To Review Memory Dumps in Ftk the Forensic Examiner Should Select the Live Search Tab

Shafik G. Punja is a erstwhile law enforcement officer, with 25 years in policing, of which over sixteen years was spent as a digital forensic examiner for a law enforcement agency, assigned to the Digital Forensics Squad (Cyber/Forensics Unit).

"In my opinion, based on my general review, I would consider Belkasoft X for parsing Windows data, iOS and Android mobile data."

Download pdf

Introduction

In October of 2020, I was approached by my respected professional person colleague, Yuri Gubanov (Owner and CEO of Belkasoft), to review their latest product, Belkasoft X (or Belka X).

I will begin kickoff, by stating that anything noted herein about Belkasoft X, is a reflection of my ain thought processes and has NOT been influenced by the Belkasoft. Secondly, I use a wide diverseness of tools for analyzing data. I observe leveraging a multi-tool approach an asset, in that it allows me to view the same data from different perspectives. No software is perfect, our collective, constructive utilize and feedback to the vendors helps to profoundly improve any product.

My first interest in the Belkasoft products was specifically for parsing Instant Messenger (IM) chat communications. I take been watching the Belkasoft products evolve for well over 8 years, with more features existence added to help examiners.

This review of Belkasoft Ten was congenital running Belkasoft X x64 version 1.0.6190 on Windows ten 20H2 (Bone Build 19042.thirty) running in VMFusion 12.1.0. The 'README.txt' file, that is independent in the download archive of Belkasoft Ten, specifically indicates "Mac users can run the tool under bootcamp." Test data that comes with installing Belkasoft X, and publicly attainable CTF data was used for processing and analysis within Belkasoft 10. Links to the CTF information are provided in the Sources department of this article.

The intent of this review is to provide an overview of the Belkasoft Ten. I volition non be describing every detail of Belkasoft 10, nor trying to explain every unmarried aspect of how to use Belkasoft X. This is not meant to deed every bit or replace the provided user guide and tutorial videos. Rather, the intent of this article is to act as a general review, using several dissimilar types of datasets. I strongly urge you to obtain a trial version and explore the product using the test and CTF data. In add-on to Belkasoft Ten, Belkasoft as well provides a complimentary RAM capturing production chosen Belkasoft Live RAM Capturer that is available from their website.

Belkasoft X What'due south New: This is an extensive overview that explains the differences between Belkasoft X and its predecessor, Belkasoft Show Eye 2020, which includes: new user Interface and new windows, usability, workflow, triage, acquisition, iOS forensics, bookmarking, viewers, medial file forensics, and new and updated artifact parsing back up.

Belkasoft X Editions: The reader should also be aware that there are 4 different editions (or versions) of the Belkasoft Ten product: X Reckoner, X Mobile, X Forensic, and X Corporate. If you are doing Incident Response (IR), and then you want to utilise X Corporate, that in addition to the X Forensic, too has an IR module to investigate hacking and intrusions into Windows-based computers.

Belkasoft Ten: What Tin can It Practise? (and Cannot Do)

What Belkasoft X can practice relative to its technical specifications are listed below, cited directly from Belkasoft's website: https://belkasoft.com/x#technical-specifications.

Computer

Operating systems: Windows, macOS, Unix-based systems (Linux, FreeBSD, etc.)
Storage devices: hard drives and removable media
Disk images: EnCase, FTK, X-Ways, AFF4, L01/Lx01, DD, SMART, Atola, DMG, archive files (such every bit tar, zip and others)
Virtual machines: VMWare, Virtual PC/Hyper-V, VirtualBox, XenServer
Retentiveness: RAM dumps, hibernation files, folio files
File systems: APFS, Fat, exFAT, NTFS, HFS, HFS+, ext2, ext3, ext4
Acquisition: Bachelor to DD or E01 images with optional hash adding and verification

