{"id":1884,"date":"2016-11-25T15:03:47","date_gmt":"2016-11-25T20:03:47","guid":{"rendered":"https:\/\/www.digitalforensicscorp.com\/blog\/?p=1884"},"modified":"2024-12-11T18:51:45","modified_gmt":"2024-12-11T18:51:45","slug":"review-of-belkasoft-evidence-center-bec","status":"publish","type":"post","link":"https:\/\/www.digitalforensics.com\/blog\/software\/review-of-belkasoft-evidence-center-bec\/","title":{"rendered":"Review of Belkasoft Evidence Center (BEC)"},"content":{"rendered":"

<\/span>Introduction<\/span><\/h2>\n

Hello fellow digital forensic colleagues! This a brief review of the BEC product, but let me preface this first, by stating that anything stated herein is a reflection of my own thought processes and is not representative of my employer or has NOT been influenced by the Belkasoft group. My second prefacing statement: I use a wide variety of tools for analyzing data. I find leveraging this pluralistic diversity of using a variety different tools an asset in that it allows me to view the same data from different perspectives. No software is perfect, our collective use and subsequent reporting of any issues greatly helps improve any product.<\/p>\n

<\/p>\n

My first interest in the Belkasoft products was specifically for parsing Instant Messenger (IM) chat communications. I have been watching the Belkasoft products evolve for well over 5 years, with more features and being added to assist examiners.<\/p>\n

 <\/p>\n

<\/span>Belkasoft Front Matter<\/span><\/h2>\n

If you are not familiar with the Belkasoft products you can check out their website: https:\/\/belkasoft.com\/<\/a>.<\/p>\n

A most excellent resource for the reader is also their blog: https:\/\/belkasoft.wordpress.com\/<\/a>. The blog contains news as well as excellent articles, which provide a great deal of information. All articles are also available at https:\/\/belkasoft.com\/articles<\/a>.<\/p>\n

The intent of this review is to provide an overview of the Belkasoft Evidence Center Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC, which is beyond the scope of this article. I strongly urge you to obtain a trial version and explore the product.<\/p>\n

In addition to BEC, there are two FREE, companion standalone tools, which Belkasoft provides: Belkasoft Acquisition Tool (called BelkaImager), and Belkasoft Live RAM Capturer. BelkaImager is also integrated into BEC and is found under the Tools->Acquisition. The BelkaImager product can be used for acquiring data from traditional computers, laptops and also mobile devices. Interesting feature of the imager is an ability to download cloud data. Google Drive, Google Plus and iCloud are currently supported.<\/p>\n

 <\/p>\n

<\/span>Starting BEC & Case Setup<\/span><\/h2>\n

Like other forensic acquisition and analysis products that you may have been exposed to, BEC is a GUI based interface tool.<\/p>\n

When starting the product, there seems to be some delay on my examination computer, which I first observed a few releases ago pre version 8. The case setup is consistent regardless of what type of device\/file\/image\/data you are examining. In order to configure BEC options you will need to create a case first. In this product overview an Android image will be used to demonstrate basic product features. During the case creation process please remember to select the appropriate time zone settings and any case description that you feel is necessary.<\/p>\n

 <\/p>\n

<\/span>Open Case Dialog \u2013 New Case<\/i><\/span><\/h3>\n

\"01-new-case\"<\/p>\n

New case creation<\/i><\/p>\n

Make sure, that after you create your case, and before you press ‘OK’, that you select Options, which is found on the right side of the ‘Open Case’ window. This is not necessary, but can be useful for example to assign temporary folder (in case C drive is small SSD drive, it makes sense to assign another, bigger magnetic drive to store BEC temporary data). Otherwise default options will work well without any further adjustments.<\/p>\n

 <\/p>\n

Within the \u2018Open Case Dialog\u2019 window there are 4 tabs: General, Picture, Video and Hashes.<\/p>\n

