Belkasoft Evidence Center Ultimate Changelog

What's new in Belkasoft Evidence Center Ultimate 9.9

Dec 12, 2019

Mobile Forensics:
GrayKey images analysis massively improved and speed up
More improvements in iOS acquisition without jailbreak
ADB-based Android device acquisition improved
Agent-based Android device acquisition improved
Android apps supported or updated
Android OneDrive support updated to v. 5.40.4
Android Google Docs supported
Android Google Maps improved
Android Google Translate supported
iOS apps supported or updated
iOS Yahoo Mail app improved
Text extraction improved for iOS Evernote app
Attachments for iOS Evernote now extracted properly
Contacts extracted from Facebook profiles when analyzing iTunes backup
iOS Hangouts messenger supported (including geolocation data extraction)
Computer Forensics:
Carving performance is significantly improved
Zip-based data sources analysis is massively improved
Carved data is no more stored in database what will also save significant amount of space for every case
Virus Total analysis fixed
Analysis of Puffin browser for Windows improved
LNK files analysis improvements continued
LNK carving and analysis of carved LNK files is significantly improved
Reports are improved for LNK artifacts
Folder names are extracted for mailboxes of Mail 163 Windows app
Windows OneDrive app support updated
Issues when creating Key dictionary for password bruteforce are fixed
Hex is now displayed for Jumplists and LNK files
Incorrect filter criteria by 'has embedded files' for Documents fixed
Incident Investigation:
OpenSavePdl artifacts cleared up
Author field extraction fixed for Scheduled Tasks artifacts
Prefetch files, Shim cache and Windows Power Shell artifacts presented better
Origin path for Prefetch files filled
Data from the future extracted for Scheduled Tasks artifacts—fixed
Windows RDP-Related Events Log analysis supported
Remote Acquisition:
Deployment via GPO is available again. Now there are three deployment types: local (using thumbdrive or network share), via WMI, via GPO
Remote agent stability improved when Server and Agent are of different versions
SQLite Viewer:
Carved SQLite unallocated data now always shown on the corresponding page inside SQLite Viewer (it was blank in some circumstances before)
SQLite loading made quicker for switching between different artifacts in artifact list
Report creation from SQLite Viewer fixed
WAL records count properly shown at the bottom of each SQLite Table
Other Improvements:
Windows Google Drive data extraction improved. Offset is now shown for Google Drive artifacts. Hex now properly highlights them
Video keyframe analysis for faces, skin etc improved
Length extraction improved for OneDrive artifacts on Windows
Google Consent Page fixed for Google Drive and Gmail cloud downloading
Incorrect count for pictures in Overview when key frames are presented—fixed
The "Copy files" option doesn't work for videos from Overview—fixed
Search terms from cases made with previous BEC version are not displayed on Search Result tab—fixed

New in Belkasoft Evidence Center Ultimate 9.6 (Jul 3, 2019)

New in Belkasoft Evidence Center Ultimate 9.4 (Nov 26, 2018)

New in Belkasoft Evidence Center Ultimate 9.3 (Sep 21, 2018)

New in Belkasoft Evidence Center Ultimate 9.2 (Aug 14, 2018)

New in Belkasoft Evidence Center Ultimate 9.1 (Jun 26, 2018)

New in Belkasoft Evidence Center Ultimate 8.6 Build 2346 (Dec 20, 2017)

New in Belkasoft Evidence Center Ultimate 8.5 Build 2285 (Oct 19, 2017)

New in Belkasoft Evidence Center Ultimate 8.4 Build 2163 (Aug 4, 2017)

