Meet Belkasoft Evidence Center 3.0! Yuri Gubanov CEO, Belkasoft What's new in the recent Belkasoft release?

Previous forensic software  Belkasoft Evidence Center 1.0, 1.1 and 2.0.  Evidence Center is successor for Belkasoft Forensic Studio  3 separate products in 1: chats, browsers, s Belkasoft Forensic IM Analyzer  Chats Belkasoft Forensic Carver  Chats, Browsers New Belkasoft release: Belkasoft Evidence Center 3.0

Major Evidence Center features  Search and extraction for chats, browser history and s  Carving, Live RAM and Network traffic analysis  Mounting drive and Live RAM images  Case and User management  Bookmarking  Reports in text, xml, html, csv, pdf  Hash calculation  No Internet connection required (included in previous v.2.0) New Belkasoft release: Belkasoft Evidence Center 3.0

Major improvements to 3.0  Not just Windows anymore MacOS support added  Not just histories anymore Picture and video support added  Not just history extraction anymore Analysis added Also: Option to carve allocated/unallocated Hibernation and page file analysis Thunderbird client support New Belkasoft release: Belkasoft Evidence Center 3.0

MacOS support  Mounting HFS/HFS+ drives and drive images supported Encase, SMART, DD  Carving and regular history extraction, Instant Messengers only  Currently supported:  More history types to come New Belkasoft release: Belkasoft Evidence Center 3.0 Adium AIM Brosix Fire iChat ICQ InstantBird Mail.Ru Agent Mercury Nimbuzz Trillian Yahoo! Messenger

Picture support  Search for pictures  Extracting and showing EXIF and other properties  Filtering by various properties  Showing pictures with GPS coordinates on Google Maps and Google Earth New Belkasoft release: Belkasoft Evidence Center 3.0

Picture analysis  Pornography detection (beta)  Face detection Both frontal and profile  Text detection English Russian New Belkasoft release: Belkasoft Evidence Center 3.0

Video support  Search for video  Extracting key frames Saves time for video analysis: only significantly changed frames need review Less emotional stress for an investigator  Only need to see a set of pictures  The same analysis available for key frames as for pictures New Belkasoft release: Belkasoft Evidence Center 3.0

Filters  Powerful filter manager  Allows to create filters on one or more criteria Arithmetic, boolean and string operations AND/OR conjunctions Negating criterion using NOT  Applied to pictures and videos New Belkasoft release: Belkasoft Evidence Center 3.0

Carving  Previously: carving all drive/image  Now 3 options: Carve allocated Carve unallocated Carve both  Why carving allocated? E.g. corrupted files (e.g. met with IE dat files) Renamed files  Also: "mounting does not work under some XP machines" problem fixed New Belkasoft release: Belkasoft Evidence Center 3.0

Hibernation and page files  Support for carving hibernation and page files hiberfil.sys pagefile.sys  LiveRAM analysis available Instant Messenger artifacts Social network artifacts (Facebook) Browser artifacts (IE, Firefox) Gmail letters and drafts  Regular carving available All supported types New Belkasoft release: Belkasoft Evidence Center 3.0

Thunderbird support  Search and extraction of Thunderbird mailboxes msf format SQLite format is on the way  Huge mailboxes supported Tested on 3Gb mailbox: 30 minutes to extract New Belkasoft release: Belkasoft Evidence Center 3.0

Smaller enhancements  New Windows messengers: Paltalk (LiveRAM) Gajim emClient Nimbuzz Qutim Gadu-Gadu (old and new versions)  MacOS: see previous slides New Belkasoft release: Belkasoft Evidence Center 3.0

Smaller enhancements  Social networks: Facebook IE remnants Live RAM: chats and group chats  Better Gmail support Live RAM: Not only s, but also drafts extracted  Better Skype group chats extraction  Better ICQ 6 and 7 file transfer extraction  Multiple usability improvements E.g. Reporting now considers From/To dates inclusively  Possibility to tweak report templates E.g. put own logo instead of Belkasoft's one, tweak colors, fonts etc. New Belkasoft release: Belkasoft Evidence Center 3.0

Smaller enhancements  The Bat! mailbox analysis no more fails on big mailboxes (previously was failing on 1Gb sized ones)  Outlook mailbox analysis no more fails on 10Gb mailboxes  Sample histories included to setup Before one had to download manually from site  Setup on a machine without Internet connection supported 4 predefined setup packages for various Windows versions: English/German 32/64 bit Other Windows languages are also supported New Belkasoft release: Belkasoft Evidence Center 3.0

Price enhancements  More clear price structure Every additional feature cost the same  $250 per feature (floating license)  $200 per feature (fixed license)  More features in the base configuration Browser cache and passwords included  Previously were additional features Basic picture and video support included New Belkasoft release: Belkasoft Evidence Center 3.0

Available features 1.Deleted information retrieval (carving) 2.Live RAM dump analysis 3.Mounting images such as Encase evidence files, SMART, DD, mounting MacOS drives 4.Network traffic analysis for chat artifacts 5.Picture analysis 6.Video analysis New Belkasoft release: Belkasoft Evidence Center 3.0

More convenient registration process  No more entering licenses and mistakes in this  All feature and license information is included to a single file features.xml Sent to customer right after purchase Just put it in the product folder and product will register automatically  As previously, no Internet required for registration New Belkasoft release: Belkasoft Evidence Center 3.0

Less Hardware ID pain  Previously every change in hardware lead to new Hardware ID Even adding virtual device in VMWare!  Now less hardware changes count Customers will ask for new keys less frequently New Belkasoft release: Belkasoft Evidence Center 3.0

Comprehensive help  Read online at _Center_Help_Contents.asp _Center_Help_Contents.asp  Download PDF from 3.0_Help.pdf 3.0_Help.pdf New Belkasoft release: Belkasoft Evidence Center 3.0

Belkasoft customers  See for morehttp://belkasoft.com/home/en/Customers.asp

Why Belkasoft Evidence Center?  Reduced cost of investigation  Reduced investigation time  Less specific knowledge required for investigator  Ideal for triage  Simultaneous work of several analysts on the same case New Belkasoft release: Belkasoft Evidence Center 3.0

Where to get the product?  Product page:  Direct download link:  Registration page:  This presentation: New Belkasoft release: Belkasoft Evidence Center 3.0

About Belkasoft  Belkasoft – computer forensics software vendor  Site –  Founded at 2002  Contacts – product support – all questions – business-related  DUNS:  NCAGE: SKF09  CCR: see  We are also in ORCA and WAWF New Belkasoft release: Belkasoft Evidence Center 3.0

Customer problems solved New Belkasoft release: Belkasoft Evidence Center 3.0  Computer forensic investigation Is there any evidence on a suspect's computer?  Out-of-the box solution for a number of evidence types How to find such evidence quickly, without too much manual work?  Corporate security Did a fired employee unveil commercial secrets? Are current employees use computer only for business needs?  Intelligence and counterintelligence Are there any suspicious chats made in an internet café?  Parental control Is a child safe during web surfing and chatting?

Training  Belkasoft can handle online and onsite trainings if a customer requires this  Online training delivered via GoToMeeting (WebEx analogue)  Onsite training requires travel, accommodation and meal expenses to be covered by a customer  More details: New Belkasoft release: Belkasoft Evidence Center 3.0

Contact us!  Interested? Drop us an at right now!  Add Belkasoft CEO in LinkedIn: New Belkasoft release: Belkasoft Evidence Center 3.0