What’s new in Belkasoft X v.1.15
Belkasoft Evidence Center X (Belkasoft X) is Belkasoft’s flagship product for digital forensics, cyber incident response and eDiscovery.
Major updates for v.1.15:
- XFS file system supported
- YARA rules introduced
- New export type: Relativity Short Message Format (RSMF)
- Amazon S3 cloud-based image analysis extended
- NIST RDSv3 hashset format supported
- Further SIM card cloning improvements made
- Download of Huawei and Telegram cloud data supported, WhatsApp QR method updated
- Hangul documents analysis and carving supported
- Volatility integration improvements made
- More automation
Upgrading from previous versions of Belkasoft X to v.1.15 is free to all customers with an active Software Maintenance and Support (SMS) contract. Customers whose SMS contracts have expired or are near expiration may review and renew them from the Customer Portal.
Affordable training with optional certification is also available, including on-demand options.
New features details
Computer Forensics
- XFS file system support. XFS is a popular journaling file system used by various versions of Linux. In particular, it serves as a default file system for Red Hat Enterprise Linux. The latest release of Belkasoft X fully supports this file system, including low-level review in the File System Viewer as well as artifact parsing
- YARA rules support. This was a popular request from our customers: examiners are now armed with YARA rules support within Belkasoft X Corporate edition! YARA rules enable examiners to search for malware and other items of interest using a rule-based approach, based on both text and binary patterns
- Support for the new NIST RDSv3 hashset format. RDSv3 is a new hashset format from NIST and is now supported by Belkasoft X, in addition to the previously supported NSRL, plain hashset files, and Project VIC sets
- Hangul office format supported. This format is very popular in Korea and is typically stored in .HWP files. These files can now be found and also carved. Belkasoft X extracts plain text and pictures from Hangul documents
Memory Forensics
- Volatility integration enhancements. Volatility integration is another function of Belkasoft’s last release, v.1.14, which has gained lots of customer interest. The updated support includes better diagnostics when Volatility is improperly installed, as well as some analysis improvements
eDiscovery
- Export to RSMF. RSMF stands for “Relativity Short Message Format” and is aimed at our eDiscovery customers. This format is useful for saving short message data, such as chats and emails, and is now available within Belkasoft X! Examiners can now export artifacts into RSMF and Concordance format, suitable for the file-based eDiscovery export
Mobile Forensics
- SIM card cloning improvements. The SIM cloning feature was introduced in v.1.14 and immediately attracted the attention of Belkasoft users. We have continued to improve this functionality, and in v.1.15 we introduce a more extensive cloning feature: the product now not only copies artifacts, but actually copies all files from a SIM card. Binary files are converted to a text-based form whenever possible, simplifying your analysis
- SIM cards with a PIN code now supported. If a SIM card is protected with a PIN, the product now detects that and asks for the code. It also warns about the number of attempts left (it can be the case that you do not have 3 attempts, so be careful!). Once all the available attempts are used unsuccessfully, the product offers to enter a PUK code and shows the number of attempts left
- Binary files acquired from a SIM card are now shown under the File System window of the product
- Parsing of encrypted Huawei HiSuite 11.0 backups updated
- Export of files with corrupted names fixed, particularly for F2FS
- File System Copy is fixed for Samsung Galaxy S8+
- iOS AFC acquisition method is improved
- A problem with partitions not being shown in some cases for Android physical dumps fixed
- An issue with the Facebook keychain value not being extracted for iPhone 7 Plus during checkm8 acquisition fixed
Cloud Forensics
- Download of Huawei and Telegram cloud data. These two cloud data sources have been added to the list of various clouds supported by Belkasoft X, such as iCloud, Google Suite, WhatsApp, Instagram, Office 365, VK, and multiple webmail engines
- Belkasoft has two methods of downloading WhatsApp cloud data, and one of them, downloading with the help of a QR code, was updated in v.1.15
- Passwords are now hidden from the task log during cloud downloading
- An issue with not receiving the 2FA code sent for WhatsApp cloud acquisition fixed
Cloud-based Belkasoft X
- Extended cloud-based image analysis. Following the huge success of the recently introduced Amazon S3 cloud support, we have improved this functionality to cover multipart images (such as E01, Ex01, L01) as well as iTunes backups stored in the cloud. Now you can analyze both single-part and multi-part images or memory dumps stored within an S3 bucket
- Encryption added for the credentials used for the authentication on an S3 cloud—it is now safe to allow the product to save them
Enhanced Automation
Automation attracted the attention of many customers, who requested more and better capabilities for their needs. We have improved automation a lot, including:
- Complete GUI-less execution. While the previous version allowed you to create a case, run analysis and see the results in the GUI opened afterwards, the new version does not show the user interface at all!
- Tableau TX1 support. You can now acquire and analyze images using Tableau integration from the Belkasoft X command line
- Reporting options. You can complete the examination cycle by creating a report after the analysis. Now, acquisition, analysis and reporting are all covered!
- All included. Unlike the competition, which sells automation features as a standalone product, Belkasoft users get the automation free and seamlessly integrated into Belkasoft X!
New and Updated Artifacts
iOS
- Calls (missed/refused/answered statuses are now extracted and visualized)
- CellularUsage.db (new)
- Device info is now extracted from GrayKey images and shown on the File System window (under the Device Properties)
Android
- Mail (updated)
- Phone number is now extracted from GrayKey images
- Snapchat v11.51.0.37 (updated)
- Threema v4.59 (updated)
- Voice mail (decryption supported)
- Zoom (new)
Updated User interface
- Local time columns added in the Bookmarks window