
By Shafik G. Punja

Introduction

Hello fellow digital forensic colleagues! This is a brief review of the BEC product, but
let me preface it by stating that anything stated herein is a reflection of my
own thought processes, is not representative of my employer, and has NOT been
influenced by Belkasoft. My second prefacing statement: I use a wide variety
of tools for analyzing data. I find this pluralistic diversity of using a
variety of different tools an asset, in that it allows me to view the same data from
different perspectives. No software is perfect; our collective use and subsequent
reporting of any issues greatly helps improve any product.
My first interest in the Belkasoft products was specifically for parsing Instant
Messenger (IM) chat communications. I have been watching the Belkasoft
products evolve for well over 5 years, with more features being added to assist
examiners.
Belkasoft Front Matter
If you are not familiar with the Belkasoft products you can check out their website:
https://belkasoft.com/.
A most excellent resource for the reader is also their blog:
https://belkasoft.wordpress.com/. The blog contains news as well as excellent
articles, which provide a great deal of information. All articles are also available at
https://belkasoft.com/articles.
The intent of this review is to provide an overview of the Belkasoft Evidence Center
Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC,
which is beyond the scope of this article. I strongly urge you to obtain a trial
version and explore the product.
In addition to BEC, there are two FREE companion standalone tools, which
Belkasoft provides: Belkasoft Acquisition Tool (called BelkaImager) and Belkasoft
Live RAM Capturer. A really quick overview of the BelkaImager product can be found
at: http://www.weare4n6.com/imaging-drives-and-mobile-devices-withbelkaimager/.
BelkaImager is also integrated into BEC and is found under
Tools->Acquisition. The BelkaImager product can be used for acquiring data from
traditional computers, laptops and also mobile devices. An interesting feature of the
imager is its ability to download cloud data. Google Drive, Google Plus and iCloud
are currently supported.
Starting BEC & Case Setup
Like other forensic acquisition and analysis products that you may have been
exposed to, BEC is a GUI based interface tool.
When starting the product, there seems to be some delay on my examination
computer, which I first observed a few releases ago, before version 8. The case setup
is consistent regardless of what type of device, file, image or data you are examining.
In order to configure BEC options you will need to create a case first. In this
product overview an Android image will be used to demonstrate basic product
features. During the case creation process please remember to select the
appropriate time zone settings and any case description that you feel is necessary.
Open Case Dialog – New Case
Make sure that, after you create your case and before you press ‘OK’, you
select Options, which is found on the right side of the ‘Open Case’ window. This is
not necessary, but it can be useful, for example, to assign a temporary folder (if the C
drive is a small SSD, it makes sense to assign another, bigger magnetic drive to
store BEC temporary data). Otherwise the default options will work well without any
further adjustments.
Within the ‘Open Case Dialog’ window there are 4 tabs: General, Picture, Video
and Hashes.
Open Case Dialog – Options and Tab Options
The tab layout is shown in the screenshots below with default settings.
Note in the Video tab the ability to extract frames automatically.
The default settings, which are already checked, are used.
Add data source Window – Step 1: What sources would you like to analyze?
After you select your options, BEC will prepare the case and then prompt you to
add a data source through the ‘Add data source’ window. From this window you
can choose one type or multiple types of data sources. In this case, BEC is used to
analyse a ‘DumpData.bin’ file. This is a physical image of a Samsung SM-G900W8 Android
device, running Android OS 5.1.1, acquired with UFED 4PC 5.3. The
screenshot below provides a view of the ‘Add data source Dialog’ window.
Add data source Dialog – Data sources: Take note of the various type of data
sources that can be added for ingestion into BEC.
The ‘Run hashset analysis’ option allows an examiner to import hashsets which BEC can
leverage in order to perform hash value matches of content.
Add data source Window – Step 2: What would you like to search for?
In this window the examiner will hopefully be quite informed about the type of
content that is to be searched. As you can see, data type categories are shown in
the left pane, with the app types supported relative to each operating system. As a
humble suggestion, please take the time to really target what you are looking for
and try NOT to select everything as shown in the screenshot below.
The more artifacts you select, the longer the initial analysis will take. For example, if
you are looking inside an Android phone, there is no sense in looking for Windows
artifacts. However, if you are investigating a Windows computer, it makes sense to
have Android artifacts selected just in case an Android backup is found on the
computer. Encrypted files detection can take a good amount of time, so if you are
not interested in an encryption search, unchecking ‘Encrypted files’ will speed up the
analysis.
Analyze: Take a moment to review which partition areas you want to look at.
This specific Android operating system image has numerous partitions, and in this
case, only partition structures which might prove of use are selected for
examination.
If you want to pursue data carving you can check ‘Carve’ and again specify the
partitions, allocated and/or unallocated space.
When you have finished optimizing the data searches, for your specific needs, then
press the Finish button. Another window will appear asking whether you want to
add another data source.
If ‘Yes’ was selected, then ‘Add data source Dialog – Data sources’ dialog window
would appear. In this case, ‘No’ was selected and this initiates the processing of
the data source along with specified search selections.
BEC Interface
The main BEC interface window presents three main areas, much like
most GUI-based digital forensic products:
Above the tri-pane interface, please note the product toolbar, which consists of
both icons and a text-based menu. Under ‘Help’ there is both offline
and online help documentation.
If you find the tri pane interface too congested, you have the option of customizing
the display of the windows using the floatable, auto-hide, tab, or hide features.
Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab you
select in this area drives what the right upper pane displays: clicking an item in
any of these tabs causes the right upper pane to show the corresponding data source
items, depending on the tab you are in and the type of data being viewed.
• Overview tab (left tab in left pane): This tab will provide a breakdown of the
various types of data sorted into categories.
• Case Explorer tab (middle tab, in left pane): This tab provides access to view
Timeline data, and data sources. Here you can see that it also shows the
partition structures that are contained within the binary dump. If you recall
earlier, I only selected to have three partitions ingested for data parsing. It
would be nice to have an option to exclude the unselected partitions, from
being viewed in this tab.
Within the Case Explorer tab, data is broken down into data type categories:
Browsers, Cloud services, Instant Messengers etc.
• File System tab (right tab, in left pane): This tab shows all the data sources
ingested by BEC. If the data source contains partitions/volumes which
contain file systems that BEC can understand, they will appear here. This is
a refined view from the Case Explorer tab. However, I still have to dig to
identify the various partitions/volumes, as they are named ‘vol_xxxxxx’,
where xxxxxx is the offset value in decimal of the start of the volume. As
indicated previously, I am only interested in three partitions. It would be
nice if in future BEC releases the actual volume (partition) name was
provided, and only volumes selected for analysis were listed, with the option
to view unselected volumes if an examiner needs.
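One way to map the ‘vol_<decimal offset>’ labels described above back to the real partition names is to read them from the image’s GPT. This is an added example, not Belkasoft code; it assumes a GPT-partitioned physical image with 512-byte sectors, and the image bytes are constructed in memory rather than read from a real DumpData.bin.

```python
"""Resolve BEC-style 'vol_<decimal byte offset>' volume labels to GPT
partition names. Added example, not Belkasoft code. Assumes a GPT image
with 512-byte sectors (typical for an eMMC dump); SAMPLE is a constructed
in-memory image, not a real acquisition."""
import struct
import uuid

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, located at LBA 1
ENT_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def gpt_volume_names(image: bytes) -> dict:
    """Map 'vol_<offset>' (decimal byte offset of the volume start, the way
    BEC labels volumes) to the UTF-16LE name stored in each GPT entry."""
    fields = struct.unpack_from(HDR_FMT, image, SECTOR)
    if fields[0] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entry_lba, n_entries, entry_size = fields[10], fields[11], fields[12]
    # Header and entry-array CRC32 checks are omitted here; a production
    # tool should verify both before trusting the table.
    names = {}
    for i in range(n_entries):
        off = entry_lba * SECTOR + i * entry_size
        type_guid, _uniq, first_lba, _last, _attr, raw_name = \
            struct.unpack_from(ENT_FMT, image, off)
        if type_guid == b"\x00" * 16:      # unused entry slot
            continue
        name = raw_name.decode("utf-16-le").rstrip("\x00")
        names[f"vol_{first_lba * SECTOR}"] = name
    return names


def build_sample_image(parts) -> bytes:
    """Constructed image: empty protective-MBR sector, GPT header, entries."""
    entries = b"".join(
        struct.pack(ENT_FMT, LINUX_FS_GUID.bytes_le, uuid.uuid4().bytes_le,
                    first, last, 0, name.encode("utf-16-le").ljust(72, b"\x00"))
        for name, first, last in parts)
    header = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                         1, 0, 34, 0, uuid.uuid4().bytes_le,
                         2, len(parts), 128, 0)
    return bytes(SECTOR) + header.ljust(SECTOR, b"\x00") + entries


# Constructed partition layout (names and LBAs are assumptions).
SAMPLE = build_sample_image([("SYSTEM", 2048, 100000),
                             ("USERDATA", 100001, 500000),
                             ("CACHE", 500001, 600000)])

if __name__ == "__main__":
    for label, name in gpt_volume_names(SAMPLE).items():
        print(f"{label} -> {name}")
```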
Right Upper Pane: This is the data examination area where you can review the
parsed data or analyze data structures. The user can add or remove tabs in this
area through the ‘View’ function on the toolbar.
Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex
Viewer and Search Results.
• Task Manager: Here you can observe any tasks that are running, scheduled,
or completed.
• Item Properties: Here you can inspect the properties of a single item that
has been selected from a parsed data source in the Case Explorer (left pane)
and viewed within a correlated tab in the right upper pane. An example is
shown in the following screenshot. Following the arrows: the touch.db file is
selected in the Case Explorer (left pane), its database structure is viewed
in the SQLite Viewer (right upper pane), and a specific record from the
experience_members table is examined in Item Properties (right lower pane).
The actual database (.db) file is identified in the ‘Current file’ information bar.
• Hex Viewer: This is located in the lower right pane, Hex Viewer tab. From
the previous example, highlighting a record (row) in the SQLite database file,
Data tab, locates that data in the Hex Viewer showing the offset it is located
at. There is also a ‘Type Converter’ which assists with data decoding.
• Search Results: This tab displays the search results. To initiate a search
access the search function from the search icon in the toolbar.
Then select what you would like to search, data source(s) and the profiles to
search in:
Data Filtering
The ability to filter data is important when trying to sift through any amount of
information. The filter window is automatically invoked by BEC when you are
either in the Case Explorer tab, or Overview tab, looking at a specific category of
data.
Select ‘Add Filter’.
Then select one or more of the filter criteria. The filter criteria change based upon
the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers,
Mailboxes, etc.
For examination of a SQLite database, I can use the SQLite Viewer tab (upper right
pane) to examine each table and the columns within a table. BEC very nicely
displays the number of database records and the number of journaled records
(which are part of the number of records count).
The colouring of the rows is done by BEC to visually assist with identification of
data:
• journaled records – light blue coloured row
• examiner selected record – dark blue coloured row
• actual database records – white coloured row
• deleted records – red coloured row
However, what I do note is that I cannot easily search/filter any table columns,
which would be a useful feature. I cannot invoke the Filter window whilst in the
SQLite Viewer tab; I must go back to the Message List tab. I would like to see the
ability to filter any item of data from any column.
I can quickly convert the time stamps by right clicking on the
‘experience_comment_creation_timestamp’ column and drilling down to ‘Choose
type’ and selecting UTC Unix time.
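The conversion the reviewer applies through ‘Choose type’ can be reproduced outside BEC, which is useful for verifying what the viewer shows. This is an added example, not Belkasoft code; the column name comes from the review, while the table name, rows and file are constructed stand-ins for touch.db. It goes beyond the page by also recognising millisecond epochs, which Android apps commonly store alongside plain seconds.

```python
"""Decode 'experience_comment_creation_timestamp' as UTC Unix time, the same
conversion chosen via 'Choose type' in BEC's SQLite Viewer. Added example,
not Belkasoft code. The table name and sample rows are constructed; only the
column name is taken from the review."""
import sqlite3
from datetime import datetime, timezone

COLUMN = "experience_comment_creation_timestamp"
MS_THRESHOLD = 100_000_000_000   # seconds epochs stay below 1e11 until year 5138


def unix_to_utc(value) -> str:
    """Return an ISO-style UTC string for a Unix epoch stored in seconds or
    milliseconds; NULL values decode to an empty string."""
    if value is None:
        return ""
    value = int(value)
    if value >= MS_THRESHOLD:                 # treat as milliseconds
        secs, ms = divmod(value, 1000)
        base = datetime.fromtimestamp(secs, timezone.utc)
        return base.strftime("%Y-%m-%d %H:%M:%S") + f".{ms:03d} UTC"
    return datetime.fromtimestamp(value, timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for touch.db with one table holding the column."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE experience_comments(_id INTEGER PRIMARY KEY,"
                f" body TEXT, {COLUMN} INTEGER)")
    con.executemany("INSERT INTO experience_comments VALUES (?,?,?)", [
        (1, "seconds epoch", 1451606400),          # 2016-01-01 00:00:00 UTC
        (2, "milliseconds epoch", 1451606400123),  # same instant + 123 ms
        (3, "never set", None),                    # NULL timestamp
    ])
    return con


def decoded_rows(con) -> list:
    """Fetch every row and append the decoded timestamp next to the raw value."""
    cur = con.execute(f"SELECT _id, body, {COLUMN} FROM experience_comments")
    return [(rid, body, raw, unix_to_utc(raw)) for rid, body, raw in cur]


if __name__ == "__main__":
    for row in decoded_rows(build_sample_db()):
        print(row)
```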
Results
During my analysis of the parsed binary file, I was able to exclude the Touch app
(touch.db) for any data of interest, other than verifying the Touch account user
identification information. The date filtering feature allowed for a quick review of
messages for a specific time period. The Timeline view provided me with a nice
overview of the activities that occurred on the device in the time period of
interest. The SQLite Viewer tool, in conjunction with the Hex Viewer, proved very
useful in reviewing data that consisted of any deleted recovered artifacts,
journaled data, and live database records.
Summary
The BEC software usage information presented thus far is certainly not an exhaustive
description of all the features of this product. Depending upon the types of data
sources you are examining, there are other areas of the product that are not
demonstrated here, such as those available in the View dropdown menu:
• Registry viewer and Plist Viewer data
• Connection graph functions are useful features to view communication
relationships between contacts.
Also take note of the ability to export data from BEC to:
• the BEC evidence reader, which allows investigators to review the data
themselves
• ‘Export to UFDR’, which exports the data in UFDR format for import into UFED
Physical Analyzer.
All the numerous benefits of BEC can be reviewed at these links:
• https://belkasoft.com/bec/en/evidence_center.asp
• https://belkasoft.com/bec/en/Evidence_Center_Features.asp
However, as a user of this product one of the key benefits for me is the ability of
this product to ingest multiple data sources, with the ability to review data from
various types of apps on smart phone platforms.
As noted at the start of this review, software products can be improved with user
input to the developer. If you encounter a situation where the data you are
examining is not being parsed correctly or is missed, and/or you note an issue with the
software, then please make the time to contact Belkasoft so they can provide
assistance. When I have contacted Yuri, I have received a timely reply (usually
within 24-48 hours) from Yuri acknowledging any issues. And they (Yuri and his
team) have been very responsive in providing fixes.
In closing, I hope you take the time to review this product on your own and test it
for your own needs.
About the Reviewer
Shafik is a digital forensic examiner for a law enforcement agency, currently assigned to the
Digital Forensics Team (Cyber/Forensic Unit), and has been working in this area since 2003.


First offering in Western Canada of Teel Technologies Advanced Mobile Forensics courses

In the Donald Rix Simulation Lab at Justice Institute of British Columbia, (JIBC), 10 men are deep in concentration at tables that are messy with soldering irons, tweezers, screw drivers and small square electronic boxes with gear that allows them to communicate with cell phones. Cell phones are splayed open, the shiny microchip guts of the digital technology that we use to communicate with, and that hold the revealing pathways of our personal interconnectedness, are being retrieved, mined, and even turned into reports that may end up in a courtroom.

This is the first ever offering in Western Canada of the Teel Technologies WildPCS Mobile Device Repair and JTAG Mobile Forensics Training, a five day course by Teel Technologies Canada that took place in late September. The company specializes in tools, services and training for professionals tasked with investigating wireless devices, analyzing networks, or securing communications.

Law Enforcement officers from across Canada have come to JIBC from municipal police forces and R.C.M.P. Detachments to learn how to dismantle, repair, access data and decode this data for reporting purposes.

Retired detective a ‘cop geek’

TEEL Technologies Canada is owned by Bob Elder (partnered with Bill Teel in the USA). Elder is a retired detective from Victoria Police Department and currently a Special Constable with the Saanich Police Department.

Known as CopGeek018 around the world, the nickname came from Elder’s passion for getting information from cell phones, portable storage media, and digital devices like cameras, GPS units, mass storage items and computers. It’s a relatively new field with the teaching of how to retrieve mobile data from secure devices using processes like JTAG and Chipoff.  And, it’s a field that demands constant research to keep up with ever-changing technology.  Elder says that every time a new operating system is developed, the technology challenges what he already knows.

On the third day of the course, Elder is observing Perry Kuhl, a detective with the Santa Barbara’s County Sheriff Office, who is teaching the course this time. Most of the instructors are full time police officers who teach for Teel Tech on their own time, geeks like Elder, who are passionate about this new field.

Law enforcement from across Canada

The law enforcement officers in attendance have come from Sarnia, Regina, Winnipeg, Edmonton and Vancouver. They’ll leave with software, hardware, and most importantly, the knowledge they need to return to their units and put their newly acquired skills to immediate use.

There’s no doubt that Elder and the others who work in this field have endless stories they could share — the ones we’d all most want to hear — but they’re police officers, they’re used to keeping information close to the chest. Information is incrimination.  Think gang members involved in illegal activities. Drug Dealers. Homicides. Suicides.

“Almost everyone uses a phone and that phone tells many stories,” says Elder. Sometimes the need to access a phone isn’t as much sinister as it is about finding the relatives of an individual found dead with no identification. “Those last text messages are full of useful information,” says Kuhl. “Other times, it’s the 20,000 text messages on a cell phone where 500 of those texts are proof of trafficking; proof that the one time you saw them dealing is not an isolated incident, the proof that may eventually lead to his incarceration.”

Elder came to this new and specialized focus in detective work through ongoing research and he’s keen to share what he’s learned with interested peers. He describes the ability to host courses at JIBC as a win-win partnership.

Specialized terminology

In the course of the week, the officers use terminology that’s unfamiliar to most of us: Flasher Box; JTAG (Joint Test Action Group); and Chip-off, the latest process for extracting user data from locked phones. There’s also logical data, which refers to the e-mail and text messages that are readily visible on a phone; and, physical data, or all the data including deleted data not readily accessible using typical forensic tools.

A suite of courses to be offered January 2014

This first course with JIBC as a hosting partner for Teel Technologies Canada is part of a suite of courses to be offered in the future at the New Westminster campus. Normally, the courses are taught only in the U.S.: Las Vegas, Los Angeles, Atlanta and Norwalk, Connecticut.

In some cases, agencies host the training at their training centers. The next line of courses begins at JIBC in January and includes: Cellebrite Forensic Certified Training; Advanced Chipoff Forensics; Programming for Mobile Forensics; and more.

In Canada, Teel Technologies also offers these courses at Peel Regional Police Training Bureau. TEELTechnologies was hosted by the Justice & Public Safety Division of JIBC.
