Francois H. Putter is DFIR expert and independent consultant from Deep Truth.
"...the Belka X suite is indeed easy to use and easy to become proficient. As the swiss army knife of DFIR products, Belkasoft Evidence Center X does everything well and it will not break the bank!"
About the author
My name is Francois H. Putter. I have over 14 years of Cyber Security and Digital forensics experience where I applied my craft for our intelligence services as an IT Security adviser and cyber investigator. I have also served on one of the very first INTERPOL African working parties on Cyber Crime. For a few years now I am an independent consultant with a small DFIR lab called Deep Truth and is involved in both private, corporate, criminal and civil investigations.
You can contact me directly at deeptruthforensics@gmail.com or look me up on LinkedIn.
Backgroung to the review
I was requested to review Belkasoft’s new flagship DFIR product Belkasoft X and share my personal findings on its suitability for the South African market. I decided to install the freely available demo and put it through its paces. My findings are by no means an exhaustive summary but the basic highlights of the product and then of course a few issues that lies close to my heart which I found to be really helpful.
Belkasoft X
I trust by now, like myself you have heard of Belkasoft Evidence Center since it recently also won a top three DFIR products of the 2020 Forensic 4:cast awards, beating the popular commercial tools currently widely in use by governments and auditing firms.
Belkasoft describes themselves as a global leader in developing advanced digital forensics software suitable for both the seasoned expert and novice alike. Belka X has an intuitive forensically workflow that will do:
- Data acquisition from various devices and clouds
- Artifact extraction and recovery
- Analysis of extracted data
- Reporting
Sharing evidence, the product supports the following types of digital forensics in a single user interface:
- Mobile forensics
- Computer forensics
- Memory (RAM) forensics
- Cloud forensics
My initial concern was that this product will require a huge learning curve to effectively use the Belka X suite and that training will be a non-negotiable extra expense in time and money. I have experienced this hidden cost with other commercial suites.
Valid concern then?
The short answer is… No. It was easy! The short videos guided me to quickly get started and the clean design from the home screen onwards was really intuitive and straight forward.
Was it too easy?
Naturally my new concern was if it was so fast and easy to use will it truly satisfy my realistic and general technical requirements? Will I get the maximum data? Lastly, will it eventually fall short as a true all-round solution for myself and the ever cash strapped government within Southern Africa?
I will try to answer that question at the end of this review.
Here is a few of my highlights which I personally liked about Belka X.
Data sources and acquisition
By scanning the screenshot above you see that as claimed they do integrated mobile data acquisition. Belkasoft also makes sure its customers know they were the first to commercially enable the iOS acquisition of locked iPhones through the checkm8 vulnerability.
My tests on this aspect found that it works extremely well and not as I initially expected to be a marketing gimmick or afterthought. This in my eyes holds major advantages for the cash strapped consumer. No more investing in an additional mobile solution, it all gets represented for investigation and reporting in the same suite.
Once you have acquired your data source you can now choose your setting from a quick triage to an in-depth exhaustive carving looking at everything from slack space deleted data to passwords and artifacts. Triage for quick eDiscovery is a useful function saving time.
Once all triaging, carving and indexing is done, all the findings are presented in your dashboard screen from where you can go directly to your artifacts beautifully categorized for you. Detailed artifact findings can be listed under the Artifacts and File System menu items. For the old school purists and Hex lovers each data source can be traced to its basic binary source.
I cannot mention artifacts if I don’t mention that I have discovered that encrypted files are not merely identified but the suite has a built-in capabilities to crack passwords, no more buying expensive third party suites! It’s all included. I for one is going to save money on this capability.
Simple presentation of results on the Dashboard:
The results are all captured under the Dashboard menu function.
Speed and hardware challenges
I ran various tests and settings on various data sources and not once did my lab computer froze or bombed out and I was able to do some additional unrelated work while the lab PC was carving and indexing. This is a personal issue for me since I did not have the same smooth experience with 2 of the other major suites on the same setup.
For those interested with my setup:
As you can see its no slouch but by far not the expensive high-end computer required by other DFIR software vendors. Good news for the budget conscious DFIR lab.
Incident Investigation module
A major improved factor is the Incident Investigations menu item. I can see its use for corporate and large organizations. I find it suited for hacking, ransomware and malware persistence root cause analysis.
This module is also useful for insider threat analysis and user behavior analysis especially with investigations where a user left the company to join a competitor.
Searching
This bread-and-butter function of any investigation is assisted by intuitive built in custom search functions, manual search function which is also GREP enabled and the very useful timeline & mini timeline, this timeline search enables you to sift through massively less data if your searches are time specific.
My findings in a nutshell
PROs | CONs |
---|---|
VALUE FOR MONEY: Up to 3 times more affordable than similar packages or the popular packages. | CLOUD ACQUISITION: My version of Belka X can acquire the major personal cloud providers such as Google, iCloud etc. But I feel this needs more work and is not a major selling point since my attempts in acquiring my personal clouds were not always successful. |
ONE PACKAGE TO DO IT ALL: Seamless computer and mobile data source integration, HDD Decryption and Password detection and decryption. | NO REMOTE OR AGENT BASED ACQUISITION: With the worldwide pandemic we have seen an unprecedented need for remote workforce. Belka X would do well with such a module, I suspect it is in the making since this module used to be in previous versions. |
FAST: Never freezes up my PC or hogging all resources. | NOT MUCH |
INTUITIVE WORKFLOW: Easy to acquire, find and represent data. | |
ARTIFACTS: Exhaustive list of artifacts from deleted files to SQLite apps such as WhatsApp and Telegram, Option to limit type of artifacts to find thus making the need like a e-discovery faster. IOS & Android acquisition and data presentation. | |
SUITE CUSTOMIZATION & UPDATES: The standard Belka X suite has most of the functionality discussed or mentioned but suite customization makes it even more affordable if you omit certain features like decryption or mobile device functionality. |
As you can see its no slouch but by far not the expensive high-end computer required by other DFIR software vendors. Good news for the budget conscious DFIR lab.
At the end of the day
I tested this product for a month and I cannot fault the BelkaX suite. It is indeed easy to use and easy to become proficient. As the swiss army knife of DFIR products it does everything well and it will not break the bank!
My experience in government has taught me two things: a) Budget is always an issue & b) Obtaining and Retaining skills especially DFIR software skills is expensive and difficult. With a suite like BelkaX I feel Government and cash strapped DFIR labs will no longer need to buy multiple suites and the learning curve and training cost is significantly lower than with other products. I personally believe the type of candidate required to successfully use this suite can be now sourced from a wider pool in house or elsewhere and a IT Degree for instance is not necessary to use this product.
See also