By Shafik G. Punja
Introduction
Hello fellow digital forensic colleagues! This is a brief review of the BEC product, but let me preface this first by stating that anything stated herein is a reflection of my own thought processes, is not representative of my employer, and has NOT been influenced by Belkasoft. My second prefacing statement: I use a wide variety of tools for analyzing data. I find leveraging a variety of different tools an asset, in that it allows me to view the same data from different perspectives. No software is perfect; our collective use and subsequent reporting of any issues greatly helps improve any product.
My first interest in the Belkasoft products was specifically for parsing Instant Messenger (IM) chat communications. I have been watching the Belkasoft products evolve for well over 5 years, with more features being added to assist examiners.
Belkasoft Front Matter
If you are not familiar with the Belkasoft products you can check out their website: https://belkasoft.com/.
A most excellent resource for the reader is also their blog:
https://belkasoft.wordpress.com/. The blog contains news as well as excellent articles, which provide a great deal of information. All articles are also available at
https://belkasoft.com/articles.
The intent of this review is to provide an overview of the Belkasoft Evidence Center Ultimate (BEC) 8.0.1762. I will not be examining every intimate detail of BEC,
which is beyond the scope of this article. I strongly urge you to obtain a trial version and explore the product. In addition to BEC, there are two FREE, companion standalone tools, which
Belkasoft provides: Belkasoft Acquisition Tool (called BelkaImager), and Belkasoft Live RAM Capturer. A really quick overview of the BelkaImager product can be found at: http://www.weare4n6.com/imaging-drives-and-mobile-devices-withbelkaimager/. BelkaImager is also integrated into BEC and is found under Tools->Acquisition. The BelkaImager product can be used for acquiring data from traditional computers, laptops and also mobile devices. An interesting feature of the imager is the ability to download cloud data. Google Drive, Google Plus and iCloud are currently supported.
Starting BEC & Case Setup
Like other forensic acquisition and analysis products that you may have been exposed to, BEC is a GUI-based tool. When starting the product, there seems to be some delay on my examination computer, which I first observed a few releases ago, pre-version 8. The case setup is consistent regardless of what type of device/file/image/data you are examining.
In order to configure BEC options you will need to create a case first. In this product overview an Android image will be used to demonstrate basic product features. During the case creation process please remember to select the appropriate time zone settings and any case description that you feel is necessary.
Open Case Dialog – New Case
Make sure that after you create your case, and before you press ‘OK’, you select Options, which is found on the right side of the ‘Open Case’ window. This is not necessary, but can be useful, for example, to assign a temporary folder (if the C drive is a small SSD, it makes sense to assign another, bigger magnetic drive to store BEC temporary data). Otherwise the default options will work well without any further adjustments.
Within the ‘Open Case Dialog’ window there are 4 tabs: General, Picture, Video and Hashes.
Open Case Dialog – Options and Tab Options
The tab layout is shown in the screenshots below with default settings.
Note in the Video tab the ability to extract frames automatically.
The default settings, which are already checked, are used.
Add data source Window – Step 1: What sources would you like to analyze?
After you select your options, BEC will prepare the case and then prompt you to add a data source through the ‘Add data source’ window. From this window you can choose one type or multiple types of data sources. In this case, BEC is used to analyse a ‘DumpData.bin’ file. This is a physical image of an Android Samsung SMG900W8, running Android OS 5.1.1; the device was acquired with UFED 4PC 5.3. The screenshot below provides a view of the ‘Add data source Dialog’ window.
Add data source Dialog – Data sources: Take note of the various types of data sources that can be added for ingestion into BEC.
The ‘Run hashset analysis’ option allows an examiner to import hashsets, which BEC can leverage in order to perform hash value matches of content.
Add data source Window – Step 2: What would you like to search for?
In this window the examiner will hopefully be quite informed about the type of content that is to be searched. As you can see, data type categories are shown in the left pane, with the app types supported relative to each operating system. As a humble suggestion, please take the time to really target what you are looking for and try NOT to select everything, as shown in the screenshot below.
The more artifacts you select, the longer the initial analysis will take. For example, if you are looking inside an Android phone, there is no sense in looking for Windows artifacts. However, if you are investigating a Windows computer, it makes sense to have Android artifacts selected, just in case an Android backup is found on the computer. Encrypted file detection can take a good amount of time, so if a user is not interested in an encryption search, unchecking ‘Encrypted files’ will speed up the analysis.
Analyze: Take a moment to review which partition areas you want to look at.
This specific Android operating system image has numerous partitions, and in this case, only partition structures which might prove of use are selected for examination.
If you want to pursue data carving you can check ‘Carve’ and again specify the partitions, allocated and/or unallocated space.
When you have finished optimizing the data searches for your specific needs, press the Finish button. Another window will appear asking whether you want to add another data source.
If ‘Yes’ was selected, then the ‘Add data source Dialog – Data sources’ dialog window would appear. In this case, ‘No’ was selected, and this initiates the processing of the data source along with the specified search selections.
BEC Interface
The main BEC interface window presents 3 main areas, much like most GUI-based digital forensic products:
Above the tri-pane interface, please note the product toolbar, which consists of both icons and a text-based menu-driven interface. Under ‘Help’ there is both offline and online help documentation.
If you find the tri-pane interface too congested, you have the option of customizing the display of the windows using the floatable, auto-hide, tab, or hide features.
Left Pane: Consists of 3 tabs: Overview, Case Explorer and File System. The tab you select in this area drives what the right upper pane displays: actions taken by the user in any of these tabs cause the right upper pane to show particular data source items, depending on the tab you are in and the type of data being viewed.
• Overview tab (left tab in left pane): This tab provides a breakdown of the various types of data sorted into categories.
• Case Explorer tab (middle tab in left pane): This tab provides access to view Timeline data and data sources. Here you can see that it also shows the partition structures that are contained within the binary dump. If you recall, earlier I only selected three partitions to be ingested for data parsing. It would be nice to have an option to exclude the unselected partitions from being viewed in this tab.
Within the Case Explorer tab, data is broken down into data type categories: Browsers, Cloud services, Instant Messengers etc.
• File System tab (right tab in left pane): This tab shows all the data sources ingested by BEC. If the data source contains partitions/volumes which contain file systems that BEC can understand, they will appear here. This is a refined view compared to the Case Explorer tab. However, I still have to dig to identify the various partitions/volumes, as they are named ‘vol_xxxxxx’, where xxxxxx is the decimal offset of the start of the volume. As indicated previously, I am only interested in three partitions. It would be nice if, in future BEC releases, the actual volume (partition) name was provided, and only volumes selected for analysis were listed, with the option to view unselected volumes if an examiner needs to.
Right Upper Pane: This is the data examination area where you can review the parsed data or analyze data structures. The user can add or remove tabs in this area through the ‘View’ function on the toolbar.
Right Lower Pane: This pane consists of 4 tabs: Task Manager, Item Properties, Hex Viewer and Search Results.
• Task Manager: Here you can observe any tasks that are running, scheduled, or completed.
• Item Properties: Here you can inspect the properties of a single item that has been selected from a parsed data source in the Case Explorer (left pane) and viewed within a correlated tab in the right upper pane. An example is shown in the following screenshot, following the arrows, with review of the touch.db file (Case Explorer in the left pane), the database structure viewed in the right upper pane in the SQLite Viewer, and examination of a specific record in Item Properties (right lower pane) from the touch.db file, experience_members table. The actual database (.db) file is identified in the ‘Current file’ information bar.
• Hex Viewer: This is located in the lower right pane, Hex Viewer tab. From the previous example, highlighting a record (row) in the SQLite database file, Data tab, locates that data in the Hex Viewer, showing the offset at which it is located. There is also a ‘Type Converter’ which assists with data decoding.
• Search Results: This tab displays the search results. To initiate a search, access the search function from the search icon in the toolbar. Then select what you would like to search for, the data source(s) and the profiles to search in:
Data Filtering
The ability to filter data is important when trying to sift through any amount of information. The filter window is automatically invoked by BEC when you are either in the Case Explorer tab or the Overview tab, looking at a specific category of data.
Select ‘Add Filter’.
Then select one or more of the filter criteria. The filter criteria change based upon the type of data being viewed: Pictures, Videos, Browsers, Instant Messengers, Mailboxes, etc.
For examination of a SQLite database, I can use the SQLite Viewer tab (upper right pane) to examine each table and the columns within a table. BEC very nicely displays the number of database records and the number of journaled records (which are part of the number of records count).
The colouring of the rows is done by BEC to visually assist with identification of data:
• journaled records – light blue coloured row
• examiner selected record – dark blue coloured row
• actual database records – white coloured row
• deleted records – red coloured row
However, what I do note is that I cannot easily search/filter any table columns, which would be a useful feature. I cannot invoke the Filter window whilst in the SQLite Viewer tab; I must go back to the Message List tab. I would like to see the ability to filter any item of data from any column.
I can quickly convert the time stamps by right-clicking on the ‘experience_comment_creation_timestamp’ column, drilling down to ‘Choose type’ and selecting UTC Unix time.
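The two SQLite viewer steps above (decoding a Unix-time column as UTC, then narrowing rows to a time window, which the viewer cannot yet filter on) can be reproduced outside BEC. The following is an added example, not code from the review or from Belkasoft; the table, rows and the milliseconds cut-off are constructed assumptions that reuse only the column name from the review.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows standing in for a table like touch.db's experience_members
# (not the real schema; only the column name comes from the review).
# Row 2 deliberately stores milliseconds, a common cause of bogus decoded years.
SAMPLE_ROWS = [
    (1, "alice", 1497312000),       # 2017-06-13 00:00:00 UTC, seconds
    (2, "bob",   1497398400000),    # 2017-06-14 00:00:00 UTC, milliseconds
    (3, "carol", 1497484800),       # 2017-06-15 00:00:00 UTC, seconds
    (4, "dave",  None),             # NULL timestamp, must not crash the decode
]

# Assumed cut-off for this example (not a BEC rule): a value above this cannot be
# a plausible seconds count (year > 5000), so it is treated as milliseconds.
MS_THRESHOLD = 10**11


def unix_to_utc(value):
    """Decode a Unix-time column value as a timezone-aware UTC datetime (None stays None)."""
    if value is None:
        return None
    v = int(value)
    if v > MS_THRESHOLD:
        v = v / 1000.0
    return datetime.fromtimestamp(v, tz=timezone.utc)


def build_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE experience_members ("
        "id INTEGER PRIMARY KEY, member TEXT, "
        "experience_comment_creation_timestamp INTEGER)"
    )
    conn.executemany("INSERT INTO experience_members VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rows_in_window(conn, start_iso, end_iso):
    """Return (id, member, ISO-8601 UTC string) for rows whose decoded time is in [start, end]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    sql = ("SELECT id, member, experience_comment_creation_timestamp "
           "FROM experience_members ORDER BY id")
    hits = []
    for rid, member, raw in conn.execute(sql):
        dt = unix_to_utc(raw)
        if dt is not None and start <= dt <= end:
            hits.append((rid, member, dt.isoformat()))
    return hits
```

Running `rows_in_window(build_sample_db(), "2017-06-13T12:00:00+00:00", "2017-06-15T00:00:00+00:00")` returns only the rows for bob and carol, with bob's millisecond value decoded to the same calendar date BEC would show.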
Results
During my analysis of the parsed binary file, I was able to exclude the Touch app (touch.db) for any data of interest, other than verifying the Touch account user identification information. The date filtering feature allowed for a quick review of messages for a specific time period. The Timeline view provided me with a nice overview of the activities that occurred on the device in the time period of interest. The SQLite Viewer tool, in conjunction with the Hex Viewer, proved very useful in reviewing data consisting of recovered deleted artifacts, journaled data, and live database records.
Summary
The BEC software usage information presented thus far is certainly not an exhaustive account of all the features of this product. Depending upon the types of data sources you are examining, there are other areas of the product which are not demonstrated here, such as those available in the View dropdown menu:
• Registry Viewer and Plist Viewer data
• Connection graph functions, which are useful for viewing communication relationships between contacts.
Also take note of the ability to export data from BEC to:
• the BEC Evidence Reader, which allows investigators to review the data themselves
• ‘Export to UFDR’, which exports the data as a UFDR for import into UFED Physical Analyzer.
All the numerous benefits of BEC can be reviewed at these links:
• https://belkasoft.com/bec/en/evidence_center.asp
• https://belkasoft.com/bec/en/Evidence_Center_Features.asp
However, as a user of this product, one of the key benefits for me is the ability of this product to ingest multiple data sources, with the ability to review data from various types of apps on smartphone platforms.
As noted at the start of this review, software products can be improved with user input to the developer. If you encounter a situation where the data you are examining is not being parsed correctly or is missed, and/or you note an issue with the software, then please make the time to contact Belkasoft so they can provide assistance. When I have contacted Yuri, I have received a timely reply (usually within 24-48 hours) from Yuri acknowledging any issues. And they (Yuri and his team) have been very responsive in providing fixes.
In closing, I hope you take the time to review this product on your own and test it for your own needs.
About the Reviewer
Shafik is a digital forensic examiner for a law enforcement agency, currently assigned to the Digital Forensics Team (Cyber/Forensic Unit), and has been working in this area since 2003.