MOBILE

Operating systems: iOS (iPhone/iPad), Android, Windows Phone 8/viii.ane, Blackberry
Information sources: Mobile backups, UFED and OFB images, GrayKey, chip-off dumps, TWRP images, JTAG dumps, Blackberry IPD and BBB backups, Android physical dumps, Xiaomi MIUI backups, Huawei HiSuite backups
File systems: APFS, HFS+, F2FS, YAFFS, YAFFS2, ext2, ext3, ext4
Conquering

iOS: iTunes, agent-based , checkm8-based , lockdown file support, PTP/MTP, jailbroken devices back up
Android: ADB backup, amanuensis-based, rooted devices back up, PTP/MTP, MediaTek

CLOUD

iCloud
Email: Yahoo, Hotmail, Opera, Yandex, Mac.com and 25 more webmail clouds
Instagram

In my conversations with Yuri, about Belkasoft 10 capabilities, I besides gathered additional information which is worth noting.

I of the best iPhone acquisition feature set up (comparable to Cellebrite) – includes checkm8, agent acquisition (jailbreak-free), jailbreaks, lockdown files, lifting USB restrictions etc.
Memory Assay: Support for procedure extraction for Windows, Linux and ARM, not for Mac. Can extract procedure list, review each procedure retentivity, under HexViewer, cleave for artifacts, and detect malware.
Book Shadow Copy (VSC) data can exist viewed as a snapshot in the aforementioned tree at the aforementioned level as the current land of the bulldoze.
Triage profiles: This volition show all "profiles" – that is, databases/storage files used by various apps – without extracting data.
Using Belkasoft X triage feature, yous tin can decided to only excerpt those data areas of involvement such as files, belonging to Outlook, Skype, Chrome. This tin exist very useful for instance, with Outlook electronic mail PST files that are large in size.
You volition likewise find all "nested" data sources such as mobile backups and virtual machines – again, without analyzing them.

Specifically, there are certain limitations to the production.

Cannot mount Windows RAM as a virtual file organization similar MemProcFS. No digital forensics product does this yet, that I am enlightened of.
Limited cloud-based conquering capabilities.
No special back up for T2 Mac devices – nonetheless.
No PCAP/PCAPNG (captured network traffic) data assay capabilities.

Belkasoft X Get-go

Like many other mainstream, commercial digital forensics acquisition and assay products that you may have been exposed to, Belkasoft Ten is a software GUI (graphical user interface) based tool. When installing Belkasoft X, there are ii options that are unchecked during the install process: 'Install sample data image', and 'Cheque updates every fourth dimension the product starts'. If y'all don't have any sample data for Belkasoft 10 to parse then this check this choice, and similarly also check for updates if you desire to be using the latest version.

The sample data is located in the programme folder application path nether: 'C:\Program Files\Belkasoft Evidence Center X\Sample Data' folder in the form of an EnCase evidence file format with filename 'Samples.E01'.

Have note the Passwords binder contains a Passwords.txt file that lists the passwords required to decrypt specific types of data contained within the 'Samples.E01' image.

The Belkasoft X installer also installs, in the aforementioned awarding folder path location, the x32 and x64 versions of the Belkasoft RAM Capturer tool, plant in their respective folders. These sub-folders are located at: 'C:\Program Files\Belkasoft Show Center X\RamCapture\'. The x32 and x64 folders tin be copied on to a removable USB drive for use in the field for acquiring Windows RAM retention.

Post install of Belkasoft X, yous tin can drop the 'licence.xml' file, into the 'C:\Program Files\Belkasoft Evidence Center X' path, which effectively licences the product. The specific licence.xml shown in the screenshot beneath, is uniquely tied to the USB dongle ID being used.

With the licenced USB dongle attached, Belkasoft X tin be launched, using the shortcut. Upon starting it, all modules are listed, just merely modules covered past the licence are enabled, according to the Belkasoft X edition licence that was purchased.

Before you starting time processing any data in Belkasoft X, take a few minutes to bank check the settings. In Settings -> General, specify the application binder path and temp binder path. In the screenshot beneath the default path locations and settings are shown. When y'all change the application folder path, you are warned that the program must be restarted to apply the change. Until restarting, the program still uses the old application path and will show the old path when you lot reopen the Settings window. But subsequently you restart the program, information technology will utilize the new awarding binder and volition evidence the new path in Settings.

