Instant Messenger Forensic Investigation


Meet Belkasoft Evidence Center 3.0!
What's new in the recent Belkasoft release?
Yuri Gubanov
CEO, Belkasoft
http://belkasoft.com
Previous forensic software
- Belkasoft Evidence Center 1.0, 1.1 and 2.0
- Evidence Center is the successor to:
  - Belkasoft Forensic Studio (3 separate products in 1: chats, browsers, emails)
  - Belkasoft Forensic IM Analyzer (chats)
  - Belkasoft Forensic Carver (chats, browsers)
New Belkasoft release: Belkasoft
Evidence Center 3.0
Major Evidence Center features
- Search and extraction for chats, browser history and emails
- Carving, Live RAM and network traffic analysis
- Mounting drive and Live RAM images
- Case and user management
- Bookmarking
- Reports in text, XML, HTML, CSV, PDF
- Hash calculation
- No Internet connection required
(All of the above were already included in the previous v2.0.)
Major improvements in 3.0
- Not just Windows anymore: MacOS support added
- Not just histories anymore: picture and video support added
- Not just history extraction anymore: analysis added
Also:
- Option to carve allocated or unallocated space
- Hibernation and page file analysis
- Thunderbird email client support
MacOS support
- Mounting HFS/HFS+ drives and drive images supported (EnCase, SMART, DD)
- Carving and regular history extraction, Instant Messengers only
- Currently supported: Adium, AIM, Brosix, Fire, iChat, ICQ, InstantBird, Mail.Ru Agent, Mercury, Nimbuzz, Trillian, Yahoo! Messenger
- More history types to come
Picture support
- Search for pictures
- Extracting and showing EXIF and other properties
- Filtering by various properties
- Showing pictures with GPS coordinates on Google Maps and Google Earth
Picture analysis
- Pornography detection (beta)
- Face detection: both frontal and profile
- Text detection: English, Russian
Video support
- Search for video
- Extracting key frames
  - Saves time for video analysis: only significantly changed frames need review
  - Less emotional stress for an investigator: only a set of pictures needs to be viewed
- The same analysis is available for key frames as for pictures
Filters
- Powerful filter manager
  - Allows creating filters on one or more criteria
  - Arithmetic, boolean and string operations
  - AND/OR conjunctions
  - Negating a criterion using NOT
- Applied to pictures and videos
Carving
- Previously: carving the whole drive/image
- Now 3 options:
  - Carve allocated
  - Carve unallocated
  - Carve both
- Why carve allocated?
  - E.g. corrupted files (as met with IE dat files)
  - Renamed files
- Also: the "mounting does not work under some XP machines" problem is fixed
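The picture-support slide above lists EXIF extraction with a Google Maps view of GPS coordinates, and the carving slide explains why signature carving still recovers renamed and corrupted files. The Python script below is an added example written for this page; it is not Belkasoft's code and does not claim to reproduce how Evidence Center works internally. It demonstrates both points on a constructed byte blob: header/footer carving of JPEGs (FF D8 FF to FF D9), then walking the EXIF TIFF structure to the GPS IFD and turning its degrees/minutes/seconds rationals into signed decimal degrees and a map link. The raw image, both JPEGs, the EXIF block, the 16 MB size cap and the maps URL form are all assumptions made for the example.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG begins FF D8 FF (SOI followed by a marker)
JPEG_EOI = b"\xff\xd9"      # end-of-image marker, used as the carving footer

# Constructed sample EXIF: a big-endian TIFF block holding only a GPS IFD (59 deg 56' 18.00" N, 30 deg 18' 0" E); offsets are relative to the TIFF header.
EXIF_TIFF = bytes.fromhex(
    "4D4D 002A 00000008"                          # "MM", magic 42, IFD0 at offset 8
    "0001 8825 0004 00000001 0000001A 00000000"   # IFD0: one entry, GPSInfo IFD pointer -> 26
    "0004"                                        # GPS IFD: four entries
    "0001 0002 00000002 4E000000"                 # GPSLatitudeRef  ASCII "N" (inline)
    "0002 0005 00000003 00000050"                 # GPSLatitude     3 RATIONALs at 80
    "0003 0002 00000002 45000000"                 # GPSLongitudeRef ASCII "E" (inline)
    "0004 0005 00000003 00000068"                 # GPSLongitude    3 RATIONALs at 104
    "00000000"                                    # no next IFD
    "0000003B 00000001 00000038 00000001 00000708 00000064"  # 59/1, 56/1, 1800/100
    "0000001E 00000001 00000012 00000001 00000000 00000001"  # 30/1, 18/1, 0/1
)
SCAN_STUB = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56"  # fake SOS + scan data
JPEG_WITH_GPS = (b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + 6 + len(EXIF_TIFF))
                 + b"Exif\x00\x00" + EXIF_TIFF + SCAN_STUB + JPEG_EOI)
JPEG_PLAIN = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + SCAN_STUB + JPEG_EOI)
# Constructed "unallocated space": a stray footer, both pictures and a user-given name; neither names nor the file system matter to the carver.
RAW_IMAGE = (b"\x00" * 32 + JPEG_EOI + b"unallocated cluster filler " * 3
             + JPEG_WITH_GPS + b"\x00" * 16 + b"holiday.jpg renamed to report.dat"
             + JPEG_PLAIN + b"\x00" * 16)

def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Pair each FF D8 FF header with the next FF D9 footer; return (offset, bytes) hits."""
    hits, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break                          # header with no footer anywhere after it: truncated
        if end + 2 - start > max_size:     # footer implausibly far away: treat header as a false hit
            pos = start + 1
            continue
        hits.append((start, image[start:end + 2]))
        pos = end + 2
    return hits

def exif_tiff(jpeg):
    """Walk the JPEG marker segments; return the TIFF block of an APP1 Exif segment, or None."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):         # EOI or start of scan: no more metadata segments
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes its own 2 bytes
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def gps_decimal(tiff):
    """Find the GPS IFD and convert its DMS RATIONAL triples to signed decimal degrees."""
    bo = ">" if tiff[:2] == b"MM" else "<"   # byte order mark decides how every field is read
    u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]
    def entries(ifd):                      # yields (tag, type, count, offset of the value field)
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8
    gps = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == 0x8825), None)
    if gps is None:
        return None                        # picture carries EXIF but no GPS IFD
    vals = {}
    for tag, typ, count, v in entries(gps):
        if typ == 2:                       # ASCII: inline when it fits in 4 bytes, else at offset
            off = v if count <= 4 else u32(v)
            vals[tag] = tiff[off:off + count].rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:                     # RATIONAL (two uint32): always stored at an offset
            off = u32(v)
            pairs = [(u32(off + 8 * i), u32(off + 8 * i + 4)) for i in range(count)]
            if any(d == 0 for _, d in pairs):
                return None                # corrupt EXIF: zero denominator
            vals[tag] = [n / d for n, d in pairs]
    def dms(tag, ref_tag, negative_ref):   # degrees + minutes/60 + seconds/3600, sign from the Ref tag
        d, m, s = vals[tag]
        deg = d + m / 60 + s / 3600
        return -deg if vals.get(ref_tag) == negative_ref else deg
    try:
        return dms(2, 1, "S"), dms(4, 3, "W")
    except (KeyError, ValueError):         # coordinates missing, or not a 3-value triple
        return None

def analyze_image(image):
    """Carve every JPEG and attach decimal GPS plus a map link where a GPS IFD is present."""
    report = []
    for offset, jpeg in carve_jpegs(image):
        tiff = exif_tiff(jpeg)
        coords = gps_decimal(tiff) if tiff else None
        report.append({"offset": offset, "size": len(jpeg), "gps": coords,
                       "map": f"https://maps.google.com/?q={coords[0]:.6f},{coords[1]:.6f}"
                       if coords else None})
    return report
```

Calling analyze_image on the constructed RAW_IMAGE returns two rows: the first JPEG with (59.938333, 30.3) and a map link, the second with no GPS data. On a real image you would read the file in chunks rather than into memory, and the allocated/unallocated choice from the slide is simply a matter of which byte ranges you feed the carver.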
Hibernation and page files
- Support for carving hibernation and page files
  - hiberfil.sys
  - pagefile.sys
- Live RAM analysis available for:
  - Instant Messenger artifacts
  - Social network artifacts (Facebook)
  - Browser artifacts (IE, Firefox)
  - Gmail letters and drafts
- Regular carving available for all supported types
Thunderbird support
- Search and extraction of Thunderbird mailboxes
  - msf format
  - SQLite format is on the way
- Huge mailboxes supported
  - Tested on a 3 GB mailbox: 30 minutes to extract
Smaller enhancements
- New Windows messengers: Paltalk (Live RAM), Gajim, emClient, Nimbuzz, Qutim, Gadu-Gadu (old and new versions)
- MacOS: see previous slides
Smaller enhancements
- Social networks: Facebook
  - IE remnants
  - Live RAM: chats and group chats
- Better Gmail support
  - Live RAM: not only emails, but also drafts extracted
- Better Skype group chats extraction
- Better ICQ 6 and 7 file transfer extraction
- Multiple usability improvements
  - E.g. reporting now treats From/To dates inclusively
- Possibility to tweak report templates
  - E.g. put your own logo instead of Belkasoft's, tweak colors, fonts etc.
Smaller enhancements
- The Bat! mailbox analysis no longer fails on big mailboxes (previously it failed on 1 GB ones)
- Outlook mailbox analysis no longer fails on 10 GB mailboxes
- Sample histories included in the setup
  - Previously they had to be downloaded manually from the site
- Setup on a machine without Internet connection supported
- 4 predefined setup packages for various Windows versions: English/German, 32/64 bit
  - Other Windows languages are also supported
Price enhancements
- Clearer price structure
  - Every additional feature costs the same
  - $250 per feature (floating license)
  - $200 per feature (fixed license)
- More features in the base configuration
  - Browser cache and passwords included (previously additional features)
  - Basic picture and video support included
Available features
1. Deleted information retrieval (carving)
2. Live RAM dump analysis
3. Mounting images such as EnCase evidence files, SMART, DD; mounting MacOS drives
4. Network traffic analysis for chat artifacts
5. Picture analysis
6. Video analysis
More convenient registration process
- No more typing in license keys, and no more mistakes doing so
- All feature and license information is included in a single file, features.xml
  - Sent to the customer right after purchase
  - Just put it in the product folder and the product will register automatically
- As before, no Internet required for registration
Less Hardware ID pain
- Previously every change in hardware led to a new Hardware ID
  - Even adding a virtual device in VMware!
- Now fewer hardware changes count
  - Customers will need to ask for new keys less frequently
Comprehensive help
- Read online at http://belkasoft.com/bec/en/Evidence_Center_Help_Contents.asp
- Download PDF from http://belkasoft.com/download/BEC_3.0_Help.pdf
Belkasoft customers
- See http://belkasoft.com/home/en/Customers.asp for more
Why Belkasoft Evidence Center?
- Reduced cost of investigation
- Reduced investigation time
- Less specialist knowledge required from the investigator
- Ideal for triage
- Simultaneous work of several analysts on the same case
Where to get the product?
- Product page: http://belkasoft.com/bec/en/Evidence_Center.asp
- Direct download link: http://belkasoft.com/download/bec.zip
- Registration page: http://belkasoft.com/bec/en/register.asp
- This presentation: http://belkasoft.com/download/info/bec30.zip
About Belkasoft
- Belkasoft: computer forensics software vendor
- Site: http://belkasoft.com
- Founded in 2002
- Contacts
  - [email protected]: product support
  - [email protected]: all questions
  - [email protected]: business-related
- DUNS: 683524694
- NCAGE: SKF09
- CCR: see http://www.bpn.gov/ccr
- We are also in ORCA and WAWF
Customer problems solved
- Computer forensic investigation
  - Is there any evidence on a suspect's computer?
  - Out-of-the-box solution for a number of evidence types
  - How to find such evidence quickly, without too much manual work?
- Corporate security
  - Did a fired employee disclose commercial secrets?
  - Do current employees use their computers only for business needs?
- Intelligence and counterintelligence
  - Are there any suspicious chats made in an Internet café?
- Parental control
  - Is a child safe while web surfing and chatting?
Training
- Belkasoft can provide online and onsite training if a customer requires it
  - Online training delivered via GoToMeeting (a WebEx analogue)
  - Onsite training requires travel, accommodation and meal expenses to be covered by the customer
- More details: http://belkasoft.com/home/en/Training.asp
Contact us!
- Interested? Drop us an e-mail at [email protected] right now!
- Add Belkasoft's CEO on LinkedIn: http://ru.linkedin.com/in/yurigubanov