating an Android device, you would probably want to uncheck iOS and other irrelevant operating systems in order to speed up the analysis. For example, if you click on “Chats” you can see that we support more or less every known chat application in the world.
Let’s select everything for this demonstration and click “Finish”. The product asks if you would like to add another data source. Sometimes, you have, for example, a hard drive, a mobile device image and a memory dump, so you can immediately add another data source to the case if you like. For this demonstration, we will not be adding any other data sources. In the meanwhile, you can see that the product has started the analysis. In Task Manager window what tasks are now ongoing, the progress, their status. There is also a tab called “Completed” where you can see what tasks have already been processed, and whether they were completed successfully or not.
While the product is still running the analysis, you can see that the Overview window is already filled with some data extracted from the data source. There is also Case Explorer window that shows you the data sorted by data source, data type, and application type. For example, if we go to Instant Messengers, we can see a lot of found profiles for Skype, ICQ, WeChat, and some other instant messengers. When you click on one of the profiles, you can see all the chats of the profile owner, along with the direction, type of chat, sender and recipient, time, and the message itself, as well as other columns (such as “Is Deleted”). By the way, you can see here that almost all of the items are deleted except for calls and few messages, but the product recovered this data from a freelist. Let me prove this. Click on “View” and select SQLite Viewer. Whenever you click on something that stores data in SQLite format, the viewer will display the tables of the database. You can see the structure of a table and the data itself. When you go to “Messages” table (a table where Skype stores chat-related data) you can see 53 records, but all of them are marked in red color, meaning these items came from freelists.
You can go to “Item Properties” window and review the details about the selected item. If you open this database, for example, in SQLite DB Browser, you will see 0 messages in “Messages” table, so you will lose all of the chat-related information in this case.
Let’s go back to the message list. You can see that you can select one, several, or all items and add them to a report or bookmark them. Bookmarked items will be highlighted, and bookmarks will appear in Case Explorer. You can also create a report from Case Explorer by selecting “Create Report” in the context menu or by clicking on “Create Report” button in the toolbar.
On the right, you can see “Filter by” window, allowing you to filter the selected item list by different criteria, such as participants, sender or recipient, text, or date and time range.
Let’s create a report in PDF. You can customize the report by clicking “Advanced options”. For example, you can select a logo, fonts, you can choose which columns you would like to include in the report. For Skype, we are not interested in “Time (local)” column as it stores this information in UTC format. We also exclude “Attachments” and “Read status”. Specify the target folder and click “OK”. We can go to Task Manager to check the status. Here you are, now we can see the report. There are details about the case itself, about the profile, and the actual history (only the columns that we selected).
That was Instant Messengers. Now we can go to Browsers to see, for example, Cookies extracted for a Chrome profile, downloaded files, favourites, and, of course, sites. For sites, you can see not only the URL, but also the time of the last visit, search term, or category (for example, social networks or dating sites). You can also apply filters here to review, for instance, only social networks or only Google searches. By the way, if you are not interested in a particular column, you can right-click on the header and navigate to “Choose columns” menu, where you can remove the column from the view. Here you can also select and bookmark different items, or create a report.
Next, you can see mailboxes, there are two of them. One is Outlook and another one is The Bat. You can see the mailbox structure, select any mail folder and review the items inside it. You can see details in Item Properties, such as sender and receiver, priority, encoding and so on. You can also review plain text, which is also searchable even if it was in HTML or RTF. You can see headers, for example, IP addresses, and Attachments if there were any. For instance, this email had 6 attachments that you can review, open, or save separately. By the way, it is also possible to right-click on the profile and choose to Copy attachments to folder, which is sometimes useful instead of doing it manually for every single attachment. Attachments with the same name will be copied under names “name_1”, “name_2” etc. to make sure that the names are unique and avoid the attachments being overwritten.
Speaking about attachments, if you select Pictures and go to a filter called File Origin, you can see that there are 6 pictures that are extracted from email attachments. If you select those, you can see that they are the same pictures that we saw when reviewing the email. After resetting the view we can see some pictures that were stored in the Sample folder in mail attachments, in office documents, and of other origins. You can double-click on a picture to see the entire picture and review EXIF information, or you can go to Item Properties to see this information as well as file path and size and some other. You can also right-click on the picture and select one of the many possible operations, like “copy files to folder” or “copy picture”. If you filter items by geolocation data, you can right-click on one of the pictures and choose to display it on Google Maps. In the example with Tower Bridge in London, you can see the map or go to street view and see the spot where the picture was taken. As many investigators are not allowed to have internet access on their machines, you can export selected items to Google Earth format (KML) and later review them on a computer with access to the internet. For example, if a suspect had an iPhone and they were taking pictures on their way somewhere, you would be able to trace their route using this function of Belkasoft Evidence Center.
Apart from that, you can analyze pictures to detect faces, skin tone, texts, or forged (edited) pictures. While the Face detection is in progress, let’s take a look at Videos. Here you can see all of the found videos. You can extract (or re-extract) keyframes to see the important scenes, and then you can run the same detection types as with pictures.
Let’s go back to pictures, where we can that the girl in the pictures has a green box underlining her face that was detected by the product. You can now apply filter “pictures with faces”.
Task manager shows no ongoing tasks, and now we can see that a new filter has appeared: pictures with texts. If you select it, you can see a scanned page from a book about wine and wineglasses. You can go to item properties and see the text that was perfectly recognized by the tool. Now, if we press Ctrl+F and specify word “wineglass” in the search window, then click OK. You can see the the word “wineglass” was found in the picture. It may look like a miracle, but it works.
