Meet
Belkasoft Evidence Center 3.0!
What's new in the recent Belkasoft release?
Yuri Gubanov
CEO, Belkasoft
http://belkasoft.com
Previous forensic software
Belkasoft Evidence Center 1.0, 1.1
and 2.0.
Evidence Center is successor for
Belkasoft Forensic Studio
3 separate products in 1: chats, browsers,
emails
Belkasoft Forensic IM Analyzer
Chats
Belkasoft Forensic Carver
Chats, Browsers
New Belkasoft release: Belkasoft
Evidence Center 3.0
Major Evidence Center features
Search and extraction for chats, browser
history and emails
Carving, Live RAM and Network traffic
analysis
Mounting drive and Live RAM images
Case and User management
Bookmarking
Reports in text, xml, html, csv, pdf
Hash calculation
No Internet connection required
(included in previous v.2.0)
New Belkasoft release: Belkasoft
Evidence Center 3.0
Major improvements to 3.0
Not just Windows anymore
MacOS support added
Not just histories anymore
Picture and video support added
Not just history extraction anymore
Analysis added
Also:
Option to carve allocated/unallocated
Hibernation and page file analysis
Thunderbird email client support
New Belkasoft release: Belkasoft
Evidence Center 3.0
MacOS support
Mounting HFS/HFS+ drives and drive
images supported
Encase, SMART, DD
Carving and regular history extraction,
Instant Messengers only
Currently supported:
Adium InstantBird
AIM Mail.Ru Agent
Brosix Mercury
Fire Nimbuzz
iChat Trillian
ICQ Yahoo! Messenger
More history types to come
New Belkasoft release: Belkasoft
Evidence Center 3.0
Picture support
Search for pictures
Extracting and showing EXIF and
other properties
Filtering by various properties
Showing pictures with GPS
coordinates on Google Maps and
Google Earth
New Belkasoft release: Belkasoft
Evidence Center 3.0
Picture analysis
Pornography detection (beta)
Face detection
Both frontal and profile
Text detection
English
Russian
New Belkasoft release: Belkasoft
Evidence Center 3.0
Video support
Search for video
Extracting key frames
Saves time for video analysis: only
significantly changed frames need review
Less emotional stress for an investigator
Only need to see a set of pictures
The same analysis available for key
frames as for pictures
New Belkasoft release: Belkasoft
Evidence Center 3.0
Filters
Powerful filter manager
Allows to create filters on one or
more criteria
Arithmetic, boolean and string operations
AND/OR conjunctions
Negating criterion using NOT
Applied to pictures and videos
New Belkasoft release: Belkasoft
Evidence Center 3.0
Carving
Previously: carving all drive/image
Now 3 options:
Carve allocated
Carve unallocated
Carve both
Why carving allocated?
E.g. corrupted files (e.g. met with IE dat
files)
Renamed files
Also: "mounting does not work under
some XP machines" problem fixed
New Belkasoft release: Belkasoft
Evidence Center 3.0
Hibernation and page files
Support for carving hibernation and
page files
hiberfil.sys
pagefile.sys
LiveRAM analysis available
Instant Messenger artifacts
Social network artifacts (Facebook)
Browser artifacts (IE, Firefox)
Gmail letters and drafts
Regular carving available
All supported types
New Belkasoft release: Belkasoft
Evidence Center 3.0
Thunderbird support
Search and extraction of Thunderbird
mailboxes
msf format
SQLite format is on the way
Huge mailboxes supported
Tested on 3Gb mailbox: 30 minutes to
extract
New Belkasoft release: Belkasoft
Evidence Center 3.0
Smaller enhancements
New Windows messengers:
Paltalk (LiveRAM)
Gajim
emClient
Nimbuzz
Qutim
Gadu-Gadu (old and new versions)
MacOS: see previous slides
New Belkasoft release: Belkasoft
Evidence Center 3.0
Smaller enhancements
Social networks: Facebook
IE remnants
Live RAM: chats and group chats
Better Gmail support
Live RAM: Not only emails, but also drafts extracted
Better Skype group chats extraction
Better ICQ 6 and 7 file transfer extraction
Multiple usability improvements
E.g. Reporting now considers From/To dates
inclusively
Possibility to tweak report templates
E.g. put own logo instead of Belkasoft's one, tweak
colors, fonts etc.