What's New in Version 8.4:
Physical Acquisition of Rooted Android Devices and More Stable ADB Acquisition
iTunes 10.x.x Backup Support
Download Of iTunes Backups From iCloud For iOS 9 and Newer
Network Licenses
AD1 Images Support and AccessData Integration
Chinese Translation
New Dashboard Statistics
New and Updated Apps
Customer Requests Addressed
Physical Acquisition of Rooted Android Devices and More Stable ADB Acquisition:
Belkasoft Evidence Center 2017 v.8.4 (BEC) now supports physical acquisition of rooted Android devices. The physical image allows you to recover much more information from mobile devices than a logical acquisition or a backup. Many times this will include deleted data. Our free Belkasoft Acquisition Tool is updated accordingly.
Apart from physical acquisition, v.8.4 has updated its logical acquisition, making it more stable thanks to its improved logging and the updated acquisition process for the newest of devices (in particular, new Samsung smartphones). And remember, the output of this type of acquisition are standard AB files.
BEC now analyzes both types of acquired images for hundreds of artifacts, including email, browser histories, chats and mobile apps, such as WhatsApp, WeChat, Skype, Telegram, Snapchat and so on.
iTunes 10.x.x Encrypted Backups Support:
This latest version of BEC now supports all existing versions of iTunes backups, including encrypted backups for v.10.3. The support works the same as it did for previous versions of iTunes: If you know or can recover a password, you can enter it in the corresponding node within Evidence Center's interface and it will decrypt the backup (or inform you that password is wrong). After a successful decryption, the product will analyze the backup for artifacts we support for Apple (which includes hundreds of formats and mobile applications).
Go to our Tutorials page, to watch a short video on working with encrypted iTunes backups.
Download Of iTunes Backups From iCloud For iOS 9 and Newer:
The process of downloading new iOS 9 iTunes backups changed, effectively disabling older versions of Evidence Center and BelkaImager to download Apple backups. BEC v.8.4 solves this issue by supporting this new operating system. BelkaImager (aka our Free Belkasoft Acquisition Tool) has also been updated accordingly.
Network Licenses:
The long awaited network licensing is now supported in the new version of BEC. This type of license is a very efficient way to use Evidence Center in medium to large teams, and thus a great way to save those departments money. For example, say you have 20 investigators, each investigator is using 3-4 computers, and they have at their disposal multiple forensic tools, not just Belkasoft product. They won't be using Evidence Center every second. Previous versions of BEC didn't support network dongles. You would have needed to purchase up to 20 regular standalone dongles, this made it a pricy. Now you can purchase a single dongle for say 10 concurrent users, and thereby dramatically saving your money.
Just plug the network dongle into any computer available to BEC users over a local network (usually this is a computer which serves as license server and has other dongles, from various tools, plugged in). You can choose to have 5, 10, 20 or even 50 concurrent users. When the amount of users reaches the purchased limit, no more connections are allowed, however, when a user closes BEC, another user may start using it.
What do you do, if you have a in-field investigation, where you LAN is not accessible? This is also solved by BEC's new network licensing: each package has one or more free "standalone" dongles, so it doesn't require access to your local license server.
AD1 Images Support and AccessData Integration:
Previously announced, Belkasoft has recently become a new AccessData Technology Partner, a definite quality seal on our products. Together, we have released a new version of AccessData's Lab Web UI, enriching it with hundreds of new apps and formats, now analyzed by AD Lab out of the box. All this is thanks to the Belkasoft engine. We will continue our collaboration, and we are working on the same feature for AccessData's FTK product.
Since both of AccessData's products use an AD1 image format, the new version of BEC now supports this type of image. You can now ingest AD1 images into your case, along with E01, Ex01, L01, Lx01, AFF, UFD, CTR, DMG and many other formats, including virtual machines, RAM, chip-off and JTAG dumps, and analyze the lot of them using all the power of BEC.
Chinese Translation:
BEC now has an up-to-date Chinese translation what enables our huge amount of customers in China to use BEC more effectively including creation of reports on their native language. Many thanks goes out to DataExpert, our partner in China for the help in the translating.
New Dashboard Statistics:
The BEC Dashboard screen, introduced in v.8.3 received a very positive feedback from our customers, and so we improved it even more with the v.8.4 release. New things to look fore in this screen are:
Predefined search results. A predefined search is made automatically by the BEC while analyzing a data source for artifacts. Searches include IP and MAC addresses, emails, SSN numbers, browser searches and many other standard artifacts you usually search yourself. Since BEC now performs these searches automatically you don't have to wait after you run corresponding searches, saving your time and labor. Now the Dashboard conveniently shows you the result amounts for each type of search. Click on an icon and the results of the selected type will be shown.
Count by item type. You can now review the number of artifacts extracted for each particular application. Thus you can immediately observe the most frequented apps inside your case. In the picture below, under the Artifacts Heading, is an example of how this graph will look:
New and Updated Apps:
We continually work on updating the support for formats and apps which are constantly releasing new versions. Here is the list of apps updated or newly supported in BEC v.8.4:
All platforms, including mobile and desktop:
Skype
Tumblr
Growlr
ICQ
Twitter
Textie
Gigatribe
Chrome
Firefox
Performance of carved MIME mail parsing significantly improved
Customer Requests Addressed:
Thanks to everyone who contributed to the improvement of the BEC product quality by sharing your feedback. It tremendously helps in moving the tool forward. Among the fixes we have done for you are:
Very long BEC start up - caused by third-party library changed behavior. This is now fixed. This fix is especially important for Windows 10, where the worst performance degradation was noticed on v.8.3
Rare crash in "Open File" dialog opening fixed (Windows 10)
Is Deleted flag value for SQLite based artifacts fixed
Origin path improved for many data types
Incorrectly added default data range filter fixed
The hang during text detection for specific TIFF files fixed
Visualization of large number of values in mail filters fixed
Rare Item List's columns vanishing after resize fixed
Rare problem of incorrect sort by column and column options loss fixed
Filter names synced with column names in item list where corresponding filter buttons present
Rare "Error loading value" during item list sorting fixed
Selecting "Show in file system" context menu item now properly expands folder tree in File System window
Support of L01 updated: File System window now correctly processes L01/Lx01 images created by EnCase v.7
About 200 of other improvements were made in this new release