If your arrangement bulldoze is depression on space or yous desire to conserve deejay space, then point the 'Application folder path' location to a different physical bulldoze. Doing this will automatically change the 'Temp binder path' location to the same parent folder of the awarding folder path.

Information technology is besides worth briefly examining the other tabs to personalize other features of Belkasoft X and to gain familiarity with Bookmarks, Carving, Pictures and Video tabs.

For a detailed user guide, access the product reference and video tutorial links from the home (chief) interface window.

At present that the install and basic preferences have been reviewed let'due south start processing some data.

Samples.E01 Image File

For the first run of Belkasoft X, the provided 'Samples.E01' file was imported into a newly created case. Part of the case creation involves identifying the 'Timezone'.

The timezone choice merely pertains to data viewed in the timeline portion of Belkasoft 10. In all other views in the user interface, the timestamps are displayed in UTC value (Coordinated Universal Fourth dimension), as observed in my testing. All the same, Yuri helped clarify that timestamps, in Belkasoft X, are displayed in the format which was used by an app to store it. That is, if an app used UTC, fourth dimension is shown in UTC, if an app used local fourth dimension, an artifact would be shown in local time. This is washed to prove original time value beingness used by the app of grade. The fourth dimension recalculation, to local examiner'south fourth dimension zone or device time zone is a handy feature, that is being considered for a future release.

The inability to view data in the fourth dimension zone local, relative to where the device was primarily being used, tin be a challenge, especially when for not-technical persons that volition exist reading the resulting analysis reports. Nigh, if not all the digital forensic products that I take used permit an examiner to view the information in the local time zone of the device or that of the examiners.

Later you create the example you volition demand to add a data source to process.

In the 'Add data source' window there are three options: Add an existing data, Triage or Acquire.

Add an existing data source has the following sub-options: Paradigm, Mobile epitome, Disk drive, Retention dump, Folder.

Memory dump images supported are: RAM images as '.mem' files, hiberfil.sys and pagefile.sys.

Triage has the following sub-options: Image, Mobile image, Disk drive. This can exist especially useful for quick review of depression hanging fruit data.

Acquire has the following sub-options: Bulldoze, Mobile, Cloud.

The next screenshot shows the partitions that are chosen for analysis under the 'Part' column'. The 'Analysis type' and 'Etching type' columns nowadays with default options and can be adjusted according to the needs of the examiner.

Notation that under 'Analysis blazon', the Snapshots (referring to only to Windows Volume Shadow Copies (VSC's)) is not checked. Therefore, this type of data will not be processed by Belkasoft X. Next to the Snapshots checkbox (which is unchecked in the screenshot), at that place is a watch/clock icon, when moused over, indicates that selecting this option will increment processing time. You will also find this watch/clock icon in media classification and encryption detection areas nether the 'Select advanced analysis options'. This is no dissimilar in whatever other digital forensics assay production, where refining the volume, in guild to parse more data will increment the time taken during processing.

Once the desired analysis options are chosen then click 'Next', to advance to the next stage. When you get to the avant-garde analysis options, you lot volition demand to place the type of contour to employ based on the image or information type you are processing.

The chosen profile affects what artifact types, applications and formats are pre-selected for analysis. Regardless of which profile is selected the examiner can elect to modify the profile choices.

For case, a 'Custom' contour will select 'All' in the 'Antiquity types' and 'Applications and formats' sub windows. Each category of antiquity nether the 'Artifact types > All' has its own subset of artifacts which will populate in the 'Applications and formats' area to the right. In the screenshot shown beneath the Custom profile has been chosen, which has everything selected.

With large datasets it is strongly advisable to try and identify what type of data you are looking to parse and analyze, based on the nature of the investigation and scope of the search. For example, if the data that is being processed contains no Android related artifacts, then deselect whatsoever Android options from the awarding the 'Applications and formats' area. In this example, for the 'Samples.E01', the 'Windows' profile was called, and no changes were fabricated to the pre-selected defaults.

