Belkasoft Evidence Center Features

What's new in version 3.9?

Why Belkasoft Evidence Center?

• Reduced cost of investigation
• Reduced investigation time
• Less specific knowledge required for investigator
• Ideal for triage
• Simultaneous work of several analysts on the same case

Search a seized drive for histories There is a seized hard drive in your lab and you want to find all history and document files contained there. You do not know which means of online communication and software the suspect has been using. The product allows you to search the whole hard drive for all supported types of evidence: Instant Messenger chats, Browser URLs history, Mailboxes, P2P data, Multi-user Online Games, Office documents, Pictures and Videos: All drives or particular ones may be selected You can select a particular folder to search through Histories to be looked for may be limited to a particular type (e.g. Skype files only) You can search a drive connected via Encase It is possible to manually select a history to analyze After the software found history profiles for you, it is possible to select any of them and add to a case. At this point you can instruct the software to calculate the profiles' hash values to make sure they are not changed during the investigation. Besides communication histories, the product allows to locate documents, picture and video files and include them in a case for subsequent analysis.

Download product brochure Read product help

Analyze found histories

The product does all the communications analysis with two mouse clicks:

• No password required
• You do not have to be logged under a history owner
• No write access required. The product works with write-blocking devices

Analyze found images and videos

The product allows you to run complicated analysis against picture and video files, such as:

• Pornography detection
  
• Faces detection
  
• Text detection
  

For your convenience, detected results are then correspondingly grouped, for example, in an item called "Images with faces" or "Images with text".

To analyze a video file, it is broken into a series of key frames in advance. This feature, even alone, is extremely useful to lessen emotional stress of an investigator, who has to deal with video analysis of particular kinds. Instead of watching hours of unpleasant video, they can simply cut it on a hundred of key frames, which can be inspected — even without automation — very quickly without loosing any evidence.

Analyze Office documents

Retrieving deleted history

If some history was deleted by a user, chances are that part of it can still be found on the drive. In order to do it, the product uses so-called 'carving' techniques which helps to retrieve deleted conversations.
The following features are supported:

• Carving FAT, NTFS, ext2, ext3, HFS and HFS+ drives
• Carving drives attached through write-blocking device
• Carving drive images (Encase, SMART or DD format; Windows, MacOS and Linux file systems supported)
• Live memory investigation (carving RAM image made in win32dd/win64dd, FTK Imager or Encase)

Note! This feature allows to retrieve conversations, deleted from a drive. It will not help you in case some history was never stored on that drive, except for RAM image carving.

Explore extracted histories

The product shows extracted information in a user-friendly form:

Within the user interface you can:

• See all found history profiles
• See all contacts belonging to a chat profile
• See all mail folders belonging to an email profile
• See all conversations with a selected contact
• See all emails within a selected mail folder
• See a profile's original hash value and current hash value to make sure nothing has changed since the profile was added to a case
• Sort by various criteria
• Search history. Do simple searches through history and advanced searches using a file with a set of words to look for. Experienced users can benefit from searching by regular expressions, which is very useful while searching for templates or phrases with fuzzy structure, for example, credit card numbers
• View pictures included to a case
• View pictures with GPS coordinates, on Google Maps or Google Earth
  
• See all key frames for a video
• See all documents' metadata

Bookmarking

You can mark any extracted information by using named bookmarks. Bookmarks are persistent and stored in the same database as the case is. You can see all the pieces of information in a bookmark, go to the original item and, vice versa, from an item to any bookmark which contains that item. Bookmarked items are highlighted with another color, so you will not miss them on an item list.

Export history

After completing your investigation, you need to export histories of interest in a readable form. The product allows you to:

• Export histories to plain text, HTML, XML, CSV and PDF.
• Limit exported histories to selected dates and contacts
• Split huge histories into separate files, broken by contact or mail folder
• Split reports into smaller files by specifying a number of items to be included in the report, for example, 50 messages per report file

It is possible to customize report, for example, include your logo or change fonts and colors.

Case management

The product allows you to manage information for different cases. You can add information you are working with to a named case, give a name and a description to a case, create, edit and delete a case. This is handy when you work with multiple cases at a time.

Information persistence

All found information is now stored in a database. Unlike the older products, this product allows you to safely shut it down because all data is stored right after it is extracted. This enables you to work with multiple cases and handle big cases, for example, those involving multiple huge Outlook mailboxes. The product does not have a limit of 2Gb of Outlook mailbox space which the previous products have.

Integration

Belkasoft Evidence Center integrates all the work with Instant Messengers, Browsers, Emails, P2P, MMORPG, Documents, Pictures and Videos in one user interface. You can perform all operations with a piece of evidence in a uniform way: it is possible, for example, to search through all found chats, URLs and emails in a single search operation.

Multiple monitor support

The product has a number of windows showing various aspects of a case you are working with: Case Explorer, Item List, Item Properties, Task Manager and Web Browser, to name just a few. To make it more efficient to work with this number of windows, the product supports multiple monitors, so you can arrange windows and resize them as you find convenient. The product will remember your preferences and automatically restore the window positions and sizes the next time you run product.

Instant Messengers supported

The product supports regular file analysis, deleted history carving and Live RAM analysis for more than 70 Instant Messengers, including Windows, MacOS and Linux messengers. Some of them are listed below. For the complete list, please refer to this page.

• ICQ (all versions from 97a to ICQ 7)
• Microsoft MSN/LiveMessenger
• Skype versions 2, 3, 4, 5
• Yahoo! Messenger
• Miranda
• Trillian
• AIM

Note: QQ 2009, 2010, 2011 is temporary not supported due to the protocol change by Tencent. We are working on this issue.

More details on Instant Messenger support.

Browsers supported

The following browsers are supported:

• Microsoft Internet Explorer (except for password recovery)
• Mozilla Firefox starting v.2
• Opera
• Google Chrome
• Apple Safari (except for password recovery)

More details on Browser support.

Mailboxes supported

The following mailbox types are supported:

• Microsoft Outlook 2003, 2007 and 2010
• Microsoft Outlook Express
• Mozilla Thunderbird
• Gmail
  
• Yahoo! Webmail
• Hotmail
• RITLabs The Bat!
• Windows Live Mail

More details on Mailbox support.

Social Networks supported

The following social networks supported:

• Bebo
• Facebook
• Orkut
• Twitter
• Vkontakte
• Google+

More details on Social Networks support.