+7 (812) 926 64 74


04.11.2015: The Future of Mobile Forensics: November 2015 Follow-up

Mobile forensics is a moving target. In our recent article, “The Future of Mobile Forensics”, we described acquisition techniques that used to be state-of-the art back then. Weeks later, some things have changed already. Three months after the publication a lot of things have changed. Our publication was published on Forensic Focus and discussed in online forums, with readers pointing to certain inaccuracies in our article. In this follow-up, we will use up-to-date information to address the issues of concern in the original article.

Read entire article

07.09.2015: Countering Anti-Forensic Efforts - Part 2

In the first part of this paper we talked about the most common - and also some of the simplest - ways suspects can try to cover their tracks in an attempt to slow down the investigation. This part of the article is dedicated to some of the more advanced techniques that sometimes can really be challenging to deal with. Let's take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Read entire article

31.08.2015: Countering Anti-Forensic Efforts - Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist allowing discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same time, criminals routinely make attempts to counter forensic efforts by wiping data, deleting files, faking or clearing logs, histories and other traces of performed activities. Anti-forensic efforts are not limited to just that. In this whitepaper, we will have a brief overview of common anti-forensic techniques frequently used by suspects who are not specialists in high-tech, and ways to counter them during the investigation.

What this paper does not discuss is the suspects’ use of advanced tools dedicated to countering forensic efforts. Instead, we will talk about the most common anti-forensic techniques. In this paper, we will move from easy to moderately difficult anti-forensic techniques, explaining who might be using these methods and how to counter them.

Read entire article

27.07.2015: NAS Forensics Explained

Network Attached Storage (NAS) have a long track history of corporate deployments. Their scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used at homes and in the offices. These smaller-size appliances are often called “personal clouds” for providing some parts of functionality of online cloud services.

More and more people prefer using their laptop computers at home instead of a full-size desktop. As many laptops are equipped with relatively small, non-expandable storage, NAS becomes an obvious and convenient way to increase available storage. In home environments, NAS storage are often used for keeping backups and/or storing large amounts of multimedia data such as videos, music and pictures, often including illicit materials. Due to the sheer size of these storage devices and their rapidly increasing popularity with home users, NAS forensics becomes increasingly important.

When acquiring information from the suspect’s computer, investigators often face a challenge of extracting information also from all external storage devices. Why is NAS acquisition a challenge, and what can be done to overcome it?

Read entire article

17.06.2015: The Future of Mobile Forensics

Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look into the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.

To gather these predictions, Belkasoft analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g. producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.

Read entire article

14.05.2015: Acquiring Windows PCs

In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has their own share of surprises when it comes to acquisition. The obvious path of acquiring a Windows PC has always been “pull the plug, take the disk out, connect to an imaging device and collect evidence”. Sounds familiar? Well, in today’s connected world things do not work quite like that.

In this article, we will have a look at measure the investigator has to take before taking the disk out, and even before pulling the plug, review Windows security measures and how they can work in combination with the computer’s hardware.

Read entire article

30.04.2015: Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets

While Windows desktops and laptops are relatively easy to acquire, the same cannot be said about portable Windows devices such as tablets and convertibles (devices with detachable keyboards). Having no FireWire ports and supplied with a limited set of external ports, these devices make attaching acquisition media more complicated in comparison to their full-size counterparts. Equipped with soldered, non-removable eMMC storage, Windows tablets are extremely difficult to image while following the required forensic routine. Finally, the obscure Windows RT does not allow running unsigned desktop applications at all while restricting the ability to boot into a different OS, making forensic acquisition iffy at best.

In this article, we will have a look at how Windows-based portable electronic devices are different from traditional laptops and desktops, review new security measures and energy saving modes presented by Windows tablets and discuss hardware, methods and tools we can use to acquire the content of their RAM and persistent storage.

Read entire article

20.04.2015: Kik Messenger Forensics

Kik Messenger is a popular free messaging app for all major mobile platforms. Available for Android, iOS and Windows phone, Kik Messenger had a user base of more than 130 million users just a year ago. Today, the company claims over 200 million registered accounts, with another 250,000 users added each day. The messenger’s user base consists of teenagers and young adults. It is estimated that approximately 40 per cent of 13- to 25-year-olds in the United States are using Kik.

As a result, Kik Messenger becomes one of the forensically important messenger apps. With hundreds of millions of users communicating with Kik on daily basis, ignoring this popular messenger during an investigation may lead to missing important evidence. With Kik’s user base mostly consisting of teenagers and young adults, Kik messages can come especially handy when investigating cases of molesting.