After Artifact choice, when you lot advance past clicking on Adjacent, you are taken to the other areas pertaining to Hashes, Media and Encryption, in guild to select any specific options related to these areas. These options are unchecked past default.

Once processing starts, you tin can run across the three default tabs to the right of the home icon: Dashboard, Artifacts and Tasks. The Tasks tab should be periodically monitored in the effect that examiner input is required as shown in the screenshot below. In this case the passwords to the iPhone 6 backup and Chrome information are required to be input into the 'Enter missing information' area. The passwords are required in order to decrypt the data.

In addition, there is besides a squeamish feature in the Dashboard view, that if there is a awaiting task waiting for a user input, the corresponding data source on the Dashboard can exist identified with an exclamation marking. Thus, Dashboard is helpful for noticing such tasks, too.

For iOS fill-in information that is encrypted and identified within a disk image, in one case the correct countersign information is entered into the data field, Belkasoft X volition prompt you to choose the parsing contour once more

To admission more Dashboard tabs, click in the click on the three, vertically stacked, horizontal lines, to the left of the home button.

This will open a Dashboard window where you tin enable other tabs for viewing the data.

One time processing is finished, you lot can review the parsed data from the Dashboard tab, under Data sources. From the Dashboard tab, an overview of all the entire case, from left to right can exist viewed: automatic searches, data sources, application types and artifacts.

Selecting any category of search under Automated searches opens a Search Results tab.

All the categorized data sources, when clicked on, will take yous to the corresponding data category in the Artifacts -> Overview tab. The adjacent two screenshots show the Calls data source being accessed.

In the Artifacts -> Overview tab, the Calls information shows four incoming Skype call records in the Items window. The artifact properties are shown on the far right, and for this type of data in the Hex Viewer is also the SQLite viewer are shown below. The Hex Viewer has a data interpreter attached to it.

There is a flat timeline bar at top of the Artifacts tab, that can provide a quick and easy overview of when this specific disk image had user activeness. A slider function tin can be used to filter artifacts (data) for a desired time flow. When the slider is used, the corporeality of artifacts that are displayed to the examiner, are adjusted accordingly based on the time catamenia beingness viewed.

The File System tab allows an examiner to view the entire file organisation structure of the 'Samples.E01' image file. Right click to show the properties of 'Samples.E01'. This presents the Device backdrop where information about the image is presented along with the device geometry. The screenshot beneath also visually shows what type of data has been seeded into the sample image file.

2 other tabs worth reviewing during data assay, are the Incident Investigations and Connection Graph tabs. I find the Incident Investigations tab contains a nice summary of antiquity areas that can be quickly reviewed to discover if there are malicious file based threats, that have gained persistence on a Windows operating system deejay.

The Connection Graph is an effective mode to visualize connections between information artifacts relating to persons relative to SMS messages, call logs, Instant Messenger, file transfer, email etc.

Using Belkasoft'south seeded image file, 'Samples.E01', immune me to empathize the layout and flow of the user interface. It has changed, I retrieve, for the better compared to its predecessor. In the next few sections I will be using various CTF image files and Josh Hickman's iOS 13.four.one public image.

Horcrux Paradigm File

This epitome file created was past Champlain College'south Digital Forensic Association for the 2019 Unofficial Defcon DFIR CTF. After creating the case the data source was added in the manner of the Horcrux.E01 file. In Belkasoft X, by default, all the partitions/volumes within the deejay image are checked. Remember what I said earlier nigh targeting the areas you lot want to process? Well, this also applies to partitions/volumes inside the deejay paradigm as well. The challenge here is I don't know exactly which partitions should be selected for processing. There are no volume names (default or otherwise) to place a 'System Reserved' sectionalisation from the user operating organisation sectionalization. Based on my feel, I can take an educated approximate based on size of the volume and ascertain what I likely don't demand to procedure now.

