Belkasoft Evidence Center

Belkasoft Evidence Center is an all-in-one forensic solution for locating, extracting, and analyzing digital evidence stored inside computers and mobile devices.

Overview

Comprehensive examination

Discovers more than 1000 types of the most forensically important artifacts, including over 200 mobile applications, all major document formats, browsers, email clients, dozens of picture and video formats, instant messengers, social networks, system and registry files, P2P and file transfer tools, etc. Extracts data from all major operating systems, both computer and mobile: Windows, Linux, macOS, iOS, Android, Windows Phone, Blackberry.
For low-level examinations, you can use the product’s analytical tools (SQLite Viewer, Hex Viewer, Registry Viewer) to locate hard-to-access, damaged, and deleted information.

Less missed evidence

Looks for hidden and encrypted information, searches in unusual places, carves deleted and damaged data, and examines files in little-known formats to discover more evidence than ever. The search includes unallocated and slack space, $MFT, $Log, Volume Shadow Copy and other special and little-known areas of operating systems.

Blazing fast operation

The product allows you to perform evidence searches faster than most tools because it does not index every single file found on the data source, instead searching for the most forensically significant types of artifacts. Efficient usage of CPU adds to the speed of processing, as does the code written by our team of highly qualified specialists in data analysis.

Saves your time & effort

Unlike many other forensic products, Belkasoft Evidence Center does not require your constant presence and attention. Most of the routine is automated, allowing multi-tasking and freeing up some of your valuable time.

Forensically sound

Evidence Center is designed to meet the demands of forensic experts and investigators. Workflow is simple and quick, and results are easy to convert into a report. Reports are adjustable, comprehensive, and most importantly, absolutely valid to present in a court as proven by years of user experience. One of the real-life examples was a big case of child abuse in Croatia solved using Belkasoft Evidence Center.

Team work

The multi-user configuration of Evidence Center (Team Edition) provides teams with the ability to collaborate on the same cases and split the workload.
The Team Edition version allows you to store case data on a central server and access your cases remotely from the same local network. You can work on the same case with another user simultaneously and specify if other users can access your case (read-write, read-only or no access).

Fair price

Belkasoft Evidence Center offers the broadest set of tools and features for its price compared to other forensic software. All major analytical capabilities are present even in the most affordable versions of the product. Upgrades to your license can be purchased separately with no extra charges.

Flexible licensing. Usable in the field

The product has different licensing options to answer any of your needs.
For individual users, the most affordable fixed license is available. It is designed to run just on one computer.
For use in a small or medium-size company, you can buy a floating license that comes with a USB dongle. A floating license is the definition of “value for money”: one license allows you to run the product on multiple machines.
Portable edition runs from a USB drive and can be plugged into any PC, laptop or desktop, with no installation or configuration required. It is perfectly suited for work in the field.
Network edition allows an unlimited number of workplace installations and a certain number of concurrent connections, through a local network as well as anywhere else.

Features

  • Mobile and Computer Acquisition. The product allows you to acquire data from a computer, a laptop or a mobile device. Hard and removable drives are acquired into DD and E01 formats with optional hash calculation and verification. For mobile devices running iOS, BEC acquires an iTunes backup; for Android devices, there are multiple formats: standard ADB or agent-based backup, EDL, and physical backup for rooted devices.
  • Mobile and Computer Device Examination. Supporting all major desktop and mobile operating systems, Belkasoft Evidence Center is suitable for mobile and computer forensics. It can parse real and logical drives and drive images, virtual machines, mobile device backups, UFED and OFB images, JTAG and chip-off dumps.
  • Smart and Comprehensive Analysis. The product looks everywhere on the device completely automatically and can successfully identify over 1000 types of digital artifacts. The convenient Evidence Search feature helps to narrow down the findings using filters, pre-defined search, or other options.
  • Powerful Carving. Data carving allows you to locate evidence that was deleted, destroyed, or never stored on the hard drive at all (page file, hibernation file, RAM contents). Custom carving is supported as well, including support for Scalpel and FTK sets. In addition, advanced carving mode called BelkaCarving™ is available, making it possible to reconstruct fragmented chunks into contiguous pieces of information that would otherwise not be accessible at all.
  • Native SQLite Parsing. Recovers corrupted and incomplete SQLite databases, restores deleted records and cleared history files. Processes freelists, write-ahead logs and journal files, and SQLite unallocated space.
  • Live RAM Analysis. Evidence Center can extract potentially crucial information from volatile memory, such as: in-private browsing and cleared browser histories, online chats and social networks, cloud service usage history, and much more. Belkasoft Live RAM Capturer is a powerful tool for creating memory dumps, and it is complimentary.
  • Remote Acquisition. The Remote Acquisition module allows you to perform acquisition of various data sources from remote locations. Available data source types include hard or removable drives, RAM and mobile devices. The acquisition is performed with the help of an agent installed on a remote device such as a computer or a laptop.
  • Incident Investigations. The Incident Investigations module is designed to help users investigate hacking attempts against Windows-based computers. By analyzing numerous sources such as registry, event logs and memory dumps, it can find traces that are typical of various tricks used by hackers to penetrate a company’s infrastructure.
  • Cross-Case Search. Cross-Case Search module allows you to find intersections between the currently investigated case and other BEC cases. The information found in the current case is compared with the information found in the selected older cases and all matches will be reported.
  • Handy Built-in Tools. PList, Registry, and SQLite viewers allow you to work more thoroughly with particular types of data and find even more evidence than automatic search was able to discover.
  • Low-level Investigations. Equipped with File System Explorer, Hex Viewer, and Type Converter, Belkasoft Evidence Center will allow you to perform deep examination of the contents of files and folders on the device.
  • Extendable with BelkaScript. A free scripting module allows users to write their own custom scripts to automate some of the routine and further extend the product’s functionality.

