Belkasoft
Web: http://belkasoft.com
Email: [email protected]
Belkasoft Evidence Center 2014 Help
Contents
Belkasoft Evidence Center 2014 at a glance
Major features of Belkasoft Evidence Center
Product versions and editions
Recommended hardware
Installing Evidence Center 2014
Installing Belkasoft Evidence Center Enterprise
Quick start
Forensically sound software
Running the product
Logging in (Enterprise only)
Case Management
Opening a case
Managing cases
Product windows
    Case Explorer
    Case, data source, profile and bookmark properties
    Item List
    Item Properties
    Task Manager
    Search Results
    SQLite Viewer
    Registry Viewer
    Graphical Timeline
    Grid (Textual) Timeline
    Picture and Document Viewer
    Hex Viewer
    Web Browser
Searching for evidence
Extracting evidence
Extracting QQ 2009-2013 history
    Option 1
    How to test option 1?
    Option 2
    How to test option 2?
    Option 3
Searching for keyword
Bookmarking
Creating reports
Advanced report options
Export to Evidence Reader
Carving and Live RAM analysis
    What is Carving
    How to Start Carving
BelkaCarving™
Analyzing hibernation and page files
Analyzing mobile devices
Analyzing documents
Registry "low hanging fruits" analysis
Analyzing system files
Analyzing SQLite databases
Resolving MSN name
User management (Enterprise only)
Network traffic analyzer
Detecting encrypted files
Information extracted from Web browsers
Browser passwords
Hash calculation
Encoding
Timestamps
Time zones
Sorting
Picture-specific analysis
    Detecting faces
    Detecting text
    Detecting pornography
    Detecting altered photos
Removing incorrectly detected faces
Storing pictures and documents in database
Picture-specific operations
Copying files to a folder
Copying embedded files and attachments to folder
Filters
Managing filters
Editing filter properties
Video-specific analysis
Error window
Options
    General options
    Picture options
    Video options
    Changing CaseData folder
Mounting disk or mobile device images
Checking updates
Available features
Demo mode limitations
Registering product
    Hardware ID
    After the purchase
License types
    Why choose floating?
Belkasoft Evidence Center 2014 at a glance
Belkasoft Evidence Center is Belkasoft’s flagship digital forensic suite. The product makes it easy for an investigator to search, analyze and share digital evidence located on desktop and laptop computers, in forensic images, volatile memory, virtual machines and mobile devices. Evidence Center enables full-text search among hundreds of evidence types and offers a fully visual timeline, allowing investigators to analyze all user and system activities occurring over a certain period of time.
Belkasoft Evidence Center is designed to collect as many types of evidence as possible in a forensically
sound way. Supported evidence types include office documents, email client mailboxes, mobile device
applications and usage history, system and registry files, picture and video files, SQLite databases, social
networking communications, instant messenger histories, Internet browsing sessions, webmail, P2P
application data, cloud applications, MMORPG chats, encrypted files, and so on.
The product is a part of Belkasoft Acquisition & Analysis Suite family. It can be purchased standalone or
as a part of the suite.
Major features of Belkasoft Evidence Center
Besides many others, the product offers the following forensically important features:
• Office documents, including Microsoft Office, OpenOffice, PDF and RTF files: plain text, metadata and embedded objects are extracted and analyzed.
• Mobile device backups and UFED images for Android, iPhone, iPad and Blackberry are analyzed for calls, SMS/iMessages and data collected from multiple mobile applications.
• All major email clients are supported, including Outlook, Outlook Express, Mozilla Thunderbird, Windows Live Mail, The Bat etc.
• Picture and video files are scanned and analyzed for EXIF data, pornography, faces, scanned text and signs of image alteration/modification. More than 90 image formats are supported, including many RAW camera formats.
• All major Web browsers are supported, including all versions of IE, Mozilla Firefox, Chrome, Opera, Safari etc.
• All major instant messengers are supported, including Skype, MSN, Yahoo Messenger, ICQ and many more. Over 80 messenger applications for Windows, Mac OS X and Linux are supported.
• More than 150 types of encrypted files can be identified.
• System files such as Windows Event Logs, thumbnails, thumb cache, registries and jumplists are supported.
• Full-text search through all types of collected evidence.
• Native support for SQLite databases allows recovering badly damaged and partially overwritten databases.
• The proprietary SQLite Viewer helps to view SQLite databases without third-party applications.
• SQLite freelist, WAL and journal file analysis extracts destroyed evidence and displays deleted information such as deleted iPhone SMS messages and cleaned Skype chats.
• Native support for Windows registry files allows recovering badly damaged and partially overwritten registries.
• The proprietary Registry Viewer helps to view Windows registries without third-party applications.
• Deleted history retrieval (carving) is supported in allocated, unallocated or entire disk space.
• Live memory (volatile RAM) analysis enables the extraction of social networking remnants (e.g. Facebook, Twitter), Web-based emails (e.g. Gmail, Hotmail), cloud application data (e.g. Dropbox, Flickr) and so on.
• Refined BelkaCarving™ analysis thoroughly defragments Live RAM dumps for accurate results.
• Text-based and fully visual versions of the timeline provide the ability to display and filter all user activities and system events in a single aggregated view.
• Reports in text, HTML, XML, CSV, PDF, RTF, EML, Excel and Word formats with powerful reporting components.
• The free Evidence Reader tool allows sharing your findings with colleagues with or without Belkasoft Evidence Center installed.
• EnCase (e01 and ex01), AFF, X-Ways, SMART, UFED and DD images can be mounted, including Windows, Mac OS X and Linux drives, Android phones as well as VMWare and Virtual PC files.
• Guidance Software approved EnCase v.7 integration via a free downloadable script is available, allowing data to be imported from Belkasoft back into EnCase.
• Huge cases (e.g. containing several 10Gb mailboxes) are supported.
Product versions and editions
The product exists in the following versions:
• Standalone. This is a single-user version; it should be installed on a computer or laptop.
• Portable. This version is also single-user, but can be run from a thumb drive.
• Enterprise. This is a multi-user version, supporting collaborative work of multiple investigators. It should be installed on a server and a number of client machines.
The following editions are available for the Standalone version:
• Chat Analyzer
• Chat & Social Analyzer
• Professional
• Ultimate
See also:
Comparison chart for products and editions
Product brochure
A demo version and sample histories
Online user’s manual
Recommended hardware
If you plan to work with small or medium sized cases, or deal with chats or Web browsers only, and if the amount of extracted data is relatively small, you can use your regular workstation to work with the product. There are no special hardware requirements. The software has been tested on regular computers, and it can handle cases of up to 10G of extracted evidence.
If you plan to work with large cases, or if you are using the Enterprise version, we recommend upgrading the hardware to match or exceed the following specifications:
• The more RAM, the better. We recommend at least 4 GB of RAM.
• Fast CPU. A multi-core processor or a multi-processor PC is recommended.
• A dedicated SSD drive is preferred for SQL Server (or a fully dedicated physical hard drive).
Installing Evidence Center 2014
To install Belkasoft Evidence Center, unpack the archive you have downloaded from the Belkasoft site,
and run the executable file. The installation wizard will guide you through the installation steps.
Make sure that the verified publisher name is Belkasoft OOO and answer Yes to the User Access Control
question:
Case Management
The following sub-section only applies to you if your Belkasoft Evidence Center comes with the Case
Management component. Otherwise, your setup is now complete, and you may proceed to using the
product.
Requirements
Although the installation package will try to do everything automatically, some steps may not be
permitted in some circumstances, depending on a computer and operating system configuration. In this
case, you will have to make sure that the following prerequisites are met:
http://belkasoft.com/bec/en/Evidence_Center_Installation.asp
Installing Case Management
If your version of Belkasoft Evidence Center comes with Case Management support, you can opt to install either an SQLite or a Microsoft SQL Server database. While Microsoft SQL Server can contain more data and is generally more powerful, it is a much more complicated database to install and to maintain.
After accepting the license agreement and selecting the proper installation folder, you will be prompted to install a database. There are two options currently available:
• SQLite database: the easiest to install (recommended, no tuning required)
• MS SQL Server: select for huge cases and in case you are installing the Enterprise version of the product.
Select the setup that matches yours to find out how to install the SQL Server database:
• Internet connection, no SQL Server installed
• Internet connection, non-English Windows
• NO Internet connection and NO SQL Server installed
• SQL Server already installed
• You are planning to work with huge cases (larger than 10Gb)
If you have any problems with the automatic installation of the SQL Server database, inspect its installation log file, which is placed under your user folder at C:\Users\YOUR NAME HERE\AppData\Local\Temp\SqlSetup.log (for subsequent installations it will be C:\Users\YOUR NAME\AppData\Local\Temp\SqlSetup_1.log).
If you need assistance installing and using the product, please email [email protected], and we will be happy to assist you.
Creating an SQL Server Database
On this page you will be prompted to select a database instance to work with.
Click Next. If you selected MS SQL Server, the following screen will appear. Select any available instance
from those shown in the list and click Install.
The product will create a database named "Case" in your selected instance. The product will be
configured to work with that particular instance and that particular database.
Installing Belkasoft Evidence Center Enterprise
The installation of the Enterprise version is similar to the installation of standalone version, with only a
few minor differences.
At the beginning of the installation, you will be asked to choose whether to install the Server or the
Client part of the product:
The Client part will not install a local MS SQL Server database, but will install some SQL Server libraries
for the product to connect to the Server. Therefore, if you are installing to a computer without Internet
access, you will have to put the same Microsoft installation files into the installation folder as described
at http://belkasoft.com/bec/en/Evidence_Center_Installation.asp, except for the SQL Server installation
file.
On the database configuration screen, you will be prompted to select a SQL Server instance available in
your local network. Choose the instance that you installed during the Server installation (for this reason
we recommend installing the Server beforehand).
If you are installing the Client first, you will have to manually write the computer and instance name in
the instance text box as shown in the following picture:
You can install both Client and the Server onto the same machine; note, however, you will need a
separate license for this client (Server license will not work for the Client installation even if the Client is
on the same machine).
Quick start
After installation, start working with the product in three simple steps:
• Create a new case.
• Search for data inside the product's sample histories folder at C:\Program Files (x86)\Belkasoft Evidence Center\samples.
• See what the product extracts for you.
Forensically sound software
Belkasoft is doing its best to create a product that follows the rules of a forensic investigation.
• The software never attempts to write to the media being investigated. It is fully compatible with write-blocking devices and image files.
• To make sure that the data being investigated is not changed, hashes are calculated for every profile added to a case. You can compare the original profile hash value with the current one at any time.
• The software does not ask you for any passwords or other profile owner's data. All extraction and decryption is performed without knowing the user's original credentials.
• The software works under the investigator's account on the investigator's machine and does not require any of the client applications used by the suspect being investigated. For example, it is not required to have Microsoft Outlook installed to retrieve Outlook history.
• The software never connects to the Internet and remains fully operational on offline computers. There are only a few documented exceptions to this rule, namely:
  o When the software starts, Windows automatically checks its code-signing certificate and tries to make a standard OCSP call to detect whether the X.509 certificate is revoked. This is done by Windows, not by the software, and is caused by the fact that the software is signed with a known publisher's certificate. If you block this connection, nothing will go wrong.
  o QQ 2009-2013 chats extraction.
  o Showing photos on Google Maps.
  o Checks for updates, which are only performed at your explicit request.
• The extraction results are 100% repeatable. You always have the option to re-extract data to make sure the results are absolutely the same.
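The profile hashing described above, as an added example (not Belkasoft's own code): every file of a profile is hashed when it enters the case, the manifest is stored, and a later re-check reports what changed, disappeared or appeared. The function names and the sample profile folder are constructed for illustration.

```python
"""Profile-integrity check: hash every file on acquisition, re-verify later.
Added example, not Belkasoft code; function names and sample data are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so multi-GB mailboxes need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(profile_root: Path) -> dict:
    """Map each file under the profile (relative POSIX path) to its SHA-256.
    Paths are relative so the manifest stays valid if the case folder moves."""
    return {
        p.relative_to(profile_root).as_posix(): sha256_file(p)
        for p in sorted(profile_root.rglob("*"))
        if p.is_file()
    }


def verify_profile(profile_root: Path, original: dict) -> dict:
    """Compare the profile's current state against the stored manifest.
    Returns three sorted lists; all empty means the profile is intact."""
    current = build_manifest(profile_root)
    return {
        "changed": sorted(k for k in original if k in current and current[k] != original[k]),
        "missing": sorted(k for k in original if k not in current),
        "added": sorted(k for k in current if k not in original),
    }


def is_intact(report: dict) -> bool:
    return not any(report.values())


def demo_tamper_detection(tamper: bool = True) -> dict:
    """Constructed sample: a small messenger-like profile folder is hashed,
    the manifest round-trips through JSON (as a case database would store it),
    and optionally the folder is altered to show what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "profile"
        (root / "chat").mkdir(parents=True)
        (root / "main.db").write_bytes(b"constructed sqlite stand-in")
        (root / "chat" / "history.db").write_bytes(b"constructed history")
        (root / "config.xml").write_text("<config/>")
        manifest = json.loads(json.dumps(build_manifest(root)))
        if tamper:
            (root / "chat" / "history.db").write_bytes(b"constructed history EDITED")
            (root / "config.xml").unlink()
            (root / "extra.log").write_text("file that was not there at acquisition")
        return verify_profile(root, manifest)


if __name__ == "__main__":
    print(demo_tamper_detection(tamper=False))  # all three lists empty
    print(demo_tamper_detection())              # one changed, one missing, one added
```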
Running the product
Select the product from the Start menu folder where you have chosen to install it.
When prompted by Windows User Access Control for permission to run the product, accept to continue.
The first screen for Standalone version of the product will be the Open Case screen.
The first screen for the Enterprise version will be the Login screen. To log in to the Server for the first time, use the caseadmin user with the same password (caseadmin). In the User Management window that opens when you are logged in to a server, you should create users who will then be able to log in from client computers.
If you are not the one who installed the server, you will be logging in as a client. If this is the case, use
the login and password information supplied by the person who administrated the server installation.
Logging in (Enterprise only)
When you run the product, it will ask you for your credentials in order to secure the data. You should
have a relevant user name and password in order to access case data. You will see only those cases that
you are granted access to.
Enter your user name and password and click OK.
The default credentials are: user – caseadmin, password – caseadmin.
Case Management
Case Management is an optional module, which enables you to:
• Reliably store all information in a database (SQLite or Microsoft SQL Server, at your choice)
• Group evidence by cases
• Work with multiple cases at a time
• Work with extracted data sets totaling more than 2Gb
• Delete older cases when you do not need them
If you do not have the Case Management module, all data you extracted during the current session will be lost when you close the product, and will not be available on the next product run. Before exiting the tool, you have to generate a report to avoid extracting the same data again, or select the Export to Evidence Reader option of the main menu. With Case Management, this is no longer an issue.
Case Management is strongly recommended for users who have to review evidence multiple times, store evidence for longer periods, or work on cases with more than 2Gb of data.
Opening a case
If you have Case Management module you should select a case to work with once the product is started.
Standalone version: In the Open Case window, you will see all cases existing in the database.
Enterprise version: In the Open Case window, you will see only the cases you have access to.
You can either open an existing case or create a new one. If you click Cancel, the product will exit.
If you would like the product to open the last case you worked with, select "Always open last case and do not show this dialog" at the Open Case screen.
To create a case, click the New button. The following window will appear:
In this window you can assign a name to the case, type your name into the "Investigator" field, and
assign a description. Important: make sure you specify the correct default time zone for the case.
Certain applications store date/time stamps in local time, while other applications store this data in UTC.
It is vital to know the local time zone to align all events. You can override this setting for a specific data
source or a profile. You can also modify case time zone later.
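The alignment problem described above, as an added example that is not part of the original manual: timestamps that an application stored in UTC are left alone, timestamps stored in local time get the case time zone (or a per-data-source override) applied, and everything is sorted on one UTC axis. The event records, the UTC+3 suspect machine and the function names are constructed assumptions.

```python
"""Aligning events whose sources store timestamps differently.
Added example, not Belkasoft code; events, offsets and names are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed events: (source, timestamp exactly as the application stored it,
# True if the application stored UTC, False if it stored local wall-clock time)
EVENTS = [
    ("Skype chat", "2014-03-10 15:02:00", True),
    ("Browser history", "2014-03-10 18:30:00", False),
    ("Outlook mail", "2014-03-10 16:45:00", True),
    ("Event log", "2014-03-10 19:10:00", False),
]


def align_to_utc(events, case_tz, overrides=None):
    """Return (utc_datetime, source) pairs sorted chronologically.

    case_tz is the case default time zone (a tzinfo). overrides maps a source
    name to a tzinfo for data sources whose machine ran in a different zone,
    mirroring the per-data-source override the manual describes. UTC-stored
    timestamps are never shifted; only local-time ones get a zone applied."""
    overrides = overrides or {}
    aligned = []
    for source, raw, stored_in_utc in events:
        naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
        tz = timezone.utc if stored_in_utc else overrides.get(source, case_tz)
        aligned.append((naive.replace(tzinfo=tz).astimezone(timezone.utc), source))
    return sorted(aligned)


def source_order(events, case_tz, overrides=None):
    """Just the source names in timeline order, to compare scenarios."""
    return [source for _, source in align_to_utc(events, case_tz, overrides)]


if __name__ == "__main__":
    suspect_tz = timezone(timedelta(hours=3))  # constructed: machine ran at UTC+3
    # Correct case time zone: the browser visit (15:30Z) precedes the mail (16:45Z).
    print(source_order(EVENTS, suspect_tz))
    # Wrong case time zone (UTC assumed): local-time events land three hours late.
    print(source_order(EVENTS, timezone.utc))
    # Event log taken from a second machine at UTC+1, overriding the case default.
    print(source_order(EVENTS, suspect_tz, {"Event log": timezone(timedelta(hours=1))}))
```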
If you want to change the case you are working with, you can click Open Case on the product toolbar:
You can also click New Case to create a new blank case.
Managing cases
If you have the Case Management module, you can manage cases using the Open Case window. In this window you can:
• Create a new case by clicking the New button
• Rename a selected case by clicking the Rename button, pressing F2 or clicking on the selected item a second time
• Delete one or several selected cases
Note that you cannot delete a case that you are currently working with. It is possible to delete all cases at the time the product starts up and before opening any case.
Enterprise: You cannot delete a case if a different user is working with it (e.g. if data extraction is being performed within that case).
The Delete button will be disabled for cases that cannot be deleted at the moment.
Product windows
When you open a case, the main window is shown. The main window consists of several parts. All child
windows of the main window are highly customizable. You can move them around, show or hide them,
dock them to any part of the screen, arrange in any order, group with other windows, or make them
auto-hidden or floating.
Belkasoft Evidence Center supports multiple display configurations. If you have a computer with
multiple displays, it is possible to create one or more product windows on other monitors, thus making
it easier to work with large amounts of data.
Docking hints: You can dock a window anywhere within the product interface.
Floating windows: you can make any part of user interface floating; particularly, it is possible to place
the Item List to another monitor.
Case Explorer
Case Explorer displays the contents of the case. It organizes case information in the form of a tree. The top-level node represents the case itself. Under the case node, there are subnodes for data sources. A data source corresponds to a single drive, drive image, memory dump, phone or other mobile device dump, virtual machine file, or a folder. Each data source contains evidence type subnodes; e.g. all Instant Messenger-related information will be grouped under a case subnode called Instant Messengers.
Evidence types currently supported are:
• Browsers
• Carved data
• Encrypted files
• Instant messengers
• Mailboxes
• Mobile device backups
• Network traffic
• Office documents
• Pictures
• Registry files
• SQLite databases
• System files
• Videos
One special subnode is called Bookmarks and contains all items you find interesting. See "Bookmarking"
for more details. Another special subnode is Timeline, containing all events within your case.
Under evidence type nodes there are profile nodes. A "profile" is a piece of information specific to a
certain user and a certain program. For example, an Outlook profile is a .PST file containing one of the
user's mailboxes. A Skype profile is a folder with some Skype files inside, and so on.
There are filters available to display pictures, videos, documents, applications for mobile backups and so
on.
Profile nodes may contain child subnodes that are specific to a certain type of history. For example,
instant messenger profiles contain contacts ("friends" of the owner of that profile); email profiles
contain mail folders belonging to the mailbox of the profile; picture, video and document profiles
contain filters, and so on.
You can run all operations with the case by selecting a node and selecting items from the main menu,
context menu or the toolbar. Some of the available operations are:
• Extract data
• Create report
• Search profiles
• Carve device
• Search keyword
• Delete profile
The following operations are specific to Email profiles only:
• Copy attachments to folder (copies all attachments from all emails to a single folder, taking care
of same-named files by renaming them so that they won't be overwritten)
The following operations are specific to Document profiles only:
• Copy files to folder (copies all documents found inside a data source to a single folder, easing
further review with a third-party tool)
• Copy embedded files to folder (copies all files embedded into all found documents, such as
pictures, easing further review with a third-party tool)
• Filters (helps to filter found documents using various criteria, such as metadata)
The following operations are specific to Picture and Video profiles only:
• Analyze pictures (analyzes pictures or video keyframes for porn, faces, text, forgery)
• Copy files to folders (copies all found pictures to a single folder, easing further review with a
third-party tool; not available for videos)
• Filters (helps to filter found pictures or videos using various criteria, such as EXIF metadata)
The following operations are specific to Encrypted files only:
• Decrypt (decrypts all found encrypted files; available only if you have Passware Kit Forensic
installed)
The following operations are specific to Mobile device backups only:
• Unpack backup (unpacks all files from a backup to a folder; available for iPhone/iPad only)
The following operations are specific to Instant Messenger and Network Traffic profiles only:
• Select encoding for a profile (chooses another encoding for chats, other than the messenger default)
• Hide/Unhide contacts without history
• Sort contacts by various criteria
• Copy contact UIN or SN
Case, data source, profile and bookmark properties
The Properties window shows the properties of an item, selected in the Case Explorer. This window is
displayed for a case, data source, profiles and bookmarks.
For a case and a bookmark you can edit name and description. For a profile you can edit name and
comments. For a case, a profile and a data source you can edit time zone. This is particularly useful,
when you have several data sources from different time zones, for example, a hard drive from one
suspect from USA and a phone image from another suspect from Europe.
After you change any of these fields, the changes will be saved automatically when you select any
other field or node in the Case Explorer.
Data sources have additional properties. If a data source is a hard drive, logical drive or drive image, its
partitions and file systems are shown on the properties page:
Item List
The Item List window displays the list of items belonging to a node selected in the Case Explorer. Item
lists are shown for all browser data such as sites, cookies, passwords, etc., mail folders of mailbox
profiles, picture and video profiles, Instant Messenger contacts, bookmarks, etc. The nodes may be
named differently for various sources. For example, for instant messengers the node is called "Message
List", picture node is called "Picture List", and so on.
By selecting an item in the item list, you can inspect the item properties in the Item Properties window. You
can also copy item text or bookmark it, create a report for all or selected items and do some other
actions specific to a particular evidence type (e.g. show selected pictures that have GPS
coordinates on Google Maps).
Item List supports sorting in ascending and descending order. It remembers the last applied sorting
mode.
The list allows you to change column widths and remembers your last preferences.
Chat messages, sorted by text alphabetically
When you select a picture, video or document profile, the item list shows previews of profile items rather
than a table view:
You can sort items by selecting a criterion inside Sort by dropdown box:
It is possible to change thumbnail size by using the slider control to the right of Sort by.
You can select multiple items inside both types of lists using Shift or Control keys along with cursor keys.
To select all items, press Ctrl-A combination.
Item Properties
The Item Properties window allows you to inspect selected item properties in case there is only one
item selected.
The Item text tab displays the current item's text. If you wish to copy this text, select any part of the text
with the mouse and press Ctrl-C. To select the whole text, press Ctrl-A.
The Properties tab displays all available details about the item. You can copy values from this tab using
context menu items.
Task Manager
The Task Manager window displays the status of tasks run by the investigator such as searching profiles,
extracting or exporting history, searching in history, deleting a profile, and so on.
Task Manager allows stopping selected tasks by clicking Cancel task button. You can stop all currently
running tasks by clicking Cancel all button. You can see the log of completed tasks by clicking View task
log button or double-clicking on any task inside the task list. You can cancel multiple tasks and open log
files for multiple tasks using multiple selection (use Shift or Ctrl while selecting items with the mouse or
keyboard). After canceling a task, wait a few seconds until it terminates.
The Task Manager has the following tabs:
• Running. Here you can see all tasks currently performed by the product.
• Scheduled. This page contains all tasks which are waiting to be executed. The product runs only
a limited number of tasks at a time, trying to make the most of the current hardware
configuration (e.g. number of CPUs and hyperthreading). This is done to speed up the
processing. While available CPUs are busy with running tasks, all other tasks are waiting in the
queue.
• Completed. All completed tasks are displayed in this page. You can filter these tasks by their
status by ticking checkboxes Success, Errors, Failed or Canceled.
Task Manager displays the following fields for a task:
• Name of the task (Task column)
• Task progress (% completed)
• Current task status (Status)
• Task start time (Time)
• Time elapsed since the task started (Elapsed)
You can adjust column widths in this window. Your preferences will be stored.
See also:
Extracting evidence
Search Results
The Search Results window shows you all items found during the latest search operation. This is a plain
list of all items matching the search criteria. The Search Results window displays:
• Icon for an item profile type (for example, Skype icon)
• Item text (Text column)
• Name of the field in which the search term was found (Field name column)
• Profile name
• Source (data source containing the profile where the search term was found)
By using the Search Results window, you can create a report from selected items or bookmark them. To do so, select
items of interest using the mouse and the Ctrl or Shift keyboard key and click on the corresponding context menu
item.
You can adjust column widths in this window. Your preferences will be saved. You can sort Search
Results by Field name, Profile name or Source columns ascending or descending by clicking on the
column header.
See also:
Creating reports
Bookmarking
SQLite Viewer
The SQLite Viewer window allows you to review SQLite databases. To inspect a database, you can do
one of the following:
• In Case Explorer select a profile which stores its data in an SQLite database. For example, when
you select a Skype profile, SQLite Viewer will be automatically populated with data from the
corresponding SQLite database for the selected Skype profile (main.db)
Skype profile is selected in Case Explorer, SQLite Viewer shows selected Skype database
• If you carved some data source and found some SQLite databases, they are displayed in
the SQLite Databases list under the Carved Data node in the Case Explorer. To inspect any of the carved SQLite
databases, select the SQLite Databases node in the Case Explorer and in the shown Data List select
a database of interest. The database will be shown in the SQLite Viewer.
• You can open an arbitrary SQLite database by clicking the Open button inside the SQLite
Viewer window and specifying a path to the database.
Current database textbox shows a path to SQLite database currently displayed. Open button allows
opening an arbitrary database. Table name dropdown box allows seeing all database tables and
selecting a table to review. At the bottom of SQLite Viewer you can see a number of records found
inside the selected table.
One of the major features of Belkasoft SQLite Viewer compared to non-forensic third-party SQLite viewers is its
ability to show special SQLite areas, for example, freelists, WAL and journal files. The freelist contains data
deleted by a user and is of course extremely important in a forensic investigation. Data from freelists are
highlighted with a red background:
SQLite databases use a transaction mechanism, and part of the data is stored in special rollback journal
(before SQLite v.3.7) or WAL (write-ahead log) files (after SQLite v.3.7). Before data go to the main
database file, they are temporarily stored inside the WAL, which means that this file may hold the most
recent version of the data. Thus it is very important to be able to review WAL contents. SQLite
Viewer automatically locates both types of journal files and combines data from the main SQLite database
file with data from these journal files. Such data are highlighted in cyan:
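To show what the freelist handling described above recovers, here is an added example (not Belkasoft's code) that walks a SQLite database's freelist and pulls printable strings out of the freed pages. It builds its own sample database with a constructed Messages table, and assumes the documented 100-byte SQLite header layout, the default rollback-journal mode (no WAL in play) and secure_delete switched off.

```python
"""Added example (not Belkasoft code): enumerate SQLite freelist pages and
recover printable strings from them, the deleted data a forensic viewer must show.

Assumes the SQLite file format: page size at header offset 16, first freelist
trunk page at 32, freelist page count at 36; each trunk page starts with a
next-trunk pointer and a leaf count followed by leaf page numbers (big-endian)."""
import os
import re
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"


def read_header(data):
    """Return (page_size, first_trunk_page, freelist_page_count) from the 100-byte header."""
    if data[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    first_trunk, count = struct.unpack(">II", data[32:40])
    return page_size, first_trunk, count


def freelist_pages(data):
    """Follow the trunk chain and return every freelist page number (trunks and leaves)."""
    page_size, trunk, _ = read_header(data)
    pages, seen = [], set()
    while trunk and trunk not in seen:  # 'seen' guards against a corrupted cyclic chain
        seen.add(trunk)
        off = (trunk - 1) * page_size
        next_trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        n_leaves = min(n_leaves, (page_size - 8) // 4)  # never read past the page
        leaves = struct.unpack(">%dI" % n_leaves, data[off + 8:off + 8 + 4 * n_leaves])
        pages.append(trunk)
        pages.extend(leaves)
        trunk = next_trunk
    return pages


def freelist_strings(data, min_len=12):
    """Printable ASCII runs inside freelist pages: residue of deleted rows."""
    page_size = read_header(data)[0]
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for page_no in freelist_pages(data):
        page = data[(page_no - 1) * page_size:page_no * page_size]
        found.extend(m.decode("ascii") for m in pattern.findall(page))
    return found


def build_sample_db(path):
    """Constructed sample: enough rows to span several pages, then delete them all.
    secure_delete is turned off so the freed pages keep their old content."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size=4096")
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE Messages(id INTEGER PRIMARY KEY, body TEXT)")
    rows = [("deleted chat message %03d " % i + "-" * 200,) for i in range(300)]
    con.executemany("INSERT INTO Messages(body) VALUES (?)", rows)
    con.commit()
    con.execute("DELETE FROM Messages")  # rows vanish from the table, pages land on the freelist
    con.commit()
    con.close()


def demo():
    """Build the sample, parse it and return what a viewer would present."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "main.db")
        build_sample_db(path)
        with open(path, "rb") as f:
            data = f.read()
    _, _, header_count = read_header(data)
    return {"header_count": header_count,
            "pages": freelist_pages(data),
            "strings": freelist_strings(data)}


if __name__ == "__main__":
    result = demo()
    print("freelist pages (header says %d):" % result["header_count"], result["pages"])
    print("recovered strings:", len(result["strings"]))
```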
Registry Viewer
The Registry Viewer window allows you to review Windows registry file contents. This viewer looks like
Microsoft's standard regedit tool, but has one major benefit, extremely important in the course of a forensic
investigation: Belkasoft Registry Viewer can show even badly damaged or overwritten registries. When
working with carved registries you will find almost all of them already corrupted. Such files will not be
shown by regedit, but will be shown perfectly by Belkasoft Registry Viewer:
See also:
Registry "low hanging fruits" analysis
Graphical Timeline
The Graphical Timeline window visualizes all events that happened inside a data source being investigated.
In a single graphical representation the product combines all browser events, chats, file times like
creation/modification/access times, system events (e.g. IP address assignment), email and EXIF times
and so on. All events are grouped by the following types:
• Browser events, for example, URL first and last visit, download start and finish time, cookie
expiration etc.
• Chat events, for example, chat message received or sent, SMS received or sent.
• File events, for example, file accessed, created or modified, picture stored (EXIF time) etc.
• Mail events, such as email sent or received.
• System events, for example, last login, last computer shutdown time, software installation time,
wireless network connection time etc.
• Unknown event, for all other event types.
Graphical timeline looks like the following:
On the picture above the zoom is 1 month, so each bar represents the number of events of a given type
that occurred within 1 month. You can zoom in or out using the buttons "+" and "–". The buttons "<<" and ">>"
show the very first or very last events in the case. The buttons "<" and ">" pan the timeline left or right.
You can also change the current zoom using the mouse wheel, or by clicking the left mouse button and dragging the
mouse to select the period of time to be zoomed:
Finally, button "<>" synchronizes current selection to the grid (textual) timeline. When you click this
button, the grid timeline will be filtered by currently selected period of time in the graphical timeline,
thus reflecting only events occurred within this period. By synchronizing graphical and grid timelines you
can narrow your search when looking for some unusual things, e.g. spikes in chat communications or
WiFi connections.
The grid timeline is synchronized with the graphical timeline automatically, so you can increase or
decrease amount of data inside the graphical timeline by filtering events in the grid timeline.
See also:
Grid timeline
Grid (Textual) Timeline
The Grid Timeline (or Textual Timeline or just Timeline) greatly improves Evidence Center usability by
displaying all user activities and system events in a single aggregated view. By using the timeline,
investigators can quickly glance at user activities over a certain time period or scrutinize a particular
period of time with ease.
The timeline window combines all events that happened inside a case being investigated in a grid view.
Example of events can be sending or receiving a message, creating or opening a file, cookie expiration
and so on. Note: a single data item may have a lot of various connected activities in the timeline. For
example, a Word document may have at least 3 timeline items: file created, file modified, file last
accessed. A picture can have similar events plus some dates from EXIF metadata (e.g. time digitized or
GPS coordinate issued). Thus, in total there are more items in the timeline than items in the case itself.
Every event in the system is reflected in a separate line in the timeline, including its date/time stamp, type of
event, data source, event type and description. Each event has both UTC and local time. One of these
times is calculated from the other using the time zone you specified when creating the case (or, if overridden, the
time zone of the data source or profile). For example, if a mail client stores the email sending time in UTC,
the local time shown inside the grid will be calculated from the stored time and the local time zone offset.
The timeline is based on the time zone specified for the case, its data sources and profiles. If an
application stored its date/time stamp in local time, the UTC time is calculated using the specified time
zone. If UTC time was used for some data, the local time column is populated with the calculated time,
based on that time zone.
The grid timeline looks like the following:
The first column displays an icon of an item type (e.g. chat, picture, URL, etc). Second and third columns
display local and UTC time. Fourth column shows a data source, where this or that event came from (for
example, a hard drive or mobile device). Fifth column displays event type, for example, file modification
time, cookie expiration time, last login time or time when a chat message is sent or received. Finally,
sixth column displays a text describing an item, for example, chat message, file path or email body.
By clicking on any column you can sort the grid by that column. Clicking on the same column
twice will change the order to the opposite (ascending to descending and vice versa).
A typical case will have too many items to review inside the timeline. That's why Evidence Center allows
filtering items by any column. To do so, click on the filter (funnel) icon at the column header and edit
filter value in the shown window:
You can filter by UTC or local time, by event type, data source and text. Filtering by Time allows you to
hide empty dates such as 1753, 0000, 1900 and other known "empty" dates.
You can combine these filters together to narrow your search. To see all events unfiltered again, click
on the Clear filter button inside the Create timeline filter window. When the timeline is filtered by some
column, the corresponding column's filter icon becomes green as on the picture above. The product
status bar shows a message like "516 item(s) found; Applied filter: Time (UTC) from 01.01.2000 to
31.12.2039, Some event types are not shown".
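The time-zone rule described above (profile, then data source, then case) and the empty-date filter are shown together in this added example (not Belkasoft's code), which builds grid rows with both a local and a UTC column. The data sources, profiles, events and fixed UTC offsets are constructed sample data; fixed offsets stand in for named zones so the example runs without a tz database.

```python
"""Added example (not Belkasoft code): grid-timeline rows with local and UTC
columns, resolving the zone as profile override > data source override > case
zone, and hiding well-known placeholder dates."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Years applications use as "no date" markers; the help lists 1753, 0000 and 1900.
# Python cannot represent year 0, so year 1 stands in for it here (assumption).
EMPTY_YEARS = {1, 1753, 1900}


@dataclass
class TimelineEvent:
    source: str          # data source the event came from
    profile: str         # profile inside that data source
    event_type: str      # e.g. "Mail sent", "Chat message received"
    stored: datetime     # naive timestamp exactly as the application stored it
    stored_in_utc: bool  # True if the application wrote UTC, False if local wall time
    text: str


def resolve_tz(case_tz, source_tz=None, profile_tz=None):
    """The most specific override wins: profile, then data source, then case."""
    return profile_tz or source_tz or case_tz


def local_and_utc(event, tz):
    """Derive the missing column from the stored one using the resolved zone."""
    if event.stored_in_utc:
        utc = event.stored.replace(tzinfo=timezone.utc)
        local = utc.astimezone(tz)
    else:
        local = event.stored.replace(tzinfo=tz)
        utc = local.astimezone(timezone.utc)
    return local, utc


def build_timeline(events, case_tz, source_tz=None, profile_tz=None, hide_empty_dates=True):
    """Return grid rows sorted by UTC time, one per event, skipping placeholder dates."""
    source_tz = source_tz or {}
    profile_tz = profile_tz or {}
    rows = []
    for ev in events:
        if hide_empty_dates and ev.stored.year in EMPTY_YEARS:
            continue
        tz = resolve_tz(case_tz, source_tz.get(ev.source), profile_tz.get(ev.profile))
        local, utc = local_and_utc(ev, tz)
        rows.append({"local": local, "utc": utc, "source": ev.source,
                     "event_type": ev.event_type, "text": ev.text})
    rows.sort(key=lambda r: r["utc"])
    return rows


def sample_timeline():
    """Constructed case: a US hard drive (case zone UTC-5) and a European phone image (UTC+1)."""
    case_tz = timezone(timedelta(hours=-5), "UTC-05:00")
    source_tz = {"Phone image": timezone(timedelta(hours=1), "UTC+01:00")}
    events = [
        TimelineEvent("Hard drive", "Outlook", "Mail sent",
                      datetime(2014, 3, 10, 14, 0), True, "Meeting moved"),
        TimelineEvent("Hard drive", "Skype", "Chat message received",
                      datetime(2014, 3, 10, 9, 30), False, "are you there?"),
        TimelineEvent("Phone image", "SMS", "SMS sent",
                      datetime(2014, 3, 10, 16, 0), False, "on my way"),
        TimelineEvent("Hard drive", "Documents", "File created",
                      datetime(1753, 1, 1, 0, 0), False, "C:\\Users\\x\\report.docx"),
    ]
    return build_timeline(events, case_tz, source_tz)


if __name__ == "__main__":
    for row in sample_timeline():
        print(row["local"].isoformat(), row["utc"].isoformat(),
              row["source"], row["event_type"], row["text"])
```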
The grid timeline is synchronized with the graphical timeline automatically. When you apply a new
filter (or clear filters) you can switch to the Graphical Timeline window and see how your filter affects
the totals there.
See also:
Graphical Timeline
Time zones
Timestamps
Searching for evidence
Picture and Document Viewer
The Picture Viewer window can show you a preview of a picture, video keyframe or document,
currently selected in the Item List. In order to see a full-size picture, document or keyframe, double click
on an item of interest. The following window will be open:
At the right you can review metadata of selected document or picture, such as EXIF properties or
document properties. If you selected a multi-page document, you can navigate through all pages of the
document using PgDown/PgUp keys or using mouse buttons or wheel:
Multi-page PDF document
Hex Viewer
The Hex Viewer window allows you to inspect binary data. Currently it works for carved data only. In
order to review binary carved data, select any carved item in Data List window and it will be shown
inside Hex Viewer window:
See also:
Carving and Live RAM analysis
Web Browser
If any pictures contain GPS properties (such as those taken with an iPhone), the Web Browser window
will map the pictures on Google Maps. In order to do so, select pictures of interest in Picture List, and
select the Show pictures on Google Maps item from the context menu:
In a few seconds, the product will display locations where these pictures were taken on Google Maps
within the Web Browser window:
If you hover the mouse over a pin (e.g. over the red "A" pin), the product will show you information
about the picture that was taken at that location.
Important Note: In order to function properly, this feature needs an active Internet connection. Without
an Internet connection, the feature will not work. In order to protect your data, you can configure your
firewall to allow the product access to http://maps.google.com only.
If you have an Internet connection, you can even explore Google Street View in order to see the place
where a photo was taken:
Another Note: If you do not have an Internet connection, you can use your connected machine to
download the Google Earth product. This tool does not require an Internet connection, so you can install it
onto your investigation machine and use the Show selected items on Google Earth item of the context menu.
Finally, you can save all locations of interest by selecting the Export selected items to Google Earth format
command of the context menu. Then you can review the resulting .kml file inside Google Earth on another
machine. No suspect’s data is placed in the .kml file, only coordinates.
See also:
Forensically sound software
Picture-specific operations
Searching for evidence
The product allows you to search for information in various places:
• Physical and logical drives
• Drive images
• Mobile phone and other mobile device images
• Memory dumps
• System files such as hibernation or page files
• SQLite databases
• Selected disk folders
To start searching, you can do one of the following:
• Press Ctrl-Shift-F
• Click Search Profiles on the toolbar
• Select Search Profiles from the Edit menu
• Select the Search Profiles... item from the context menu in Case Explorer
After that, the Search profiles window will appear. The first screen allows selecting a data source:
The following options are available:
• Selected folder. Use this option when you know for sure that the evidence is located in a certain
folder. This option is fast, and is perfect for work under time pressure. If this is the case, you can
quickly inspect a single folder containing user account information, which usually contains most
of the data.
• Logical drive and Physical drive. This option will engage a search through the entire hard drive
attached to your computer (including external drives and network devices).
• Drive image file. This option works with forensic drive images made with other forensic tools.
The following formats are supported:
o Atola images (.img).
o EnCase images (E01 or Ex01).
o FTK images (AFF, AFM, AFD).
o X-Ways containers.
o SMART images (S01).
o DD images.
At this time, Windows, Mac OS X, Android and *nix file systems are supported inside image files.
See "Mounting Images" for more information.
• Mobile device image. You can add Cellebrite's UFED physical dump containing Android device
information. The product also supports analysis of chip-off mobile device dumps.
• Virtual machine file. The product supports investigation of Virtual PC and VMWare files (.vmdk
and .vdi)
• Live RAM image file. Use this option to investigate a captured image of the computer’s volatile
memory set (RAM dump or memory dump), hibernation or page file.
The Add all found profiles option specifies whether to start data extraction immediately for all
identified profiles or to run the extraction manually afterwards. You can also opt to calculate hash values
for identified profiles. This operation takes additional time, so unselect this option if you are handling
hashes with other software or hardware.
When you click Next, you will be prompted to select what types of evidence to look for:
You can select everything by clicking the Select all button or specify particular types of histories; for
example, you can search for Registries and Outlook mailboxes.
When you click Next, you will be presented with another window asking which profiles to carve (please
refer to the "Carving" chapter for more details). This selection will not be used if you are analyzing a
folder (unless a hibernation file, page file or virtual machine file is found inside it), as it is not possible to
carve a folder.
Select types of evidence to carve and click Finish. The search will start.
Tuning the product for HFS/HFS+ and ext* file systems
If you are routinely investigating devices with Mac OS X or *nix file systems, please contact Belkasoft
support for additional instructions of how to increase scanning performance.
See also:
Log search folders option
Extracting evidence
The product allows you to extract various types of evidence from a data source, such as drive image or
mobile phone dump, without any prerequisites (with the single exception of QQ messenger 2009-2013).
You do not have to:
• know the password of a profile owner for applications asking for a password.
• be logged in as a profile owner.
• have a particular program for this or that data format installed (e.g. you do not have to have
Microsoft Office or Outlook to extract office files or emails)
• have write access to a drive containing the profile (the product works perfectly with write-blocking devices).
There are a number of options to extract the data:
• Automatically extract evidence by selecting Start extraction for found profiles when searching
for profiles.
• Select any profile and click Extract data from the toolbar, or select the Extract data item in a
profile's context menu in either Case Explorer or the Edit main menu.
• Select Extract data for all profiles from the context menu of the case, data source or evidence
type nodes in Case Explorer.
• Finally, you can re-extract data for profiles that are already processed (e.g. if the first extraction
attempt failed).
When you start the extraction, Task Manager will show you a separate extraction task for every profile.
When the extraction finishes, Task Manager will indicate extraction status and allow you to examine the
extraction log.
The status icon to the left of the profile in Case Explorer displays the current extraction status:
• Grey circle: data extraction has never been run for this profile.
• Green circle: data has been extracted without any errors.
• Red circle: fatal error preventing data extraction (no data extracted).
• Yellow circle: although there have been some errors during the data extraction, some history
profiles have been extracted and are available to review.
The main causes for not extracting data are:
• Some process has locked the data file. This frequently occurs when you test the product on a
live system, e.g. on an open Firefox profile, Outlook mailbox or Skype history. If so, close these
applications and try again.
• The file is corrupted.
• The file has been incorrectly determined to be a profile of a particular type, so an attempt to
analyze this file by using that format specification cannot succeed.
Configuration with Case Management: When data is successfully extracted, it is immediately stored in
the database. It is safe to close the product at this point.
Configuration without Case Management: When data is successfully extracted and you are about to
exit the product, you will be prompted to export data to Evidence Reader (if you haven't done so
before). Otherwise, information about extracted evidence will be lost.
You can re-extract data for profiles that were already processed. This comes in handy if a profile was
changed (typical for a live system or test profiles, since a suspect's profiles will never change). Please note
that after re-extraction all bookmarked items belonging to this profile will be removed from the
corresponding bookmarks.
Extracting QQ 2009-2013 history
QQ Messenger histories are unique. What sets QQ history apart from other history types is that the
extracting of QQ versions 2009-2013 requires additional information.
The latest versions of QQ messenger are very cryptic. Unlike many other messengers, QQ 2009-2013
make it impossible to extract any history if all you have is a history file.
The following list shows which items you must have to successfully extract QQ 2009-2013 history:
• The suspect’s hard drive where QQ was initially installed and where Windows was initially
installed, and access to the Internet;
or
• Result of Belkasoft's tool output, called QqDiagnostics, run at the suspect’s PC (live box analysis)
while it was connected to the Internet (the tool should be requested from Belkasoft);
or
• The original QQ profile password and Internet access.
It is impossible to extract QQ history unless you fulfill one of these prerequisites. In particular, you
cannot extract history without an active Internet connection, which is required on the investigator's PC
for options 1 and 3, or on the user's PC for option 2.
Finally, conversation extraction is possible if the user saved their password (i.e. ticked the “Remember
my password” checkbox) before you seized the computer in question, or if you know the user's
password. Please note that stored password data expires in some time after the user last logged in, so
even with “Remember my password” option you will not be able to recover history if the last login was
performed too long ago.
Option 1
You will need to indicate the following in the software:
• A drive letter for the Windows installation of the user's computer. For example, if you connected
the user's drive to your computer, and you now have drives M, N and O for this user's logical
drives, you probably should select drive M if M:\Windows exists there (or maybe N:\Windows or
O:\Windows)
• A drive letter for the QQ installation. Usually, this is the same drive as for the Windows installation, but
some users may install their QQ messenger to another drive
• The Registry.db file must exist next to Msg2.0.db
• A path to the user's registry (Software branch). This file is usually stored at a path like the
following: C:\Windows\System32\config\SOFTWARE. Do not forget: it is the user's registry, not
yours. If you use the drive letters above, it will probably be
M:\Windows\System32\config\SOFTWARE
When you have supplied all this data, the product will attempt to connect to the Internet. This is
required in order to connect to a QQ server. You will have to allow such a connection in your firewall or
antivirus tool. In order to protect your computer, you can restrict IP addresses to only QQ server
addresses. The full list of these IPs can be obtained from Belkasoft by request.
How to test option 1?
To test option 1, you have to create your own chat history as a sample history from another
computer (the testing will not work on your own PC). Do the following:
• Install the latest QQ, do some chats.
• Close QQ Messenger (otherwise it will lock the history).
• Copy your SOFTWARE registry hive file using HoboCopy, e.g.
hobocopy c:\windows\system32\config c:\Temp\Test software
where c:\Temp\Test is an existing folder
• Run our tool, locate the history and fill out the required fields described above, using a copy of
the original SOFTWARE file, as the original file is locked by Windows.
Option 2
You will need to enter a path to QqDiagnostics tool output while it is running on the source machine:
How to test option 2?
• Install the latest version of QQ at any machine, do some chats.
• Close QQ Messenger (otherwise it will lock the history) and copy Msg2.0.db to your main
machine.
• At the source machine, make sure the Internet is accessible and run the QqDiagnostics tool provided by
Belkasoft. Copy its output, named qq.dat, to your main machine.
• At your main machine run Belkasoft Evidence Center, locate the history file msg2.0.db and enter
a path to qq.dat when prompted.
Option 3
For option 3, all you need is the user's Msg2.0.db file, the user's password and a connection to the Internet:
When you have supplied all this data, the product will attempt to connect to the Internet. This is
required in order to connect to a QQ server. You will have to allow such a connection in your firewall or
antivirus tool. In order to protect your computer, you can restrict IP addresses to only QQ server
addresses. The full list of these IPs can be obtained from Belkasoft by request.
If everything is set up correctly, the product will be able to decrypt the history.
Searching for keyword
The product allows you to perform various types of search within the case data. To start the search, you
can press Ctrl-F, click Search toolbar button, choose Search… item of Edit main menu or Case Explorer
context menu.
Once you have done that, the Search data window will appear.
The following search options are available:
• Looking for a word or phrase. Choose this option to find all data containing a certain word or
phrase. The search disregards spaces and looks for substrings, meaning that if you search for the
word "the", the word "there" will also be found. The search is not case sensitive.
• Looking for words from a file. Choose this option when you have a reference file listing all words
of interest. Having a reference file saves a lot of time with thousands of "suspicious" words. Using
a reference file allows performing a single search instead of doing a thousand searches for each
particular suspicious word.
• Looking for a regular expression. Regular expressions are a powerful means for performing
complicated searches. Choose this option when you do not know exactly what you are looking
for, for example, while searching for emails or credit cards when you do not yet know an exact
address or a card number. You can use regular expressions to fulfill the task: enter
"\d{4}-\d{4}-\d{4}-\d{4}" to find all credit card numbers, if any.
• Predefined search. If you are not familiar with regular expressions, the product offers you
one of a few predefined searches, such as emails, SSNs, human names (for USA, Spain,
Germany, Russia and China), sexual words and so on. Some of these searches are customizable.
You can find them under the product folder (e.g. C:\Program Files (x86)\Belkasoft Evidence
Center\Resources\Search\Names\AmericanNames.txt) and edit them as you like.
You can search through all case data, specify a single or multiple data sources, a particular profile,
bookmark and so on.
Once you click OK, the search will start. Its progress will be presented in the Task Manager window, and
the results will be shown in the Search Results window.
Bookmarking
The product allows you to mark interesting pieces of information with bookmarks. A bookmark is an
entity with a name and description, and is shown under the Bookmarks node of Case Explorer. A bookmark
may refer to any number of evidence items such as documents, emails, mobile device app data, encrypted
files, URLs, emails, and so on. An evidence item can belong to any number of bookmarks.
A bookmark called "Chat and email evidence" contains IM and email items
Bookmarked item is highlighted with a cyan color, so you will not miss it in the item list:
Bookmarked chats are highlighted with cyan
To add a single item or multiple items to a bookmark, select one or more items, right-click on them and
select the Bookmark selected items menu item. You will have an option to create a new bookmark or
add items to one of the existing bookmarks.
Alternatively, you can drag and drop selected items to the Bookmarks node of Case Explorer (to create
a new bookmark) or any existing bookmark (to add items to that bookmark).
Drag and drop selected items to an existing bookmark to add items
The context menu for a bookmarked item contains the option Go to bookmark that will select a
corresponding bookmark in the Case Explorer:
The context menu for an item in a bookmark contains Go to original item option that will select the item
in the original profile.
You can search in bookmarks, create reports based on bookmark contents, and bookmark items
from the Search Results window.
Creating reports
The product allows you to create a report from almost all parts of the user interface. Reporting is
available in numerous formats such as HTML or PDF. To generate a report, select one of the following:
• Case node in Case Explorer.
• Data source node in Case Explorer.
• Evidence type node: Browsers, Carved Data, Documents, Encrypted Files, Instant Messengers,
Mailboxes, Network Traffic, Pictures, Registries, System Files, Video.
• Timeline or Bookmarks node.
• Single profile (for example, a Skype profile).
• Single bookmark.
• One or several items in an item list, such as Document List, URLs or Bookmarks list.
• One or several items in the Search Results window.
• Filter.
• Instant Messenger contact.
• etc.
After that, either click the Create Report button on the toolbar, or select the Create Report menu item
from the Edit main menu or from the Case Explorer context menu.
If you are creating a report for selected items from an item list, you can choose Create report for all items
or Create report for selected items from the item list's context menu.
The Create Report window will appear.
In this window you should specify a target format and a path to the report. Currently, the following
formats are supported:
• CSV
• DOCX
• EML (for emails only)
• HTML
• PDF
• Plain text
• RTF
• XLSX
• XML
The checkbox Open report when done allows opening the report results with a default application. For
example, if you export to HTML format, your default Web browser will open the resulting file.
PDF report is opened in the default PDF viewer
If you export to multiple files using Split/Group from Advanced options, the HTML summary file will be
opened in your default browser, enabling you to manually select any of these files for examination.
You can fine-tune a number of options to customize the report. To do so, click the Advanced
options button.
See also:
Advanced report options
Advanced report options
You can customize the report's look and feel by adjusting advanced report options. To do so, click the
Advanced options button in the Create Report window.
On the Formatting page of the Advanced report options window you can specify the following options:
• Encoding. This option defines the target encoding for Plain text or CSV reports. For example, for
exporting Chinese chats, you may want to use UTF8 or Chinese Simplified.
• Item sorting. You can sort items by date and time ascending or descending (whether earlier
items go first or last).
• Header and Footer text. This text will appear at the top and at the bottom of every page
in a PDF report. For other report types, these fields are disabled.
• Date and Time formats. There are a number of predefined formats, used in different countries.
• Orientation. This option is available for all Office formats and specifies whether your report is
Landscape or Portrait.
• Report generated by. This option allows you to specify the name of the user who generates the
report. When the report creator is different from the case creator, you can override this name.
On the Style page you can specify the following options:
• Default/Custom logo. By default the Belkasoft logo is inserted into the generated report;
however, you can browse for your organization's logo.
• Font. Using the standard font selection dialog you can specify font type (e.g. Arial), style (e.g.
regular or Italic), font size, font effects (e.g. underline), font color and so on.
The Split/Group page allows you to specify the number of files to be generated. The following options are
available:
• One file. Choose this option when the amount of evidence you are exporting is small. Too big a
file may cause significant delays in its examination. For example, a 10 MB HTML file may cause
your browser to hang for a long time and consume a lot of memory.
• One file per profile/data type. When generating a report for a case, data source or evidence
type, you can opt to generate a separate file for each profile inside the case, data source or
evidence type.
• Separate file for every contact or mail folder. Choose this option when you are exporting
instant messenger or email history (this option is ignored for other types of data). A dedicated
file will be created for each chat recipient or email folder, containing only the events for that
recipient or folder.
• Split by items count. Choose this option to break the report into multiple files of a given size.
For example, when you have a lot of chats, you may want to generate files of predictable size with
no more than 1000 messages inside each. In this case you may get a lot of files, but they will not
cause your viewer's performance to degrade.
• One file per each date. This is the daily option. Choose this option when it is important for you
to see which data occurred on which date.
The same page allows you to select a grouping type. The following options are available:
• Do not group. In this case you will see all events in a row, sorted by date and time. For example,
for an instant messenger profile, you will see all chat conversations in a row. This is handy when
you are trying to see the timeline of all the conversations of a user.
• Group by contact or mail folder. In this case all events will be grouped. For example, for instant
messengers, all chats with a particular recipient will be presented, sorted by date and time; then
another recipient's history follows, and so on. This is handy while you are examining chats
with a certain contact. This option is ignored for other evidence types.
Please note that some of these options are ignored for certain formats. For example, it is not possible to
group anything in the CSV format, so this option does not influence what the resulting CSV will look like.
The Time Period page allows you to select a time period to limit the export to:
The Contacts page is available for reporting of instant messengers only. On this page you can select which
contacts to generate: all available, only contacts having history within specified dates, or only specified
contacts.
The Pictures page is available for reporting of pictures and videos only. On this page you can opt to blur
pictures detected as "pornography" and specify the thumbnail size of a picture inside the report file. Please
note that if you haven't run Detect porn analysis, no pictures will be blurred, whether they are explicit or
not.
On the Columns page you can specify which data columns to include in a report and the desired order of
these columns. This is particularly useful for types of evidence which have multiple attributes, for
example, pictures, which may have up to a hundred various EXIF properties. You can select only the most
important properties so as not to clutter the resulting report.
Folders page allows you to opt to create subfolders for report files inside the target folder, chosen at
the Create Report window.
If you tick Create subfolders checkbox, the product will create a number of subfolders under the
destination folder. The According to the profile path option specifies that subfolders will reflect the
original profile paths; for example, if the original profile was found in the folder named
C:\Users\John\AppData\Roaming\ICQ, the report for that profile will be saved at the following path:
D:\Cases\Case001\Reports\C\Users\John\AppData\Roaming\ICQ\12345678.pdf
The According to the case tree option specifies that subfolder names should repeat the path to a profile
in Case Explorer tree, e.g.:
D:\Cases\Case001\Image.e01\Instant Messengers\Icq6Lite\12345678\12345678.html
Note that the tool will create a subfolder within the target folder, named with a profile name, case tree
path or original profile path. If a folder with the same name already exists, a number will be appended
to the folder name to make it unique. Previously exported results are never overwritten.
The Advanced report options window will remember all preferences. The next time you may just click
OK in the Create Report window to generate a new report using the same advanced report preferences.
Export to Evidence Reader
The Export to Evidence Reader function allows you to share all your findings with anyone, even if they do not
have a Belkasoft Evidence Center license. Evidence Reader is a free product which can view exported cases
in read-only mode. This feature is particularly useful for those who do not have the Case
Management component; in that case, be sure to use it before you exit the tool so as not to lose your data.
Alternatively, create a report in any supported format, such as HTML or PDF.
In order to export case data to Evidence Reader format, select the Export to Evidence Reader item
in the Tools main menu or click the Export to Evidence Reader toolbar button:
The following window will open, which allows you to select profiles to export. You can export the whole
case or only selected profiles:
After you click on Next, you will be asked for a target folder to export the case and the export process
will begin.
Carving and Live RAM analysis
The product allows you to perform a highly sophisticated analysis called "carving".
What is Carving
Carving is a bit-precise sequential search of the drive for various artifacts. While carving, the product
does not rely on the file system, and does not make use of “files” as they may have been deleted.
Instead, it looks for particular sequences of bytes, or characteristic signatures specific to certain types of
evidence. For example, Skype version 3 inserts the "l33l" signature before every chat message, so if this
sequence is encountered on the disk, there is a high probability that a Skype chat message follows.
The l33l signature preceding an actual Skype 3 chat message, as shown in the HexViewer window
Carving is an indispensable technique while searching for deleted data and looking for destroyed
evidence.
Please note that, unlike parsing existing files, carving is not a "precise" technique. Carving may return
incomplete results (for example, data will not be found for a chat message) or "false-positive" hits. False
positive results are possible when a signature is discovered that does not actually precede the data of
interest. This may happen, for example, if you save a file with "l33l" text inside; the file will be
incorrectly identified as a Skype message.
The product goes through the entire device (hard drive or drive image), and not just unallocated space,
so some results may duplicate those you have already obtained by using regular file analysis.
How to Start Carving
To start carving, you can do any of the following:
• Run profile search for a physical or logical drive, drive or mobile image, virtual machine, UFED
dump or Live RAM image. If you select anything on the Select what to carve page, the product
will carve the selected data source along with regular (existing) file analysis.
• Click Carve Device on the toolbar.
• Select Carve Device from the Edit menu or the Case Explorer context menu of the case or data
source node.
Once you have done so, the Search profiles window opens. On the first page you can choose a data source
to carve. This screen is similar to the first screen of the Search Profiles wizard, with the only difference
that the Selected folder option is disabled, because it does not make sense to carve a folder:
The following options are available:
• Logical drive. These are your logical hard drives with names like "C:\". Each hard drive may have
one or multiple logical drives presented in the combo box.
• Physical drive. These are your physical hard drives with names like "\\.\PHYSICALDRIVE1". Each
hard drive is presented by a single item in the combo box.
• Drive image file, virtual machine, UFED image or chip-off mobile device dump. You can carve any
image of the following types:
o Atola image (.img)
o EnCase image (.e01 and .ex01)
o FTK image (.aff, .afd, .afm)
o UFED physical image of Android devices
o X-Ways container (.ctr)
o DD
o SMART (.s01)
o Virtual machine file (.vmdk, .vdi)
o Chip-off dump in any format
o etc.
The file systems inside an image can be any Windows, Mac OS X, Android and *nix ones: all FAT
versions, NTFS, HFS/HFS+, ext2/ext3/ext4, YAFFS.
• Live RAM image file. You can carve a raw image of the computer's volatile memory (.mem). There
are a number of tools you can use to capture live memory from a computer, including Belkasoft Live
RAM Capturer, which is free and is able to work in kernel mode. This product is included with the
Belkasoft Evidence Center package. Evidence Center accepts the output of any program that creates a
raw memory dump.
• Besides a RAM image file, you can also specify a path to hibernation or page files
(hiberfil.sys and pagefile.sys). These two kinds of files may contain Live RAM data saved onto the
hard drive as part of normal Windows functioning. They are an important source of RAM artifacts because
the RAM contents may survive powering down the computer.
There are also options for which kinds of clusters to search within. You can decrease the time required for
analysis by searching only unallocated clusters (e.g. if you are looking for intentionally hidden data).
However, sometimes carving allocated clusters also gives good results, for example, if traces of data
are kept in an existing but corrupted file. It may not be possible to extract data from such a file using regular
history extraction because of the corruption, but carving may solve this problem. This is why the product
allows you to choose where to carve: Unallocated only, Allocated only or both, using the options
under What clusters to analyze?
Note: carving network drives/shares is not supported at this time. This applies to VMWare shared
folders as well.
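An added example, not the product's code, of the signature carving described under "What is Carving" combined with the allocated/unallocated cluster choice from the paragraph above: it scans a constructed 8-cluster raw image for the Skype 3 "l33l" marker without consulting any file system. The cluster size, the allocation set and the image contents are all constructed; cluster 1 holds a live text file that merely mentions "l33l", which is the false-positive case the text warns about.

```python
CLUSTER_SIZE = 512                     # constructed: small clusters keep the sample image tiny
SKYPE3_SIGNATURE = b"l33l"             # marker the text says Skype 3 writes before each chat message

# Constructed contents of the sample image.
FALSE_POSITIVE_TEXT = b"meeting notes: the door code was l33l, ask Bob\n"  # a live text file
REMNANT_OFFSET = CLUSTER_SIZE * 5 + 40  # where a deleted Skype 3 record fragment sits
REMNANT = SKYPE3_SIGNATURE + b"alice: see you at 9 pm\x00"  # constructed record body


def build_sample_image():
    """Return (image, allocated_clusters) for a constructed 8-cluster raw image.

    Cluster 1 is an allocated text file that merely mentions "l33l"; cluster 5 is
    unallocated space still holding a fragment of a deleted Skype 3 database.
    """
    image = bytearray(CLUSTER_SIZE * 8)
    image[CLUSTER_SIZE:CLUSTER_SIZE + len(FALSE_POSITIVE_TEXT)] = FALSE_POSITIVE_TEXT
    image[REMNANT_OFFSET:REMNANT_OFFSET + len(REMNANT)] = REMNANT
    allocated = {0, 1, 2}  # clusters the (simulated) file system still references
    return bytes(image), allocated


def carve(image, signature, allocated, clusters="both", preview=24):
    """Sequential, file-system-agnostic scan for signature.

    clusters mirrors the "What clusters to analyze?" choice: "both", "allocated"
    or "unallocated". Every hit is returned; the caller must still treat hits as
    probable, not certain, because a signature can occur inside unrelated data.
    """
    if clusters not in ("both", "allocated", "unallocated"):
        raise ValueError("clusters must be 'both', 'allocated' or 'unallocated'")
    hits = []
    pos = image.find(signature)
    while pos != -1:
        cluster = pos // CLUSTER_SIZE
        is_allocated = cluster in allocated
        wanted = (clusters == "both"
                  or (clusters == "allocated" and is_allocated)
                  or (clusters == "unallocated" and not is_allocated))
        if wanted:
            start = pos + len(signature)
            hits.append({
                "offset": pos,
                "cluster": cluster,
                "allocated": is_allocated,
                "data": image[start:start + preview],   # bytes following the signature
            })
        pos = image.find(signature, pos + 1)  # do not skip overlapping occurrences
    return hits


if __name__ == "__main__":
    sample, alloc = build_sample_image()
    for mode in ("both", "unallocated"):
        print(mode, carve(sample, SKYPE3_SIGNATURE, alloc, clusters=mode))
```

Running it in "both" mode returns the false positive from the live text file as well as the deleted remnant; "unallocated" mode returns only the remnant, which is why that option is faster but can miss data kept in existing, corrupted files.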
If the Start extraction for found profiles check box is selected, the carving will start right after you close
the wizard by clicking Finish. If you leave this check box unchecked, the selected data source (a drive or
an image) will be added to the case node of Case Explorer, but information will not be extracted. You
can extract the information from this source later on by clicking Extract data… in the context menu of
the corresponding node or Extract data… in the Edit menu.
On the second page you can select evidence types to look for:
Click the Finish button to start carving. The results of carving are presented as carving proceeds, so
you can navigate to already retrieved results and examine their properties using the Item List and Item
Properties windows.
See also:
Belkasoft Live RAM Capturer
Hex Viewer
BelkaCarving™
The BelkaCarving™ option helps combat Live RAM fragmentation. Information in the computer's volatile
memory (RAM) is fragmented, just like the data on a hard drive. While so called “naïve” carving works
well for smaller data chunks such as instant messenger chats or browser URLs, it does not work all that
well for data chunks of larger size, e.g. pictures.
Below you can see a typical result of naive carving for a picture within a captured memory dump:
You can clearly see that, past a few lines that we were able to obtain initially, the rest of the picture is
corrupted.
This is what BelkaCarving can help you with. Belkasoft Evidence Center allows you to run smart RAM
carving by selecting the BelkaCarving option as shown below:
Analyzing the very same memory dump now returns the entire picture despite the fact it was scattered
around the memory dump:
Why do we have this as an option and not just use it by default? The reason is speed. BelkaCarving is a
highly computation intensive process, requiring a lot of CPU cycles and taking a good deal of time to
correctly reconstruct processes' memory sets. If you are not targeting larger data sets such as picture
files, you can skip this option and save considerable time.
Note: At this time, BelkaCarving is only available for memory dumps captured on computers running the
following operating systems:
• Windows 7 32-bit
• Windows 7 64-bit
• *nix (Unix/Linux/etc) 32-bit
• *nix (Unix/Linux/etc) 64-bit
• *nix (Unix/Linux/etc) PAE
• Linux ARM
See also:
Belkasoft Live RAM Capturer
Analyzing hibernation and page files
Belkasoft Evidence Center allows you to extract information from two important Windows files: the
hibernation file and the swap (page) file. These files are the exception in which volatile memory contents
may survive powering down the PC. Both files may contain volatile artifacts. While the hibernation file is
mostly used on laptops, the paging file is used on most computers, as it represents the computer's virtual
memory.
To extract information from these files, run Carve Device wizard and choose Live RAM image file:
Then specify a path to the hibernation or swap file of interest. After clicking Next, you will be presented
with the list of evidence types to carve. Having selected them, click Finish; the specified file will be
carved for any Live RAM artifacts it may contain. Do not expect a huge amount of evidence discovered
this way: volatile memory contains only the most recent data used by various programs. Even this data
may be overwritten with other information quickly. However, even a small amount of recent data is
better than nothing.
You can download sample hibernation and page files from Belkasoft Web site.
See also:
BelkaCarving
Analyzing mobile devices
The product allows analysis of all major mobile smartphone and tablet devices such as iPhone or
Android.
It is possible to analyze a backup file for major mobile devices. Backups are stored on a computer during
the synchronization of a mobile device with a stationary PC.
It is also possible to analyze UFED dumps for Android phones and chip-off dumps.
Supported mobile data sources include:
• Android backups
• Chip-off dump
• iPhone backups
• iPad backups
• Blackberry backups (ipd)
• Blackberry backups (bbb)
• UFED physical dump for Android devices
To find and analyze backups, tick the Mobile device backups checkbox at the second page of the Search
profiles wizard. To analyze UFED or chip-off dump, add it as a data source at the first page of Search
profiles wizard.
After the data extraction is finished, a number of system and application items will be displayed under
the mobile profile node in Case Explorer. Depending on the device type, you will see some of the
following:
• Contacts
• Calls
• Safari or other browsers' history
• SMSes
• Gmail
and many other application-specific items. The full list of supported applications for each backup type
can be found at http://belkasoft.com/. To review each application or system data, select it in the Case
Explorer and explore the Mobile Application Data List:
Please note that encrypted iPhone/iPad backups are not yet supported.
You can unpack an iPhone or iPad backup to a local folder by using the Unpack backup... context menu item in
Case Explorer:
Analyzing documents
The product can find, analyze and carve all major office document types such as:
• Microsoft Office 1997-2003 (doc, ppt, xls)
• Microsoft Office 2007-2012 (docx, pptx, xlsx)
• OpenOffice (odt, odp, ods)
• PDF
• RTF
For each data source, a single Documents node is created combining all documents inside all folders
within that data source:
By default, the following filters are created for a document profile:
• Corrupted documents. These are documents that begin with valid data but at some point are no
longer readable. You can read information extracted from those, but this information is not
complete.
• Invalid documents. These documents failed the consistency check completely. Most probably,
they are badly damaged, encrypted or renamed (e.g. when Pic.jpg is renamed to Pic.doc). Many
results of document carving will end up in this filter.
• Valid documents. These documents are completely OK and can be opened without issues.
• Documents with embedded files. These documents contain one or more embedded files that
can be viewed within the product.
For each document, the following information is extracted:
• Plain text. For spreadsheets, it is combined from all cells and all pages in a spreadsheet. For
presentations, text is gathered from all slides, thus simplifying reviewing and searching.
• Metadata. Metadata such as the document creator, various date/time stamps etc. are vital for
many investigations.
• Embedded files. Office documents may contain multiple files of arbitrary types. Most often
these are pictures, but it is possible to insert another document, chart, script, archive etc.
When you select a document profile, you will see some document previews in the Document List
window:
Currently the product shows a first-page preview for PDF documents; for other types of documents an
icon is shown. To preview a full-size document, double-click on the document of interest; the Picture Viewer
window will open (currently it supports viewing PDF documents only).
To examine metadata, click on a document and review its properties in the Item Properties window:
To view the list of files embedded into selected document, click on the Embedded files tab:
All embedded pictures’ previews will be shown; embedded files of other types are presented with
system-default icon.
You can open embedded files other than pictures in their default application or save them to disk. To
do so, select the embedded files, right-click on them and select the corresponding context menu item.
See also:
Picture and Documents viewer
Copying embedded files and attachments to folder
Registry "low hanging fruits" analysis
The product can find and analyze Windows Registry files. The Windows Registry is an important source of
information about the usage of the system and applications. The Registry contains thousands of entries,
and Belkasoft Evidence Center analyzes the most important ones, such as:
• Most recent files opened by various applications, such as Microsoft Office (so-called "MRUs")
• UserAssists
• Program startup data
• List of USB devices ever connected to the system
• Network cards
• Wireless profiles
• Timezone
and many other records.
To find all registry hive files, tick the Registry checkbox in the Search profiles wizard. The results will be
added into the Registry sub node under the data source node in Case Explorer.
To explore extracted data, click on it in Case Explorer:
The most important Windows registry artifacts will be shown in the Item List at the right. If you need to
inspect other data inside a registry file, select this file inside Case Explorer and open Registry Viewer
screen.
See also:
Registry Viewer
Analyzing system files
The product helps find and analyze various system files. Supported system file types include:
• Jumplists
• Thumbnails
• Thumb cache
• Windows Event Logs
To find jumplists, thumbnails (including Thumb cache) and Windows event logs select them in the
System Files checkbox within the Search profiles wizard. The product supports carving for deleted Event
Logs and Thumb cache. To find them, select Files on the last page of Search profiles wizard (evidence
types to carve).
Select an item inside the System File List to review various significant properties of a file. For example,
jumplists contain forensically important evidence such as file size, name, the drive label the
corresponding file was opened from (this information is stored even if a file was opened from a removable
drive!), the MAC address of the computer at the time of opening that file and even the last boot time of that
computer before the file was opened!
Jumplist for PowerPoint files shows the history of opening the 145.pptx file
Analyzing SQLite databases
The product supports comprehensive analysis and visualization of SQLite databases. SQLite databases
are very important in the course of a digital forensic investigation, because SQLite is a very popular format for
storing data. Thousands of different desktop applications chose SQLite, including Skype, Firefox, Chrome
etc. SQLite is the de facto standard for storing data in mobile applications. This is why you need a tool to
investigate data in SQLite format.
The following types of analysis are available with Belkasoft Evidence Center:
• Automatic analysis of SQLite databases for various desktop applications such as Skype, Firefox,
Chrome, and multiple mobile applications, such as WhatsApp.
• Carving deleted SQLite databases.
• Opening arbitrary SQLite databases, chosen by a user.
• SQLite freelist analysis.
• SQLite RollbackJournal analysis.
• SQLite WAL-file analysis.
Belkasoft Evidence Center does not use any third-party SQLite libraries; SQLite parsing is fully native.
This allows Evidence Center users to parse even badly damaged, fragmented and
incomplete databases, such as those resulting from a carving attempt. This is an important difference between
Evidence Center and non-forensic third-party applications, such as SQLite Database Browser, which
will fail when attempting to open a damaged SQLite file.
Analyzing SQLite freelist
Information deleted from SQLite databases is not wiped immediately. Instead, it is transferred into a
so-called "freelist", a special area inside the SQLite file which stores deleted data. Freelists are not accessible
with standard SQLite parsing tools. Thanks to native SQLite parsing, Belkasoft Evidence Center enables
the recovery of deleted information stored in SQLite freelists.
Data from the freelist is marked "True" under the "Is Deleted" variable, like the Skype messages below:
Freelist data is marked with a red background inside SQLite Viewer.
Analyzing SQLite transaction files
SQLite databases use a transaction mechanism, and part of the data is stored in special RollbackJournal
(before SQLite v.3.7) or WAL (write-ahead log) files (from SQLite v.3.7 on). Before data goes to the main
database file, it is temporarily stored inside the WAL, which means that this file may hold the most
current version of the data. Thus it is very important to be able to review WAL contents. SQLite
Viewer automatically locates both types of journal files and combines data from the main SQLite database
file with data from these journal files.
Data from transaction files is highlighted with cyan.
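The two behaviours described in the freelist and transaction-file sections above, reproduced with Python's built-in sqlite3 module as an added example (this is not the product's code): a deleted row whose bytes linger in the unused space of the database file, and a committed row that exists only in the -wal file until a checkpoint. The table, row contents and marker strings are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed marker strings so the raw-file checks are unambiguous.
DELETED_MARKER = "deleted-secret-CONSTRUCTED-MARKER"
WAL_MARKER = "wal-only-CONSTRUCTED-MARKER"


def deleted_row_survives(db_path):
    """Delete a row and show its bytes still sit in the main database file.

    Returns {"queryable": False, "in_raw_file": True} on a stock SQLite build.
    """
    conn = sqlite3.connect(db_path)
    # OFF is SQLite's default unless the library was built with SQLITE_SECURE_DELETE;
    # set it explicitly so the demonstration does not depend on the build.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO Messages (body) VALUES (?)",
                     [("first message",), (DELETED_MARKER,), ("third message",)])
    conn.commit()
    conn.execute("DELETE FROM Messages WHERE body = ?", (DELETED_MARKER,))
    conn.commit()
    queryable = conn.execute("SELECT COUNT(*) FROM Messages WHERE body = ?",
                             (DELETED_MARKER,)).fetchone()[0] > 0
    conn.close()
    with open(db_path, "rb") as fh:
        raw = fh.read()
    # Standard SQL no longer returns the row, but the freed cell's payload is still
    # in the page's unused space: exactly what a freelist-aware parser recovers.
    return {"queryable": queryable, "in_raw_file": DELETED_MARKER.encode() in raw}


def wal_holds_committed_data(db_path):
    """Commit a row in WAL mode without a checkpoint and locate where it lives.

    Returns the journal mode plus three booleans: the row is visible to SQL, it is
    present in the -wal file, and it is absent from the main database file.
    """
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO Messages (body) VALUES ('old message')")
    conn.commit()
    mode = conn.execute("PRAGMA journal_mode = WAL").fetchone()[0]
    conn.execute("INSERT INTO Messages (body) VALUES (?)", (WAL_MARKER,))
    conn.commit()                      # committed: written to <db>-wal, not to <db>
    visible = conn.execute("SELECT COUNT(*) FROM Messages WHERE body = ?",
                           (WAL_MARKER,)).fetchone()[0] > 0
    # Read both files while the connection is still open: closing the last
    # connection checkpoints the WAL into the main file and deletes the -wal file.
    with open(db_path, "rb") as fh:
        main_raw = fh.read()
    wal_path = db_path + "-wal"
    wal_raw = b""
    if os.path.exists(wal_path):
        with open(wal_path, "rb") as fh:
            wal_raw = fh.read()
    conn.close()
    return {
        "mode": mode,
        "queryable": visible,
        "in_main_file": WAL_MARKER.encode() in main_raw,
        "in_wal_file": WAL_MARKER.encode() in wal_raw,
    }


def run_demo():
    """Run both demonstrations on throwaway databases in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "freelist": deleted_row_survives(os.path.join(tmp, "freelist.db")),
            "wal": wal_holds_committed_data(os.path.join(tmp, "wal.db")),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

For acquisition this means the -wal and journal files next to a database must be collected together with it, and a tool that merely opens the main file misses both the deleted cells and the uncheckpointed rows.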
See also:
SQLite Viewer
Resolving MSN name
Microsoft MSN/Live Messenger stores its history in folders named like this: john.smith2462261469. The
number after the user name represents a hash value of the user's email, and you might be interested in
this email address in plain text (e.g. [email protected]) rather than the number.
The product makes it possible to recover this plain-text email with a brute-force algorithm using a set of
known email services. In most cases, the list of the most popular email services will be enough to recover
the user's email. The product uses a list of almost 7000 services stored in the "mailservers.txt" file that is
placed in the same folder as the main product. If you would like to extend the list of email services, just add
additional entries to that file.
User management (Enterprise only)
The User management window is the main window of the Server part of Belkasoft Evidence Center Enterprise
edition. This window is shown after you log in to the product. Using User management you can
create and delete users, assign or revoke their rights, and create and edit roles in the system.
Network traffic analyzer
Belkasoft Evidence Center allows you to open and analyze files containing intercepted network traffic.
There are a lot of tools ("sniffers") available on the Internet to capture network traffic, e.g. WireShark.
Such tools can produce PCAP files with a record of network activity in a local network. PCAP files can
be analyzed by the product.
To locate a PCAP file, perform a search using the "Search histories" wizard as explained in "Searching
profiles". Check the "Network Traffic" node on the first wizard screen, and select the location of a file or files
on the second screen.
Currently, the product supports the following protocols:
• Oscar (the one used, for example, by ICQ)
• XMPP (the one used, for example, by Jabber or Facebook)
The extracting, viewing and exporting of available information can be performed similar to all other
kinds of items.
Detecting encrypted files
Belkasoft Evidence Center can discover and analyze more than 150 types of encrypted files. The list of
supported file formats includes:
• Adobe Acrobat PDF
• Lotus Notes
• Microsoft Access, OneNote, Outlook, PowerPoint, Word
• Zip and 7-zip
and many more encrypted file types. Please refer to http://belkasoft.com for the complete list.
To discover encrypted files, check the "Encrypted files" checkbox in the Search profiles wizard. The
results will be placed into the Encrypted files sub node under the data source node in Case Explorer.
Please note that encryption detection is a time-consuming operation, so it makes sense to search for
other artifact types first and run encryption detection afterwards. Under some circumstances, two
separate analysis threads can be faster than a single one.
To analyze encrypted files, select Found encrypted files node in Case Explorer. The product will present
these files in the Encrypted File List:
The most important columns are Complexity and Protection features. The first one shows how difficult
it is to decrypt the file. For Instant and FastBruteForce complexities you may be able to retrieve the
password quickly. However, MediumBruteForce and SlowBruteForce may take days, weeks or even
billions of years to decrypt. With strong encryption, you may need special hardware to decrypt the files,
and even then it may not be possible to decrypt them in reasonable time.
Protection features shows how a file is protected. Open Password means that you cannot open the
document and see its contents without knowing the password. There are, however, other types of
protection; for example, on the screenshot above the PDF file can be opened but cannot be printed
without patching.
To allow the user to decrypt files, Belkasoft Evidence Center is integrated with Passware Kit Forensic. If you
have both tools, it is possible to decrypt files right within the Evidence Center user interface. Select one or
more files in the Encrypted Files List, right-click and select Decrypt:
If you do not have Passware Kit Forensic, the menu item will be disabled.
You can also decrypt all discovered encrypted files by selecting Decrypt from the Case Explorer context
menu.
Please note that decryption is a time-consuming operation and there are no guarantees it will succeed
for strong encryption types.
Information extracted from Web browsers
Web browser analysis recovers the following types of artifacts:
• Sites visited by a suspect
• Cookies
• Passwords entered on various login screens (except for IE and Safari)
• Form values filled in various web forms
• Downloaded files
• Favorite links
• Typed URLs (URLs that were entered by the user directly in the browser address box)
• Cache (files stored locally to increase the speed of subsequent site loading, for example,
pictures)
For Internet Explorer Typed URLs, you will need access to the user's registry.
Browser passwords
Evidence Center can extract passwords entered by the user on various login screens using a Web
browser. However, there are some restrictions:
- The analysis works in Firefox, Chrome and Opera only. Safari and Internet Explorer are not
  supported.
- If the user did not choose to store their passwords, there is no way to extract them using browser
  analysis.
- For Opera, it is not possible to determine which of the saved fields was the login and which was the
  password, so the product will guess, and it may guess incorrectly. The reason is that
  Opera stores its saved fields in random order and relies on the site contents to determine which
  stored value goes into which field.
Hash calculation
Every profile can have two hash values associated with it. These are the original hash value and current
hash value.
Hash values are calculated to ensure that the profile was not altered during the investigation, and to be
able to prove it to a third party. If you are about to create hash values, check the Calculate profile hash
value box on Search profiles window. Please note that calculating hash values may take a while,
especially for large profiles such as Outlook PST files or a browser folder with multiple files inside. So if
you are not going to use the hash value, you can uncheck the box to speed up the process of adding
profiles to the case.
The product uses the standard MD5 algorithm to calculate hash values. If the profile is a folder, a hash
is calculated for every file in that folder and its subfolders, the individual hashes are put into a string,
and the hash of that string is the profile hash. If even one file inside the profile folder is changed, the
whole hash value will change, too. For a picture profile that contains files from different folders, the hash
is likewise a combination of the hashes of all picture files belonging to the profile. MD5 is adequate for
detecting accidental alteration, but practical collision attacks against it are known, so it does not by
itself prove that nobody deliberately substituted a file; if that argument matters for your case, also
record a SHA-256 hash of the original media.
To check that the profile has not changed, select it in the Case Explorer. On the profile properties page
two hash values will be presented:
Click the Recalculate button to instruct the product to calculate the hash value of the current profile. If the
new hash value is the same as the original, the profile has not been changed.
Under some circumstances, the product may fail to calculate a hash. This may occur, for example, when
one of the profile files is locked. Such a situation may be encountered while you are testing the product
on your own live system where many files are naturally locked, such as your registry hives, your Skype or
Firefox files.
Another common problem arises when you copy another user's profile to your hard drive, and some
paths become too long, exceeding the Windows limit on maximum file path length. In this case hash calculation
will also fail, and the product will show the message "Failed to calculate hash" in the Current hash
field of Profile Properties.
If you have already detached the drive with a profile or moved this profile to a different place, the
product will not be able to calculate the current hash value either.
Encoding
Some types of evidence, for example, Jumplists or Instant Messengers, may store their histories in
national (code page) encodings rather than in Unicode. For these kinds of data, the product will extract information by
using the system default encoding. However, this may give incorrect results if your system default is not
the same as the encoding used for a particular piece of evidence, for example, a chat was conducted using
the Chinese Simplified encoding while you are in Germany and have the German locale by default.
To instruct the product to use proper encoding, right click on a profile of interest, click
on Encoding menu item and then choose required encoding. The product will offer to re-extract data
since the encoding has been changed:
You can also specify the default encoding for the product. See “Options” for more details.
Timestamps
While extracting and presenting data extracted from various application and system files, the product
preserves timestamps as they were stored by an application or the system. The Date/time column
header explains which time it is: Local or UTC. Thus, you may need to recalculate time to your time zone.
For example, the user of an Instant Messenger profile from the UTC+3 time zone sent a message at 11:00
am. You are investigating the profile in UTC+2. For your time zone the message was sent at 10:00 am.
Carved Chrome data stored in Local time
The Timeline helps to automatically recalculate all local times to UTC and vice versa.
See also:
Timeline
Time zones
Time zones
Data in a case can come from different time zones. Some events are stored with UTC time, other events
can use local time. In order to help you correctly interpret various times, time zone can be specified
separately for the following items:
- Case.
- Data source.
- Profile.
You will be prompted for a time zone when creating a new case. Make sure to specify the suspect’s
time zone and not yours. The time zone specified will be the default time zone for all date/time stamps,
stored in local time.
However, in one case you can have some data sources from another time zone. For example, if you have
several drives, and all but one came from a single country while that last one originated from a different
country with a different time zone. While the default case time zone is OK with most drives, you would
want to override the time zone for the special one. This can be done on the Data source parameters
page displayed when you select a data source in Case Explorer:
Similarly, you can change the time zone for a particular profile. The default time for the case can also be
modified on the Case Properties page.
The priority of time zones is as follows:
1. Profile.
2. Data source.
3. Case.
This means that the profile time zone, if overridden, has higher priority than the data source or case time zone,
and will be used for calculations. The data source time zone has priority over the case time zone.
The time zone is used to calculate accurate times for the Timeline view only. No conversion is made in other
data views (e.g. no local-to-UTC conversion).
The time zone setting is also used in reporting: when one of the two time types is not known, it is calculated from
the other one using the specified time zone.
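As an added example, not part of the product or of this help, the following Python code models the rules from the Timestamps and Time zones sections: the profile, data source and case priority, conversion of a timestamp stored in local time to UTC and then to the investigator's clock, and the reporting rule that derives the missing time type from the known one. The case, drive and profile offsets, the dates and the Event record are constructed for the illustration; the UTC+3 / UTC+2 message is the example from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def tz(hours: float) -> timezone:
    """Fixed-offset zone such as UTC+3. Zones with daylight saving need zoneinfo instead."""
    return timezone(timedelta(hours=hours))


def effective_tz(case_tz: timezone,
                 data_source_tz: Optional[timezone] = None,
                 profile_tz: Optional[timezone] = None) -> timezone:
    """Priority: profile override, then data source override, then the case default."""
    return profile_tz or data_source_tz or case_tz


@dataclass
class Event:
    """One extracted record. Applications store either a local wall-clock time
    (no offset attached) or a UTC time; the other one is unknown until computed."""
    description: str
    local: Optional[datetime] = None   # naive, as stored by the application
    utc: Optional[datetime] = None     # aware, tzinfo=timezone.utc


def fill_missing(event: Event, zone: timezone) -> Event:
    """Reporting rule: when only one of the two time types is known, compute the
    other from it using the effective time zone. Never convert twice."""
    if event.utc is None and event.local is not None:
        event.utc = event.local.replace(tzinfo=zone).astimezone(timezone.utc)
    elif event.local is None and event.utc is not None:
        event.local = event.utc.astimezone(zone).replace(tzinfo=None)
    return event


def present(event: Event, investigator_tz: timezone) -> datetime:
    """The same instant shown on the investigator's own clock (as the Timeline does)."""
    return event.utc.astimezone(investigator_tz)


def demo() -> dict:
    # Constructed case: suspect's case time zone UTC+3, one drive from UTC-5, and one
    # profile on that drive explicitly set to UTC+9 (all values are assumptions).
    case_zone, drive_zone, profile_zone = tz(3), tz(-5), tz(9)

    # Example from the help text: IM message stored as local 11:00 in a UTC+3 profile,
    # examined by an investigator sitting in UTC+2.
    msg = fill_missing(Event("IM message", local=datetime(2014, 3, 5, 11, 0)),
                       effective_tz(case_zone))
    shown = present(msg, tz(2))

    # Record stored in UTC on the UTC-5 drive, in the profile overridden to UTC+9:
    # the profile zone wins, and the local time is derived from UTC, not guessed.
    call = fill_missing(Event("Call", utc=datetime(2014, 3, 5, 8, 0, tzinfo=timezone.utc)),
                        effective_tz(case_zone, drive_zone, profile_zone))
    hour = timedelta(hours=1)
    return {
        "message_utc": msg.utc.isoformat(),
        "message_for_investigator": shown.isoformat(),
        "call_local": call.local.isoformat(),
        "drive_override_hours": effective_tz(case_zone, drive_zone).utcoffset(None) // hour,
        "profile_override_hours": effective_tz(case_zone, drive_zone, profile_zone).utcoffset(None) // hour,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Fixed offsets are enough for the UTC+3 style zones this help talks about; a suspect in a zone with daylight saving needs a named zone (zoneinfo in Python 3.9 and later), because the offset that applies depends on the date of each event.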
See also:
Timeline
Timestamps
Sorting
The Item List supports sorting of the items it contains. You can sort by any column in the grid. To do
so, click on the column header.
Items sorted by date
Items sorted by item type (Skype calls first, chats next)
Clicking a header twice reverses the sorting order (ascending to descending and vice versa). Your sorting
preferences will be remembered by the product, so you will have the same sorting order the next time
you run it.
Picture-specific analysis
The product supports the following kinds of analysis specific to pictures:
- Face detection
- Text detection
- Pornography detection
- Forgery detection (paid plugin to the product)
These types of analysis can be performed on picture profiles and on video profiles with their key frames
extracted. To run a certain type of analysis, right-click on a picture or video profile and select the
corresponding menu in the Analyze pictures context menu:
Note: original media with pictures should still be connected to the computer because the product does
not store pictures in the database by default. Alternatively, you can store selected pictures in the case. If
you did that, the product will first check the case database and only then attempt to access the original
path for the picture.
The analysis results will be kept under the following sub nodes of the Analysis results node:
- Pictures with faces
- Pictures with text
- Porn pictures
- Forged pictures
All kinds of analysis except forgery detection are using neural networks in order to detect the content of
the corresponding type. At this time, it is not technically possible to create an algorithm that does such
analysis 100% correctly without any false positives and false negatives.
See also:
Storing pictures in database
Detecting faces
Detecting pornography
Detecting text
Detecting altered photos
Detecting faces
The product allows you to detect faces in picture and video profiles. In order to detect face, select
picture or video profile of interest, right click it, choose Analyze pictures context menu item and
then Detect face. The analysis will start.
After the analysis the filter Pictures with faces under Analysis results profile subnode in Case
Explorer will be filled with the pictures with faces detected. The total number of pictures with faces will
be indicated in the filter node:
4 pictures with faces detected
The analysis is designed to work with clear frontal and profile faces. The best results can be achieved on
frontal faces. Other kinds of faces, e.g. turned halfway, might not be detected, as no robust
algorithm for them exists so far. The following obstacles may prevent successful face detection:
- Face significantly turned from frontal or profile position
- Something covering a major area of the face (e.g. sunglasses, scarf or hand)
- Poor lighting conditions
Face detection uses neural networks in order to find faces. False negative and false positive detections
are to be expected. For example, the algorithm frequently incorrectly detects knees area as face. To
reduce false positives, the product performs a number of additional types of analysis such as:
- Skin detection
- Nose detection
- Eyes detection
- Mouth detection
To get rid of false positives you can filter for faces in which all of those features were detected. Note: false
positive and false negative counts depend on each other. If you decrease the number of false
positives, more false negatives will appear (so you may miss some pictures with faces).
To see which features are detected for a face, you can inspect the Analysis properties section in the
Item Properties window:
For each face discovered, a separate record is created with all the details such as face bounds and
additional features such as nose, mouth, skin and eyes detected.
Each face is surrounded with a green box inside Picture List and Picture Viewer windows, in case
correspondent option is set in Picture Options. The product can successfully detect not only real faces
but also faces within a drawing or even a cartoon!
Note: for face extraction from video file, you should extract key frames first.
See also:
Picture options
Video-specific analysis
Detecting text
The product allows you to detect text in picture and video profiles.
In order to detect text, select a picture or video profile of interest, right click on it, click Analyze pictures
and then Detect text. The analysis will start.
After the analysis completes, the filter Pictures with text under the Analysis results node in Case
Explorer will be filled with pictures with text detected. The total number of pictures with text will be
indicated in the filter node:
2 pictures with text detected
The analysis is designed to work with clear scanned text. It might not work with arbitrary text like road
signs, subtitles, text on T-shirts etc. Example of a picture that will be processed well:
To improve the results, the product performs operations such as de-skew, resolution increase and
others. Thus, even small and skewed pictures may be processed.
There is no 100% guarantee that all text is extracted correctly. The following obstacles may prevent
successful text detection:
- Significantly skewed text
- Too low resolution (e.g. letters 5 pixels high)
- Hand-written marks over printed text
To see what text is detected for a picture, you can inspect the Analysis properties section in the Item
Properties window:
In order to successfully recognize text, you must specify recognition language in Options (English by
default). Multilingual recognition is not supported.
The recognized text is searchable, that is, for the picture above, you can search a keyword like "wine"
and successfully find this picture.
Note: for text extraction from video file, you should extract key frames first.
See also:
Options
Video-specific analysis
Detecting pornography
The product allows detecting pornography in picture and video profiles.
In order to detect pornographic content, select a picture or video profile of interest, right click on it, click
Analyze pictures and then Detect porn. The analysis will start.
After the analysis completes, the filter Porn pictures under the Analysis results node in Case Explorer
will be filled with pictures with porn detected. The total number of pictures with porn will be indicated
in the filter node:
2 porn pictures detected
Porn detection uses neural networks in order to find explicit pictures. 100% correct results are not
guaranteed. Both false positives and false negatives may exist. The following obstacles may prevent
successful porn detection:
- Poor lighting conditions
- Too little naked skin visible
- Black-and-white images
- Various post-processing effects, such as converting colors to luminescent ones in a picture editor
- Dark skin is detected less reliably than light skin
To help identify more suspicious pictures, a porn probability factor is assigned to each picture. You can
sort the picture list by the Porn probability column to have the more suspicious pictures appear first.
The current implementation has the following error rates: 4.96% false negatives and
16.31% false positives.
Note: for detection porn in a video file, you should extract key frames first.
See also:
Picture options
Picture-specific analysis
Detecting altered photos
The Forgery Detection Plugin (must be purchased separately) allows detecting JPEG pictures that have
been altered or modified after taken by a digital camera. All types of modifications count as a forged
(altered) image including re-saving with a different compression level, cropping or deliberately changing
the picture’s content (from tuning exposure to cloning picture parts).
In order to detect altered pictures, select picture profile of interest, right click on it, select Analyze
pictures and then Detect forgery. The analysis will start.
After the analysis, the filter Forged pictures under the Analysis results profile subnode in Case Explorer
will be filled with forged pictures. The total number of forged pictures will be indicated in the filter node.
After the analysis you can create a special Forgery detection report. In order to do so, select Forged
pictures filter in the Case Explorer, within the Picture List select all pictures or just pictures of interest,
right click and select the Create forgery analysis report...:
A forgery analysis report will be created:
Forgery detection uses a number of empirical heuristics based on data obtained from more than 3000 different
digital camera models. The algorithm analyzes EXIF data, quantization tables, various picture artifacts
specific to particular cameras, and the picture itself.
Forgery detection is a paid plugin to Belkasoft Evidence Center Ultimate. You should purchase it
separately.
See also:
How forgery detection works
Picture-specific analysis
Removing incorrectly detected faces
If the product detects a face incorrectly, you can remove it using Picture List window. Just right click on
incorrect region and it will disappear:
If you remove the last detected face from a picture, it will be removed from the Pictures with faces filter
the next time you select it.
See also:
Detecting faces
Storing pictures and documents in database
A typical hard drive or mobile device contains thousands of pictures; some contain hundreds of
thousands. Most of these images represent no particular interest for an investigation; some of them,
however, may present more interest than others. The total size of unneeded pictures may exceed
gigabytes. Due to this reason, pictures are not stored in the database by default. Only original paths and
properties are stored. This is why you are not able to preview a picture or run an analysis on it in case
you removed a media containing the original picture from your computer.
For the same reason found documents are also not stored in the database by default, only paths and
metadata go to the database.
However, you may want to store some pictures or documents of interest for a longer period than you
have the original media. In this case, you can select pictures or documents of interest and save them to
the database by selecting Save selected items to database:
Having done so, all subsequent operations with saved items will be done on a file copy from the
database, so you can run picture or document analysis with original media detached.
See also:
Picture-specific operations
Picture-specific operations
Besides the standard context menu of any item in the Item List, pictures have additional operations available:
- Show selected items on Google Maps. If any of the selected pictures contain GPS coordinates,
  this option is enabled. Using this feature you can see all points on the map where the selected
  photos were taken. For more details see "Web Browser".
- Show selected items on Google Earth. If you do not have an Internet connection on your
  computer, this option may be perfect to see the same GPS coordinates on a map. All you need is
  to install Google Earth, which does not require an Internet connection to display a location.
- Export selected items to Google Earth format. If you have neither an Internet connection nor
  Google Earth installed on your computer, this option will enable you to see the desired locations.
  When this option is chosen, the product will create a file in Google Earth format (kml-file) that
  can be copied to another computer with Google Earth installed and be reviewed there.
- Copy picture. To copy the selected pictures (rather than copying the path to the pictures, which is the
  standard behavior of the "Copy item text" command), select this context menu item.
- Save selected items in database. This menu item permanently stores the selected pictures in the
  database. For more details see "Storing pictures in database".
- Open in folder. You can choose one or several pictures and select this menu item. A separate
  Explorer window will open for every unique folder containing an original picture (so if you have
  three pictures in two different folders, two Explorer windows will open).
There are also two picture-specific operations available through the picture profile node in Case Explorer:
- Copy files to folder. Choose this menu item to copy all pictures inside a profile or a filter to a
  single folder. For more details see "Copying pictures to folder".
- Filters. This item allows seeing and editing picture or video profile filters. For more details see
  "Filters".
Copying files to a folder
You can copy all files belonging to a profile, such as picture, video or document profile, or filter to a
selected folder. This function is very handy to gather all files of a given type to the same folder, for
example, if you would like to review all pictures from a mobile phone one by one, it is convenient to
combine them from all subfolders of the phone to a single one.
To do so, choose Copy files to folder… context menu in Case Explorer:
Set target options window will open allowing you to select a destination folder and open Windows
Explorer afterwards:
Select any existing folder and click on OK to start copying files.
See also:
Copying embedded files and attachments to folder
Picture-specific operations
Copying embedded files and attachments to folder
The product helps you to gather various embedded files in a single folder. In particular, you can gather
all attachments of an email profile, and all files embedded in all documents inside a data source. This
can be helpful, for example, when you are investigating all pictures inside all Word documents or, say,
all Excel documents attached to emails inside an Outlook profile. Reviewing such files one by one would
take an enormous amount of time, while having all of them inside a single folder will speed up the
investigation significantly.
To copy files embedded inside documents to a folder, right click on a document profile node or a filter
under document profile in Case Explorer and select Copy embedded files to folder… menu item. You
will be prompted to select a folder to copy files to.
To copy attachments from an email profile to a folder, right click on an email profile node or an email
folder under email profile in Case Explorer and select Copy attachments to folder… menu item. You will
be prompted to select a folder to copy attachments to:
See also:
Copying files to folder
Filters
The product supports comprehensive filtering for pictures in picture and video profiles. For example, if
you like to group only pictures having GPS coordinates or only images with pornographic content, the
product allows you to do so.
There are a few predefined filters available:
- Pictures with faces
- Pictures with text
- Porn pictures
- Forged pictures (if you have the Forgery Detection plugin)
- Pictures with GPS data
- Pictures with metadata
- Large pictures
- Valid/Invalid/Corrupted documents
Every profile has default filters right after creation
Filters grouped under the Analysis results node will only be filled after the corresponding analysis is
complete (see "Picture-specific analysis"). Other filters will be filled right after a profile creation so that
you can, for example, review all large pictures immediately.
Should you like to edit default filters or create your own filter, you can do so by right clicking a picture or
video profile and selecting the Filters… context menu:
See also:
Managing filters
Picture-specific analysis
Picture-specific operations
Managing filters
Using Filter Manager you can inspect, edit or delete default and custom filters:
Click New filter to create a custom filter, Edit filter to edit a selected single filter, and Delete filter to
delete one or more selected filters.
See also:
Editing filter properties
Editing filter properties
Using the Edit Filter Properties window you can edit existing filter properties and create new custom
filters.
For example, if you would like to tighten the threshold for porn pictures, you can select the predefined filter
called "Porn pictures" in Filter Manager and click Edit filter. In the Edit Filter Properties window that opens you
can adjust the value of the threshold:
For example, you can set Porn detection probability to be greater than or equal to 0.8 to decrease the
number of false positives. Note: doing so will also increase the number of false negatives.
In this window you can set a filter name and add one or more criteria.
A condition consists of three parts:
- The left part, which is one of the predefined properties, such as EXIF properties, file properties,
  picture properties, Office metadata or general item properties. You can select any of the
  available properties from the All properties list. To find a property by name, you can enter a
  substring in the Find properties by substring text box.
- The right part, which is a value you enter manually. This may be a string, integer, real or
  Boolean value. You can enter this value in the Value text box.
- The operation, which can be one of the predefined comparison operations, such as ">=" for numbers,
  "contains" for strings, "=" for Booleans and so on. You can select an operation in the Operation
  combo box.
There is a possibility to invert a condition by selecting the Logical NOT checkbox. This is particularly
useful for string expressions, for example, condition "NOT Manufacturer EQUALS Canon" will filter all
pictures made by cameras assembled by any manufacturer but Canon.
You can combine several conditions by logical conjunctions such as "AND" and "OR" by using Combine
with existing rules as: combo box.
In the example below there is a filter named "Path contains "xxx"", a filter with a single
condition: the path to the picture file contains the substring "xxx" somewhere:
Note that filters are working per profile scope, which means that every profile has its own set of filters.
Thus, if you change the "Porn pictures" filter for one profile, the corresponding filter in other profiles
will not change.
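To make the condition rules concrete, here is an added Python model of a filter as described in Editing filter properties: a left-hand property, an operation, a right-hand value, the Logical NOT checkbox, and the "Combine with existing rules as" AND/OR choice. It is not the product's code; the set of operations beyond ">=", "contains" and "=", the property names used in the constructed picture records, and the decision that a condition on an absent property (a picture with no EXIF block) fails even under NOT are assumptions made here.

```python
import operator
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Operations selectable in the Operation combo box. The help text names ">=" for
# numbers, "contains" for strings and "=" for Booleans; the rest is an assumption.
OPERATIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
    "contains": lambda left, right: str(right) in str(left),
    "equals": lambda left, right: str(left).casefold() == str(right).casefold(),
}


@dataclass(frozen=True)
class Condition:
    prop: str              # left part: a property name from the All properties list
    op: str                # operation
    value: Any             # right part: string, integer, real or Boolean
    negate: bool = False   # the Logical NOT checkbox
    combine: str = "AND"   # "Combine with existing rules as": AND or OR

    def evaluate(self, item: Dict[str, Any]) -> bool:
        if self.prop not in item:
            # Property absent (e.g. no EXIF block): the condition cannot be evaluated,
            # so it fails even under NOT. Design choice made here, not documented by the product.
            return False
        try:
            result = OPERATIONS[self.op](item[self.prop], self.value)
        except TypeError:  # e.g. ">=" between a string and a number
            result = False
        return (not result) if self.negate else result


@dataclass
class Filter:
    name: str
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, item: Dict[str, Any]) -> bool:
        """Rules are folded left to right; each rule's combine mode joins it to the result so far."""
        result = None
        for cond in self.conditions:
            value = cond.evaluate(item)
            if result is None:
                result = value
            elif cond.combine == "OR":
                result = result or value
            else:
                result = result and value
        return True if result is None else result

    def apply(self, items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        return [i for i in items if self.matches(i)]


# Constructed picture records; the property names stand in for the real EXIF/file/picture properties.
SAMPLE_PICTURES = [
    {"Path": r"C:\Users\suspect\Pictures\IMG_0001.jpg", "Manufacturer": "Canon", "PornProbability": 0.12, "Width": 4000},
    {"Path": r"D:\carved\xxx\0042.jpg", "Manufacturer": "NIKON", "PornProbability": 0.91, "Width": 800},
    {"Path": r"D:\carved\xxx\0043.jpg", "PornProbability": 0.83, "Width": 640},  # no EXIF at all
    {"Path": r"C:\Web\cache\spacer.gif", "Manufacturer": "Canon", "PornProbability": 0.0, "Width": 1},
]

PORN_STRICT = Filter("Porn pictures", [Condition("PornProbability", ">=", 0.8)])
NOT_CANON = Filter("Not Canon", [Condition("Manufacturer", "equals", "Canon", negate=True)])
PATH_XXX = Filter('Path contains "xxx"', [Condition("Path", "contains", "xxx")])
PORN_LARGE = Filter("Porn, large", [Condition("PornProbability", ">=", 0.8),
                                   Condition("Width", ">=", 700, combine="AND")])
PORN_OR_CANON = Filter("Porn or Canon", [Condition("PornProbability", ">=", 0.8),
                                         Condition("Manufacturer", "equals", "Canon", combine="OR")])


def run(flt: Filter) -> List[str]:
    """Paths of the sample pictures that pass the filter, in list order."""
    return [p["Path"] for p in flt.apply(SAMPLE_PICTURES)]


if __name__ == "__main__":
    for flt in (PORN_STRICT, NOT_CANON, PATH_XXX, PORN_LARGE, PORN_OR_CANON):
        print(flt.name, "->", run(flt))
```

Raising the PornProbability threshold to 0.8 drops the 0.12 and 0.0 pictures and keeps two, which is the false positive/false negative trade-off described above; "NOT Manufacturer EQUALS Canon" keeps only the NIKON picture and not the carved file without EXIF, so check the Pictures with metadata filter separately if you need to account for pictures whose camera is unknown. As in the product, such a filter belongs to one profile; another profile keeps its own copy.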
Video-specific analysis
The product allows you to break a video into a set of key frames. A key frame is a frame that differs
significantly from the previous frame. For example, quick movement or complete scene change will be
considered to be significant difference.
To save time, you can review key frames only, because other frames will be similar. Thus, you only
review series of pictures instead of watching the entire movie. This will greatly increase the speed and
efficiency of the analysis.
To extract key frames, specify extraction options at the Video tab in the Options dialog. Then right-click
on a video profile and select Extract key frames:
Key frame extraction will start. During the extraction, you will be presented with already extracted
frames under the Key frames sub node of a profile node:
When key frame extraction is completed, you can do the same picture-specific analysis with extracted
key frames as for regular still pictures.
The Key frames filter shows all keyframes extracted from all videos in the data source. If you like to
review keyframes belonging to a particular video, select it in the Picture List and inspect Pictures tab
inside Item Properties window:
Note: key frames are not saved in the database during the extraction. Instead, they are extracted to the
Case Data folder. You may want to delete key frames later, when you finished working on a case, to free
hard drive space. If you need to save some selected frames, you may save them to database like you do
with usual pictures.
See also:
Video options
Storing pictures in database
Changing CaseData folder
Error window
If the product meets an unexpected issue, it will display an Error occurred window containing detailed
technical information about the crash.
Click Details button to see detailed information about the crash. By using this window, you can send an
error report to Belkasoft. To do so, click Copy, then Send to support. Your default email client will open;
a new email will be created. Paste the details there and send us an email. We appreciate your help!
If you do not have access to email on the computer where you are working with the product, you can
save the crash details to a file using Save button. Attach the resulting file to an email sent from another
machine to let us know about the problem.
Apart from the details from Error occurred window some additional technical information might be
required for Belkasoft staff to fix the issue. If you saw an issue, please send us log files from the
corresponding case folder. The Logs folder is stored under CaseData folder for the case. By default the
path can look like the following:
C:\Users\[YOUR ACCOUNT]\AppData\Roaming\Belkasoft\Evidence Center Ultimate\CaseData\[CASE NAME]\Logs\2013.10.27_22.09.27.04.Extract history.txt
Another log folder is stored directly inside CaseData:
C:\Users\[YOUR ACCOUNT]\AppData\Roaming\Belkasoft\Evidence Center Ultimate\CaseData\Logs
This folder stores logs which are not related to current case and relate to the product in general. These
logs are also of particular interest when fixing an issue, so please include them to your email to our
support.
Hopefully, this will not be a frequent operation for you to perform.
Options
The product has a number of options available by clicking the Tools menu item and selecting Options.
Depending on a tool configuration you have, the Options window may contain one or more tabs,
including General, Picture and Video options.
General options
The General options tab contains the following options:
- Language. English is the default language. Other options will be available once the product is
  translated into other languages.
- Default encoding. If you frequently work with histories in the same encoding, which is not
  your system default, you can save time by selecting the default product encoding here. For
  example, if you have the German default locale and work with Chinese Simplified, you can set
  Chinese Simplified as the default encoding. This will save you the trouble of having to choose the
  encoding for every particular profile while extracting evidence.
- Always open the last case. When this option is checked, the product will not ask you which case
  to open at start. The last case will always be opened.
- Log profile search folders. If you suspect that the product does not go through all folders
  available on a device of interest, you can select this option. When checked, the product will save
  all folders traversed while looking for profiles into a task log file. This
  file can be reviewed using Task Manager after the search is over. Please note that the log file
  may become quite big because there may be thousands or tens of thousands of folders on a
  drive.
- Folder to store case data. If your system drive is not big, you can select another drive to store
  your case data. After you have changed the case data folder, restart the product to apply the change.
  Please note that existing cases are not moved to the new place, so you will see a blank case list. If
  you would like to keep all your cases, you can move them to the new place manually. Changing the
  case data folder back to the old one will return the old cases to the case list.
  Note: you should not carve the same drive that you selected for your Case Data, otherwise the
  process will loop, because it will carve the newly created files again and again.
Picture options
The Picture options tab contains the following options:
- Blur pictures detected as porn. When this option is checked, porn pictures will be blurred in the
  Picture Preview window so that you can present your analysis results without too much detail:
  Note, however, that before the porn detection analysis task is completed, all pictures will be
  shown as is, as the tool does not know yet which ones in fact contain explicit content. Also note
  that the Picture Viewer window will always show the original picture (that is, not blurred,
  regardless of whether it is porn or not).
- Show recognized faces bounds. After you run face detection analysis and it has found some
  faces, it is possible to highlight those faces on each relevant picture:
  Detected faces are highlighted with a green rectangle
- Do not blur recognized faces. When you run both porn and face detection, you may preview
  porn pictures blurred except for the face areas:
  Porn picture is blurred but the face is shown as is
- Text recognition language. In order to obtain correct results from text detection, it is
  required to specify the language to detect. Currently the following languages are supported:
  o English
  o Russian
  Additional languages can be added on request. Please note that multilingual recognition is not
  supported.
- Face recognition mode. There are three predefined modes:
  o Less false positives. In this mode you will get fewer incorrectly detected faces, but also
    fewer correctly detected faces (fewer true positives). Select this mode when it is important
    for you to get as few incorrect results as possible and you do not mind missing some
    true faces.
  o Medium false positives.
  o More false positives. In this mode you will get more false positives, but also the maximum
    number of correctly detected faces (more true positives). Select this option when it is
    important for you to get the maximum number of faces and you do not mind reviewing many results.
- Ignore small pictures. Every computer contains thousands of small pictures used for many
  different reasons, e.g. icons, "spacers" or blank pictures for HTML pages and so on. Such pictures
  have no forensic meaning in 99% of cases, so it is better to skip them. You can specify a
  minimum size for a picture to be added to your case. Smaller pictures will be silently ignored.
See also:
Detecting faces
Detecting text
Detecting pornography
Picture-specific analysis
Video options
The Video options tab contains the options that control key frame extraction:
Frames per second. If you’d like to extract key frames quickly, you can instruct the product to
take one frame per 10 seconds (the leftmost value of this option is 0.1 frames per second). The
available range is 0.1 FPS to 50 FPS. For most videos, 50 FPS is equivalent to analyzing every
frame. This gives more accurate results, but takes much longer.
Frames similarity. A key frame is a frame that differs significantly from the previous frame. For
example, quick movement or a complete scene change is considered a significant
difference. You may tune this parameter to get more or fewer resulting frames. The available
range is 0 to 100; however, the number has no natural meaning and is for
reference only.
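The two options above can be read as a sampling rate and a difference threshold. The following Python script is an added illustration of that reading and is not Belkasoft's code: the product's actual key frame algorithm is not documented, so the linear mapping from the 0..100 similarity value to a pixel-difference threshold, the comparison against the previous sampled frame, and the tiny constructed 30 FPS clip are all assumptions made for the example.

```python
"""Key-frame selection by frame sampling and inter-frame difference.

Added illustration of the 'Frames per second' and 'Frames similarity' options.
It is not Belkasoft's code; the product's real algorithm is not documented.
Frames are modelled as flat lists of 8-bit grayscale pixel values.
"""
from typing import List, Optional, Sequence

Frame = Sequence[int]

MIN_SAMPLE_FPS = 0.1   # leftmost slider value: one frame per 10 seconds
MAX_SAMPLE_FPS = 50.0  # rightmost slider value: effectively every frame


def frame_difference(a: Frame, b: Frame) -> float:
    """Mean absolute pixel difference between two equally sized frames (0..255)."""
    if not a or len(a) != len(b):
        raise ValueError("frames must be non-empty and equally sized")
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def similarity_to_threshold(similarity: int) -> float:
    """Map the 0..100 'Frames similarity' value to a pixel-difference threshold.

    Assumed linear mapping: 0 keeps every sampled frame, 100 keeps a frame only
    when it differs completely (mean difference 255) from the previous one.
    """
    if not 0 <= similarity <= 100:
        raise ValueError("similarity must be within 0..100")
    return 255.0 * similarity / 100.0


def select_key_frames(frames: Sequence[Frame], source_fps: float,
                      sample_fps: float, similarity: int) -> List[int]:
    """Return the indices of the frames selected as key frames.

    1. Sample the clip at 'sample_fps' (clamped to 0.1..50) by keeping every
       round(source_fps / sample_fps)-th frame; at 50 FPS a 25 or 30 FPS clip
       is sampled frame by frame, which matches the manual's remark.
    2. The first sampled frame is always a key frame.
    3. A later sampled frame is a key frame when its difference from the
       previous sampled frame reaches the threshold derived from 'similarity'.
    """
    sample_fps = min(MAX_SAMPLE_FPS, max(MIN_SAMPLE_FPS, sample_fps))
    step = max(1, round(source_fps / sample_fps))
    threshold = similarity_to_threshold(similarity)

    key_frames: List[int] = []
    previous: Optional[Frame] = None
    for index in range(0, len(frames), step):
        frame = frames[index]
        if previous is None or frame_difference(previous, frame) >= threshold:
            key_frames.append(index)
        previous = frame
    return key_frames


def make_frame(value: int, pixels: int = 16) -> List[int]:
    """Constructed 4x4 flat frame with every pixel set to 'value'."""
    return [value] * pixels


# Constructed 12-frame, 30 FPS clip: a static scene (frames 0-3), the same scene
# with slight noise (frames 4-7) and a complete scene change (frames 8-11).
SAMPLE_FRAMES: List[List[int]] = (
    [make_frame(10)] * 4 + [make_frame(14)] * 4 + [make_frame(200)] * 4
)
SOURCE_FPS = 30.0


if __name__ == "__main__":
    print(select_key_frames(SAMPLE_FRAMES, SOURCE_FPS, 30, 20))   # [0, 8]
    print(select_key_frames(SAMPLE_FRAMES, SOURCE_FPS, 10, 20))   # [0, 9]
    print(select_key_frames(SAMPLE_FRAMES, SOURCE_FPS, 0.1, 20))  # [0]
    print(select_key_frames(SAMPLE_FRAMES, SOURCE_FPS, 30, 0))    # every frame
```

Running the script shows why the manual calls the similarity number a reference value only: the same clip yields the scene change alone at similarity 20, every frame at similarity 0, and nothing but the first frame when the sampling rate drops to 0.1 FPS, because a 12-frame clip at 30 FPS is shorter than the 10-second sampling interval.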
See also:
Video-specific analysis
Changing CaseData folder
The product stores a significant amount of data inside a special folder called CaseData. The main case
database is stored there. Besides, various temporary data is placed in the CaseData folder, such as carved
files and databases, extracted key frames, thumbnails for quick picture preview, task logs, error logs and
so on. This is why this folder can occupy several gigabytes.
By default, the CaseData folder is stored on your system drive inside your User folder. Sometimes, however,
the system drive is small and you would prefer the product to store its data on another drive. To assign
CaseData to another drive, change the Folder to store case data option on the General tab
of the Options window:
Exit the product. It is now safe to re-open Evidence Center. Your new cases and their data will be
stored in the new case folder.
Note: if you need to move your existing cases to the new location, copy the entire contents of the
CaseData folder from the default location to the new one before re-running the product.
Mounting disk or mobile device images
The product supports mounting drive, mobile device and Live RAM images in the following forensic
formats:
• EnCase evidence files, both E01s and Ex01s for the new EnCase v.7.
• FTK AFF and other AF* images.
• X-Ways containers.
• UFED physical images for Android devices.
• Atola .img images.
• DD raw images.
• SMART images.
• Live RAM images, created by Belkasoft Live RAM Capturer and other memory dumping tools.
Multi-part images are supported; the number of files is not limited.
The following file systems are currently supported:
• All Windows: all FAT*, exFAT, NTFS.
• Mac OS X: HFS, HFS+.
• *nix (Unix/Linux): ext2, ext3, ext4.
• Android YAFFS filesystem.
Checking updates
If you have an Internet connection, you can check whether a new version is available on the Belkasoft
website. To do so, go to the Help main menu and select the Check updates item. The following window will be
shown:
In a few seconds the software will report whether a new version is available:
In most setups investigators cannot have an Internet connection on the workstation where Belkasoft
software is installed. In this case you can log in to the Customer Portal and check the availability of new
versions there.
Available features
Some features described in this manual may not be available depending on the configuration you
have purchased. The list of currently supported features is as follows:
• Browser Analysis
• Deleted Information Retrieval (Carving)
• Document Analysis
• Email Analysis
• Encryption Detection
• Instant Messenger Analysis
• Live RAM Dump Analysis
• Mobile Device Backups analysis
• Mounting Drive Images such as EnCase evidence files, AFF, UFED, X-Ways, SMART, DD
(Windows, Mac OS X, Linux and Android file systems)
• Network Traffic Analysis for chat artifacts
• Picture Analysis: porn, text and face detection
• Picture Analysis: forgery detection
• Registry Analysis
• System File Analysis
• Video analysis: key frames extraction; porn, text and face detection
Features available in your purchased configuration are shown in the About screen:
Click About under the Help menu to open this list.
Please see the product versions and editions comparison table on our Web site at http://belkasoft.com to
find out which features are included in which version and edition of the product.
You can always upgrade your purchased configuration to a more powerful one at a discount.
Demo mode limitations
The product runs in a restricted demo mode until you purchase it. The demo mode limitations are the
following:
• The product works for 10 days from the first run
• Only a small part of the history (no more than 20 items) is extracted per contact/mail
folder/browser/image/video/network traffic profile
• QQ 2009-2012 is not supported
To make your copy fully functional, please purchase the product. Law Enforcement, Government and
Academic organizations may apply for a fully functional trial license.
Registering product
The product runs in a restricted demo mode until you purchase a license. You can do this directly on our
Web site or through Belkasoft resellers.
Hardware ID
If you opted to purchase a fixed license, you will be asked to supply the Hardware ID of the computer
you’re about to use with the product. To obtain this ID, install the product on your target
machine and open the License information window available in the Help main menu:
Click Copy ID to copy your Hardware ID.
After the purchase
When your purchase is complete, you will receive a link to your Customer Portal along with instructions
on how to log in. You should download the non-demo product installation file and your license file from
the Customer Portal, install the product and unpack the downloaded license file "features.xml.zip" into
the product folder. The archive contains a single file, "features.xml", which you should place in the
product folder as shown below:
Once you have unpacked the license file into the product folder, all purchased features will be available on the
next product launch.
If you purchased a floating license, you will also receive a USB key that you should insert into a USB port
on your computer before running the product. Allow some time for Windows to recognize the USB key.
Don't forget to copy your license file; it is still needed even though you are using a dongle-based license.
You can check whether the product is registered correctly by selecting the About item of the Help main menu. If everything
is OK, the About window will contain your organization name in the This product is registered to area:
In some cases your license code will be required in order to provide customer support. To obtain your
license code, select License information from the Help menu. The following screen will be shown:
You can copy the key by clicking the Copy license button.
License types
There are two kinds of product usage, each with its own licensing:
• Fixed license. This license is tied to a single computer. It allows you to use the software only on
the one computer that was specified during the purchase. You cannot use the software on other
computers. This kind of license is less expensive than the floating one. To purchase this license, you
will have to provide the Hardware ID of your target computer, shown in the License
information window. If you re-install the system or add any hardware (including virtual
hardware), your Hardware ID may change. In this case you will have to request a new key from
Belkasoft. Your old key will be disabled.
You should purchase a license for every workstation on which you would like to install the software.
• Floating license. This license allows you to use the software on any computer that has the product
USB key (dongle) inserted. Your license key is not tied to any particular computer; however, the
program will not run without a dongle, nor will it allow you to perform operations if you remove the
dongle from your computer while the program is running. This license is more expensive than
the fixed one, but it gives you much more flexibility, in particular the freedom to change your hardware
configuration.
Why choose floating?
If you need more flexibility (e.g. you are going to use the software on different computers), you can
choose the floating license. For example, if you have 6 investigators and each investigator has 2
workstations and a laptop, instead of purchasing 18 fixed licenses you can purchase 6 floating licenses
and save money. Please note that, unlike the fixed license, which is available to you almost immediately
after the purchase, the floating license requires USB keys to be delivered to you, and your keys may take
a while to arrive. We will be happy to supply a temporary fixed license to enable you to use the product
right away.