New in Belkasoft Evidence Center Ultimate 7.3 Build 1162 (Jul 23, 2015)

File System:
$FreeSpace: you can now carve only unused space in allocated, thus significantly decreasing carving time
Mobile devices:
iOS (iPhone, iPad)
New iOS applications supported: Kakao Talk, OneDrive, Standard Mail app, Meow Chat
SMS can now be carved
Android:
New Android applications supported: Badoo, OneDrive, Google Drive, Brosix
Calls for Viber are now extracted
User interface:
After selecting a data source you can then select what to analyze inside: logical drive, partitions, unallocated and/or freespace, what saves you a lot of time
User interface responsiveness is significantly improved
Per our customers' requests we returned list view for pictures, so that you now have both Gallery view and Details view
Case Explorer now conveniently shows partitions and volumes
Task Manager window shows statistics on how many tasks are visible and selected
Add datasource window now has "Add another datasource" button. While the possibility to add multiple datasources to a case was available before, some of our customers did not know about it. To make this possibility more explicit, the new button is introduced, helping to add multiple datasources at a time
Search:
Search performance is massively improved
Size of search index greatly decreased
Search Results window is fully reworked:
Each search attempt results in a separate Search Results window, so that you can navigate between different search results
Search history is now saved
You can filter search results by multiple criteria
There is a possibility to select multiple predefined searches
When searching for multiple search terms, the product shows how many results found for each particular one
After re-opening a case you can run saved search again with just a single click
Sorting is supported in the Search Results window
Search inside Search Results is now available
In order to add results to a report, Search Results window offers convenient checkboxes
In general, Search became much more robust and convenient
SQLite:
Even with v.7.2 we heard from our customers that "Belkasoft support for SQLite is the best worldwide", but v.7.3 raises the bar to a new level:
Performance massively improved
Huge databases are now opened in a blink of an eye
Database table structure is now shown
You can convert selected column values to multiple data types, such as various timestamps, integer and floating values, string types etc.
Selected column type is remembered and used in a report, which you can run directly from the SQLite Viewer
Reporting and exporting:
Geolocation data can be exported to KML format
Evidence Reader license never expires
Cellebrite Link Analysis integration supported via Export to UFDR format (Instant Messengers only)
System files:
More info extracted about plugged USB devices
Performance:
Registry analysis performance is massively improved
Predefined searches performance is massively improved
Browser analysis performance is massively improved (especially for Chrome browser)
General performance improved: more effective usage of computer's cores
Instant Messengers:
OneDrive support improved
Skype picture transfers is now supported, if sent picture is still available, it is added to "Pictures" node of the Case Explorer
Skype contact extraction is improved: contacts, stored in Skype database as a result of people search are not shown
Smaller improvements:
Searching of "The Bat!" email profiles improved
PList validation improved
Deleting of cases and profiles is improved
Carving improved: sizes of carved JPG and PNG are now much smaller
Video keyframe extraction is now off by default. This is now an option, which you can switch on or off. You can extract keyframes for individual video or selected videos manually. Switching keyframe extraction off makes your initial analysis much faster
Mounting under Windows 8 became faster and better. If you experience issues with standard mounting, powered by third-party "imdisk" tool, you can switch it off in Options
Important! Cases stored with v.7.2 won't open by v.7.3. Please keep using v.7.2 or Evidence Reader to access older cases. We recommend installing v.7.3 to a separate folder in case you are going to work with legacy cases. Alternatively, you can re-analyze datasources used in older cases with the new version.

