All-in-one forensic solution for acquiring, extracting, and analyzing digital evidence stored inside computers and mobile devices
Trusted by the police around the globe
Used by thousands of forensic experts and police departments from more than 70 countries worldwide
Evidence Center features
- Fully automated acquisition, extraction and analysis of 1000+ types of evidence.
- Destroyed and hidden evidence recovery via data carving.
- Live RAM analysis.
- Cloud data downloading and analysis.
- Advanced low-level expertise.
- Concise and adjustable reports, accepted by courts.
- Case management and the ability to create a portable case to share with a colleague at no cost.
Types of evidence supported by Evidence Center
- Office documents.
- Email clients.
- Pictures and videos.
- Mobile application data.
- Web browser histories, cookies, cache, passwords, etc.
- Chats and instant messenger histories.
- Social networks and cloud services.
- System files, including Windows 10 Timeline and TOAST, macOS plists, smartphone Wi-Fi and Bluetooth configurations, etc.
- Encrypted files and volumes.
- Registry files.
- SQLite databases.
- Peer-to-peer software.
- Plist files.
Types of analysis performed by Evidence Center
- Existing files search and analysis. Low-level investigation using Hex Viewer.
- Timeline analysis - ability to display and filter all user activities and system events in a single aggregated view.
- Data carving and destroyed evidence recovery. Custom carving, including support for Scalpel and FTK sets.
- Live RAM analysis including process extraction and data visualization. Malware detection.
- Cloud data analysis.
- In-depth Volume Shadow Copy support.
- Hibernation file (hiberfil.sys) and page file (pagefile.sys) analysis.
- Native SQLite analysis with freelist and WAL support.
- Discovers deleted SQLite records, e.g. Skype conversations or WhatsApp messages.
- Picture analysis including EXIF and GPS analysis, face/text/pornography/forgery detection.
- Video key frame extraction.
- Analysis of links between persons using Connection Graph features such as communication visualization and community detection.
- Malware and suspicious processes detection.
- Encryption detection and decryption of found encrypted files.
- Special files and folders analysis (e.g. Volume Shadow Copy, $OrphanFiles, $MFT etc.).
- Hashset analysis.
- Flexible analysis with BelkaScript, free scripting module.
- Advanced search and data filtering, more than 20 types of predefined search (card and telephone numbers, names, suspicious words, etc.).
- Deduplication using PhotoDNA hashing, as well as by not carving files that already exist.
Evidence Center works with the following data sources and file systems
- Storage devices - Hard drives and removable media.
- Disk images - EnCase (including Ex01), L01/Lx01, FTK, DD, Smart, X-Ways, Atola, DMG, tar and zip files.
- Mobile devices - Mobile backups, UFED and OFB dumps, chip-off and JTAG dumps.
- Virtual machines - VMware, Virtual PC, VirtualBox, XenServer.
- Volatile memory - Live RAM dumps; fragmented memory set analysis with BelkaCarving™.
- Memory files - Hibernation file and Page file.
- Unallocated space - Data carving discovers destroyed evidence.
- File systems - FAT, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4, YAFFS, YAFFS2.
Evidence Center supports the following acquisition types
- Mobile devices: iTunes backup (iOS), ADB backup or agent-based backup (Android), physical backup or EDL (rooted Android).
- Hard drives: logical and physical drives, acquired to DD or E01 images with optional hash calculation and verification.
- Clouds: Google Clouds (Google Drive, Google Plus, Google Keep, Gmail, Google Timeline), iCloud, email (Yahoo, Hotmail, Opera, Yandex, Mac.com, and 25 more webmail clouds), Instagram, WhatsApp.
Evidence Center helps investigate the following systems
- Windows (all versions, including Windows 10).
- Mac OS X.
- Unix-based systems (Linux, FreeBSD, etc.).
- iOS: iPhone, iPad.
- Windows Phone 8/8.1.