Review of Belkasoft Evidence Center (BEC)
By Shafik G. Punja

Introduction

Hello fellow digital forensic colleagues! This is a brief review of the BEC product, but let me preface it first by stating that anything stated herein is a reflection of my own thought processes, is not representative of my employer, and has NOT been influenced by Belkasoft. My second prefacing statement: I use a wide variety of tools for analyzing data. I find leveraging this pluralistic diversity of using a variety of different tools an asset, in that it allows me to view the same data from different perspectives. No software is perfect; our collective use and subsequent reporting of any issues greatly helps improve any product.

My first interest in the Belkasoft products was specifically for parsing Instant Messenger (IM) chat communications. I have been watching the Belkasoft products evolve for well over 5 years, with more features being added to assist examiners.

Belkasoft Front Matter

If you are not familiar with the Belkasoft products you can check out their website: https://belkasoft.com/. A most excellent resource for the reader is also their blog: https://belkasoft.wordpress.com/. The blog contains news as well as excellent articles, which provide a great deal of information. All articles are also available at https://belkasoft.com/articles.

The intent of this review is to provide an overview of the Belkasoft Evidence Center Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC, which is beyond the scope of this article. I strongly urge you to obtain a trial version and explore the product.

In addition to BEC, there are two FREE companion standalone tools which Belkasoft provides: Belkasoft Acquisition Tool (called BelkaImager), and Belkasoft Live RAM Capturer. A really quick overview of the BelkaImager product can be found at: http://www.weare4n6.com/imaging-drives-and-mobile-devices-withbelkaimager/. BelkaImager is also integrated into BEC and is found under Tools -> Acquisition. The BelkaImager product can be used for acquiring data from traditional computers, laptops and also mobile devices. An interesting feature of the imager is the ability to download cloud data. Google Drive, Google Plus and iCloud are currently supported.
Starting BEC & Case Setup

Like other forensic acquisition and analysis products that you may have been exposed to, BEC is a GUI based interface tool.

When starting the product, there seems to be some delay on my examination computer, which I first observed a few releases ago, pre version 8. The case setup is consistent regardless of what type of device/file/image/data you are examining. In order to configure BEC options you will need to create a case first. In this product overview an Android image will be used to demonstrate basic product features. During the case creation process please remember to select the appropriate time zone settings and any case description that you feel is necessary.

Open Case Dialog – New Case

Make sure that after you create your case, and before you press 'OK', you select Options, which is found on the right side of the 'Open Case' window. This is not necessary, but can be useful, for example to assign a temporary folder (in case the C drive is a small SSD drive, it makes sense to assign another, bigger magnetic drive to store BEC temporary data). Otherwise the default options will work well without any further adjustments.

Within the 'Open Case Dialog' window there are 4 tabs: General, Picture, Video and Hashes.

Open Case Dialog – Options and Tab Options

The tab layout is shown in the screenshots below with default settings. Note in the Video tab the ability to extract frames automatically. The default settings are used, which are already checked.

Add data source Window – Step 1: What sources would you like to analyze?

After you select your options, BEC will prepare the case and then prompt you to add a data source through the 'Add data source' window. From this window you can choose one type or multiple types of data sources. In this case, BEC is used to analyse a 'DumpData.bin' file. This is a physical image of an Android Samsung SM-G900W8, running Android OS 5.1.1; the device was acquired with UFED 4PC 5.3. The screenshot below provides a view of the 'Add data source Dialog' window.

Add data source Dialog – Data sources: Take note of the various types of data sources that can be added for ingestion into BEC.

The 'Run hash set analysis' option allows an examiner to import hash sets which BEC can leverage in order to perform hash value matches of content.

Add data source Window – Step 2: What would you like to search for?
In this window the examiner will hopefully be quite informed about the type of content that is to be searched. As you can see, data type categories are shown in the left pane, with the app types supported relative to each operating system. As a humble suggestion, please take the time to really target what you are looking for and try NOT to select everything, as shown in the screenshot below.

The more artifacts you select, the longer the initial analysis will be. For example, if you are looking inside an Android phone, there is no sense in looking for Windows artifacts. However, if you are investigating a Windows computer, it makes sense to have Android artifacts selected just in case an Android backup is found on the computer. Encrypted files detection can take a good amount of time, so if a user is not interested in an encryption search, unchecking 'Encrypted files' will speed up the analysis.

Analyze: Take a moment to review which partition areas you want to look at. This specific Android operating system image has numerous partitions, and in this case only partition structures which might prove of use are selected for examination.

If you want to pursue data carving you can check 'Carve' and again specify the partitions, allocated and/or unallocated space.

When you have finished optimizing the data searches for your specific needs, press the Finish button. Another window will appear asking whether you want to add another data source.

If 'Yes' was selected, then the 'Add data source Dialog – Data sources' dialog window would appear. In this case, 'No' was selected, and this initiates the processing of the data source along with the specified search selections.

BEC Interface

The main BEC interface window will present with 3 main areas, much like most GUI based digital forensic products:

Above the tri-pane interface, please note the product toolbar, which consists of both icons and a text based menu driven interface. Under 'Help' there is offline and online help documentation.

If you find the tri-pane interface too congested, you have the option of customizing the display of the windows using the floatable, auto-hide, tab, or hide features.
Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab you select in this area also drives the right upper pane to a different view. Clicking actions taken by the user in any of the tabs drive the right upper pane to display certain data source items, depending on the tab you are in and the type of data being viewed.

• Overview tab (left tab in left pane): This tab will provide a breakdown of the various types of data sorted into categories.

• Case Explorer tab (middle tab, in left pane): This tab provides access to view Timeline data, and data sources. Here you can see that it also shows the partition structures that are contained within the binary dump. If you recall, earlier I only selected to have three partitions ingested for data parsing. It would be nice to have an option to exclude the unselected partitions from being viewed in this tab.
Within the Case Explorer tab, data is broken down into data type categories: Browsers, Cloud services, Instant Messengers etc.

• File System tab (right tab, in left pane): This tab shows all the data sources ingested by BEC. If the data source contains partitions/volumes which contain file systems that BEC can understand, they will appear here. This is a refined view from the Case Explorer tab. However, I still have to dig to identify the various partitions/volumes, as they are named with 'vol_xxxxxx', where xxxxxx is the offset value in decimal of the start of the volume. As indicated previously, I am only interested in three partitions. It would be nice if in future BEC releases the actual volume (partition) name was provided, and only volumes selected for analysis were listed, with the option to view unselected volumes if an examiner needs.

Right Upper Pane: This is the data examination area where you can review the parsed data or analyze data structures. The user can add or remove tabs in this area through the 'View' function on the toolbar.

Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex Viewer and Search Results.

• Task Manager: Here you can observe any tasks that are running, scheduled, or completed.
• Item Properties: Here you can inspect the properties of a single item that has been selected from a parsed data source in the Case Explorer (left pane) and viewed within a correlated tab in the right upper pane. An example is shown in the following screenshot, following the arrows, with review of the touch.db file (Case Explorer in the left pane), the database structure viewed in the right upper pane, in the SQLite viewer, and examination of a specific record, Item Properties (right lower pane), in the touch.db file, experience_members table. The actual database (.db) file is identified in the 'Current file' information bar.

• Hex Viewer: This is located in the lower right pane, Hex Viewer tab. From the previous example, highlighting a record (row) in the SQLite database file, Data tab, locates that data in the Hex Viewer, showing the offset it is located at. There is also a 'Type Converter' which assists with data decoding.

• Search Results: This tab displays the search results. To initiate a search, access the search function from the search icon in the toolbar. Then select what you would like to search, the data source(s) and the profiles to search in:

Data Filtering

The ability to filter data is important when trying to sift through any amount of information. The filter window is automatically invoked by BEC when you are either in the Case Explorer tab or the Overview tab, looking at a specific category of data.

Select 'Add Filter'. Then select one or more of the filter criteria. The filter criteria change based upon the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers, Mailboxes, etc.

For examination of a SQLite database, I can use the SQLite Viewer tab (upper right pane) to examine each table and the columns within a table. BEC very nicely displays the number of database records and the number of journaled records (which are part of the number of records count).
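Two things the SQLite viewer does for you here, a per-table record count and decoding an integer column as UTC Unix time, can be reproduced outside the GUI when you need to verify or script them. The following Python is an added example, not BEC code and not the reviewer's; the experience_comments table, its columns and its values are constructed for the example, since touch.db's real schema is not given in the review.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample, not touch.db's real schema: one table with an
# integer Unix-timestamp column named after the one discussed in the review.
SAMPLE_SQL = """
CREATE TABLE experience_comments (
    id INTEGER PRIMARY KEY,
    member TEXT,
    experience_comment_creation_timestamp INTEGER
);
INSERT INTO experience_comments VALUES
    (1, 'alice', 1451606400),     -- seconds: 2016-01-01 00:00:00 UTC
    (2, 'bob',   1451606400123),  -- milliseconds: same instant plus 123 ms
    (3, 'carol', NULL);           -- missing value must decode to None
"""

def open_sample_db():
    """Build the constructed database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def table_row_counts(conn):
    """Per-table count of live rows, the figure a viewer's record count shows.
    Journal and freelist (deleted) records sit outside the SQL layer and need
    the raw file bytes; COUNT(*) never sees them."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
            for n in names}

def unix_to_utc(value):
    """Decode an integer epoch value as a UTC ISO 8601 string.
    Anything above 10**11 cannot be seconds (that is past year 5000), so it
    is treated as milliseconds; integer arithmetic keeps the result exact."""
    if value is None:
        return None
    value = int(value)
    if value > 10**11:
        secs, ms = divmod(value, 1000)
        dt = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
        return dt.isoformat(timespec="milliseconds")
    return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()

def decode_column(conn, table, column):
    """Return (id, decoded timestamp) pairs for one column of one table,
    quoting identifiers so unusual table or column names are handled."""
    q = table.replace('"', '""')
    c = column.replace('"', '""')
    rows = conn.execute(f'SELECT id, "{c}" FROM "{q}" ORDER BY id')
    return [(rid, unix_to_utc(v)) for rid, v in rows]
```

Treat the seconds-versus-milliseconds threshold as a heuristic to confirm against the app's own code or a known event time, as it is the kind of assumption the GUI's 'Choose type' menu makes for you.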
The colouring of the rows is done by BEC to visually assist with identification of data:

• journaled records – light blue coloured row
• examiner selected record – dark blue coloured row
• actual database records – white coloured row
• deleted records – red coloured row

However, what I do note is that I cannot easily search/filter any table columns, which would be a useful feature. I cannot invoke the Filter window whilst in the SQLite viewer tab; I must go back to the Message List tab. I would like to see the ability to filter any item of data from any column.

I can quickly convert the timestamps by right clicking on the 'experience_comment_creation_timestamp' column and drilling down to 'Choose type' and selecting UTC Unix time.

Results

During my analysis of the parsed binary file, I was able to exclude the Touch app (touch.db) for any data of interest, other than verifying the Touch account user identification information. The date filtering feature allowed for a quick review of messages for a specific time period. The Timeline view provided me with a nice overview of the activities that occurred on the device in the time period of interest. The SQLite viewer tool, in conjunction with the Hex Viewer, proved very useful in reviewing data that consisted of any deleted recovered artifacts, journaled data, and live database records.

Summary

The BEC software usage information presented thus far is certainly not exhaustive of all the complete features of this product. Depending upon the types of data sources you are examining, there are other areas of the product which are not demonstrated, like those available in the View drop down menu:

• Registry viewer and Plist Viewer data
• Connection graph functions are useful features to view communication relationships between contacts.

Also take note of being able to export the data from BEC to the:

• BEC evidence reader, which allows investigators to review the data themselves
• And 'Export to UFDR', which exports the data in a UFDR for import into UFED Physical Analyzer.
All the numerous benefits of BEC can be reviewed at these links:

• https://belkasoft.com/bec/en/evidence_center.asp
• https://belkasoft.com/bec/en/Evidence_Center_Features.asp

However, as a user of this product one of the key benefits for me is the ability of this product to ingest multiple data sources, with the ability to review data from various types of apps on smartphone platforms.

As noted at the start of this review, software products can be improved with user input to the developer. If you encounter a situation where the data you are examining is not being parsed correctly, missed, and/or you note an issue with the software, then please make the time to contact Belkasoft so they can provide assistance. When I have contacted Yuri, I have received a timely reply (usually within 24-48 hours) from Yuri acknowledging any issues. And they (Yuri and his team) have been very responsive in providing fixes.

In closing, I hope you take the time to review this product on your own and test it for your own needs.

About the Reviewer

Shafik is a digital forensic examiner for a law enforcement agency, currently assigned to the Digital Forensics Team (Cyber/Forensic Unit), and has been working in this area since 2003.