I recently signed up for a trial license to try out the new Belkasoft Evidence Center X tool.
Link at https://belkasoft.com/get
The tool is described on the product page as a "Solution to accelerate Digital Forensics and Incident Response Investigations", with features covering the major stages of the workflow for the main data set types: Acquire (imaging, including checkm8), Examine, Review & Analyze, and Report.
I spoke with friendly customer service reps from the company and they emailed over a trial exe with a readme file that read:
Belkasoft Evidence Center is digital forensic software which makes it easy for an investigator to acquire, search, analyze, store and share digital evidence found inside computers and mobile devices, RAM and the cloud. The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, cloud, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will automatically analyze the data source and lay out the most forensically important artifacts for the investigator to review, examine more closely or add to a report.
Belkasoft Evidence Center can be installed on any computer running Windows 10, Windows 8, Windows 7 (including 64 bit), Windows Vista and Windows 2003. Mac users can run the tool under Boot Camp.
HOW TO INSTALL
Run the setup file and follow the instructions of the installation program. It takes just a few minutes to get the product installed.
- Ran becu.trial.fixed.x64.exe to install.
- Was given the option to activate the trial license online or offline, which is nice if your forensic workstation is on a segmented network.
- The 30 days start at first install. An interesting caveat: it was noted that when reporting with the trial version, only a random 50% of the data makes it into the report, which makes sense for a trial license.
- The Dashboard interface opens to name and create a new case.
- Taking a look at the Options (settings):
-can set the number of CPU cores and the memory cache size
-picture recognition settings to assist examination and analysis. There is a dropdown to detect language, and more/less false positives options for face and skin detection.
-malware detection with VirusTotal, which is nice
-allows hashsets to be added, and includes remote capabilities
- Selected Create and Open for the new case, and the Add Data Source dialog opens:
-options for adding an existing data source or acquiring a new one
- Added a Disk Image (Windows), a Mobile Image (iOS), and a RAM Image (Windows) I had made for practice.
- The artifact selection menu opened:
- Processing shows a Dashboard of progress and a Task Manager tab for the tasks being run on the images; the bottom-right corner shows a progress bar.
When processing, I found it best to wait for it to finish all the tasks before opening artifact categories.
- Processing finished (shown on the Dashboard) in a little less than 1 hr for all 3 images.
- Case Explorer shows device geometry for the hard drive image only.
- In Case Explorer the tree pane shows the items analyzed.
- The Overview tab shows the analyzed count for all evidence items.
- Other tabs include Timeline, Bookmarks, Task Manager, Remote Acquisition, and Incident Investigations.
- The Incident Investigations tab categorizes the artifacts useful for intrusions (Downloads, Execution, Persistence, Recent, Event Logs) and would seem useful for Incident Response cases:
- The Remote Acquisition tab allows a package to be generated or deployed via GPO, WMI, or a configurable IP/port, which would seem helpful for IR investigations.
- The search function allows multiple kinds of searches. Results display properties if found in execution artifacts.
The tool also offers timeline, hex, plist, registry, and SQLite views.
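The hashset option in the settings is where known-good/known-bad matching happens during processing. As an added illustration (not Belkasoft's code and not its hashset file format), the following Python hashes files in chunks with several algorithms and matches the digests against two constructed hash lists. The file names, labels and digests are constructed sample data (well-known digests of short strings), not real malware hashes; the "digest,label" list layout is an assumption made for the example.

```python
import hashlib
import os
import tempfile

# Constructed hashsets in an assumed "digest,label" text layout. The digests
# are the well-known SHA-256 of b"abc" and MD5 of b"hello world"; they stand
# in for real known-bad / known-good (NSRL-style) entries.
KNOWN_BAD_TEXT = """
# constructed known-bad set
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad,constructed: dropper sample
"""
KNOWN_GOOD_TEXT = """
# constructed known-good set
5EB63BBBE01EEED093CB22BB8F5ACDC3,constructed: benign text file
"""


def load_hashset(text):
    """Parse 'digest,label' lines into a dict; digests are normalised to lowercase
    so that lists exported in upper case still match."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, label = line.split(",", 1)
        entries[digest.strip().lower()] = label.strip()
    return entries


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Compute several digests of a file in one pass, reading in 1 MiB chunks so
    multi-gigabyte evidence files are never loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(path, bad, good):
    """Return (verdict, label, algorithm). Known-bad wins over known-good, and
    the lookup is tried for every algorithm the file was hashed with, since
    hashsets from different sources use different digest types."""
    for algo, value in hash_file(path).items():
        if value in bad:
            return ("known-bad", bad[value], algo)
        if value in good:
            return ("known-good", good[value], algo)
    return ("unknown", None, None)


def demo():
    """Write three constructed files to a temp directory and classify each.
    Returns a dict of file name -> (verdict, label, algorithm)."""
    samples = {
        "dropper.bin": b"abc",                    # matches the known-bad SHA-256
        "notes.txt": b"hello world",              # matches the known-good MD5
        "random.bin": b"nothing in either set",   # unknown: needs manual review
    }
    bad = load_hashset(KNOWN_BAD_TEXT)
    good = load_hashset(KNOWN_GOOD_TEXT)
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            verdicts[name] = classify(path, bad, good)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, label, algo) in demo().items():
        detail = f" ({label}, matched by {algo})" if label else ""
        print(f"{name}: {verdict}{detail}")
```

The point of carrying several digests per file is that whitelist and blacklist sources rarely agree on an algorithm; hashing once per file and looking up each digest avoids re-reading large images. Files that match nothing are the ones left for the examiner, which is the same triage the tool's hashset option is there to automate.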
Overall I like Belkasoft Evidence Center's ability to parse all kinds of data sources, including disk, memory, and mobile, and I believe it is a less expensive option than other industry tools. However, I don't believe it is quite at the caliber of the leading mobile forensics tools for mobile work. Belkasoft's strong suit, for me, is its ability to be deployed and used for Incident Response. I like the ability to configure VirusTotal and parse Incident Investigation artifacts. I believe it could be best used in a small to larger enterprise setting and deployed as such. The tool also has some benefits in its acquisition capabilities, for which the checkm8 jailbreak package is included with a licensed version.
However, I may make a post on how to do that for free on Windows with a bootable Linux and the checkm8 exploit from GitHub.
If your budget isn't as high as the other licensed tools go, but you want a little more support than Autopsy (also a great tool), I would recommend giving the trial version of this tool a go to see if it does what you are looking for.