DFIR Training Blog

I took Belkasoft Evidence Center for a spin around the block

TL;DR

Belkasoft Evidence Center lives up to its tagline of “forensics made easier”. For near-complete automated case work, it works. An intuitive interface and automated processes make processing practically user-error free.

The review

I took Belkasoft Evidence Center (BEC) for a test drive, ran it across several images, and validated what I saw with a different forensic suite. Everything that I tested worked. Plus, it did a few things that my other tools do not.

At this point of digital forensics software development, especially with name brand companies such as Belkasoft, I am not going to get into the things that every forensic suite should be able to do, such as adding images, imaging, data carving, or creating bookmarks of items, unless there is something substantially different. If a tool cannot do the basics, then I don’t want to touch that tool or let it touch my evidence.

With that, this is my opinion of the Belkasoft Evidence Center: not an instruction manual, but rather the cool things that I like and the differences from other tools that I see. Negatives? Of course, because no one tool will ever satisfy me, as no single tool does everything exactly the way that I (as in, just me) like it.

Overall, I like it.

Top 4 positive bullet points of my test run:

1-Easy to set up

2-Processes data quickly

3-Intuitive GUI

4-Gives a clear visual of the evidence

I’ll get into negatives later.

What’s different (or easier)

Top 4 things that caught my attention:

1-SQLite forensics

2-Live RAM processing and memory carving

3-VSC support (and snapshots are in the same place as the current drive state)

4-APFS support

The Dashboard

Dashboards are a thing, at least in most tools. Some tools have nothing closely related to a dashboard, and that’s fine too. Figure 1 shows the BEC dashboard, and you can probably tell why I like it: it is organized and clean :)

The tabs (#1) make it easy to switch views of the data, and the tabs are visibly constant (and moveable) in the application. The Data sources section (#2) cleanly delineates the data by categories, and double clicking any category takes you to that location. There are a few Predefined search icons (#3), which is a time saver with the work already being done. The rest of the dashboard (#4 and more below) consists of nice visuals to perhaps show in court or to a client, but they are not necessarily important to me in an analysis.

Figure 1: Dashboard

Going through a few tabs of interest, the Case Explorer tab seen in Figure 2 is nicely done. Clicking on a file type in the left window (#1) brings up the contents (#2), with properties and hex values below (#3). This is where I find the BEC tagline to be totally accurate in making forensics easy: if you are manually carving data in your cases with other tools, BEC does it for you.

Figure 2: Case Explorer tab

Another example in Case Explorer is seen in Figure 3.

Another thing that I liked: easy switching through a choice of views (File System, Overview, Explorer).

The File System tab is the common Microsoft Explorer-type view of the data, by evidence item (#1 and #2), seen in Figure 3. This is a must-have for any forensic suite, where you can see the layout of the data as it exists on the storage media. I’m not mentioning this as a special feature of Belkasoft, but rather to show two other related tabs that are well done.

Figure 3: File System tab

The Overview tab compiles all evidence items into one screen, with the data separated into categories. You can see in Figure 4 that in this view you can look at the data for all evidence items, like browsers (#1), pictures (#2), or system info such as network connections (#3). Each item is identified by file path, so any item of importance can be tied to its respective device when viewing.

Figure 4: Overview tab

This brings us to the Case Explorer tab. Figure 5 shows that instead of combining all data from all evidence items as in the Overview tab, the Case Explorer shows the data separated by device, but still in categories. Figure 5 shows two evidence items (#1 and #2), with the respective data for each evidence item categorized below it.

Figure 5: Case Explorer tab

This is why I liked the layout of these three tabs: being able to view the data as it sits on the media (File System), separated by evidence item but with files sorted by category (Case Explorer), and a compilation of all evidence items with files sorted by category (Overview), as seen in Figure 6. Sometimes seeing data presented with different visuals will help you find what you need faster, and being able to see one category of file across all evidence items is helpful. These tabs are not unlike filters in other respective tools, but it is certainly cleaner than I see elsewhere.

Figure 6: Three views of evidence items and sorted file types

Picture analysis with BEC is a cool feature that I liked. The Overview tab (#1) in Figure 7 shows the options for pictures when right-clicking Pictures (#2), and gives quite a few choices for detecting faces, skin, and others (#4). I did have false positives with the types of pictures to be analyzed (faces, skin, etc.) in this analysis feature, but no more than with other tools that I use or have used.

Figure 7: Picture analysis

What I did find to be really convenient is how BEC will plot every picture that contains GPS coordinates in EXIF to either Open Street Maps or Google Earth (or export to Google Earth) with one click (Figures 8 and 9). Since all pictures from all evidence items (or just one picture) can be plotted on a map in seconds, searching geolocation data is quick work.
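As an added example (not Belkasoft's code and not part of the original post), here is a small Python script that does by hand what the one-click plot above does under the hood: it walks a JPEG's marker segments, parses the EXIF GPS IFD, converts the degree/minute/second rationals plus the N/S/E/W reference into signed decimal degrees, and writes a KML placemark that Google Earth can open. Tag numbers and field types follow the Exif/TIFF specification; the sample JPEG, its coordinates and the file name are constructed here so the script runs offline, and `build_sample_jpeg` exists only to produce that test input.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field type -> byte size
TAG_GPS_IFD = 0x8825                                   # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x1, 0x2, 0x3, 0x4   # GPS IFD tag numbers

def _read_ifd(tiff, end, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, ftype, n = struct.unpack_from(end + "HHI", tiff, pos)
        entries[tag] = (ftype, n, tiff[pos + 8:pos + 12])
    return entries

def _field_data(tiff, end, entry):
    """Resolve an IFD entry to its bytes: stored inline if <= 4 bytes, else at an offset."""
    ftype, n, raw = entry
    size = TYPE_SIZES[ftype] * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(end + "I", raw)
    return tiff[off:off + size]

def _dms_to_decimal(rationals, ref):
    """Three EXIF RATIONALs (deg, min, sec) plus an N/S/E/W ref -> signed decimal degrees."""
    deg, mins, sec = (num / den for num, den in rationals)
    value = deg + mins / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def extract_exif_tiff(jpeg):
    """Walk the JPEG marker segments; return the TIFF payload of the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker in (0xFFDA, 0xFFD9):                 # start of scan / end of image: stop
            return None
        data = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and data[:6] == b"Exif\x00\x00":
            return data[6:]
        pos += 2 + length
    return None

def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS tags, or None if absent."""
    tiff = extract_exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    end = "<" if tiff[:2] == b"II" else ">"            # byte order from the TIFF header
    (ifd0_off,) = struct.unpack_from(end + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, end, ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", _field_data(tiff, end, ifd0[TAG_GPS_IFD]))
    gps = _read_ifd(tiff, end, gps_off)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None                                     # partial GPS block, e.g. timestamp only
    ref = lambda tag: _field_data(tiff, end, gps[tag]).rstrip(b"\x00").decode("ascii")
    def rationals(tag):
        vals = struct.unpack(end + "6I", _field_data(tiff, end, gps[tag]))
        return list(zip(vals[0::2], vals[1::2]))
    return (_dms_to_decimal(rationals(GPS_LAT), ref(GPS_LAT_REF)),
            _dms_to_decimal(rationals(GPS_LON), ref(GPS_LON_REF)))

def to_kml(placemarks):
    """Render [(name, lat, lon)] as a minimal KML document (KML orders coordinates lon,lat)."""
    body = "".join(f"<Placemark><name>{name}</name><Point><coordinates>{lon:.6f},{lat:.6f},0"
                   "</coordinates></Point></Placemark>" for name, lat, lon in placemarks)
    return ('<?xml version="1.0" encoding="UTF-8"?><kml xmlns="http://www.opengis.net/kml/2.2">'
            "<Document>" + body + "</Document></kml>")

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a header-only JPEG carrying a little-endian Exif GPS IFD."""
    rat = lambda seq: b"".join(struct.pack("<II", n, d) for n, d in seq)
    entry = lambda tag, ftype, n, value: struct.pack("<HHI", tag, ftype, n) + value
    # TIFF layout: header 0-8, IFD0 8-26, GPS IFD 26-80, latitude 80-104, longitude 104-128
    ifd0 = struct.pack("<H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 26)) + b"\0" * 4
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0" * 3)
           + entry(GPS_LAT, 5, 3, struct.pack("<I", 80))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0" * 3)
           + entry(GPS_LON, 5, 3, struct.pack("<I", 104)) + b"\0" * 4)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# Constructed sample: 37 deg 49' 11.4" N, 122 deg 28' 43.2" W (made up, not from a real photo)
SAMPLE = build_sample_jpeg([(37, 1), (49, 1), (114, 10)], "N", [(122, 1), (28, 1), (432, 10)], "W")

if __name__ == "__main__":
    coords = gps_from_jpeg(SAMPLE)
    print(coords, to_kml([("IMG_0001.JPG", *coords)]))
```

Running it on real pictures (read the file bytes and pass them to `gps_from_jpeg`) is a quick way to spot-check a suite's map plot for one or two items, which is how the "validated with a different suite" step above plays out for geolocation. Pictures with no Exif segment, a big-endian header, or only a partial GPS block (a timestamp but no latitude/longitude) come back as `None` rather than a bogus 0,0 placemark, which is the failure mode to watch for when a tool plots "every picture with GPS data".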

Figure 8: Mapping pictures

Figure 9: Mapping pictures

More neat things

Any forensic suite will have more features than a review can do justice to (that's the reason manuals are hundreds of pages long…). But to give a mention to some of the things that I found unique: there are a few good features such as a viewer for the registry (of course, all tools should have this!), but it also has a SQLite viewer and a Plist viewer, both of which will be regularly used features. Other neat things are cryptocurrency analysis, smartphone analysis, cloud acquisition, a timeline tab, a connection graph, and an incident investigation function, all of which deserve a second look.

I do appreciate that BEC is easy to install and run, without needing extensive hardware beyond what most examiners already have for workstations.

The basic things

You can bookmark files, copy the files out of the case, look at the files in hex view, and add files to a report that can be output to a number of formats (csv, pdf, txt, xlsx, docx, and more). All of these functions work as you would expect in BEC, much like in any of the competitive suites.

My negatives

Not actually a negative for BEC, but there is less granularity than I expected. For example, the Search data function in BEC is very easy to use, but lacks the granularity that I prefer to have in a search. However, for BEC, the search function works as an easy method to match the overall ease of use. Regular expression search is nice to have (Figure 10).

BEC does provide for user customization by allowing you to edit file carver signatures and use “Belkascripts”.

Figure 10: Search data

The price

The price for BEC is toward the lower end of the digital forensic suites pricing spectrum. Not the lowest price, but far from the most expensive tools. For the price and capabilities, BEC is a good value for the money.

Bottom line

Here is one method that I use for most every case: I run a tool across everything to pull out what I am looking for, and then deep dive into the data. I also run a tool across the same data that does everything for me, much like Belkasoft Evidence Center. The odds of missing an important evidence item are much lower this way, as it is easy to miss something if you only look at the hex level, and easy to miss something if you only look at a high level.

BEC does a really good job at running across data, putting everything into its own category, and creating an easy view of the entire case. There is some deep dive analysis use, and some user control, but the strength lies in the ease of laying out the data in a manner that practically anyone can see and understand. It does make things easy, and working a case is faster when the data is organized in this fashion.

I would also consider BEC an easy-to-start forensic suite for an introduction to forensics, and a tool that can also be used by the most experienced examiners.

More reviews:

For the “how-to” of using BEC, there are plenty of videos and articles online. You can even download a trial of BEC and give it a test run. I strongly suggest a trial of Belkasoft Evidence Center, just to see for yourself.

[REVIEW] Belkasoft Evidence Center https://fwhibbit.es/en/review-belkasoft-evidence-center

Belkasoft YouTube channel https://www.youtube.com/channel/UCCC9kAGh2SNQEyvGgr9Kyzw/videos

Belkasoft Articles https://belkasoft.com/articles

Want a chance to win a license for Belkasoft Evidence Center?


I’m drawing a winner on Tuesday, August 13, 2019. To enter, submit your name and email at the link below. Be sure that you use an email that you will check regularly (and check your spam on Monday, August 12) because if the first winner doesn’t answer up, it will be the runner up that gets the license!

Enter the drawing


Written by: Brett Shavers