Read entire article

18.02.2015: Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted out of Windows Phone 8 devices. We’ve got dozens of requests from European police departments, especially those from Germany, Italy, and the UK about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small of a market share these devices had, the recently published numbers of every 10th device sold in Europe being a Windows Phone made us change our mind.

Read entire article

16.02.2015: Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as a storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide range of desktop and mobile Web browsers (Chrome, Firefox) and instant messaging applications use SQLite, which includes newer versions of Skype (the older versions don’t work anyway without a forced upgrade), WhatsApp, iMessages, and many other messengers.

Forensic analysis of SQLite databases is often concluded by simply opening a database file in one or another database viewer. One common drawback of using a free or commercially available database viewer for examining SQLite databases is the inherent inability of such viewers to access and display recently deleted (erased) as well as recently added (but not yet committed) records. In this article, we’ll examine the forensic implications of three features of the SQLite database engine: Free Lists, Write Ahead Log and Unallocated Space.

Read entire article

21.08.2014: SSD Forensics 2014. Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions

We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical data. We now know more about many exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.

Read entire article

14.10.2013: Recovering Destroyed SQLite Evidence, iPhone/Android Messages, Cleared Skype Logs

The SQLite format is extremely popular with developers. Android and Apple iOS are using SQLite extensively throughout the system, storing call logs, calendars, appointments, search history, messages, system logs and other essential information. Desktop and mobile versions of third-party apps such as Skype, Yahoo Messenger, eBuddy, PhotoBox, Picasa Explorer and hundreds of other tools are also using SQLite. Major Web browsers such as Mozilla Firefox, Chrome and Safari are using SQLite to store cache, downloads, history logs, form data and other information. With all those operating systems and applications relying heavily on SQLite, this database becomes one of the most important formats for digital investigations. Learn how Evidence Center helps investigators recover destroyed evidence stored in SQLite databases.

Read entire article

22.08.2013: Detecting Altered Images

Are digital images submitted as court evidence genuine or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them into a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the image being forged. This paper discusses methods, tools and approaches used to detect the various signs of manipulation with digital images.

Read entire article

25.06.2013: Catching the Ghost: How to Discover Ephemeral Evidence with Live RAM Analysis

Many types of evidence are only available in computer’s volatile memory. However, until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice, without recognizing the amount of evidence lost with the content of the computer’s volatile memory. Certain information just never ends up on the hard drive, while some other information may be stored securely on an encrypted volume with all the decryption keys conveniently available in the computer's volatile memory. By simply pulling the plug, forensic specialists will slam the door to the very possibility of recovering these and many other types of evidence. Read about how to capture and analyze volatile data, learn how to make a RAM dump and perform a comprehensive analysis of the memory dump.

Read entire article

18.10.2012: Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Solid State drives (SSD) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different of how we used to acquire PCs using traditional magnetic media. Instead of predictable and highly possible recovery of information the suspect attempted to destroy, we are entering the muddy waters of stochastic forensics where nothing can be assumed as a given.

Read entire article

15.04.2012: Retrieving Digital Evidence: Methods, Techniques and Issues

This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence.

Read entire article


Forensic Interviews project

Renowned experts in computer forensics, owners and executives of multiple forensic companies, investigators, software resellers and law enforcement officials give their interviews to Yuri Gubanov, CEO of Belkasoft and computer forensic expert. Check out extremely interesting interviews from active or retired police investigators, experts from such companies as Digital Intelligence, Paraben, ADF Solutions, Videntifier, F-Response, Fulcrum Management, DFLabs and others!

Go to the f-interviews site

19.02.2012: Belkasoft CEO's interview to ForensicFocus

Yuri Gubanov gives an interview to industry known online magazine about Belkasoft history, its tools and gave some predictions on computer forensics future.

Read the interview

Older articles

31.05.2009: Forensic Instant Messenger Investigation

This article deals with the subject of forensic investigation of Instant Messenger histories: why it is needed, what messenger types there are, what difficulties are involved in investigating histories, and what tools can help overcome those difficulties.

Read all article
Read Chinese version

16.04.2006: Secure Instant Messenger Communication

These days Instant Messengers cannot surprise anyone. They are widely used by people with access to the Internet, by people of any age, gender and occupation. You can exchange jokes with your friends via your IM, discuss business questions with your colleagues, support your customers, make a date with your girlfriend, and even to propose marriage through your favorite messenger. A important question arises immediately: How secure is all this communication? Are you and your recipient the only ones who can see your conversation? Can anybody else access your history which is probably confidential, especially when it comes to business and personal matters? Can any malicious user or your boss or your parent learn your secrets?

Read all article

Other Articles

О компании