
Belkasoft Forensic IM Analyzer Features

Analyze found histories

The product does all the analysis with two mouse clicks:

  • No password required
  • You do not have to be logged in as the history owner
  • No write access required. The product works with write-blocking devices

Explore extracted histories

The product shows extracted messages in a user-friendly form.

Within the user interface you can:

  • See all available histories and their extraction status
  • See all contacts belonging to a profile
  • See all conversations with a selected contact
  • Sort by time, message direction, message text
  • Apply filtering
  • Search history. Run simple searches through the history, or advanced searches using a file containing a set of words to look for. Experienced users can also search by regular expressions, which is ideal when searching for templates or phrases with fuzzy structure

Retrieving deleted history

If some history was deleted by a user, chances are that part of it can still be found on the drive. To recover it, the product uses so-called 'carving' techniques, which help to retrieve deleted conversations.

The following features are supported:

  • Carving FAT and NTFS drives
  • Carving drives attached through a write-blocking device
  • Carving drive images (Encase, SMART or DD format)
  • Live memory investigation (carving a RAM image made with win32dd/win64dd or FTK Imager)

Note! This feature retrieves conversations that were deleted from a drive. It will not help if the history was never stored on that drive, except in the case of RAM image carving.

Export history

After completing your investigation, you need to export a history of interest in a readable form. The product allows you to:

  • Export history to plain text, HTML, XML, and also to CSV format, which is convenient for exploring data in Microsoft Excel
  • Limit exported histories to selected dates and contacts
  • Limit exported histories to selected chat messages
  • Split huge histories into separate files, broken by contact

The report can be burned onto a CD and given away.

Instant Messengers supported

The following IMs are supported:

  • ICQ (all versions from 97a to ICQ 7)
  • Microsoft MSN/LiveMessenger
  • Skype versions 2, 3, 4, 5 (including chatsync recovery)
  • Yahoo! Messenger
  • MySpace IM
  • &RQ
  • Miranda
  • SIM
  • QIP
  • QIP Infium
  • Google Hello
  • Trillian
  • QQ 2008 and earlier
  • Digsby
  • Rambler Virtus
  • Mail.Ru Agent
  • Pidgin
  • AIM (search history files only)

Note: QQ 2009, 2010 and 2011 are temporarily not supported due to the protocol change by Tencent. We are working on this issue.

Deleted history carving support (Ultimate edition only):

  • Skype 3
  • Skype 4, 5
  • Digsby
  • ICQ Lite
  • ICQ 7
  • Miranda IM
  • Windows Live Messenger
  • QIP Infium/2010
  • SIM
  • AIM
  • Virtus
  • Pidgin
  • Trillian
  • Mail.ru Agent 5
  • Gajim
  • Emesene
  • Yahoo! Messenger

Live memory images carving (Ultimate edition only):

  • AIM
  • AIM Express
  • ICQ 7
  • Yahoo! Messenger
  • Skype
  • Gmail
  • Windows Live Messenger
  • Meebo
  • Google Talk
  • Facebook (personal messages)
  • Vkontakte.ru (personal messages)
  • e-Buddy
  • YaOnline

Encase integration

The product supports exporting data to the powerful Guidance Software Encase product. See more details on this page.

Product editions

The product is available in a number of editions:

  • Standard — this edition is the basic version for organizational users
  • Professional — this edition includes support for mounting drive images, extraction of Skype chatsync and QQ 2009/2010
  • Ultimate — this edition includes support for carving (retrieving) leftover data of deleted Instant Messengers and data in live RAM
  • Intelligence — this edition is distributed as an executable file on a flash drive and does not have to be installed on the target computer. This is useful for gathering information outside the forensic lab in an uncontrolled environment like an internet cafe. The edition is only available for police and law enforcement organizations.