By Shafik G. Punja
Hello fellow digital forensic colleagues! This is a brief review of the BEC product, but
let me preface it first by stating that anything stated herein is a reflection of my
own thought processes, is not representative of my employer and has NOT been
influenced by Belkasoft. My second prefacing statement: I use a wide variety
of tools for analyzing data. I find this pluralistic diversity of using a
variety of different tools an asset in that it allows me to view the same data from
different perspectives. No software is perfect; our collective use and subsequent
reporting of any issues greatly helps improve any product.
My first interest in the Belkasoft products was specifically for parsing Instant
Messenger (IM) chat communications. I have been watching the Belkasoft
products evolve for well over 5 years, with more features being added to assist
Belkasoft Front Matter
If you are not familiar with the Belkasoft products you can check out their website:
https://belkasoft.com. A most excellent resource for the reader is also their blog:
https://belkasoft.wordpress.com. The blog contains news as well as excellent
articles, which provide a great deal of information. All articles are also available at
The intent of this review is to provide an overview of the Belkasoft Evidence Center
Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC,
which is beyond the scope of this article. I strongly urge you to obtain a trial
version and explore the product.
In addition to BEC, there are two free companion standalone tools which
Belkasoft provides: Belkasoft Acquisition Tool (called BelkaImager) and Belkasoft
Live RAM Capturer. A really quick overview of the BelkaImager product can be found
BelkaImager is also integrated into BEC and is found under
Tools->Acquisition. The BelkaImager product can be used to acquire data from
traditional computers and laptops as well as mobile devices. An interesting feature of the
imager is the ability to download cloud data. Google Drive, Google Plus and iCloud
are currently supported.
Starting BEC & Case Setup
Like other forensic acquisition and analysis products you may have been
exposed to, BEC is a GUI-based tool.
When starting the product there is some delay on my examination
computer, which I first observed a few releases ago, pre-version 8. The case setup
is consistent regardless of what type of device/file/image/data you are examining.
In order to configure BEC options you need to create a case first. In this
product overview an Android image is used to demonstrate basic product
features. During case creation, remember to select the
appropriate time zone settings and add any case description that you feel is necessary.
Open Case Dialog – New Case
Make sure that after you create your case, and before you press ‘OK’, you
select Options, which is found on the right side of the ‘Open Case’ window. This is
not necessary, but can be useful, for example to assign a temporary folder (if the C
drive is a small SSD, it makes sense to assign another, bigger magnetic drive to
store BEC temporary data). Otherwise the default options will work well without any
Within the ‘Open Case Dialog’ window there are 4 tabs: General, Picture, Video
Open Case Dialog – Options and Tab Options
The tab layout is shown in the screenshots below with default settings.
Note in the Video tab the ability to extract frames automatically.
The default settings, which are already checked, are used.
Add data source Window – Step 1: What sources would you like to analyze?
After you select your options, BEC will prepare the case and then prompt you to
add a data source through the ‘Add data source’ window. From this window you
can choose one type or multiple types of data sources. In this case, BEC is used to
analyse a ‘DumpData.bin’ file. This is a physical image of an Android Samsung SM-G900W8
running Android OS 5.1.1, acquired with UFED 4PC 5.3. The
screenshot below provides a view of the ‘Add data source Dialog’ window.
Add data source Dialog – Data sources:
Take note of the various types of data
sources that can be added for ingestion into BEC.
The ‘Run hashset analysis’ option allows an examiner to import hashsets, which BEC can
then use to perform hash value matching of content.
Add data source Window – Step 2: What would you like to search for?
In this window the examiner will hopefully be quite informed about the type of
content to be searched. Data type categories are shown in
the left pane, with the app types supported for each operating system. As a
humble suggestion, please take the time to really target what you are looking for
and try NOT to select everything, as shown in the screenshot below.
The more artifacts you select, the longer the initial analysis will take. For example, if
you are looking inside an Android phone, there is no sense in looking for Windows
artifacts. However, if you are investigating a Windows computer, it makes sense to
have Android artifacts selected just in case an Android backup is found on the
computer. Encrypted file detection can take a good amount of time, so if you are
not interested in an encryption search, unchecking ‘Encrypted files’ will speed up the
Analyze: Take a moment to review which partition areas you want to look at.
This specific Android operating system image has numerous partitions, and in this
case only partition structures which might prove of use are selected for
If you want to pursue data carving, check ‘Carve’ and again specify the
partitions and allocated and/or unallocated space.
When you have finished tailoring the data searches to your specific needs,
press the Finish button. Another window will appear asking whether you want to
add another data source.
If ‘Yes’ is selected, the ‘Add data source Dialog – Data sources’ window
appears again. In this case ‘No’ was selected, which initiates processing of
the data source with the specified search selections.
The main BEC interface window presents 3 main areas, much like
most GUI-based digital forensic products.
Above the tri-pane interface, note the product toolbar, which consists of
both icons and a text-based menu. Under ‘Help’ there is offline
and online help documentation.
If you find the tri-pane interface too congested, you have the option of customizing
the display of the windows using the floatable, auto-hide, tab, or hide features.
Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab
selected here also drives the view in the right upper pane: actions taken
in any of these tabs cause the right upper pane to display
certain data source items, depending on the tab you are in and the type of data being
Overview tab
Left tab in the left pane. This tab provides a breakdown of the various types of data, sorted into categories.
Case Explorer tab
Middle tab in the left pane. This tab provides access to view
Timeline data and data sources. Here you can see that it also shows the
partition structures contained within the binary dump. If you recall,
earlier I selected only three partitions to be ingested for data parsing. It
would be nice to have an option to exclude the unselected partitions from
being viewed in this tab.
Within the Case Explorer tab, data is broken down into data type categories: Browsers, Cloud services, Instant Messengers etc.
File System tab
Right tab in the left pane. This tab shows all the data sources ingested by BEC. If a data source contains partitions/volumes holding file systems that BEC can understand, they will appear here. This is a refined view compared to the Case Explorer tab. However, I still have to dig to identify the various partitions/volumes, as they are named ‘vol_xxxxxx’, where xxxxxx is the decimal byte offset of the start of the volume. As indicated previously, I am only interested in three partitions. It would be nice if in future BEC releases the actual volume (partition) name was provided, and only volumes selected for analysis were listed, with the option to view unselected volumes if an examiner needs to.
Right Upper Pane: This is the data examination area where you can review the parsed data or analyze data structures. The user can add or remove tabs in this area through the ‘View’ function on the toolbar.
Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex Viewer and Search Results.
Task Manager tab
Here you can observe any tasks that are running, scheduled, or completed.
Item Properties tab
Here you can inspect the properties of a single item that has been selected from a parsed data source in the Case Explorer (left pane) and viewed within a correlated tab in the right upper pane. An example is shown in the following screenshot, following the arrows: the touch.db file is selected in the Case Explorer (left pane), the database structure is viewed in the SQLite Viewer in the right upper pane, and a specific record from the experience_members table of touch.db is examined in Item Properties (right lower pane). The actual database (.db) file is identified in the ‘Current file’ information bar.
Hex Viewer tab
This is located in the lower right pane. From the previous example, highlighting a record (row) in the Data tab of the SQLite database file locates that data in the Hex Viewer and shows the offset at which it is located. There is also a ‘Type Converter’ which assists with data decoding.
Search Results tab
This tab displays the search results. To initiate a search, access the search function from the search icon in the toolbar.
Then select what you would like to search for, the data source(s) and the profiles to search in.
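The ‘vol_xxxxxx’ labels in the File System tab are decimal byte offsets, and an examiner can resolve them to real partition names by reading the image's own GPT. The Python below is an added example written for this write-up, not BEC's or Belkasoft's code: it parses the primary GPT header and entry array from a raw image and maps each partition's starting byte offset to its name, so a label such as vol_25165824 can be looked up directly. It assumes a GPT-partitioned image with 512-byte logical sectors (the usual layout for an Android handset's eMMC, but verify against your own dump); the function and constant names (parse_gpt_partitions, resolve_volume_label, build_sample_image, SAMPLE_PARTS) are mine, and the sample image is constructed in memory with made-up LBAs rather than taken from the reviewed DumpData.bin.

```python
import struct
from typing import Dict, Optional

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors, as on a typical handset eMMC


def parse_gpt_partitions(image: bytes, sector_size: int = SECTOR_SIZE) -> Dict[int, str]:
    """Map the byte offset at which each GPT partition starts to its partition name.

    Reads the primary GPT header at LBA 1 and the partition entry array it points to.
    The header and entry-array CRC32 fields are not verified here; a production parser
    should check them and fall back to the backup GPT at the end of the image.
    """
    header = image[sector_size:sector_size + 92]
    if header[:8] != b"EFI PART":
        raise ValueError("no primary GPT header at LBA 1")
    entries_lba, entry_count, entry_size = struct.unpack_from("<QII", header, 72)
    partitions: Dict[int, str] = {}
    base = entries_lba * sector_size
    for index in range(entry_count):
        start = base + index * entry_size
        entry = image[start:start + entry_size]
        if len(entry) < 128:
            break                                   # truncated table
        if entry[:16] == bytes(16):
            continue                                # all-zero type GUID: unused slot
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        # Partition name: 36 UTF-16LE code units (72 bytes) at offset 56, NUL padded.
        name = entry[56:128].decode("utf-16-le").split("\x00", 1)[0]
        partitions[first_lba * sector_size] = name
    return partitions


def resolve_volume_label(label: str, partitions: Dict[int, str]) -> Optional[str]:
    """Translate a BEC-style 'vol_<decimal byte offset>' label to the GPT partition name."""
    if not label.startswith("vol_") or not label[4:].isdigit():
        raise ValueError(f"unexpected volume label: {label!r}")
    return partitions.get(int(label[4:]))


def build_sample_image(parts, sector_size: int = SECTOR_SIZE) -> bytes:
    """Constructed test image: an empty LBA 0, a minimal GPT header at LBA 1 and a
    128-entry table at LBA 2. Only the fields parse_gpt_partitions() reads are filled in."""
    entry_count, entry_size = 128, 128
    entries = bytearray(entry_count * entry_size)
    for index, (name, first_lba, last_lba) in enumerate(parts):
        off = index * entry_size
        type_guid = b"\x01" * 16                 # placeholder, not a real partition type GUID
        unique_guid = bytes([index + 1]) * 16    # placeholder unique GUID
        struct.pack_into("<16s16sQQQ", entries, off, type_guid, unique_guid, first_lba, last_lba, 0)
        entries[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\x00")
    header = bytearray(sector_size)
    header[:8] = b"EFI PART"
    struct.pack_into("<IIII", header, 8, 0x00010000, 92, 0, 0)         # revision, header size, CRC (unset), reserved
    struct.pack_into("<QII", header, 72, 2, entry_count, entry_size)   # entry array starts at LBA 2
    return bytes(bytearray(sector_size) + header + entries)


# Constructed layout loosely modelled on an Android handset; the LBAs are made up.
SAMPLE_PARTS = [
    ("boot", 16384, 49151),
    ("system", 49152, 4243455),
    ("cache", 4243456, 4456447),
    ("userdata", 4456448, 30535679),
]

if __name__ == "__main__":
    table = parse_gpt_partitions(build_sample_image(SAMPLE_PARTS))
    for label in ("vol_25165824", "vol_2281701376", "vol_1"):
        print(label, "->", resolve_volume_label(label, table))
```

On a real dump, pass the first few hundred KiB of the image file to parse_gpt_partitions(); if the label's offset is not a partition start, BEC is most likely exposing a file system that begins inside a partition (or the sector size differs), so compare against the LBA arithmetic before trusting the name.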
The ability to filter data is important when trying to sift through any amount of information. The filter window is automatically invoked by BEC when you are in either the Case Explorer tab or the Overview tab, looking at a specific category of data.
Select ‘Add Filter’.
Then select one or more of the filter criteria. The filter criteria change based upon the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers, Mailboxes, etc.
For examination of a SQLite database, I can use the SQLite Viewer tab (upper right pane) to examine each table and the columns within a table. BEC very nicely displays the number of database records and the number of journaled records (which are included in the record count).
The colouring of the rows is done by BEC to visually assist with identification of data:
- journaled records – light blue coloured row
- examiner selected record – dark blue coloured row
- actual database records – white coloured row
- deleted records – red coloured row
However, what I do note is that I cannot easily search/filter any table columns,
which would be a useful feature. I cannot invoke the Filter window whilst in the
SQLite Viewer tab; I must go back to the Message List tab. I would like to see the
ability to filter any item of data from any column.
I can quickly convert the time stamps by right-clicking on the
‘experience_comment_creation_timestamp’ column, drilling down to ‘Choose
type’ and selecting UTC Unix time.
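As an added illustration of the timestamp conversion and date filtering described above (example code written for this write-up, not Belkasoft's), the Python below builds a constructed stand-in for the touch.db experience_members table, decodes experience_comment_creation_timestamp values whether they were stored as Unix seconds, milliseconds or microseconds, and returns only the rows inside a UTC date window. The function names (unix_to_utc, comments_in_window, build_sample_db, utc_day) and the sample rows are mine; nothing of the real touch.db schema beyond the table and column named in the review is reproduced.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def unix_to_utc(value) -> Optional[datetime]:
    """Decode a Unix timestamp whose unit is not known in advance.

    Android apps store seconds, milliseconds or microseconds depending on the
    developer's habit; the magnitude tells them apart, because a value in
    seconds stays below 1e11 until the year 5138. NULL, zero and non-numeric
    values return None rather than a misleading 1970 date.
    """
    try:
        raw = int(value)
    except (TypeError, ValueError):
        return None
    if raw <= 0:
        return None
    if raw < 10**11:
        seconds = raw                   # seconds
    elif raw < 10**14:
        seconds = raw / 1000            # milliseconds
    else:
        seconds = raw / 1_000_000       # microseconds
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def utc_day(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given day, for building filter windows."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for touch.db; the rows are invented, not data from the reviewed image."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE experience_members ("
        " _id INTEGER PRIMARY KEY, experience_id TEXT, member_name TEXT,"
        " experience_comment_creation_timestamp INTEGER)"
    )
    con.executemany(
        "INSERT INTO experience_members VALUES (?, ?, ?, ?)",
        [
            (1, "exp-1", "alice", 1462982400),      # seconds: 2016-05-11 16:00:00Z
            (2, "exp-1", "bob", 1462982460000),     # milliseconds: one minute later
            (3, "exp-2", "carol", 0),               # never set
            (4, "exp-2", "dave", 1483228800),       # seconds: 2017-01-01 00:00:00Z
        ],
    )
    con.commit()
    return con


def comments_in_window(con: sqlite3.Connection, start: datetime, end: datetime) -> List[Tuple[int, str, str]]:
    """Equivalent of BEC's date filter: rows whose decoded timestamp falls in [start, end),
    returned as (_id, member_name, ISO-8601 UTC). Undecodable timestamps are dropped."""
    cursor = con.execute(
        "SELECT _id, member_name, experience_comment_creation_timestamp"
        " FROM experience_members ORDER BY _id"
    )
    hits: List[Tuple[int, str, str]] = []
    for row_id, name, raw in cursor:
        when = unix_to_utc(raw)
        if when is not None and start <= when < end:
            hits.append((row_id, name, when.isoformat()))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for hit in comments_in_window(db, utc_day(2016, 5, 1), utc_day(2016, 6, 1)):
        print(hit)
```

The magnitude heuristic is the same judgement an examiner makes when picking ‘UTC Unix time’ versus a millisecond variant in the viewer; when a column mixes units, as the constructed rows 1 and 2 do, a per-row decision like this avoids silently mis-dating half the table.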
During my analysis of the parsed binary file, I was able to exclude the Touch app (touch.db) as a source of any data of interest, other than verifying the Touch account user identification information. The date filtering feature allowed for a quick review of messages for a specific time period. The Timeline view provided me with a nice overview of the activities that occurred on the device in the time period of interest. The SQLite Viewer tool, in conjunction with the Hex Viewer, proved very useful in reviewing data consisting of recovered deleted artifacts, journaled data, and live database records.
The BEC software usage information presented thus far is certainly not exhaustive of the complete feature set of this product. Depending upon the types of data sources you are examining, there are other areas of the product which are not demonstrated here, such as those available in the View dropdown menu:
- Registry Viewer and Plist Viewer
- Connection graph, a useful feature to view communication relationships between contacts.
Also take note of the ability to export data from BEC to:
- the BEC Evidence Reader, which allows investigators to review the data
- ‘Export to UFDR’, which exports the data in UFDR format for import into UFED
All the numerous benefits of BEC can be reviewed at these links:
However, as a user of this product one of the key benefits for me is the ability of
this product to ingest multiple data sources, with the ability to review data from
various types of apps on smart phone platforms.
As noted at the start of this review, software products can be improved with user
input to the developer. If you encounter a situation where the data you are
examining is not being parsed correctly or is missed, and/or you note an issue with the
software, then please make the time to contact Belkasoft so they can provide
assistance. When I have contacted Yuri, I have received a timely reply (usually
within 24-48 hours) from Yuri acknowledging any issues. And they (Yuri and his
team) have been very responsive in providing fixes.
In closing, I hope you take the time to review this product on your own and test it
for your own needs.
About the Reviewer
Shafik is a digital forensic examiner for a law enforcement agency, currently assigned to the Digital Forensics Team (Cyber/Forensic Unit), and has been working in this area since 2003.