Technical Specifications

Computer

  • Operating systems: Windows (all versions, including Windows 10), macOS, Unix-based systems (Linux, FreeBSD, etc.)
  • Storage devices: hard drives and removable media
  • Disk images: EnCase, AD1, L01/Lx01, FTK, Advanced forensics formats, DD, SMART, X-Ways, Atola, DMG, archive files (such as tar, zip and others)
  • Virtual machines: VMWare, Virtual PC/Hyper-V, VirtualBox, XenServer
  • Memory: RAM dumps, Hibernation files, Page files
  • File systems: APFS, FAT, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4, YAFFS, YAFFS2
  • Acquisition: to DD or E01 images with optional hash calculation and verification

Mobile

  • Operating systems: iOS (iPhone/iPad), Android, Windows Phone 8/8.1, Blackberry
  • Data sources: Mobile backups, UFED and OFB images, GrayKey and Elcomsoft iOS images, chip-off dumps, TWRP images, JTAG dumps, Blackberry IPD and BBB backups, Android physical dumps
  • Acquisition: available formats and methods are iTunes backup (iOS), full logical backup of jailbroken iOS devices, ADB backup or agent-based backup (Android), physical backup or EDL (rooted Android), acquisition of iOS with lockdown file authentication

Cloud

  • Google Clouds: Google Drive, Google Keep, GMail, Google Timeline
  • iCloud
  • EMail: Yahoo, Hotmail, Opera, Yandex, Mac.com and 25 more webmail clouds
  • Instagram
  • WhatsApp Google

The following types of artifacts can be extracted and analyzed:

Pictures and Videos

  • Supported picture formats: 3FR, ARW, BAY, BMP, BMQ, CAP, CINE, CR2, CRW, CS1, CUT, DC2, DCR, DDS, DIB, DNG, DRF, DSC, EMF, ERF, EXIF, EXR, FAX, FFF, G3, GIF, HDR, HEIC, IA, ICO, IFF, IIQ, J2C, J2K, JFIF, JNG, JP2, JPE, JPEG, JPG, K25, KC2, KDC, KOA, LBM, MDC, MEF, MNG, MOS, MRV, NEF, NRW, ORF, PBM, PCD, PCT, PCX, PEF, PFM, PGM, PIC, PICT, PNG, PNM, PPM, PSD, PTX, PXN, QTK, RAF, RAS, RAW, RDC, RLE, RPBM, RPGM, RPPM, RW2, RWZ, SGI, SR2, SRF, STI, TGA, TIF, TIFF, WBM, WBMP, WMF, XBM, XPM.
  • Picture analysis allows detection of texts, faces, skin tone and scanned text (OCR). ANN (artificial neural network)-based pornography, gun and narcotic cache detection is supported.
  • Detection of photo manipulation (forgery) is available with Forgery Detection plugin (extra module)
  • The following formats can be carved: GIF, JPEG/JPG, PNG, BMP, WMF
  • Supported video formats: 3GP, 3G2, ASF, AVI, DIVX, DRC, F4A, F4B, F4P, F4V, FLV, IFO, M2V, M4P, M4V, MK3D, MKA, MKS, MP2, MP4, MKV, MOV, MPE, MPEG, MPG, MPV, NSV, OGG, OGV, QT, RM, RMV8, SVI, TS, VOB, WEBM, WMV
  • Key frame analysis available for 3GP, 3G2, AVI, MP4, MPEG, MPG, WMV, MOV videos

