Belkasoft Forensic Studio Features

Please note, that this is outdated version of the product. Please go to Evidence Center page to get up-to-date information.

Search a seized drive for histories There is a seized hard drive in your lab, and you want to find all history files contained there. You do not know which means of online communication the suspect has been using. The product allows you to search the whole hard drive for all supported types of histories: Instant Messenger chats, Browser URLs history and cookies, various mailboxes: All drives or particular ones may be selected You can select a particular folder to search through Histories to be looked for may be limited to a particular type (e.g. Skype files only) You can search a drive connected via Encase It is possible to manually select a history to analyze

Download product brochure

Analyze found histories

The product does all the analysis with two mouse clicks:

• No password required
• You do not have to be logged under a history owner
• No write access required. The product works with write-blocking devices

Explore extracted histories

The product shows extracted messages in a user-friendly form:

Within the user interface you can:

• See all available histories and their extraction status
• See all contacts belonging to a profile
• See all conversations with a selected contact
• Sort by time, message direction, message text
• Apply filtering
• Search history. Do simple searches through history and advanced searches using a file with a set of words to look for. Experienced users can benefit from searching by regular expressions, which is very useful while searching for templates or phrases with fuzzy structure

Export history

After completing your investigation, you need to export histories of interest in a readable form. The product allows you to:

• Export histories to plain text, HTML and XML. IM Analyzer can also export to CSV format which is ideal for exploring data within powerful Microsoft Excel product
• Limit exported histories to selected dates and contacts
• Split huge histories into separate files, broken by contact

The resulting report is independent of your computer, so you can burned it onto a CD and give it away.

Instant Messengers supported

The following IMs are supported:

• ICQ (all versions from 97a to ICQ 7)
• Microsoft MSN/LiveMessenger
• Skype versions 2, 3, 4, 5
• Skype chatsync recovery (Professional and Ultimate editions only)
• Yahoo! Messenger
• MySpace IM
• &RQ
• Miranda
• SIM
• QIP
• QIP Infium
• Google Hello
• Trillian
• QQ 2008 and earlier
• Digsby
• Rambler Virtus
• Mail.Ru Agent
• Pidgin
• AIM (search history files only)

Note: QQ 2009, 2010, 2011 is temporary not supported due to the protocol change by Tencent. We are working on this issue.

You can search against a real drive as well as a drive image such as an Encase image, SMART or a DD image.

Deleted history carving support (Ultimate edition only):

• Skype 3
• Skype 4, 5
• Digsby
• ICQ Lite
• ICQ 7
• Miranda IM
• Windows Live Messenger
• QIP Infium/2010
• SIM
• AIM
• Virtus
• Pidgin
• Trillian
• Mail.ru Agent 5
• Gajim
• Emesene
• Yahoo! Messenger

You can carve both a real drive and a drive image, such as an Encase image, SMART or a DD image.

Live memory images carving (Ultimate edition only):

• AIM
• AIM Express
• ICQ 7
• Yahoo! Messenger
• Skype
• Gmail
• MSN
• Meebo
• Google Talk
• Facebook (personal messages)
• Vkontakte.ru (personal messages)
• e-Buddy
• YaOnline

Browsers supported

The following browsers are supported:

• Microsoft Internet Explorer including IE version 8
• Mozilla Firefox versions 2 and 3
• Opera
• Google Chrome
• Apple Safari

Mailboxes supported

The following mailbox types are supported:

• Microsoft Outlook 2003 and 2007
• Microsoft Outlook Express
• RITLabs The Bat! (beta version)

Product editions

The product is available in a number of editions:

• Standard — this edition is the basic version for organizational users. It contains Standard versions of Belkasoft Forensic IM Analyzer and Belkasoft Browser Analyzer
• Professional — this edition contains Professional versions of Belkasoft Forensic IM Analyzer and Belkasoft Browser Analyzer. Belkasoft Forensic IM Analyzer Professional adds up support for mounting drive images, extraction of Skype chatsync and QQ 2009/2010. Belkasoft Browser Analyzer Professional adds up support for stored passwords extraction.
• Ultimate — this edition contains Ultimate versions of Belkasoft Forensic IM Analyzer and Belkasoft Browser Analyzer. Belkasoft Forensic IM Analyzer Ultimate features support for carving (retrieving) leftover data of deleted Instant Messengers and data in live RAM. Belkasoft Browser Analyzer Ultimate features cache visualization and cached images export.