New in Belkasoft Evidence Center Ultimate 6.3 Build 749 (Oct 14, 2014)

General Improvements:
Support for a number of new Android apps. To name a few, version 6.3 adds support for Instagram, Kik, Snapchat, Tumblr, Pinterest, LinkedIn, Textie, ChatOn, TextMe, Telegram, Mail.ru, Odnoklassniki, Yandex.Mail, Xabber.
New picture preview. The old table-view replaced with a new gallery view. Gallery view greatly improves usability of working with pictures multiple images can be previewed at the same time. You can preview discovered pictures, video keyframes, files embedded in documents, picture attachments, carved pictures and pictures from other sources.
Indexing-based search with term highlighting. The search was completely refurbished, becoming nearly 25 times faster with the use of an indexing engine. Besides, the new Search Results windows shows the location in analyzed data where a search term was discovered.
Iterative data analysis. Some types of data might store other types of data. For example, emails may contain attached documents, and documents may contain embedded pictures. Evidence Center v.6.3 continues analyzing such embedded data without your participation. For example, it extracts EXIF data from pictures embedded in documents. Besides, such data now goes to a dedicated "data type" node inside Case Explorer. For example, pictures from attachments and pictures embedded into documents are combined under the node called "Pictures" along with pictures from a drive or drive image.
Reporting improvements. Reporting to PDF and HTML formats was completely rewritten to make it robust on huge data sets. No more "out of memory" errors even on gigabyte-sized reports! Better column chooser is implemented, a number of new handy options introduced; for example, the possibility to change the logo, fonts and colors. Besides, advanced options are now hidden into a special window, so creating a report just takes one button click.
General performance and stability enhancements. The product was tested against huge data sets to improve its speed. A great number of improvements were made so today the product works perfectly with hard drives sized 3-4 Tb and filled with various data, such as 25 Gb Outlook pst files.
Other Improvements:
Skype analysis improvements. Chatsync analysis extracts IP addresses of parties.
SQLite analysis enhancements. SQLite databases support improved and extended. SQLite Viewer performance improved.
Window Event Log carving. Windows Event Logs can now be analyzed even if they were deleted.
X-Ways containers and Atola image files are supported
New Task Manager window allows you to see Running, Scheduled and Completed tasks. For completed tasks you can filter them by status.
Graphical timeline improved, now it clusterizes various types of data to decrease amount of bars. Synchronization between textual and graphical timeline improved. Textual timeline now contains "data source" column.
Reports now can be created from any node of Case Explorer.
Email attachments are now extracted to a report folder, when creating a report for mail box.
Messengers: WhatsApp message direction fixed, new version of ooVoo supported, new ICQ 8 extraction fixed.
File system support: a number of issues fixed with "no file systems found" error.
EnCase integration scripts now included to the setup file.
About 250 other improvements and bug fixes.

New in Belkasoft Evidence Center Ultimate 6.2 (Oct 14, 2014)