New Belkasoft release: Belkasoft
Evidence Center 3.0
Smaller enhancements
The Bat! mailbox analysis no more fails on
big mailboxes (previously was failing on
1Gb sized ones)
Outlook mailbox analysis no more fails on
10Gb mailboxes
Sample histories included to setup
Before one had to download manually from site
Setup on a machine without Internet
connection supported
4 predefined setup packages for various
Windows versions: English/German 32/64 bit
Other Windows languages are also supported
New Belkasoft release: Belkasoft
Evidence Center 3.0
Price enhancements
More clear price structure
Every additional feature cost the same
$250 per feature (floating license)
$200 per feature (fixed license)
More features in the base
configuration
Browser cache and passwords included
Previously were additional features
Basic picture and video support included
New Belkasoft release: Belkasoft
Evidence Center 3.0
Available features
1. Deleted information retrieval (carving)
2. Live RAM dump analysis
3. Mounting images such as Encase
evidence files, SMART, DD, mounting
MacOS drives
4. Network traffic analysis for chat artifacts
5. Picture analysis
6. Video analysis
New Belkasoft release: Belkasoft
Evidence Center 3.0
More convenient registration
process
No more entering licenses and
mistakes in this
All feature and license information is
included to a single file features.xml
Sent to customer right after purchase
Just put it in the product folder and
product will register automatically
As previously, no Internet required
for registration
New Belkasoft release: Belkasoft
Evidence Center 3.0
Less Hardware ID pain
Previously every change in hardware
lead to new Hardware ID
Even adding virtual device in VMWare!
Now less hardware changes count
Customers will ask for new keys less
frequently
New Belkasoft release: Belkasoft
Evidence Center 3.0
Comprehensive help
Read online at
http://belkasoft.com/bec/en/Evidence
_Center_Help_Contents.asp
Download PDF from
http://belkasoft.com/download/BEC_
3.0_Help.pdf
New Belkasoft release: Belkasoft
Evidence Center 3.0
Belkasoft customers
See http://belkasoft.com/home/en/Customers.asp for more
Why Belkasoft Evidence Center?
Reduced cost of investigation
Reduced investigation time
Less specific knowledge required for
investigator
Ideal for triage
Simultaneous work of several
analysts on the same case
New Belkasoft release: Belkasoft
Evidence Center 3.0
Where to get the product?
Product page:
http://belkasoft.com/bec/en/Evidence_Center.asp
Direct download link:
http://belkasoft.com/download/bec.zip
Registration page:
http://belkasoft.com/bec/en/register.asp
This presentation:
http://belkasoft.com/download/info/bec30.zip
New Belkasoft release: Belkasoft
Evidence Center 3.0
About Belkasoft
Belkasoft – computer forensics software vendor
Site – http://belkasoft.com
Founded at 2002
Contacts
support@belkasoft.com – product support
contact@belkasoft.com – all questions
business@belkasoft.com – business-related
DUNS: 683524694
NCAGE: SKF09
CCR: see http://www.bpn.gov/ccr
We are also in ORCA and WAWF
New Belkasoft release: Belkasoft Evidence
Center 3.0
Customer problems solved
Computer forensic investigation
Is there any evidence on a suspect's computer?
Out-of-the box solution for a number of evidence types
How to find such evidence quickly, without too much
manual work?
Corporate security
Did a fired employee unveil commercial secrets?
Are current employees use computer only for business
needs?
Intelligence and counterintelligence
Are there any suspicious chats made in an internet
café?
Parental control
Is a child safe during web surfing and chatting?
New Belkasoft release: Belkasoft
Evidence Center 3.0
Training
Belkasoft can handle online and onsite
trainings if a customer requires this
Online training delivered via
GoToMeeting (WebEx analogue)
Onsite training requires travel,
accommodation and meal expenses to
be covered by a customer
More details:
http://belkasoft.com/home/en/Training.asp
New Belkasoft release: Belkasoft
Evidence Center 3.0
Contact us!
Interested? Drop us an e-mail at
business@belkasoft.com right now!
Add Belkasoft CEO in LinkedIn:
http://ru.linkedin.com/in/yurigubanov
New Belkasoft release: Belkasoft
Evidence Center 3.0