What’s New in Version 8.4

  • Physical Acquisition of Rooted Android Devices and More Stable ADB Acquisition
  • iTunes 10.x.x Backup Support
  • Download Of iTunes Backups From iCloud For iOS 9 and Newer
  • Network Licenses
  • AD1 Images Support and AccessData Integration
  • Chinese Translation
  • New Dashboard Statistics
  • New and Updated Apps
  • Customer Requests Addressed

Physical Acquisition of Rooted Android Devices and More Stable ADB Acquisition

Belkasoft Evidence Center 2017 v.8.4 (BEC) now supports physical acquisition of rooted Android devices. The physical image allows you to recover much more information from mobile devices than a logical acquisition or a backup. Many times this will include deleted data. Our free Belkasoft Acquisition Tool is updated accordingly.

Apart from physical acquisition, v.8.4 has updated its logical acquisition, making it more stable thanks to improved logging and an updated acquisition process for the newest devices (in particular, new Samsung smartphones). And remember, the output of this type of acquisition is a standard AB file.

BEC now analyzes both types of acquired images for hundreds of artifacts, including email, browser histories, chats and mobile apps, such as WhatsApp, WeChat, Skype, Telegram, Snapchat and so on.

iTunes 10.x.x Encrypted Backups Support

This latest version of BEC now supports all existing versions of iTunes backups, including encrypted backups for v.10.3. The support works the same as it did for previous versions of iTunes: if you know or can recover the password, you can enter it in the corresponding node within Evidence Center’s interface and it will decrypt the backup (or inform you that the password is wrong). After a successful decryption, the product will analyze the backup for the artifacts we support for Apple (which include hundreds of formats and mobile applications).

Download Of iTunes Backups From iCloud For iOS 9 and Newer

The process of downloading iTunes backups changed with iOS 9, effectively preventing older versions of Evidence Center and BelkaImager from downloading Apple backups. BEC v.8.4 solves this issue by supporting this new operating system. BelkaImager (aka our free Belkasoft Acquisition Tool) has also been updated accordingly.

Network Licenses

The long-awaited network licensing is now supported in the new version of BEC. This type of license is a very efficient way to use Evidence Center in medium to large teams, and thus a great way to save those departments money. For example, say you have 20 investigators, each investigator uses 3-4 computers, and they have multiple forensic tools at their disposal, not just the Belkasoft product. They won’t be using Evidence Center every second. Previous versions of BEC didn’t support network dongles, so you would have needed to purchase up to 20 regular standalone dongles, which made it pricey. Now you can purchase a single dongle for, say, 10 concurrent users, thereby saving a significant amount of money.

Just plug the network dongle into any computer available to BEC users over a local network (usually this is a computer which serves as a license server and has other dongles, from various tools, plugged in). You can choose to have 5, 10, 20 or even 50 concurrent users. When the number of users reaches the purchased limit, no more connections are allowed; however, when a user closes BEC, another user may start using it.

What do you do if you have an in-field investigation where your LAN is not accessible? This is also solved by BEC’s new network licensing: each package has one or more free “standalone” dongles, so it doesn’t require access to your local license server.


AD1 Images Support and AccessData Integration

As previously announced, Belkasoft has recently become a new AccessData Technology Partner, a definite quality seal on our products. Together, we have released a new version of AccessData’s Lab Web UI, enriching it with hundreds of new apps and formats, now analyzed by AD Lab out of the box. All this is thanks to the Belkasoft engine. We will continue our collaboration, and we are working on the same feature for AccessData’s FTK product.

Since both of AccessData’s products use the AD1 image format, the new version of BEC now supports this type of image. You can now ingest AD1 images into your case, along with E01, Ex01, L01, Lx01, AFF, UFD, CTR, DMG and many other formats, including virtual machines, RAM, chip-off and JTAG dumps, and analyze all of them using the full power of BEC.

Chinese Translation

BEC now has an up-to-date Chinese translation, which enables our large number of customers in China to use BEC more effectively, including creating reports in their native language. Many thanks go out to DataExpert, our partner in China, for their help with the translation.

 

New Dashboard Statistics

The BEC Dashboard screen, introduced in v.8.3, received very positive feedback from our customers, and so we improved it even more with the v.8.4 release. New things to look for on this screen are:

  • Predefined search results. A predefined search is made automatically by BEC while analyzing a data source for artifacts. Searches include IP and MAC addresses, emails, SSN numbers, browser searches and many other standard artifacts you usually search for yourself. Since BEC now performs these searches automatically, you don’t have to wait after running the corresponding searches, saving you time and labor. The Dashboard now conveniently shows you the number of results for each type of search. Click on an icon and the results of the selected type will be shown.
  • Count by item type. You can now review the number of artifacts extracted for each particular application, so you can immediately see the most frequented apps inside your case. In the picture below, under the Artifacts heading, is an example of how this graph will look:

New and Updated Apps

We continually work on updating the support for formats and apps which are constantly releasing new versions. Here is the list of apps updated or newly supported in BEC v.8.4:

All platforms, including mobile and desktop:

  • Skype
  • Tumblr
  • Growlr
  • ICQ
  • Twitter
  • Textie
  • VK
  • Gigatribe
  • Chrome
  • Firefox
  • Performance of carved MIME mail parsing significantly improved

iOS:

  • WhatsApp
  • FireChat
  • Geolocation data
  • Contacts
  • AnyDo
  • Mail.Ru
  • VK
  • Vipole
  • Twitter
  • Tumblr
  • TextPlus
  • Textie
  • Mail.Ru Agent
  • Growlr

Mac OS:

  • InstantBird
  • Google Drive
  • Evernote
  • Dropbox
  • Mail app
  • Yahoo IM
  • Pidgin IM
  • Document Revisions data
  • Address Book
  • Bluetooth configurations
  • Wifi configurations

Android:

  • Uber
  • Zalo
  • Thumbnails

Customer Requests Addressed

Thanks to everyone who contributed to improving the quality of BEC by sharing feedback. It helps tremendously in moving the tool forward. Among the fixes we have made for you are:

  • Very long BEC startup, caused by changed behavior in a third-party library, is now fixed. This fix is especially important for Windows 10, where the worst performance degradation was noticed in v.8.3
  • Rare crash when opening the “Open File” dialog fixed (Windows 10)
  • Is Deleted flag value for SQLite based artifacts fixed
  • Origin path improved for many data types
  • Incorrectly added default data range filter fixed
  • Hang during text detection for specific TIFF files fixed
  • Visualization of a large number of values in mail filters fixed
  • Rare vanishing of Item List columns after resize fixed
  • Rare problem of incorrect sort by column and loss of column options fixed
  • Filter names synced with column names in the item list where corresponding filter buttons are present
  • Rare “Error loading value” during item list sorting fixed
  • Selecting the “Show in file system” context menu item now properly expands the folder tree in the File System window
  • Support of L01 updated: the File System window now correctly processes L01/Lx01 images created by EnCase v.7
  • About 200 other improvements were made in this new release