Window Event Log Analysis:
Added support for Windows Event Log, an extremely important source of information for Windows systems.
Chip-off Support:
Evidence Center enables the analysis of chip-off dumps acquired from mobile devices, extracting a wide range of artifacts such as calls, application data, SQLite databases, and much more.
Mac OS X Analysis:
Supports search and analysis of EML, EMLX, Firefox, Safari. Added carving of deleted data for pictures, Adium, AIM, Firefox, Safari, iChat, Fire IM.
Linux Analysis:
Supports picture carving.
Mobile Analysis:
Added WhatsApp analysis for iPhone.
Live RAM Analysis:
Added Facebook Desktop support, updated Facebook analysis.
New Applications Support:
Added ICQ 8.2, Mail.Ru 6.2, Main.Ru for Windows 8, Gmail offline
Skype Analysis Improvements:
Improved extraction of group chats from chatsync files, improved support for deleted freelist entries.
SQLite Viewer Enhancements:
Deleted (freelist) entries are now highlighted. Viewer works faster and more stable. Improved freelist data extraction from corrupted SQLite databases.
Reporting Improvements:
Added 'One report file per case' option. Customization options available for report logo, fonts and colors, select columns to show for each data type. Bookmark export fixed. Export for Evidence Reader works better for keyframes and pictures.
General Performance and Stability:
The product now works faster, improves memory consumption, allows for instant task cancellation (previously one had to wait up to several minutes). Error logging is improved, all issues are reported to the file related to task where a problem occurred.
Other Improvements:
Pornography detection support significantly improved.
Browser "downloaded files" are now extracted.
Case Explorer now shows data source structure. Allocated/Unallocated areas can be viewed; carved items are displayed separately for allocated and unallocated areas.
Timeline: 'filter data by data source' option added.
Facebook improvements: lost dates issue fixed.
UTL/Local mess in emails is fixed.
Registry: Analysis for a number of new registry keys added. Unicode names issues fixed. It is now possible to extract registry data on a live machine. Registry Viewer loads nearly 100 times faster than in previous version.
German translation updated, Czech translation added.

New in Belkasoft Evidence Center Ultimate 6.1 (Oct 14, 2014)

New in Belkasoft Evidence Center Ultimate 6.0 (Oct 14, 2014)

Android backup support:
In addition to iPhone, iPad and Blackberry backups, the product now supports the analysis of Android backup files, extracting dozens of artifacts such as calls, messages, contacts and histories of various applications (e.g. Facebook, ICQ and so on).
Android dump support:
Evidence Center v.6 is now capable to carve Android dumps made with UFED.
Graphical timeline:
The new version displays an aggregated view of all events in a handy graphical chart. You can locate events and zoom to a period of interest, and all selected events will be automatically synchronized with the text-based timeline, allowing you to narrow your search. The synchronization between text-based and graphical timeline is two-way, which, in particular, enables you to filter data in the text-based timeline and view only events of the requested type in the graphical timeline.
BelkaCarving extenstion:
This unique analysis feature that no competitor has at this moment allows Evidence Center to defragment information contained in Live RAM dumps. With version 6.0, we extended BelkasCarving support to Linux 32, 64 bit and PAE RAM dumps, Android and Windows 7 PAE.
AFF image mounting:
The popular Advanced Forensic Format is now supported by Evidence Center and can be mounted.
Virtual machine support:
Evidence Center can mount and analyze evidence in popular virtual machines such as VMWare (dynamic, static and multi-part static drives) and Virtual PC (VDI format).
Reporting:
We have completely redesigned this part of the product. This made Evidence Center much more robust on large histories (getting rid of Out of memory issues). We also added a number of new target formats such as DOCX, XLSX and RTF, improved reporting layout and many more.
Registry analysis and carving enhancements:
The registry analysis is now implemented in low-level, which helps avoid "insufficient access rights" errors. Registry carving is now supported. Built-in Registry Viewer now supports viewing badly damaged and corrupted registry files, which gives you a benefit over using conventional regedit tool.
Other Improvements:
The issue with dd images starting with *.000 is fixed
New report options: orientation (portrain, landscape), date and time formats for different cultures and countries
A number of issues with EML export are fixed
A number of issues with export to Evidence Reader are fixed
QQ 2013 extraction is supported
Skype chatsync carver implemented. Skype chatsync analysis improved
Facebook timeline carving is renewed to the modern Facebook layout
Freelist analysis is improved

New in Belkasoft Evidence Center Ultimate 5.4 (Oct 14, 2014)