Email Clients

  • Outlook 2013, 2010, 2007 and older, Outlook Express
  • Apple Mail (EML/EMLX)
  • Android Mail
  • Blackberry Mail
  • Mail 163
  • Gmail, Hotmail, Yahoo Mail
  • Windows Live Mail
  • Mozilla Thunderbird
  • The Bat
  • Mail.ru, Yandex Mail
  • MIME, MBOX, MSG Emails

Browsers

  • Adobe Flash
  • Avant
  • Baidu Browser
  • Chrome
  • Chromium-based browsers (e.g. Brave, Puffin etc.)
  • Edge
  • Firefox
  • Internet Explorer
  • Maxthon 5
  • Opera
  • Qihoo 360
  • QQ Browser
  • Safari
  • Sogou Explorer
  • Tor
  • Yandex

Mobile Applications

  • Android:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • Installed Applications
    • SMS

    Browsers

    • 360 Extreme Explorer
    • Android application web-data
    • Baidu
    • Chrome
    • Default Browser App
    • Dolphin
    • Downloads
    • Edge
    • Firefox
    • Maxthon
    • Mercury
    • Opera
    • Samsung Browser
    • UC Browser

    Mails

    • Default mail app
    • Gmail
    • inbox.lv
    • inbox.lt
    • mail.ee
    • MailRu Mail
    • Yahoo Mail
    • Yandex Mail
    • Voice mail

    Messengers

    • AIM
    • Badoo
    • BBM
    • Brosix
    • ChatON
    • CommFort
    • Draugiem.lv
    • eBuddy XMS
    • Facebook Messenger
    • FireChat
    • Fring
    • Google+
    • Grindr
    • Growlr
    • Hangouts
    • HeyTell
    • ICQ
    • Im+
    • IMO
    • Instagram Direct
    • KakaoTalk
    • KateMobile
    • Kik
    • Line
    • Mail.ru Agent
    • MeetMe
    • Meow Chat
    • NextPlus
    • Odnoklassniki/OK
    • ooVoo
    • Paltalk
    • Signal
    • Skype
    • Slack
    • Snapchat
    • Tango
    • Telegram
    • Telegram X
    • Text Plus
    • Textie
    • TextMe
    • TikTok
    • Touch
    • Tumblr
    • Twitter
    • Viber
    • Vipole
    • VK Coffee
    • Vkontakte/VK
    • Voxer
    • Wamba
    • WeChat
    • WhatsApp
    • Xabber
    • Yahoo Messenger
    • YapChat
    • YouMagic

    Other Apps

    • Any.do
    • Evernote
    • Foursquare
    • Gettaxi
    • Instagram
    • LinkedIn
    • Memo
    • Pinterest
    • Pokemon GO
    • Richnote
    • ShareIT
    • Sina Weibo
    • Swarm
    • Tinder
    • Uber
    • Whisper
    • YandexTaxi
    • Zalo
    • Zello

    Payment Systems

    • Android Bitcoin Wallet
    • Bitcoin Armory Wallet
    • Bitcoin Core Wallet
    • Jaxx
    • Qiwi Wallet

    Fitness trackers

    • Fitbit
    • Mi Fit

    Cloud services

    • Dropbox
    • Google Drive
    • OneDrive
  • iOS:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • Installed applications
    • Notes
    • SMS
    • Voice mail

    Browsers

    • Chrome
    • Dolphin
    • Edge
    • Firefox
    • Maxthon
    • Mercury
    • Opera
    • Safari
    • UC Browser

    Messengers

    • Brosix
    • ChatOn
    • eBuddy XMS
    • Facebook Messenger
    • FireChat
    • Fring
    • Grindr
    • Growlr
    • HeyTell
    • ICQ
    • Im+
    • IMO
    • KakaoTalk
    • Kik
    • Line
    • MeetMe
    • Meow Chat
    • NextPlus
    • Odnoklassniki/OK
    • ooVoo
    • Paltalk
    • Recents
    • Skype
    • Tango
    • Telegram
    • Text Plus
    • Textie
    • TextMe
    • Touch
    • Tumblr
    • Twitter
    • Viber
    • Vipole
    • WeChat
    • WhatsApp
    • Yahoo Messenger
    • YapApp