 <\/p>\n

<\/span>Open Case Dialog \u2013 Options and Tab Options<\/i><\/span><\/h3>\n

The tab layout is shown in the screenshots below with default settings.<\/p>\n

\"02-options\"<\/p>\n

General BEC options<\/i><\/p>\n

\"03-picture-options\"<\/p>\n

Picture processing options<\/i><\/p>\n

Note in the Video tab the ability to extract frames automatically.<\/p>\n

\"04-video-options\"<\/p>\n

Video processing options<\/i><\/p>\n

\"05-hashset-options-1\"<\/p>\n

Hashset analysis options<\/i><\/p>\n

The default settings are used which are already checked.<\/p>\n

 <\/p>\n

<\/span>Add data source Window \u2013 Step 1: What sources would you like to analyze?<\/span><\/h2>\n

After you select your options, BEC will prepare the case and then prompt you to add a data source through the ‘Add data source’ window. From this window you can choose one type or multiple types of data sources. In this case, BEC is used to analyse a ‘DumpData.bin’ file. This is a physical Image of Android Samsung SM-G900W8, running Android OS 5.1.1, device acquired with UFED 4PC 5.3, a format commonly used when investigators need to access files on a locked Android during forensic analysis<\/a>. The screenshot below provides a view of the \u2018Add data source Dialog\u2019 window.<\/p>\n

<\/span>Add data source Dialog \u2013 Data sources<\/i><\/span><\/h3>\n

Take note of the various type of data sources that can be added for ingestion into BEC.<\/p>\n

\"06-add-data-source\"<\/p>\n

The ‘Run hashset analysis<\/i>‘ allows an examiner to import hashsets which BEC can leverage in order to perform hash value matches of content.<\/p>\n

<\/span>Add data source Window \u2013 Step 2: What would you like to search for?<\/span><\/h2>\n

In this window the examiner will hopefully be quite informed about the type of content that is to be searched. As you can see data type categories are shown in the left pane, with the app types supported relative to each operating system. As a humble suggestion, please take the time to really target what you are looking for and try NOT to select everything as shown in the screenshot below.<\/p>\n

\"07-select-artifacts\"<\/p>\n

The more artifacts you select, the longer will be the initial analysis. For example, if you are looking inside Android phone, there is no sense to look for Windows artifacts. However, if you are investigating Windows computer, it makes sense to have Android artifacts selected just in case an Android backup is found on the computer. Encrypted files detection can take a good amount of time so if a user is not interested in encryption search, unchecking \u2018Encrypted files\u2019 will speed up the analysis without.<\/p>\n

Analyze: Take a moment to review which partition areas you want to look at.<\/p>\n

\"08-analyze-or-carve\"<\/p>\n

This specific Android operating system image has numerous partitions, and in this case, only partition structures which might prove of use are selected for examination.<\/p>\n

\"09-advanced-analysis-options\"<\/p>\n

If you want to pursue data carving you can check ‘Carve<\/i>‘ and again specify the partitions, allocated and\/or unallocated space.<\/p>\n

\"10-advanced-carving-options\"<\/p>\n

When you have finished optimizing the data searches, for your specific needs, then press the Finish button. Another window will appear asking whether you want to add another data source.<\/p>\n

\"11-add-another-data-source\"<\/p>\n

If ‘Yes<\/i>‘ was selected, then ‘Add data source Dialog \u2013 Data sources’ dialog window would appear. In this case, ‘No<\/i>‘ was selected and this initiates the processing of the data source along with specified search selections.<\/p>\n

<\/span>BEC Interface<\/span><\/h2>\n

The main BEC interface window will present with 3 main areas, which is much like most GUI based digital forensic products:<\/p>\n

\"12-bec-interface_sm\"<\/p>\n

Above the tri-pane interface, please note the product toolbar which consists of both icons and text based menu driven interface. Under ‘Help’ there is an offline and online help documentation.<\/p>\n

If you find the tri pane interface too congested, you have the option of customizing the display of the windows using the floatable, auto-hide, tab, or hide features.<\/p>\n

Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab you select in this area also drives the right upper pane to different view. Clicking actions taken by the user in any of the tabs drive the right upper pane to display certain data source items depending on the tab you are in and type of data being viewed.<\/p>\n

