Presenter: Yuri Gubanov, CEO, Belkasoft
My name is Yuri Gubanov, I am from a company called Belkasoft, and today I’d like to show you a sneak peek into our Evidence Center 2017 v.8.3.
Here is the plan for today. First, I will briefly introduce the company (Belkasoft). Then, also briefly, I will give you an overview of what Evidence Center is about for those of you who have never seen the tool, and then I will move on to the main topic of today’s webinar, which is: what’s new in the upcoming Evidence Center v.8.3. Finally, we will conduct a Q&A session.
First of all, what is Belkasoft? Belkasoft has a number of offices. “Belkasoft LLC” is a United States-based company. The company was established in 2002, with the first forensic product in 2007. Most of our customers are the police and law enforcement organizations in more than 70 countries all over the world. We also have academic partnerships with many universities and colleges. Belkasoft is a member of IACIS and HTCIA. We are sponsoring both organizations (HTCIA Star Supporter and IACIS Titanium Sponsor). We have a number of customers in the United States, such as the FBI, US Secret Service, Department of Justice, and many more. We also have customers in most countries in Europe and on the other continents. Many different police departments (federal, state, county) are among our customers.
What is Belkasoft Evidence Center? This is a digital forensic product that supports all stages of working with a case, starting from acquisition. We support acquisition of hard drives, mobile devices, clouds, and Live RAM. The hardware allows you to acquire even badly damaged hard drives (the hardware part of the product is supplied by our partner Atola).
When you have a data source, like an acquired hard drive or image or a smartphone dump, the product can extract and recover hundreds of types of data, like emails, documents, messengers, browsers, social networks, and so on and so forth. We can recover and analyze deleted data; we can recover data from special areas of SQLite, Volume shadow copy, and more.
When you have data extracted and recovered already, the product will continue analysis: it will index all the text data so that you can search for just words or words from a reference file; you can do GREP (or “regular expression”) searches; you can find skin, text, or faces in pictures and videos; you can detect whether a picture was forged or not; you can build social graphs that show how people inside the case were communicating, and so on and so forth.
Then you can conclude your case with a report. We support customizable reports in many formats. You can create a report for the entire case or just for the selected items, for bookmarks, and so on.
The product can analyze more or less all imaginable sources of data, such as hard drives, images, mobile devices and dumps, virtual machines, volatile memory, and special files like hibernation files and page files. Despite being available on Windows only, the product can still analyze all of the major operating systems: Android, Linux/Unix, Mac OS and so on.
One of the most outstanding features of our product is out-of-the-box analysis of hundreds of artifacts. You just click a few buttons – and the product will find a large variety of artifacts for you, such as documents, hundreds of mobile apps, browser histories, system files, media files like pictures and videos; it can detect more than 220 types of encryption and, if you have a decryption module, will decrypt them.
This was a brief introduction of the company and of the product. Now, let me show you what’s new in v.8.3.
If you are wondering what the timeframe for v.8.3 is, it’s the end of January, so it will be released right after everyone returns from the Christmas and New Year holidays; no long waiting time is expected for the new release.
Now, what is new?
Dashboard is a handy new window that allows you to manage your cases;
Improved Task Manager window;
A number of improvements in Social Graphs;
Internal links will help you to answer the question of where exactly this or that artifact was extracted from;
Long-awaited x64 version of the product, which will help you to get rid of memory issues on huge cases with multiple data sources and millions of artifacts;
And, of course, a lot of usability features, like new layout of windows in the product, new Add Datasource screen, a number of new filters.
Let me show you how it all works. Let’s open the product.
Immediately, you can see the new Dashboard window. On the Dashboard you can see all the recent cases. If you want, you can click on them to review what was inside.
Now let me create a new case, I’ll call it “Christmas case”, create and open it. You see the new Add Data Source screen. If you remember, previously you were only able to add an existing data source, while there was another screen for acquisition. Now acquisition and adding an existing data source are on the same screen, and it’s also been made a little nicer – now it has a touch interface.
Let me also run hashset analysis in my case. I will investigate a folder. The artifact selection screen remains the same. Click Finish, so now I run the analysis, and you can see that on the taskbar it shows you a quick overview of the tasks which are now running. There is a status message that one task was completed with an error.
As it goes on, you can see new information appearing. We can see a pie chart with various types of artifacts found – you can see how many artifacts of each type were found. You can also see contacts found in your case, and at the top you can see data sources. Currently, we have just data source “Samples”. Once analysis is completed, you can click on one of the contacts or double-click here on any part of the pie chart; under the data source you can click on URLs, or the cookies, and the product will automatically bring you to the Overview window with the corresponding data inside.
By the way, now you can see that the second data source has appeared on the screen. It’s called “android.ab”. This is a “nested data source”, and it’s an Android backup stored in the Samples folder. You can easily review all data sources that the product has analyzed, as well as see how many artifacts were found in this or that data source.
Once the product completes the analysis, you can go to Overview, or to Case Explorer, or to File System Explorer, and you can see what was found inside your analyzed data sources from different perspectives.
For example, I’d like to show you our newly added internal links feature. To do so, let me go to Case Explorer – Instant Messengers – Skype profile. The product has found a number of Skype chats, and if I select any chat and go to Item Properties, I can see the “Origin path” property. What I can see here is the case name, then the name of the data source, then I can see the path to the profile file (to the Skype database ‘main.db’). Then, you can see “Messages”, which is the table from which this particular chat was extracted, and you can see that this message was taken not exactly from just this table, but from the freelist corresponding to that table. Finally, you can see offset and length values of this chat in the database file. When you are asked where this or that artifact came from, you have an exact answer to that question for each artifact. This is what we call Internal URLs, and this feature appears in v.8.3.
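The “origin path” described here (database file, table, freelist, offset and length) can be reproduced on a small scale from the SQLite file format itself. The following Python is an added example, not Belkasoft code and not part of the webinar: it builds a constructed chat database whose `messages` rows carry a constructed `MSG-nnnn` tag, clears the table, then walks the file’s freelist (first trunk page number at header offset 32) and reports the page, file offset and length at which each deleted record’s text still sits.

```python
import re
import sqlite3
import struct
import tempfile

MARKER = re.compile(rb"MSG-(\d{4})")  # constructed tag at the start of every sample row

def build_sample_db(path, rows=300):
    """Constructed sample: fill a chat table, commit, then clear it (pages -> freelist)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=0")      # freed pages stay in the file
    con.execute("PRAGMA secure_delete=OFF")  # freed pages are not zeroed
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [(f"MSG-{i:04d} " + "x" * 400,) for i in range(rows)])
    con.commit()                             # row data is now on disk
    con.execute("DELETE FROM messages")      # whole pages move to the freelist
    con.commit()
    con.close()

def freelist_pages(data):
    """Trunk page number sits at header offset 32; each trunk holds next-trunk, leaf count, leaf numbers."""
    page_size = struct.unpack(">H", data[16:18])[0]
    trunk = struct.unpack(">I", data[32:36])[0]
    pages = []
    while trunk:
        pages.append(trunk)
        base = (trunk - 1) * page_size            # pages are numbered from 1
        nxt, count = struct.unpack(">II", data[base:base + 8])
        pages.extend(struct.unpack(f">{count}I", data[base + 8:base + 8 + 4 * count]))
        trunk = nxt
    return page_size, pages

def find_deleted_records(path):
    """Return (page_size, freelist pages, hits); a hit is (page, file offset, length, id)."""
    data = open(path, "rb").read()
    page_size, pages = freelist_pages(data)
    hits = []
    for page in pages:
        base = (page - 1) * page_size
        for m in MARKER.finditer(data, base, base + page_size):
            hits.append((page, m.start(), m.end() - m.start(), int(m.group(1))))
    return page_size, pages, hits

def demo():
    path = tempfile.mkdtemp() + "/main.db"   # fresh file so the PRAGMAs apply
    build_sample_db(path)
    page_size, pages, hits = find_deleted_records(path)
    print(hits[:3])                          # e.g. (page, offset, length, id) tuples
    return page_size, pages, hits
```

`demo()` returns the page size, the freelist page numbers and the hits; on a fresh build the hits cover nearly all 300 deleted rows, because SQLite leaves freed pages untouched unless `secure_delete` is on (or the file is vacuumed).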
Next, what I would like to show you is the improved Task Manager. Those of you who are already working with Evidence Center know that the product shows you a whole bunch of different tasks. When you analyze a big hard drive or mobile device, it’s literally hundreds or thousands of tasks.
Now, we’ve hidden smaller tasks in larger ones. You can see, for example, the analysis task for my Samples folder which consists of smaller tasks, like analysis of a registry file, analysis of an instant messenger profile, estimation of the size of this folder, searching, and so on. Besides, when we found a nested data source (the mobile backup), it was created as a second task, and you can see what “child” tasks were executed by the product in the course of investigation of that android.ab file. So no more looking through thousands of tasks – instead, you can see just three: one of them you ran yourself, the second one was created automatically because we found another data source, and the third one is just the analysis of what we have carved or what the product has found as embedded data, such as pictures inside documents or documents in email attachments.
Next is the connection graph or “Social graph”. Let me open it. There are a number of improvements. For example, now the links from one person to another are highlighted better. Also you can see that the product can rebuild the layout if you’d like. Also, when you select an item here, it now has a yellow circle around it, so you can easily see what contact is now selected. When you select a contact, it shows up on the right. When you select a link, it shows you both contacts, and shows all of the communications between them. You can also do a couple of other tricks, like zooming in and out; you can show weights – it will highlight the connections with more intensive communications between the people. You can show or hide titles in order to see the graph more clearly.
This was it for today’s webinar. If you’d like to test the current version of Evidence Center, please go to https://belkasoft.com/trial. Right now, the version 8.2 is available there, but in just four weeks you will be able to get the massively improved new release. If you’d like to get a quote or get local support, please go to https://belkasoft.com/quote or ask us for a reseller contact in your region. We have resellers more or less in all countries, so we will help you pick the correct partner for you. If you’d like to ask questions and contact me personally, you can drop me an email, or add me on LinkedIn. If you have any questions right now, please ask me in the chat window.
Before we go to the Q&A session, I’d like to wish you Merry Christmas and a Happy New Year on behalf of the entire Belkasoft team. Be healthy and wealthy in the upcoming 2017. Thank you!