What's new in version 7.0 of Belkasoft Evidence Center

What's New in Version 7.0

Version 7.0 of Belkasoft Evidence Center 2015 is a major step ahead. Now the tool becomes a full digital forensic solution, rather than a product for gathering "low hanging fruits". With the introduction of File System Explorer, capable to show file and directory structure of a device, image, mobile dump or backup, the product allows user to perform low-level investigation of any digital data source. Revamped Hex Editor helps to analyze any file, in-memory process or a volume. Handy Type Converter shows any selected set of bytes in all data formats. Powerful BelkaScripting module gives a user a possibility to infinitely extend functionality of the tool. Live RAM Process Analyzer helps to see all processes inside a memory dump, including already killed or completed processes.

Apart from these revolutionary changes, there are multiple improvements in previously existing functionality: new computer and mobile applications and formats analyzed, more image formats supported, reporting and search improved and so on.

Upgrading to version 7.0 is free of charge to all customers with non-expired Extended Software Maintenance and Support contracts. New modules (such as File System and Scripting) are available for free to all customers having the configuration with Case Management and floating license (offer is limited to Dec 31, 2014 only!).

Customers without the contract can purchase it from the Customer Portal. Affordable User Refresher Course is available for those who would like to catch up all recent improvements.

New Major Functions in Belkasoft Evidence Center 2015 v.7.0

New component: File System Explorer. The new component allows user to see complete structure of a device, dump, drive or memory image, mobile phone or tablet, folder and so on. You can see all volumes and partitions, folders and files, including special ones such as $OrphanFiles, $Log, $BadClus etc. For each file you can see its size and dates.

On this picture you can see an Android phone (chip-off dump) file structure shown by File System module of Belkasoft Evidence Center 7.0. Particularly, you can see hidden special folder $OrphanFiles.
Revamped component: Hex Viewer. The Hex Viewer was massively improved and extended. Now it allows investigating all types of files on the disk, database records, or processes, extracted from volatile memory captures (RAM dumps) on all supported platforms. The hex viewer supports custom searches and bookmarks, making low-level investigations easier and more convenient. As a result, investigators can view files located on computer hard drives and forensic disk images, as well as files stored in mobile backups or available in chip-off dumps of various mobile devices. Tightly integrated with Live RAM analysis, the new hex viewer allows viewing processes and data extracted from live RAM dumps.

Built-in Hex Viewer allows low-level file investigation; it has a handy type converter, showing current selection in different formats; search and bookmarking; saving selection to a file; advanced Go to, including jump to a relative offsets and many more.
Type Converter is a new feature of Hex Viewer, which conveniently shows selected data in different suitable formats, such as numbers, dates, IP addresses or strings. It supports little and big endian, different encodings and so on.
New component: Scripting. Newly appeared scripting engine (which we call BelkaScript) allows a user to extend Evidence Center functionality with your custom analysis and carving, do custom searches and create custom reports, and infinitely customize the product to tailor your needs. A set of sample scripts is included to the product installation for your reference.

Scripts are written in simplified C#. Scripting window allows to debug custom extensions using breakpoints, step-by-step debugging, variable values inspection and so on.
New feature: Live RAM Process Analysis. Apart from previously existing function of Live RAM carving for various artifacts, such as Gmail, Facebook, Skype or WhatsApp, the product gains general analysis for processes: you can see all processes, running or dead, inside Windows 7 or Unix memory dump. Each process can be inspected inside Hex Viewer.

Windows 7 Live RAM processes are shown, including dead processes; it is possible to select a process and review its memory in Hex Viewer.

New and improved functions

Android and iTunes backups can be viewed in File System. Besides, you can unpack the whole backup or a selected folder from within to your drive.
Support for Android and iTunes backup is improved: now you can select applications to analyze.
Android analysis extended: Dropbox, Grindr, Textplus, GTalk, Zello, Sina Weibo, MeowChat supported
Psi for Windows supported.
L01 and Lx01 logical images are supported.
UFED physical dump for iOS supported.
Passware integration updated to v.13 of the tool.
Evidence Reader is now included to the product: you do not have to download it. Just export your case to Evidence Reader and give the whole folder contents to your colleague!
To ease handling of cases, now only one case is stored in an SQLite database. A user can configure a folder for each case, browse existing case, open a network case (Enterprise edition only) and so on. This also improves performance when you work with multiple cases at a time.
All SQLite-related analyzers now support freelist and transaction/WAL analysis, so that you can extract deleted SQLite data and data from journal files.
It is now possible to configure options before creating a case and running analysis.
In addition to binary Plist, the built-in Plist Viewer now supports XML Plists.
Registry ShellBag artifacts supported.
Individual picture can now be selected for Photo Forgery detection (before you could only select all pictures inside data source or in a filter)
Massive report improvements: better column selection, one file per case report improved, issue with External and Internal IPs in Skype chatsync report fixed, issue with large carved data reports fixed, links to attachments for mails in HTML report fixed.
Table "Visits" analysis supported for Chrome.
Mail.ru Agent and Windows Live Mail support updated.
Search problem for Evidence Reader fixed.
Hundreds of other improvements and bugfixes made.