    Mails

    • Apple Mail
    • MailRu Mail
    • Yahoo Mail

    Cloud services

    • Dropbox

    Other Apps

    • Any.do
    • Evernote
    • Gettaxi
    • LiveMe
    • Pokemon GO
    • Richnote
    • Snapchat
    • Tinder
    • Uber
    • Whisper
    • Zello
  • Blackberry:

    Standard Apps

    • Calendar
    • Calls
    • Contacts
    • Notes
    • SMS
    • Voice Mail

Instant Messengers

  • &RQ
  • Adium
  • AIM
  • AIM Express
  • aMSN
  • Badoo
  • Brosix
  • BBM
  • ChatOn
  • Chatzilla
  • CommFort
  • Contacts
  • Digsby
  • eBuddy XMS
  • eM Client
  • Emesene
  • Empathy
  • Facebook Messenger
  • Fire
  • FireChat
  • Fring
  • Gadu-Gadu
  • Gajim
  • Gigatribe
  • Google+
  • Google Hello
  • Google Talk
  • Grindr
  • Growlr
  • GTalk
  • Hangouts
  • HeyTell
  • Hotmail
  • iChat
  • ICQ
  • Im+
  • IMO
  • InstantBird
  • Ircle
  • Jclaim
  • Jitsi
  • Kadu
  • KakaoTalk
  • KateMobile
  • Kik
  • KMess
  • Kopete
  • Line
  • Mail.ru Agent
  • Meebo
  • MeetMe
  • MeowChat
  • Mercury
  • MessageMe
  • Messenger Plus!
  • Miranda IM
  • mIRC
  • MSN/Live Messenger
  • MySpace IM
  • Nate ON
  • NextPlus
  • Nimbuzz
  • Odnoklassniki/OK
  • ooVoo
  • Paltalk
  • Pidgin
  • Psi
  • Recents
  • QIP
  • QIP Infium
  • QQ
  • qutIM
  • SIM
  • Skype
  • Slack
  • Snak
  • Snapchat
  • Tango
  • TeamViewer
  • Telegram
  • Text Plus
  • Textie
  • TextMe
  • Touch
  • Trillian
  • Tumblr
  • Twitter
  • Viber
  • Vipole
  • Virtus
  • Vkontakte/VK
  • Voxer
  • Wamba
  • WeChat
  • WhatsApp
  • Xabber
  • X-Chat Aqua
  • Yahoo! Messenger
  • Ya-Online
  • YouMagic
  • Zello

Office Documents

  • Microsoft Office: Excel (.xls, .xlsx), Word (.doc, .docx), PowerPoint (.ppt, .pptx)
  • Open Office: Documents (.odt), Spreadsheets (.ods), Presentations (.odp)
  • macOS: Keynote, Numbers, Pages
  • PDF
  • RTF

Peer-to-peer Software

  • Ares Galaxy
  • eMule
  • Frostwire
  • Gigatribe
  • Shareaza
  • Torrent
  • ShareIT

Social Networks, Cloud Services and Online Games

  • Social Networks: Bebo, Facebook, Facebook Messenger, Google+, Myspace, Odnoklassniki/OK, Orkut, Twitter, VKontakte/VK
  • Cloud Services: Dropbox, Flickr, Google Drive, SkyDrive, OneDrive, Sharepoint, Yandex.Disk
  • Multi-user Online Games: Karos, Lineage, World of Warcraft

Windows Registry Files

  • Accounts (user name, last login time, last failed login time, last password changed time, user RID, LM-hash, NT-hash)
  • Autorun (USBs, CDs, DVDs)
  • Common file dialogs
  • Computer name
  • Event log location
  • Internet Explorer
  • List of USB devices ever connected to the system
  • List of mounted devices
  • MS Paint
  • Network cards
  • Operating system version and installation date
  • Prefetch files
  • Program startup
  • Recently opened and saved documents for MS Office Word, Excel, PowerPoint
  • Search Assistant
  • Shellbags
  • System shutdown time
  • Timezone
  • Trillian
  • UserAssists
  • User name and SID
  • Windows Explorer
  • Windows Media Player
  • Wireless profiles

System Files and Configurations

Windows

  • Jumplists
  • Link files
  • Prefetch files
  • System event logs
  • TeamViewer connections
  • Thumbnails
  • TOAST notifications
  • LNK files
  • Prefetch info
  • Windows notifications
  • Windows 10 timeline
  • WMI Event Subscription

macOS

  • Bluetooth
  • Installed applications
  • System configurations
  • Wi-Fi connections