Still, I leveraged some other tool, FTK Imager 4.5.0.three, to assist me in verifying my educated judge. I guessed correctly for the NONAME NTFS partition (user operating organization) and NONAME ext4 (Linux) partition. I accept never seen a volume named 'PacaLady' and will include this also. In my experience, all the digital forensics assay tools that I take used have the ability to allow me to view the book name and speedily peruse the file system to some degree and select folder and files that are contained within the partition before I elect to procedure whatever data within their corresponding volumes. This is extremely useful in using a targeted sniper digital forensics approach, especially in cases where the data sizes are large.

Based on the previous screenshot and explanation, two areas of the deejay image have been excluded as shown below. For analysis type I selected to include Snapshots for the 31.GB NTFS volume and used the default settings for the called volumes with no etching.

A 'Custom' profile was selected due to the presence of two operating systems in this image file. Nether Artifact types, I manually went through each antiquity blazon and deselected either Android or iOS and selected Linux where back up was provided. Specifically, for System files, there is no parsing for Linux system data, like there is for Windows, MacOS and iOS. Also trying to type Linux in the filter field does not, unfortunately identify every Linux antiquity, as the filter only accepts antiquity names, not OS names. The examiner must manually review each Artifact type area.

If I wanted to verify the hash value of the forensic image file, I am not able to practice this in Belkasoft Ten, nor could I discover any reference to this in their user guide. Belkasoft X had no issues, that I observed parsing this image file.

With the caveat in mind, that I take not used EnCase or Access Data'south Forensic Toolkit (FTK) in years, Linux based artifacts presented in nicely laid out categories, like what is done for Windows, macOS, iOS and Android are a claiming for the digital forensic tools. In the next section Snapshots (Book Shadow Copies)will be briefly explored.

Volume Shadow Copy (VSC)

The Hunter 'dd' image file was used for this exam as I already know that it contains two Volume Shadow Copies (VSC's), from my testing with Arsenal Image Mounter (AIM). Belkasoft X shows with one division (volume) structure. The Windows contour was selected for parsing the artifacts.

In the analysis blazon, I selected the 'Snapshots' and zilch for carving.

From the File Arrangement tab, the two Book Shadow Copies (VSC'due south), that Belkasoft X calls Snapshot, can be observed, reconstructed as an actual file system. This is an excellent characteristic, which tin allow an examiner to potentially get back in time and examine any user or system data that may non exist in the current version of the file organization.

The next screenshot shows Snapshot 0 and Snapshot 1, with the file organisation tree expanded to show the directory structure.

In the File system tab, the properties of the VSC image can exist viewed by right clicking and selecting 'Show backdrop'. The creation time of the of the VSC, in Belkasoft 10 is displayed in the timezone that is chosen during case creation. In this example, the fourth dimension is displayed in UTC -07:00 Mountain Fourth dimension.

The types of data parsed from VSC's represented in Belkasoft Ten, as artifact categories can be viewed from the Artifacts tab -> Construction tab, as shown in the screenshot below.

Hopefully this brief review of Volume Shadow Copies has provided some useful insight as to how Belkasoft X manages this type of artifact.

Windows Memory – Solitary Wolf Scenario

To encounter how Belkasoft 10 handles Windows retention parsing, the Alone Wolf scenario CTF Windows memory paradigm was added to a newly created case using the Windows profile for processing. The options shown in the following screenshot, are all unchecked by default, simply the first three options were checked for processing of the 'memdump.mem' file.

In the File System tab, a list of the processes within the 'memdump.mem' file is identified. The processes that are not 'alive' and have a file size of 0 (zero) bytes, are terminated processes and thus these executables cannot be extracted, compared to those processes that are classified as 'alive'.

