Belkasoft - forensic and system software tools. Office Documents, Instant Messengers, Browsers, Mailboxes, Pictures and Videos search, analysis and extraction. Find Digital Evidence quickly!

Belkasoft Forensic IM Analyzer Encase Integration

Overview
Users of Guidance Software's powerful Encase product can take advantage of the BelkasoftDataImport script which allows importing Instant Messenger chats, extracted by Belkasoft Forensic IM Analyzer, to EnCase. BelkasoftDataImport is an Encase package, available for FREE.

Download script
Works starting Belkasoft Forensic IM Analyzer version 2.0 build 157 and later.

Prerequisites
In order to use BelkasoftDataImport package, you should install the following products to your computer:

EnCase 6.xx (the package was tested with version 6.18)
Belkasoft Forensic IM Analyzer, any edition

Installation

Copy BelkasoftDataImport.EnPack file to your EnCase script folder. By default, it is this:
"<Encase installation directory>\EnScript", e.g. "C:\Program Files\EnCase6\EnScript"

BelkasoftDataImport package file under the scripts Encase folder

Copy the script license file BFIAU.EnLicense to your EnCase license folder. By default, it is this:
"<Encase installation directory>\License", e.g. "C:\Program Files\EnCase6\License\"

Belkasoft license file under the licenses Encase folder

Usage guide
Open an EnCase case. In the EnScript view, find a script with the name BelkasoftDataImport and execute it.

Script location

Belkasoft Forensic IM Analyzer will start.

Images in EnCase Tree which will be passed to Belkasoft Forensic IM Analyzer

In Belkasoft Forensic IM Analyzer, search for instant messengers or carve images that are attached to your case.

"Search IMs on this computer" window with an Encase image to be searched against

If you do not remember the full paths to these images, you can find this information in the Console view. It looks like this:

Files:
C:\Cases\images\Skype3+Miranda.E01;
C:\Cases\images\Skype3History.E01;

After you have extracted some chats, export profile or device contents to any folder as an XML file as shown below:

Exporting an ICQ profile from Belkasoft Forensic IM Analyzer

Export options: choose XML target format and One file option

You can export chats for a profile (as shown on the picture above), a profile's contact or a device.

When all the images of interest are analyzed and exported to XML files, close Belkasoft Forensic IM Analyzer and return to EnCase.
Switch to the Records view. Under the device nodes you will see IM Analyzer data record folder with the information that has been imported from Belkasoft Forensic IM Analyzer:

Encase Record view with chats imported from Belkasoft Forensic IM Analyzer

Error messaging
All the steps are logged to the Encase Console view:

Log information for the script execution

Should any problem occur with this script, it will be very helpful if you send us this log.

How to: video
See the video below which shows all the steps described in this article. If your browser crops the video, right click on it and select Show All item.

Belkasoft Forensic IM Analyzer Encase Integration

Products

Purchase

Support

Resources

Partners

About us