Belkasoft Evidence Center X (Belkasoft X) is Belkasoft’s flagship product for digital forensics and cyber incident response.
Version 1.12 features the following major improvements:
- Massive update of file-based decryption: the ability to brute-force passwords using a key dictionary built from the data of a particular case, the use of custom password dictionaries, and the use of a customized PKF (Passware Kit Forensic) attack
- SQLite forensics improvements based on NIST testing of Belkasoft X
- iOS agent-based acquisition now supports keychain extraction on iOS 14.0-14.3
- iOS checkm8-based acquisition improvements
- New powerful eDiscovery features
- Semantics21 integration
- Multiple performance improvements, including responsiveness of gallery view and graphical timeline
- New and updated artifacts for mobile and computer sources, including new versions of WhatsApp, Signal, Snapchat, Viber, and other apps
Upgrading from previous versions of Belkasoft X to version 1.12 is free to all customers with a non-expired Software Maintenance and Support (SMS) contract. Customers without a current contract can purchase it from the Customer Portal.
You can also purchase affordable training with an optional certification. An on-demand training course is available.
More on new features
eDiscovery support
The latest version of Belkasoft X includes a number of important updates for our corporate customers who use the product for eDiscovery. Several new features assist with the Preservation and Collection steps of the Electronic Discovery process. Among them are:
- New filters in the File System window. You can now filter by any available column
- New condition types in filters. Particularly, there are a number of new text-based filters such as “contains”, “starts with”, “ends with”, as well as date range filters
- New list-based filter “IN”. With this filter you can build quite complex criteria based on long lists, for example to filter all graphical files
- The filters in the File System viewer are now global, meaning that they are automatically applied to all data in all folders and even all data sources, not just to the current view
- The new filters also work within the “Recursive view”, which enables you to filter the entire file system effectively
- You can filter files by whitelist and blacklist hash sets. The whitelist filter will hide all files with matching hash values, while the blacklist filter will show only matching files
- A mini-timeline is now shown at the top of the File System viewer window, allowing you to visually locate periods of high or low file activity. You can also create a time filter with this mini-timeline by clicking and dragging the mouse cursor inside it (the same works inside the Artifacts window)
- The results of your work can now be exported to the standard Concordance load file format used by widespread eDiscovery tools such as Relativity. While Belkasoft X can perform further steps of the eDiscovery process, including Processing, Review and Analysis, the ability to export data into a standard format gives our customers more flexibility in tool selection
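As an added illustration of the hash-set filters and the Concordance export described above (example code, not Belkasoft's implementation; the file listing is constructed, and the delimiter set is the common Concordance default, assumed here), the snippet below filters a listing by SHA-1 hash sets and writes the surviving files as a load file:

```python
import hashlib

# Default Concordance load-file delimiters (assumed standard set):
COL = "\x14"       # column separator, ASCII 20
QUOTE = "\xfe"     # text qualifier, ASCII 254 (thorn)
NEWLINE = "\xae"   # substitute for embedded newlines, ASCII 174

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def filter_by_hash_sets(files, whitelist=(), blacklist=()):
    """Whitelist hides every file whose hash matches; a non-empty blacklist
    keeps only matching files. Hashes are compared case-insensitively."""
    wl = {h.lower() for h in whitelist}
    bl = {h.lower() for h in blacklist}
    kept = []
    for f in files:
        digest = sha1_hex(f["content"])
        if digest in wl or (bl and digest not in bl):
            continue
        kept.append({**f, "sha1": digest})
    return kept

def to_concordance(files, fields=("DOCID", "PATH", "SHA1", "MODIFIED")):
    """One header row plus one row per file. The qualifier character is
    stripped from values (a practical choice made here) and embedded
    newlines are substituted, so a multi-line value cannot break a row."""
    def cell(value):
        text = str(value).replace(QUOTE, "")
        text = text.replace("\r\n", NEWLINE).replace("\n", NEWLINE)
        return QUOTE + text + QUOTE
    rows = [COL.join(cell(name) for name in fields)]
    for number, f in enumerate(files, 1):
        values = (f"DOC{number:06d}", f["path"], f["sha1"], f["modified"])
        rows.append(COL.join(cell(v) for v in values))
    return "\r\n".join(rows) + "\r\n"

# Constructed sample listing; contents and timestamps are made up.
SAMPLE_FILES = [
    {"path": r"C:\Windows\notepad.exe", "content": b"known-good binary",
     "modified": "2021-10-03 12:00:00"},
    {"path": r"C:\Users\alice\notes.txt", "content": b"line one\nline two",
     "modified": "2021-11-08 09:30:00"},
    {"path": r"C:\Users\alice\cat.jpg", "content": b"\xff\xd8 not a real jpeg",
     "modified": "2021-11-09 18:45:00"},
]
```

Calling `to_concordance(filter_by_hash_sets(SAMPLE_FILES, whitelist={sha1_hex(b"known-good binary")}))` drops the known-good file and renders the other two as load-file rows.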
Semantics21 integration
We are proud to announce the integration with one of the world-leading tools for child protection, S21 by Semantics21. Belkasoft X now supports export of discovered media files to the S21 format, which helps customers who work with both tools to streamline their workflows.
You can read more about the Semantics21 product at https://www.semantics21.com.
File decryption improvements
Belkasoft X has a number of important improvements in its file decryption functionality. In particular, passwords of encrypted files can now be brute-forced using the following methods:
- Use a key dictionary from the case. This option instructs the product to try every piece of text found in your case, that is, in the artifacts extracted from it: the text of Word and Excel files, chats, picture metadata, emails and so on, each tried as a password in turn. This approach significantly raises your chances of guessing the password, and the more data you have analyzed from a specific user, the higher the chance of a successful brute force. Passwords are typically based on a person’s experience and language (unless autogenerated). Terms like a car model, a license plate number, a family member’s name or a birthday have a good chance of appearing in non-password related files, stored as plain text
- Use external password dictionaries. The second option allows you to attach third-party dictionaries of the most popular passwords that have been, or are currently, in use. If the password used is one of those, decryption should be quick. The product comes with a small dictionary to begin with, but you can browse and add any other dictionary, as long as it contains one password per line
- Iterate over all passwords that match a specific type of attack. With this option you can browse for a customized attack created with our partner’s tool Passware Kit Forensic (PKF). You can also leave this field blank, which runs a default attack that iterates through some of the most frequently used patterns
Please note that this functionality requires the optional File Decryption module to be purchased.
Additionally, encrypted file detection has been improved: unsupported encryption types are now filtered out, as are false positives such as .h files from Linux distributions.
Mobile forensics
- iOS
- Agent-based acquisition on iOS now supports keychain extraction on iOS 14.0-14.3. A number of limitations have been removed (e.g. the lack of support for iPhone 6S and SE on iOS 13.5-13.7). See the agent-based acquisition fact sheet
- Several improvements to checkm8-based acquisition stability: more stable operation on iPhone 5s, 6, 6+ and the corresponding iPad models. Image creation speed has increased 1.5-2 times depending on circumstances
- Android
- Signal decryption supported (see also: Signal decryption with Belkasoft X)
- Google Sync data support updated
- Automatic chip detection improved for MediaTek devices (for MTK-specific acquisition methods). See also: Agent-based MTK acquisition
Additionally, a number of mobile applications have been added or updated (see the full list below).
See also: Why Belkasoft X should be your tool of choice for mobile forensics
Computer forensics
- Windows
- Numeric values extraction improved for XLSX documents
- System event log parsing updated for Windows 10 v.2004 and above
- Embedded file processing improved (that is, artifacts embedded into other artifacts, such as documents or emails)
- Linux
- ext2 file system parsing significantly improved
- Linux login logs parsing supported
- See also: BelkaCTF #4 Kidnapper Case, which featured Linux forensics
- macOS
- DMG mounting and parsing stability improved
SQLite forensics
NIST (the National Institute of Standards and Technology) has recently tested Belkasoft X’s support for SQLite forensics. Based on their feedback, we have improved our SQLite support:
- SQLite database metadata is now shown in the SQLite Viewer, including page size, journaling type and so on
- Structure tab fixed (in the previous build it showed table contents rather than structure)
- Conversion from Apple Cocoa time to a human-readable date fixed in the SQLite Type Convertor
- You can now see a picture preview for BLOB data by specifying the corresponding column type
See also: Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving
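An added example (not Belkasoft's code) for two of the items above: a decoder for the SQLite file header fields the viewer reports (page size, journaling mode, text encoding, free-list counters), checked against databases generated with Python's standard sqlite3 module, plus a Cocoa-time converter. The 1e12 threshold used to recognise nanosecond values is an assumption made here.

```python
import os
import sqlite3
import struct
import tempfile
from datetime import datetime, timedelta, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Unix time 978307200

def parse_sqlite_header(header: bytes) -> dict:
    """Decode page size, journaling mode, text encoding and free-list
    counters from the 100-byte header at the start of every SQLite 3 file."""
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database header")
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:           # the value 1 encodes a 65536-byte page
        page_size = 65536
    # File format write/read versions: 2/2 means write-ahead log, 1/1 rollback journal.
    journal = "wal" if (header[18], header[19]) == (2, 2) else "rollback"
    freelist_trunk, freelist_pages = struct.unpack(">II", header[32:40])
    encoding_code = struct.unpack(">I", header[56:60])[0]
    encoding = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(encoding_code, "unknown")
    return {"page_size": page_size, "journal": journal, "encoding": encoding,
            "freelist_trunk_page": freelist_trunk, "freelist_pages": freelist_pages}

def header_of_new_db(journal_mode: str, page_size: int) -> dict:
    """Build a throwaway database with the given settings and parse its header,
    so the decoder can be checked against the output of the real SQLite library."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        con = sqlite3.connect(path)
        con.execute(f"PRAGMA page_size={page_size}")   # must precede the first write
        con.execute("CREATE TABLE t(x)")               # forces the header to be written
        con.execute(f"PRAGMA journal_mode={journal_mode}")
        con.close()
        with open(path, "rb") as fh:
            return parse_sqlite_header(fh.read(100))

def cocoa_to_datetime(value: float) -> datetime:
    """Cocoa (Core Data) timestamps count seconds since 2001-01-01 UTC rather
    than 1970, so reading them as Unix time is off by 31 years. Values above
    1e12 are taken as the nanosecond variant (a heuristic assumed here)."""
    if value > 1e12:
        value /= 1e9
    return COCOA_EPOCH + timedelta(seconds=value)
```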
New and Updated Artifacts
- iOS
- Facebook Messenger (updated: secret chat data extracted for the latest version of the app)
- Mail.Ru (updated)
- Odnoklassniki 9.11.2 (updated)
- Signal v.5.26.10 (updated)
- Telegram v.8.3 (updated)
- Viber (updated: calls extraction fixed)
- WhatsApp (updated: crypt15 decryption added; blocked WhatsApp contacts are now extracted)
- Android
- AllTrails v.13.5.0 (supported)
- Facebook Messenger (updated: secret chat data extracted for the latest version of the app)
- Gmail chats v.2021.10.03.404390235 (updated)
- Imgur v.5.2.9 (updated)
- Mega chat ver 5.2 (413) (supported)
- Odnoklassniki v.21.11.8 (updated)
- Signal (supported)
- Snapchat v.11.51.0.37 (updated)
- WhatsApp (updated: blocked WhatsApp contacts are now extracted)
- Ya Passman (supported)
- Yandex Mail v.8.2.1 (updated: archive and social media folders extraction fixed; inline attachments extraction supported)
Updated User interface
- Performance improved for gallery views (pictures and video) and for the Artifacts view in general when it is updated with new data from analysis tasks
- File selection from an attached image added. This is useful, for example, when an encryption key must be picked from inside an image rather than from local storage
- If the currently selected view receives new items during ongoing analysis, they are placed at the bottom of that view. To distinguish them from older items (which are sorted, unlike the new ones), such items are labeled “new”
- Export to a portable Evidence Reader case now allows users to save media files to the database (you can then review such media files even if the original image has already been detached)
- Ability to disable “Carved and embedded data analysis” added. These artifacts, typically carved documents and emails, as well as artifacts embedded into documents and emails, take significant time to analyze but are not required in every case. At our customers’ request, we added an option that lets you switch off this type of analysis
- Performance of the Graphical Timeline improved (this also positively affects general data extraction performance on large cases)
Issues fixed
- Fixed: Received SMS with static location detected as a picture transfer
- Fixed: Android calls are not extracted
- Fixed: Android Bluetooth devices are not extracted
- Fixed: Mini-timeline is not updated after opening a new case
- Fixed: Search inside indexed artifacts did not properly process numbers with separators
- Fixed: Incorrect visualization of partitions from Android physical dumps
- Fixed: Connection Graph’s node selection
- Fixed: “Device not responding…” error during an acquisition of a Samsung A51 device
- Fixed: A number of MTK acquisition issues
- Fixed: “Couldn’t link device” error for downloading WhatsApp cloud data using QR method