"Belkasoft Evidence Center makes it easy for an investigator to search, analyze, store and share digital evidence found inside computer and mobile devices. The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will automatically analyze the data source and lay out the most forensically important artifacts for investigator to review, examine more closely or add to report."
Mobile and Computer Acquisition. The product allows you to acquire data from a computer, a laptop or a mobile device. Hard and removable drives are acquired into DD and E01 formats with optional hash calculation and verification. For mobile devices running iOS, BEC acquires an iTunes backup; for Android devices there are multiple formats: standard ADB or agent-based backup, EDL and physical backup for rooted devices.
Mobile and Computer Device Examination. Supporting all major desktop and mobile operating systems, Belkasoft Evidence Center is suitable for mobile and computer forensics. It can parse real and logical drives and drive images, virtual machines, mobile device backups, UFED and OFB images, JTAG and chip-off dumps.
Smart and Comprehensive Analysis. The product looks everywhere on the device completely automatically and can successfully identify over 1000 types of digital artifacts. The convenient Evidence Search feature helps to narrow down the findings using filters, pre-defined search, or other options.
Powerful Carving. Data carving allows you to locate evidence that was deleted, destroyed, or never stored on the hard drive at all (page file, hibernation file, RAM contents). Custom carving is supported as well, including support for Scalpel and FTK sets. In addition, an advanced carving mode called BelkaCarving™ is available, making it possible to reconstruct fragmented chunks into contiguous pieces of information that would otherwise not be accessible at all.
Native SQLite Parsing. Recovers corrupted and incomplete SQLite databases, restores deleted records and cleared history files. Processes freelists, write-ahead logs and journal files, and SQLite unallocated space.
Live RAM Analysis. Evidence Center can extract potentially crucial information from volatile memory, such as in-private browsing and cleared browser histories, online chats and social networks, cloud service usage history, and much more. Belkasoft Live RAM Capturer is a powerful tool for creating memory dumps, and it is complimentary.
Remote Acquisition. The Remote Acquisition module allows you to perform acquisition of various data sources from remote locations. Available data source types include hard or removable drives, RAM memory&
Belkasoft Evidence Center lives up to its tagline of “forensics made easier”. For a near complete automated case work, it works. An intuitive interface and automated processes make processing practically user-error free.
I took Belkasoft Evidence Center (BEC) for a test drive, ran it across several images, and validated what I saw with a different forensic suite. Everything that I tested worked. Plus, it did a few things that my other tools do not.
At this point of digital forensics software development, especially with name-brand companies such as Belkasoft, I am not going to get into the things that every forensic suite should be able to do, such as adding images, imaging, data carving, or creating bookmarks of items, unless there is something substantially different. If a tool cannot do the basics, then I don’t want to touch that tool or let it touch my evidence.
With that, this is my opinion of the Belkasoft Evidence Center, which is not an instruction manual, but rather the cool things that I like, and the differences from other tools that I see. Negatives? Of course, because no one tool will ever satisfy me as no single tool does everything exactly the way that I (as in, just me) like it.
Overall, I like it.
Top 4 positive bullet points of my test run:
1-Easy to set up
2-Processes data quickly
4-Gives a clear visual of the evidence
I’ll get into negatives later.
What’s different (or easier)
Top 4 things that caught my attention:
2-Live RAM processing and memory carving
3-VSC support (and snapshots are in the same place as the current drive state)