Now to the Registries. Whenever you select any registry files, Registry Viewer shows its contents, but most of the time this is what you can do with Microsoft Registry Editor. The interesting part here is extraction of the most important registry artifacts, such as user assists or last applications and paths. You can see the Virtual box has been run recently, and if I go to user assists, I can learn the Virtual Box was run twice. You can go to other nodes and review such registry artifacts as Windows accounts (with usernames, logon times and other details), network information (network cards and wireless network profiles), connected USB devices, TCP/IP configurations, and so on. Overall, the product can extract over 200 types of keys out of the box.
The tool has found some documents, and for each one you can see plain text, properties (metadata and file details), embedded files (can be pictures, scripts, archives, etc). If you go to Case Explorer and right-click on the Documents node, you can copy all the documents to a single folder, or copy all the embedded files to a folder (same as with mail attachments from earlier). Again, if I go to Pictures, I can see Pictures from documents, allowing us to filter them from the rest.
We found 4 encrypted files. For each file, the product shows its name, type, md5 hash, complexity (how hard it would be to decrypt the file), protection feature, recovery options. Belkasoft Evidence Center cannot decrypt the files by itself, but if you have our partner product Passware Kit Forensic, you can right-click the item and decrypt it from within Evidence Center’s interface.
Next, you can see the .ab file. Why is it here? We did not add any .ab files to the case, but it was stored inside the Samples folder that we analyzed, and, as mentioned, all nested data sources are mounted automatically. Whenever you have an image with a virtual machine, or a virtual machine with a virtual machine, or image with smartphone backup inside, this nested data source will be automatically added to the case and analyzed for all the types of artifacts we wanted to look for. Here you can see some browsers, geolocation data, chats, mobile apps found inside this .ab file. It looks absolutely the same as for computer artifacts, so you do not need any special knowledge about mobile artifacts.
Let me go to file system. You can see the data source with all its files and folders. By the way, you can also review the contents of the .ab file, which is particularly handy because you can extract just a portion of the back-up file to your machine. You can select any folder, go to Files tab and see all the files that were stored inside this folder. Then you can open Hex Viewer and review what was inside by selecting on or multiple bytes, and the type converter screen will show you how it can interpret the selected bytes. Here you can also use bookmarks that can be reviewed, assigned different colors, given name and description, etc. Using arrow buttons, you can navigate between bookmarks. Let’s imagine that you have some data and you can only guess its meaning. You can mark it, then review the contents using type converter to prove your guess. All these features are designed to help you figure out what was inside that binary file. In Hex Viewer, you can also perform search by text or by hex values. Basically, you can do custom carving here. Let’s search for hex value 0128. You can see where it was found, now you can select a number of bytes and save selection to a file. We just carved some data that started with those bytes. If you need to select, for example, 100 KB, it will be difficult to do with your mouse, but you can select a block, specifying start offset and end offset or length. You can use different numeral systems to specify these numbers. Here you can do some more things, like adjusting the line size or specifying the encoding. Besides, you do not have to open a file from the case, you can also open an arbitrary file to use the power of Hex Viewer.
For memory files, File System explorer will show you all the processes in the system, including bad processes.
We also have export to Evidence Reader, a free tool that will help your colleagues who do not have a license of Evidence Center to work with the data extracted by you.
You can also see Plist data in our built-in Plist Viewer.
Besides, there is a scripting module, and here you can see an example of how a script looks like. It is rather complicated, so we will not go deeper into the topic.
Now let us go through evidence search and search results window. In evidence search, you have search history. You can search for a word or phrase, keywords from an attached file, or regular expressions. We also made some predefined search options for you, such as adult sites, country names, credit card numbers, dating sites, IP addresses, MAC addresses, and more. Let’s search for word “Tom”. You can specify where to search (data source, type of artifact, profile). You can see that the search is complete, and we found “Tom” in some documents, Skype conversations, ICQ chats, and so on. You can filter the search results by text, data source, profile, or field where the search term was found. Now that there are two searches, we have two tabs for each search. Moreover, we can go to search history and review all of the search requests. If we added a data source, here we can also update results for the search to see if anything new was found. From search results window you can select items and create a report or add bookmarks.
Now, let me go back to the slides and summarize what I showed you today.
You saw the Evidence Center is easy to use. It is fast, because it does not index everything on the hard drive, it only extracts and indexes a selected number of artifacts (emails, browsers, chats, system files and so on). The product is very powerful, as it does not only work with existing files, but it can also carve deleted data; it can go to unallocated space; supports volume shadow copy, live memory analysis, as well as analysis of hibernation and page files; it can recover SQLite data, including data from freelists, SQLite unallocated space, WAL and journal files, and so on and so forth. So, despite the fact that you only click twice, it does not mean the tool does only trivial work, on the contrary, it is very comprehensive. The tool comes at a fair price, starting from $1100 for a version with all functions included except File System module. The price can go up depending on the desired configuration.
The tool makes your investigations easier. It does not require any special training. As you’ve seen, most of the functions are instantly available you, even though few functions could require a little bit of practice. Thus, it saves your time and effort and allows you to find more evidence faster.
If you would like to try the tool, you can go to http://belkasoft.com/trial. We offer free 1-month trial versions with full functionality to all Law Enforcement organizations and Academic institutions. If you work in a private company, send an email to firstname.lastname@example.org, and we will see if we can provide you with a full trial. You can contact me directly at email@example.com or send me a message in LinkedIn.
Thank you for your attention, and have a great day!
End of transcript