What's new in Belkasoft X v.2.0

What's new in Belkasoft X v.2.0 May 24, 2023

Belkasoft Evidence Center X (Belkasoft X) is Belkasoft's flagship product for digital forensics, cyber incident response, and eDiscovery.

The latest update, Belkasoft X v.2.0, is a major release featuring the capability to handle even large cases and hundreds of data sources with unprecedented speed.

The major updates in v.2.0 include:

  • High-performance database engine
  • Significant improvements in mobile forensics: Android SIM card acquisition and more
  • Enhanced drone support
  • Extensive hashset improvements
  • Automation enhancements
  • NTFS Volume Shadow Copy deduplication
  • Improvements in cloud forensics
  • Various improvements in third-party integrations: including Volatility, Clam AV, and VirusTotal
  • Significant updates to Sigma and YARA rules
DOWNLOAD A TRIAL
REQUEST A QUOTE

Upgrading from previous versions of Belkasoft X to v.2.0 is free for all customers with an active Software Maintenance and Support (SMS) contract. Customers with expired or expiring SMS contracts may review and renew them through the Customer Portal.

Affordable training with optional certification is also available, including on-demand options.

New Features Details

Introducing the Powerhouse: Enterprise-Level Postgre Database in Belkasoft X v.2.0

This is the show-runner of the new product version—the introduction of the highly scalable and efficient Postgre database to operate with the case data.

With the support of the Postgre database, Belkasoft X v.2.0 offers enterprise-level storage and management of case data. The transition to a new database type enables seamless handling of large-scale cases and extensive data sources, ensuring robustness and scalability for users.

Moreover, Belkasoft X v.2.0 has undergone various optimizations to streamline the forensic workflow. Carving processes have been fine-tuned, resulting in significant speed improvements. Additionally, the error log has been refined to exclude irrelevant entries, reducing clutter and improving efficiency. Post-processing tasks have also been optimized, enabling faster data analysis and processing.

Mobile Forensics

Android:

  • SIM card acquisition is added (including eSIMs; has to be the first slot in case of multi-slot devices)
  • More robust APK downgrade. Backup copies of .apk files are now stored to the case folder instead of on the device, eliminating situations where Android falsely reports successful restoration of an APK and permanently deletes it from the mobile device 'tmp' folder
  • HiSuite Huawei backup decryption with the default password is updated
  • Troubleshooting link for APK downgrade is now shown if acquisition fails
  • Fixed: ADB backup and APK downgrade methods on Samsung Galaxy S9+
  • Screen Capturing: Signal message capturing is fixed for Huawei Nova

iOS:

  • Screen Capturing method is updated up to iOS 16.5
  • 'Create encrypted backup' option is fixed for iTunes backup method. If a previously created backup was encrypted, a proper message is now shown
  • Troubleshooting link for Checkm8 is now shown if acquisition fails
  • Password extraction from keychain is improved
  • Signal decryption is improved

Please also note our Belkasoft X Brute-Force product, which unlocks iOS devices.

Drone Forensics

  • New drone models analysis supported:
    • Ryze Tello
    • Sense Fly
    • Sky Viper
    • Yuneec H520
  • Drone flight routes on built-in Maps: The built-in Maps window now shows routes for drone flights (and other applications with geodata)

Hashset analysis improvements

  • Gallery view is now available in the Hashsets node of Overview window. Based on feedback from our customers, when working with hashsets, they mostly expect media files. It is vital for them to have a preview of these files
  • Repeat hashset analysis with another database: Hashset analysis can now be started for previously analyzed data source. Before, it was only available once at the moment of adding a new data source
  • Improved hashset filtering: A hashset label column and filter are added into the File System
  • Import of NSRL RDSv3 is improved

Third-party integrations

  • New Volatility modules: 'dlllist', 'filescan', 'modules', and 'malfind' modules support are added:
    • dlllist: retrieves information about the loaded dynamic link libraries
    • filescan: identifies any open or deleted files
    • modules: retrieves a list of loaded kernel modules
    • malfind: identifies and extracts any injected or malicious code
  • Cisco Clam AV integration added. Unlike the previously supported VirusTotal analysis, Clam AV can work without an Internet connection
  • VirusTotal improvement: Now, file hashes are sent to VirusTotal instead of the file content

Sigma and YARA support

Sigma:

  • '1 of selection*' condition is supported
  • A few dozen event log values have been added as new columns to the corresponding artifact. Previously, all of them were merged into the Description field, which was less convenient when working with Sigma rules
  • Rule syntax is validated while adding a rule

YARA:

  • YARA analysis can now be started for the previously analyzed data sources. Before, it was only available once at the moment of adding a new data source
  • 'Matching time' and 'YARA file path' columns are added
  • Filters are added to the YARA results node in the Overview window
  • Fixed: 'Address' is empty for matches found in memory processes

NTFS Volume Shadow Copy deduplication

This indispensable feature adds a new level of depth to your VSC analyses and also saves a wealth of your time analyzing snapshots. Instead of seeing the entire content of the file system for a specific snapshot, you can now choose to see only changes related to that snapshot, including added, modified, or moved files.