Android, iOS

  • IP connections
  • Thumbnails
  • Wi-Fi connections

Encrypted Files and Volumes

  • Acrobat 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0
  • eBook document
  • Symantec ACT! 2.0, 3.0, 4.0, 2000
  • ACT! by Sage 2005, 2006, 2007, Sage 2008, 2009
  • Apple iTunes PLIST
  • BestCrypt 6.0, 7.0, 8.0
  • Bitlocker
  • FileMaker Pro 3.0, 4.0, 5.0, 6.0, 7.0, 8.x, 9.0, 10.0, 11.0
  • FileVault
  • ICQ 2000 – 2003 (.dat), 99a (.dat)
  • ICQ Lite (.fb)
  • Lotus 1-2-3 1.1+
  • Lotus Notes 4.x, 6.x, 7.0, 8.0
  • Lotus Notes Client
  • Lotus Organizer 1.0, 2.0, 3.0, 4.0, 5.0, 6.0
  • Lotus WordPro
  • macOS Keychain
  • McAfee Endpoint Security
  • MS Access 2.0
  • MS Access 2.0 System Database
  • MS Access 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MS Access 97 System Database, 2000 System Database, 2003 System Database, 2007 System Database, 2010 System Database
  • MS Backup
  • MS Excel 4.0, 5.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MS Pocket Excel
  • MS Mail
  • Money 99 or earlier, 2000 – 2007
  • MS OneNote 2003 Section, 2007 Section, 2010 Section
  • MS Outlook 2000 Personal Storage, 2003 Personal Storage, 2007 Personal Storage, 2010 Personal Storage
  • MS Outlook 2000 Form Template, 2003 Form Template, 2007 Form Template, 2010 Form Template
  • MS PowerPoint 2002, 2003, 2007, 2010, 2013
  • MS Project 95, 98, 2000, 2002, 2003, 2007
  • MS Schedule+ 1.0, 7.x
  • MS SQL 2000, 2005, 2008
  • MS Word 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
  • MYOB earlier than 2004, 2004-2009
  • Norton Backup
  • Paradox Database
  • Peachtree 2002 – 2006, 2007
  • PGP Desktop Zip
  • PGP Desktop Private Keyring
  • PGP Desktop Virtual Disk
  • PGP Desktop Self-Decrypting Archive
  • Quattro Pro 5 – 6, 7 – 8, 9 – 12, X3, X4
  • QuickBooks 3.x – 4.x, 5.x, 6.x – 8.x, 99, 2000-2012
  • Quicken 95/6.0, 98, 99, 2000, 2001, 2002, 2003, 2007-2012
  • RAR Archives
  • Remote Desktop Connection Document
  • Visual Basic for Applications Projects
  • WordPerfect 5.x, 6.0, 6.1, 7 – 12, X3, X4
  • Zip Archives
  • 7-Zip Archives

Why BEC?

SIMPLE—Belkasoft Evidence Center is designed to be easy to use with its straightforward and convenient interface. Most of the routine is automated, and commands can be given using the compact toolbar or context menu. No special training is required in order to be able to work with the product, and our support specialists will be glad to help if you face any issues.

FAST—The tool skips indexing every single file and folder in the file system, instead searching specifically for the most significant types of digital evidence that forensic investigators most often look for. Advanced algorithms allow for fast and comprehensive evidence search and analysis, helping to speed up the investigation and save your time.

POWERFUL—Belkasoft Evidence Center can acquire and analyze mobile and computer devices, cloud data and memory dumps. It supports comprehensive analysis of device back-ups and disk images, virtual machines and other data sources.
The product identifies and analyzes hundreds of artifact types completely automatically, and it is also equipped with a variety of analytical tools that help to ensure the completeness and high quality of the investigation process.

FAIR PRICE—Compared to other similar tools on the market, Evidence Center offers the most for its price. Additionally, knowing how challenging it can be to receive funding, we use a very flexible pricing scheme where customers can choose the combination of features that fits the budget.

Fixed License

For one user on one computer.

Part No:
AP-BEL-ECFXL

Floating License

Comes with a USB dongle. This licensing option allows you to run Belkasoft Evidence Center on multiple machines. We recommend this option if more than one user will work with the product, or if a single user needs to run Evidence Center on different computers.

Part No:
AP-BEL-ECFL