Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.belkasoft.com Belkasoft Acquisition and Analysis Suite.

Published byRalph Burke Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.belkasoft.com Belkasoft Acquisition and Analysis Suite."— Presentation transcript:

1 www.belkasoft.com Belkasoft Acquisition and Analysis Suite

2 www.belkasoft.com Computer Acquisition Step By Step 1.Acquisition Capturing volatile memory Imaging disks 2.Discovery and analysis Discovering existing evidence Carving destroyed evidence Analyzing data 3.Management Reporting Sharing evidence Managing cases Preparing for the next case The Complete Cycle of Forensic Process

3 www.belkasoft.com Computer Acquisition Step By Step 1.Ready-to-use portable memory dumping tool High-capacity USB pen drive Kernel mode RAM acquisition software 2.Disk imaging hardware Disk cloning Secure erase 3.Evidence discovery and analysis software Analysis and reporting Evidence sharing, archiving and management tools What’s Inside?

4 www.belkasoft.com Step 1: Live RAM Acquisition

5 www.belkasoft.com Acquiring Information Never Stored on the Disk RAM contains information never stored on a hard drive 1-16Gb of important data decryption keys for encrypted volumes Facebook chats, InPrivate browsing history, etc Getting The Most Out of a Computer Portable software Can run from a thumb drive Dumps all available memory contents Very small executable (~150Kb) Our solution

6 www.belkasoft.com Overcoming Memory Protection Malware can detect user-mode memory dumping, block acquisition or fake content Certain games do this as well Malicious software can prevent memory dumping Capturer tool runs in kernel mode Transparent to other software 32-bit and 64 -bit kernel-mode drivers supplied Our solution

7 www.belkasoft.com Step 2: Disk Acquisition

8 www.belkasoft.com Problems solved: Unknown Device Condition Many imaging products stall on damaged devices Other imagers may take hours to show an issue You are not in control Devices Being Acquired Are in Unknown Condition Our solution Detailed real-time acquisition information Remote diagnostics (RDC, Ethernet)

9 www.belkasoft.com Problems Solved: HDD Passwords ATA passwords effectively prevent all disk access In Maximum Security mode, Secure Erase follows unsuccessful unlock attempts Few duplicators can deal with ATA passwords Possible loss of data ATA password may lock the device Automatic acquisition of password-protected disks Our solution

10 www.belkasoft.com Problems Solved: Physical Damage May slow down or prevent acquisition Physical damage prevents imaging Our solution Real-time diagnostics and reporting Advanced options to skip bad sectors and heads Skipped areas can be analyzed later Forward (linear) and backward (reverse) modes Imaging of specified sectors only Receive data from undamaged areas really fast Damaged areas can be analyzed later Important for field investigations

11 www.belkasoft.com Problems Solved: HPA/DCO Areas HPA/DCO areas are “invisible” to most imagers HPA/DCO areas can be of any size Device may be clipped with HPA/DCO techniques Instantly resets HPA/DCO Acquires data from HPA/DCO areas Our solution

12 www.belkasoft.com Step 3: Discovering and Analyzing Evidence

13 www.belkasoft.com Belkasoft Evidence Center: Searches Everywhere Looks in: Storage devicesHard drives and removable media Disk imagesEnCase (including Ex01), FTK, raw (DD), SMART Mobile devicesiPhone/iPad, Android and Blackberry backups Mobile dumpsUFED dumps, chip-off dumps Virtual machinesVMWare, Virtual PC Volatile memoryLive RAM dumps Fragmented memory set analysis with BelkaCarving™ Virtual memoryHibernation files and Page files Unallocated spaceFile carving discovers destroyed evidence Network trafficPCAP files

14 www.belkasoft.com Belkasoft Evidence Center: Data types Can find and analyze: Office documents Emails Mobile device backups Social network chats (Facebook, Twitter etc.) Browsing history Instant messenger chats Pictures Videos System Files SQLite databases Chats in multi-player online games Data from P2P and file sharing apps Encrypted files

15 www.belkasoft.com Analyze Evidence Automated Evidence Analysis Picture analysisDetects faces, scanned text and pornography Authenticity analysisDetects altered pictures with Forgery detection Geolocation analysisDetermines EXIF and GPS coordinates for images Video analysisExtracts key frames from videos Encryption detectionDiscovers encrypted files and volumes

16 www.belkasoft.com Evidence in Images and Videos Automated Image Content Analysis Automatically discovers scanned text and human faces Automated detection of pornographic content Extracts EXIF data and GPS coordinates Speeds up content analysis Speeds Up Video Analysis Lengthy videos are represented as series of key frames and displayed as galleries of still images Key frames automatically analyzed for all supported evidence types

17 www.belkasoft.com SQLite Evidence Cleared Skype Histories and Deleted SQLite Records Native SQLite support recovers more evidence SQLite is used in: most system and user-level Android and iOS apps Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer Major Web browsers: Mozilla, Chrome, Safari Support for damaged and destroyed SQLite databases ‘freelist’ analysis recovers deleted records Cleared Skype histories and conversation logs can be recovered