The new function also enables you to significantly decrease the analysis time required to analyze snapshots, as they now only contain a limited volume of files that have undergone changes. This optimization results in a more efficient export process for eDiscovery and other formats, significantly reducing the required storage space and improving overall performance.

Cloud Forensics

  • Google Drive updates:
    • Files with the same name are now correctly downloaded
    • Native Google documents downloading improved
  • Instagram updates:
    • 2FA via SMS is supported
    • A number of issues fixed
  • Microsoft 365 updated, particularly, presentation and note files are now supported
  • iCloud download fixed in the trial version

Automation Enhancements

  • Ability to add a data source into an existing case through the command line supported
  • Live disk analysis option supported
  • CLI Configurator is moved to the product installation folder for users convenience
  • Visual improvements in the Configurator window are made
  • Fixed: Hash options are taken from a profile instead of options provided via Configurator
  • Fixed: If a report format is unavailable, the task mistakenly shows as completed successfully

See also: our series of articles on automation

User Interface

  • Evidence Reader now has an option to blur pictures, which was previously only available in Belkasoft X
  • '0' is replaced with an empty value to prevent confusion with macOS system event logs
  • Advanced time filter is redesigned
  • Fixed: The product crashes when the 'Select week range' filter option is applied in the File System
  • Fixed: Upon changing the case name, it is not updated in the Windows preview for Belkasoft X
  • SQLite Viewer: Counts are added for Carved and Raw data tabs in Unallocated space
  • SQLite Viewer: Apple Cocoa time conversion is fixed
  • SQLite Viewer: Column names are fixed in the context menu
  • PDF report: Header and footer are now properly aligned

New and updated artifacts

iOS

  • Hangouts iOS (Google Chat) picture transfer analysis (updated)
  • SMS: contact name is extracted
  • Twitter (updated)
  • Firefox browser (updated)
  • Yubo (updated)

Android

  • SMS/MMS drafts (new)
  • Secret calculator (Sgallery) decryption (new)
  • Pinterest (updated: contact info, messages, and saved pictures are now extracted)
  • "OK Google" queries (new)

DOWNLOAD A TRIAL
REQUEST A QUOTE

See also:

Belkasoft X 1.17
Belkasoft X 1.16
Belkasoft X 1.15
Belkasoft X 1.14
Belkasoft X 1.13
Belkasoft X 1.12
Belkasoft X 1.11
Belkasoft X 1.10
Belkasoft X 1.9
Belkasoft X 1.8
Belkasoft X 1.7
Belkasoft X 1.6
Belkasoft X 1.5
Belkasoft X 1.4
Belkasoft X 1.3
Belkasoft X 1.2
Belkasoft X 1.1
Belkasoft X 1.0
Belkasoft Evidence Center 9.9
Belkasoft Evidence Center 9.8
Belkasoft Evidence Center 9.7
Belkasoft Evidence Center 9.6
Belkasoft Evidence Center 9.5
Belkasoft Evidence Center 9.4
Belkasoft Evidence Center 9.3
Belkasoft Evidence Center 9.2
Belkasoft Evidence Center 9.1
Belkasoft Evidence Center 9.0
Belkasoft Evidence Center 8.6
Belkasoft Evidence Center 8.5
Belkasoft Evidence Center 8.4
Belkasoft Evidence Center 8.3
Belkasoft Evidence Center 8.2
Belkasoft Evidence Center 8.1
Belkasoft Evidence Center 8.0
Belkasoft Evidence Center 7.5
Belkasoft Evidence Center 7.4
Belkasoft Evidence Center 7.3
Belkasoft Evidence Center 7.2
Belkasoft Evidence Center 7.1
Belkasoft Evidence Center 7.0
Belkasoft Evidence Center 6.3.1
Belkasoft Evidence Center 6.3
Belkasoft Evidence Center 6.2
Belkasoft Evidence Center 6.1
Belkasoft Evidence Center 6.0
Belkasoft Evidence Center 5.4
Belkasoft Evidence Center 5.3
Belkasoft Evidence Center 5.2
Belkasoft Evidence Center 5.1
Belkasoft Evidence Center 5.0
Belkasoft Evidence Center 4.2
Belkasoft Evidence Center 4.1
Belkasoft Evidence Center 4.0
Belkasoft Evidence Center 3.9
Belkasoft Evidence Center 3.8
Belkasoft Evidence Center 3.7
Belkasoft Evidence Center 3.6
Belkasoft Evidence Center 3.5
Belkasoft Evidence Center 3.0
Belkasoft Evidence Center 2.0