Overview tab (left tab in left pane):<\/b> This tab will provide a breakdown of the various types of data sorted into categories.<\/p>\n

\"13-overview\"<\/p>\n

Case Explorer tab (middle tab, in left pane):<\/b> This tab provides access to view Timeline data, and data sources. Here you can see that it also shows the partition structures that are contained within the binary dump. If you recall earlier, I only selected to have three partitions ingested for data parsing. It would be nice to have an option to exclude the unselected partitions, from being viewed in this tab.<\/p>\n

\"14-case-explorer\"<\/p>\n

Within the Case Explorer tab, data is broken down into data type categories: Browsers, Cloud services, Instant Messengers etc.<\/p>\n

\"15-case-explorer-with-data\"<\/p>\n

File System tab (right tab, in left pane):<\/b> This tab shows all the data sources ingested by BEC. If the data source contains partitions\/volumes which contain file systems that BEC can understand, they will appear here. This is a refined view from the Case Explorer tab. However, I still have to dig to identify the various partitions\/volumes, as they are named with ‘vol_xxxxxx’ where xxxxx is the offset value in decimal of the start of the volume. As indicated previously, I am only interested in three partitions. It would be nice if in future BEC releases the actual volume (partition) name was provided, and only volumes selected for analysis were listed, with the option to view unselected volumes if an examiner needs.<\/p>\n

\"16-file-system\"<\/p>\n

Right Upper Pane: This is the data examination area where you can review the parsed data or analyze data structures. The user can add or remove tabs in this area through the ‘View’ function on the toolbar.<\/p>\n

\"17-view-main-menu\"<\/p>\n

Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex Viewer and Search Results.<\/p>\n

Task Manager:<\/b> Here you can observe any tasks that are running, scheduled, or completed.<\/p>\n

\"18-task-manager\"<\/p>\n

Item Properties: Here you can inspect the properties of a single item that has been selected from a parsed data source in the Case explorer (left pane) and viewed within a correlated tab in the right upper pane. An example is shown in the following screenshot, following the arrows, with review of the touch.db file (Case Explorer in the left pane), the database structure viewed in the right pane upper pane, in SQLite viewer, and examination of a specific record, Item Properties (right lower pane) in the touch.db file, experience_members table. The actual database (.db) file is identified in the \u2018Current file\u2019 information bar.<\/p>\n

\"19-item-properties_sm\"<\/p>\n

Hex Viewer:<\/b> This is located in the lower right pane, Hex Viewer tab. From the previous example, highlighting a record (row) in the SQLite database file, Data tab, locates that data in the Hex Viewer showing the offset it is located at. There is also a ‘Type Converter’ which assists with data decoding.<\/p>\n

\"20-hex-viewer_sm\"<\/p>\n

Search Results:<\/b> This tab displays the search results. To initiate a search access the search function from the search icon in the toolbar.<\/p>\n

\"21-search-toolbar-button\"<\/p>\n

Then select what you would like to search, data source(s) and the profiles to search in:<\/p>\n

\"22-search\"<\/p>\n

 <\/p>\n

<\/span>Data Filtering<\/span><\/h2>\n

The ability to filter data is important when trying to sift through any amount of information. The filter window is automatically invoked by BEC when you are either in the Case Explorer tab, or Overview tab, looking at a specific category of data.<\/p>\n

\"23-add-filter-pane_sm\"<\/p>\n

Select ‘Add Filter’.<\/p>\n

\"24-add-filter-pane2\"<\/p>\n

Then select one or more of the filter criteria. The filter criteria change based upon the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers, Mailboxes, etc.<\/p>\n

\"25-filter-criteria\"<\/p>\n

For examination of a SQLite database, I can use the SQLite Viewer tab (upper right pane) to examine each table and the columns within a table. BEC very nicely displays the number of database records and the number of journaled records (which are part of the number of records count).<\/p>\n

\"26-sqlite-viewer_sm\"<\/p>\n

The colouring of the rows is done by BEC to visually assist with identification of data:<\/p>\n