18 www.belkasoft.com Evidence in Smartphones and Tablets Android, BlackBerry, Apple iOS Backups Locates Android, BlackBerry and iTunes backups Extracts information from mobile backups for many popular applications Parses and analyzes evidence GPS coordinates and geolocation information Evidence from mobile devices automatically added to the Timeline SQLite analysis recovers cleared histories with freelist support Industry standard dumps UFED dumps Chip-off dumps

19 www.belkasoft.com Jumplists and Thumbnails Looking for Evidence in Obscure Places Jumplists: little known, rarely cleaned, kept forever Information on files being viewed, opened, or launched Even for deleted files or data stored on remote or external devices Definite proof of access: information contains full file name, path and meta data Thumbnails: not just pictures Cached preview images of many file formats JPEG, GIF, DOC/DOCX, XLS/XLSX, PDF, and hundreds of others

20 www.belkasoft.com Destroyed Evidence Discover Destroyed Evidence with Data Carving Finds destroyed evidence on hard drives and Live RAM Recovers evidence from formatted volumes and repartitioned hard drives Allocated/unallocated disk space analysis Carving for physical disks, forensic drive images, memory dumps, hibernation and page files Fully automated operation requires no special skills

21 www.belkasoft.com Analyzing Ephemeral Evidence Live RAM Analysis Evidence Center analyzes Belkasoft and third-party RAM dumps Hibernation and page file also supported Instant access to TrueCrypt, PGP, BitLocker and other encrypted volumes with binary encryption keys Recent social network communications Data from browsing sessions with enforced privacy settings Registries and pictures BelkaCarving™ recovers fragmented data from memory dumps

22 www.belkasoft.com Convenient Presentation Present and Share Evidence. Create and Submit Reports All events during a certain time period displayed in single visual timeline Printable reports admissible as court evidence Collected evidence can be exported and shared with others

23 www.belkasoft.com Sharing and Archiving Evidence Evidence can be shared with colleagues and coworkers Free tool available for viewing shared evidence Case Management enables long-term archiving Unlimited database size Easy management Sharing and Archiving Evidence What You Get: Evidence presented to colleagues or archived for future use

24 www.belkasoft.com Sharing Evidence Evidence Reader: Share Collected Evidence Evidence collected with Evidence Center can be saved or shared Offers extra value at no extra charge Export to Evidence Reader Free to all licensed users

25 www.belkasoft.com Integrate with EnCase Full EnCase Integration Integrated with EnCase 7 Launches via EnScript module Processes E01s & Ex01s Imports discovered evidence back into EnCase Guidance approved for EnCase AppCentral Available in EnCase AppCentral

26 www.belkasoft.com Our Customers

27 www.belkasoft.com Hands On Experience Free Demo Version Downloadable evaluation version belkasoft.com/get Request your FREE LE demo at belkasoft.com/trial

Download ppt "Www.belkasoft.com Belkasoft Acquisition and Analysis Suite."

Similar presentations

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
XProtect ® Professional Efficient solutions for mid-sized installations.

XProtect ® Professional Efficient solutions for mid-sized installations.
XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.

XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.
{ Making Microsoft Office work for you Organizing Your Life at work and home in the Cloud Presented by: Matthew Baker (321)

{ Making Microsoft Office work for you Organizing Your Life at work and home in the Cloud Presented by: Matthew Baker (321)
Objectives Overview Define an operating system

Objectives Overview Define an operating system
This presentation will take a look at to prevent your information from being discovered by and investigator.

This presentation will take a look at to prevent your information from being discovered by and investigator.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.

You can run that from a USB Drive ? Portable Applications: the good, the bad and the ugly Jeff Gimbel © 2007.
XProtect ® Essential Brilliant simplicity. With support for up to 26 cameras, XProtect Essential is cost-efficient and easy to use IP video surveillance.

XProtect ® Essential Brilliant simplicity. With support for up to 26 cameras, XProtect Essential is cost-efficient and easy to use IP video surveillance.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
Installing Windows Vista Lesson 2. Skills Matrix Technology SkillObjective DomainObjective # Performing a Clean Installation Set up Windows Vista as the.

Installing Windows Vista Lesson 2. Skills Matrix Technology SkillObjective DomainObjective # Performing a Clean Installation Set up Windows Vista as the.
Utility Programs  A type of system software that is used to solve a particular problem is called utility program. Many operating system provides different.

Utility Programs  A type of system software that is used to solve a particular problem is called utility program. Many operating system provides different.
XProtect ® Enterprise. XProtect Enterprise is comprehensive IP video surveillance software with interactive monitoring capabilities The perfect match.

XProtect ® Enterprise. XProtect Enterprise is comprehensive IP video surveillance software with interactive monitoring capabilities The perfect match.
Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.

Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.

Similar presentations

Ads by Google