Review of Belkasoft Evidence Center (BEC)
Hello fellow digital forensic colleagues! This is a brief review of the BEC product, but let me preface it by stating that anything stated herein reflects my own thought processes, does not represent my employer, and has NOT been influenced by the Belkasoft group. My second prefacing statement: I use a wide variety of tools for analyzing data. I find this diversity of tools an asset, because it allows me to view the same data from different perspectives. No software is perfect, and our collective use and subsequent reporting of any issues greatly helps improve any product.
My first interest in the Belkasoft products was specifically for parsing Instant Messenger (IM) chat communications. I have been watching the Belkasoft products evolve for well over 5 years, with more features being added to assist examiners.
Belkasoft Front Matter
If you are not familiar with the Belkasoft products you can check out their website: https://belkasoft.com/.
A most excellent resource for the reader is also their blog: https://belkasoft.wordpress.com/. The blog contains news as well as excellent articles, which provide a great deal of information. All articles are also available at https://belkasoft.com/articles.
The intent of this review is to provide an overview of Belkasoft Evidence Center Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC, which is beyond the scope of this article. I strongly urge you to obtain a trial version and explore the product.
In addition to BEC, Belkasoft provides two FREE companion standalone tools: Belkasoft Acquisition Tool (called BelkaImager) and Belkasoft Live RAM Capturer. A really quick overview of the BelkaImager product can be found at: https://www.digitalforensicscorp.com/blog/imaging-drives-and-mobile-devices-with-belkaimager/ . BelkaImager is also integrated into BEC and is found under Tools -> Acquisition. The BelkaImager product can be used for acquiring data from traditional computers, laptops and also mobile devices. An interesting feature of the imager is its ability to download cloud data. Google Drive, Google Plus and iCloud are currently supported.
Starting BEC & Case Setup
Like other forensic acquisition and analysis products that you may have been exposed to, BEC is a GUI based tool.
When starting the product, there seems to be some delay on my examination computer, which I first observed a few releases ago, before version 8. The case setup is consistent regardless of what type of device/file/image/data you are examining. In order to configure BEC options you will need to create a case first. In this product overview an Android image will be used to demonstrate basic product features. During the case creation process please remember to select the appropriate time zone settings and any case description that you feel is necessary.
Open Case Dialog – New Case
New case creation
Make sure that after you create your case, and before you press ‘OK’, you select Options, which is found on the right side of the ‘Open Case’ window. This is not necessary, but can be useful, for example to assign a different temporary folder (if the C drive is a small SSD, it makes sense to assign another, bigger magnetic drive to store BEC temporary data). Otherwise the default options will work well without any further adjustments.
Within the ‘Open Case Dialog’ window there are 4 tabs: General, Picture, Video and Hashes.
Open Case Dialog – Options and Tab Options
The tab layout is shown in the screenshots below with default settings.
General BEC options
Picture processing options
Note in the Video tab the ability to extract frames automatically.
Video processing options
Hashset analysis options
The default settings are used which are already checked.
Add data source Window – Step 1: What sources would you like to analyze?
After you select your options, BEC will prepare the case and then prompt you to add a data source through the ‘Add data source’ window. From this window you can choose one type or multiple types of data sources. In this case, BEC is used to analyse a ‘DumpData.bin’ file. This is a physical image of an Android Samsung SM-G900W8, running Android OS 5.1.1, acquired with UFED 4PC 5.3. The screenshot below provides a view of the ‘Add data source Dialog’ window.
Add data source Dialog – Data sources
Take note of the various type of data sources that can be added for ingestion into BEC.
The ‘Run hashset analysis‘ allows an examiner to import hashsets which BEC can leverage in order to perform hash value matches of content.
Add data source Window – Step 2: What would you like to search for?
In this window the examiner will hopefully be quite informed about the type of content that is to be searched. As you can see, data type categories are shown in the left pane, with the app types supported relative to each operating system. As a humble suggestion, please take the time to really target what you are looking for and try NOT to select everything, as shown in the screenshot below.
The more artifacts you select, the longer the initial analysis will take. For example, if you are looking inside an Android phone, there is no sense in looking for Windows artifacts. However, if you are investigating a Windows computer, it makes sense to have Android artifacts selected, just in case an Android backup is found on the computer. Encrypted files detection can take a good amount of time, so if a user is not interested in an encryption search, unchecking ‘Encrypted files’ will speed up the analysis without.
Analyze: Take a moment to review which partition areas you want to look at.
This specific Android operating system image has numerous partitions, and in this case, only partition structures which might prove of use are selected for examination.
If you want to pursue data carving you can check ‘Carve‘ and again specify the partitions, allocated and/or unallocated space.
When you have finished optimizing the data searches, for your specific needs, then press the Finish button. Another window will appear asking whether you want to add another data source.
If ‘Yes‘ was selected, then the ‘Add data source Dialog – Data sources’ window would appear. In this case, ‘No‘ was selected, which initiates the processing of the data source along with the specified search selections.
The main BEC interface window presents 3 main areas, much like most GUI based digital forensic products:
Above the tri-pane interface, please note the product toolbar, which consists of both icons and a text based menu driven interface. Under ‘Help’ there is both offline and online help documentation.
If you find the tri-pane interface too congested, you have the option of customizing the display of the windows using the floatable, auto-hide, tab, or hide features.
Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab you select in this area also drives the right upper pane to a different view. Clicking in any of the tabs drives the right upper pane to display certain data source items, depending on the tab you are in and the type of data being viewed.
Overview tab (left tab in left pane): This tab will provide a breakdown of the various types of data sorted into categories.
Case Explorer tab (middle tab, in left pane): This tab provides access to view Timeline data, and data sources. Here you can see that it also shows the partition structures that are contained within the binary dump. If you recall earlier, I only selected to have three partitions ingested for data parsing. It would be nice to have an option to exclude the unselected partitions, from being viewed in this tab.
Within the Case Explorer tab, data is broken down into data type categories: Browsers, Cloud services, Instant Messengers etc.
File System tab (right tab, in left pane): This tab shows all the data sources ingested by BEC. If the data source contains partitions/volumes which contain file systems that BEC can understand, they will appear here. This is a refined view from the Case Explorer tab. However, I still have to dig to identify the various partitions/volumes, as they are named with ‘vol_xxxxxx’ where xxxxx is the offset value in decimal of the start of the volume. As indicated previously, I am only interested in three partitions. It would be nice if in future BEC releases the actual volume (partition) name was provided, and only volumes selected for analysis were listed, with the option to view unselected volumes if an examiner needs.
Right Upper Pane: This is the data examination area where you can review the parsed data or analyze data structures. The user can add or remove tabs in this area through the ‘View’ function on the toolbar.
Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex Viewer and Search Results.
Task Manager: Here you can observe any tasks that are running, scheduled, or completed.
Item Properties: Here you can inspect the properties of a single item that has been selected from a parsed data source in the Case Explorer (left pane) and viewed within a correlated tab in the right upper pane. An example is shown in the following screenshot. Following the arrows: the touch.db file is selected in the Case Explorer (left pane), the database structure is viewed in the SQLite Viewer (right upper pane), and a specific record from the experience_members table of touch.db is examined in Item Properties (right lower pane). The actual database (.db) file is identified in the ‘Current file’ information bar.
Hex Viewer: This is located in the lower right pane, Hex Viewer tab. Continuing the previous example, highlighting a record (row) in the SQLite database file, Data tab, locates that data in the Hex Viewer and shows the offset at which it is located. There is also a ‘Type Converter’ which assists with data decoding.
Search Results: This tab displays the search results. To initiate a search access the search function from the search icon in the toolbar.
Then select what you would like to search, data source(s) and the profiles to search in:
The ability to filter data is important when trying to sift through any amount of information. The filter window is automatically invoked by BEC when you are either in the Case Explorer tab, or Overview tab, looking at a specific category of data.
Select ‘Add Filter’.
Then select one or more of the filter criteria. The filter criteria change based upon the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers, Mailboxes, etc.
For examination of a SQLite database, I can use the SQLite Viewer tab (upper right pane) to examine each table and the columns within a table. BEC very nicely displays the number of database records and the number of journaled records (which are part of the number of records count).
The colouring of the rows is done by BEC to visually assist with identification of data:
- journaled records – light blue coloured row
- examiner selected record – dark blue coloured row
- actual database records – white coloured row
- deleted records – red coloured row
However, what I do note is that I cannot easily search/filter any table columns, which would be a useful feature. I cannot invoke the Filter window whilst in the SQLite Viewer tab. I must go back to the Message List tab. I would like to see the ability to filter any item of data from any column.
I can quickly convert the time stamps by right clicking on the ‘experience_comment_creation_timestamp’ column and drilling down to ‘Choose type’ and selecting UTC Unix time.
During my analysis of the parsed binary file, I was able to exclude the Touch app (touch.db) for any data of interest, other than verifying the Touch account user identification information. The date filtering feature, allowed for a quick review of messages for a specific time period. The Timeline view provided me with a nice overview of the activities that occurred on the device in the time period of interest. The SQLite viewer tool, in conjunction with the Hex Viewer, proved very useful in reviewing data that consisted of any deleted recovered artifacts, journaled data, and live database records.
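To show what column-level filtering and timestamp decoding of a table like the one above look like outside the tool, here is an added Python example (not BEC's code and not the app's real schema): it builds a constructed, in-memory stand-in for the experience_members table, decodes experience_comment_creation_timestamp as UTC Unix time (treating very large values as milliseconds, a heuristic), and returns only the rows inside a date range.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows: a toy stand-in for touch.db's experience_members
# table. The column names are borrowed from the page; the values are made up.
SAMPLE_ROWS = [
    (1, "member_a", 1470000000),      # Unix time in seconds
    (2, "member_b", 1471000000000),   # same column, but stored in milliseconds
    (3, "member_c", 1472000000),
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE experience_members ("
        "id INTEGER, member_name TEXT, "
        "experience_comment_creation_timestamp INTEGER)"
    )
    conn.executemany("INSERT INTO experience_members VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unix_to_utc(value):
    """Decode a Unix timestamp as an aware UTC datetime.

    Heuristic: anything above 10**11 cannot be a plausible seconds value for
    current data, so it is treated as milliseconds.
    """
    if value > 10**11:
        value = value / 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)


def rows_between(conn, table, column, start_iso, end_iso):
    """Return (id, name, ISO-8601 UTC) for rows whose timestamp column falls
    within [start_iso, end_iso]. Table/column names are examiner-supplied
    identifiers, so they are quoted as SQLite identifiers, not bound as values."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    quoted_table = '"' + table.replace('"', '""') + '"'
    quoted_col = '"' + column.replace('"', '""') + '"'
    query = f"SELECT id, member_name, {quoted_col} FROM {quoted_table}"
    hits = []
    for row_id, name, raw_ts in conn.execute(query):
        ts = unix_to_utc(raw_ts)
        if start <= ts <= end:
            hits.append((row_id, name, ts.isoformat()))
    return hits
```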
The BEC software usage information presented thus far is certainly not exhaustive of all the features of this product. Depending upon the types of data sources you are examining, there are other areas of the product which are not demonstrated here, like those available in the View dropdown menu:
- Registry Viewer and Plist Viewer data
- Connection graph functions, which are useful for viewing communication relationships between contacts.
Also take note of being able to export the data from BEC to the:
- BEC Evidence Reader, which allows investigators to review the data themselves
- ‘Export to UFDR’ function, which exports the data in a UFDR for import into UFED Physical Analyzer.
All the numerous benefits of BEC can be reviewed at this link: https://belkasoft.com/ec
However, as a user of this product one of the key benefits for me is the ability of this product to ingest multiple data sources, with the ability to review data from various types of apps on smart phone platforms.
As noted at the start of this review, software products can be improved with user input to the developer. If you encounter a situation where the data you are examining is not being parsed correctly or is missed, and/or you note an issue with the software, then please make the time to contact Belkasoft so they can provide assistance. When I have contacted Yuri, I have received a timely reply (usually within 24-48 hours) acknowledging any issues, and they (Yuri and his team) have been very responsive in providing fixes.
In closing, I hope you take the time to review this product on your own and test it for your own needs.
By Shafik G. Punja
About the Reviewer
Shafik is a digital forensic examiner for a law enforcement agency, currently assigned to the Digital Forensics Team (Cyber/Forensic Unit), and has been working in digital forensics since 2003.