The Artifacts -> Construction tab list all processes in alphabetical gild detected by Belkasoft 10 within 'memdump.mem' file. I have not read the Alone Wolf scenario specifics, and my remarks/observations to follow, are prefaced based on the fact that I have no understanding of the investigation. The first process, listed alphabetically, that I chose to examine, led me down a rabbit hole. Looking at screenshot below, I paid specific attending to the 'AKMonitor.exe' process which contains v (five) Google Chrome web browser URL records. The starting time record shows a URL link to a keylogger website, with the last three records referencing explosives and gun violence. These carved records could likely be of importance in the Lonely Wolf scenario digital forensics investigation. I similar that within child process, 'Chrome.exe' (of the parent process AKMonitor.exe), Google Chrome web history URL records were carved and listed.

I decided to do a quick a Google search for 'AKMonitor.exe' and learned, that at the very least, there are several references to this specific process being a component of the 'actualkeylogger.exe'. The Google search is shown the side by side screenshot.

From the results of the Google search, I then checked the Hybrid Analysis search striking link, every bit shown the next two screenshots below. This led to the discovery that not all anti-virus engines detect 'AKMonitor.exe' file, even though this file has historical data of existence checked within a sandbox in belatedly March 2017.

Going back to the File Organization tab, I checked the 'AKMonitor.exe' procedure and see disconcertingly that this process has non been classified every bit suspicious by Belkasoft X. What I as well do not see identified in any tab or view most the extracted processes is the PID (Parent ID), the PPID (Parent Procedure ID), the Windows user business relationship that the process was spawned from or the process create time. Withal, Yuri clarified the following: "This kind of assay is based on faux organisation process names but. Say it, if at that place is an scvhost.exe instead of svchost.exe, or winlogen instead of winlogon, this will be detected. To clarify processes with more advanced methods, one can select Analyze with VirusTotal option."

The Artifacts -> Overview tab will show artifacts past their respective antiquity category. In the screenshot below, Windows system event logs have been carved from the 'memdump.mem' file. Unfortunately, the processes that are listed alphabetically in the Artifacts -> Structure tab are not presented in the Artifacts -> Overview tab, where they could be further scrutinized in a Hex viewer by an examiner.

Instead, become in to the File Organization and select respective data source (retentivity dump), all processes will be shown on the grid, which shows files for regular images. On the bottom, there is a Hex Viewer, showing yous the selected process raw retention.

For retentivity analysis, my personal preferences are the gratis open source tools: Volatility ( Volatility GitHub,) Volatility Workbench (by Passmark Software) and MemProcFS.

Apple tree iOS thirteen.4.1

For mobile data testing, I elected to utilize publicly available iOS 13.4.1 full file system data provided by Josh Hickman (a/1000/a The Binary Hick). When adding the data source, the post-obit types of mobile data is accepted for ingestion into Belkasoft X, as shown in the screenshot beneath.

The defaults were left checked for parsing, using the iOS profile.

I was pleased to see device design of life artifacts being identified in two principal means:

1. File Type: Artifacts tab -> Structure tab under Arrangement files, cleaved down by file that contains the pattern of life information as shown in the screenshot below.

two. Action blazon: Artifacts tab -> Overview tab under Organization files, broken downwards by a pattern of life data action type, as shown in the following two screenshots.

I did notation that messages, regardless of native application or tertiary party (non-stock) applications, tin also be viewed as bubble message format, in addition to the traditional grid view. In the screenshot beneath, the 'SMS' (nether Mobile Applications category) is the native iOS Letters app, that shows a bulletin referencing the word 'iMessage'. The message bubbles relative to SMS and iMessage messages are not delineated using the green and blue bubble colour scheme respectively, that is so commonly recognized by about if not all smartphone users. The current visual view makes it hard to distinguish which bulletin was sent from the device through SMS versus iMessage.

In the next screenshot, the grid view and the SQLite viewer, show the same message, from the previous chimera message screenshot. The SQLite viewer shows the sms.db file, messages table, where the service column clearly identifies that the message was sent using the iMessage service. Still, in the grid view (above the SQLite viewer) there is no column that provides a distinction between SMS and iMessage, nor is this distinction provided in the bulletin properties window.

Third political party conversation (non-stock), instant messaging applications are listed under the Chats category relative to the Artifacts -> Structure tabs. In the screenshot beneath, data from two specific messaging applications, Point and Wickr were not parsed. For reasons unknown to me, Belkasoft X had difficulty in rendering the Point and Wickr SQLite databases, inside the File System view. As sensation to the reader, Signal and Wickr are very well encrypted, and the keychain is required in order to decrypt these databases. I did not cheque, in this case for the presence of a keychain file. Generally, Belkasoft 10 can process the keychain file only if a total file organisation (FFS) paradigm of the iOS device is extracted by Belkasoft X (checkm8, agent, jailbroken device), because there is no standard format for storing keychain extracted with FFS.

Fifty-fifty though no screenshot examples are provided, I also quickly checked '.plist' and '.bplist' files which appear to be displayed correctly. What I could not empathize how to exercise in Belkasoft X is recursively view all files and then filter all files, based on extension, for plist, bplist or sqlite (database) file types. In other words, there is no category, which I can come across, that allows an examiner to quickly filter and identify these types of files past their detected file signature or extension.

Within the Belkasoft X product (and further explained in the user guide), the search role, as cited straight from the assistance guide, is restricted to indexed data that is: "text-based properties of artifacts, such as their texts, dates and times, metadata and some other things". An examiner cannot live (raw) search all the files/folders or selected files/folders. Indexed data may exist quicker to search. In my feel, I have found, regardless of analysis production being used, where an indexed search has failed to identify the search value of interest, and hence, I resort to a live (raw search), of selected files (rather than the entire image) as my preferred method of searching. Of course, at that place is the power to do raw search within an entire information source in Hex and search for a string or a hex pattern.

I did briefly cheque the parsing of an macOS Catalina APFS image file using the macOS profile. In my opinion at this fourth dimension, I believe that other commercial products perform improve, based on previous usage.

Final Thoughts

Remember that in that location are other data source options, including Triage, that were not explored in this article, nor was the extraction/acquisition of information investigated using Belkasoft X. I invite the interested digital forensics practitioner to try Belkasoft X for themselves using any of the publicly available information sources.

The needs of a digital forensics' lab and along with fiscal factors, can greatly influence which commercial products are purchased. In my opinion, based on my general review, I would consider Belkasoft X for parsing Windows data, iOS and Android mobile data.

I hope this review has been useful, and a practiced high level overview, regarding the capabilities of Belkasoft X. Cheers for taking the time to read this.

Sources

1. Horcrux Image File created past Champlain Higher's Digital Forensic Association for the 2019 Unofficial Defcon DFIR CTF: https://drive.google.com/drive/folders/1JwK8duNnrh12fo9J_02oQCz8HlILKAdW?usp=sharing

2. Hunter DF Paradigm File (must sign in to download): https://cyberdefenders.org/labs/32

three. Lone Wolf Scenario Retentiveness Image: https://digitalcorpora.org/corpora/scenarios/2018-lone-wolf-scenario

4. Josh Hickman's iOS 13.4.i Public Image: https://thebinaryhick.blog/?s=13.4.i

5. Josh Hickman'south Android 10 Public Paradigm: https://thebinaryhick.blog/2020/02/15/android-10-image-now-available/

6. Josh Hickman's Android xi Public Image: https://thebinaryhick.weblog/2020/x/07/new-android-epitome-available-this-one-goes-to-11/

seven. Champlain College's Digital Forensic Association CTF Spring 2020 MacOSImage:

https://bulldoze.google.com/drive/folders/10VsFFlTyiZyPnjCKaBmUhdsRiT4XrcIC?usp=sharing

https://champdfa-ccsc-sp20.ctfd.io/

See also

Belkasoft X review by Brett Shavers
Belkasoft X review by Santosh Khadsare
Belkasoft X review by Lorenzo Martínez Rodríguez
Belkasoft X review by Alan Jeffries
Belkasoft X review by Francois H. Putter
Most Belkasoft X

corcoranandiention.blogspot.com

Source: https://belkasoft.com/shafik-punja-reviews-belkax