Forgery Detection Plugin:
This unique plugin automatically analyzes digital pictures, detecting images that have been altered, modified or edited. The plugin enables law enforcement authorities tell whether submitted pieces of evidence are original or are faked. Supporting more than a thousand camera models, this new plugin is a paid add-on available to the users of Forensic Studio Ultimate. More information about Forgery Detection Plugin
Improved Live RAM analysis:
Live RAM analysis in Evidence Center 5.4 is greatly improved thanks to the ability to defragment memory sets. In real life, Windows rarely stores volatile data in contiguous fashion. Instead, reasonably large images and other types of data are split into chunks that are scattered along the entire memory content. This is called memory fragmentation. Traditional RAM analysis algorithms have little success analyzing fragmented memory sets. The new BelkaCarving algorithm is based on a scientific research enabling Evidence Center to carefully reconstruct fragmented chunks into contiguous pieces of information, allowing the tool to extract broken pieces such as recently viewed images that no other tool can access. At this time, support is based on memory dumps captured on 32-bit and 64-bit Windows 7 systems. Support for other operating systems is being actively developed.
Timeline - aggregated view of user activities and system events:
The Timeline has always been a feature that was highly demanded by law enforcement officials. Evidence Center 5.4 introduces the Timeline, providing the ability to display all detected user activities and system events in a single aggregated view. By using the Timeline, investigators can quickly glance at user activities over a certain time period or scrutinize a particular period of time with ease.
The Timeline view allows convenient filtering, allowing to search for certain types of events of include only selected types of data. Case-sensitive full-text content filtering is supported. Timeline filters are stackable, allowing investigators specify a number of conditions that an event must meet in order to make it to the Timeline view.
Native SQLite parsing:
The newest release gets rid of third-party SQLite libraries, enabling fully native SQLite parsing. This new feature allows Evidence Center users to parse even badly damaged, fragmented and incomplete databases such as those resulting from a carving attempt. Previous versions of Belkasoft Evidence Center only allowed limited access to corrupted databases.
SQLite freelist processing:
Information deleted from SQLite databases is not wiped immediately. Instead, it is transferred into a so-called freelist. Freelists are not accessible with standard SQLite parsing tools. The newest release of Belkasoft Evidence Center enables the recovery of deleted information stored in SQLite freelists.
SQLite Viewer:
Visualizing SQLite databases becomes easier with newly added SQLite Viewer control.
Windows Registry support:
The newly added support for Windows Registry artifacts automatically locates and parses registry hives, extracting many types of valuable evidence such as MRU of various applications (e.g. MS Office, Acrobat Reader etc.), UserAssists, program startup data, list of connected USB devices, network cards, wireless profiles and many other types of artifacts. This feature is available in Professional and Ultimate editions. You should re-download your license from Personal Cabinet.
UTC/Local conversion:
The new release now adds the ability to enter default time zone information for each individual case, data source or profile. Time zone information is used to correctly display items obtained from various data sources in the Timeline.
Microsoft Office 2007-2013 and Adobe PDF carving:
Evidence Center can now carve documents in Office 2007-2013 formats. Adobe PDF files are now also supported.
Other Improvements:
Non-ASCII URL decoding
Carving speed improved by 25%
Check for updates
Users can now check for updates from within Belkasoft Evidence Center by invoking the Help -> Check updates menu.
ICQ 8 support
MacOS X instant messengers
A list of instant messengers for MacOS X was added. Fixed issues with Adium and AIM Mac messengers.
Hibernation and page files automatically added as data sources
All hibernation and page files discovered are now added to the list of available data sources automatically.
Email attachment support
The new release adds the ability to save email attachments to a specified folder. Attachments from multiple email messages can be saved.
Bug Fixes in Version 5.4:
Fixed exporting issues in the Portable edition
Fixed the Database Locked error
Fixed NOT filters for images and documents
Fixed the No filesystem found (dd/Linux) error
Removed a rarely used filter from the Case Tree

New in Belkasoft Evidence Center Ultimate 5.3 (Oct 14, 2014)

Evidence Reader:
Evidence Reader is the most important addition to the product for a long time. Evidence Reader offers Belkasoft customers an all new way to deal with evidence collected during the session. The Reader allows using any computer, with or without Evidence Center installed, to access and analyze evidence collected with Belkasoft Evidence Center. Evidence Reader is perfect when you need to pass digital evidence along to a colleague or coworker, or need to present raw data in a court.
Enhanced file carving:
Another major change in the version 5.3 is the ability of Belkasoft Evidence Center Pro, Ultimate and Enterprise to recover deleted data ("carve") in many additional formats including Microsoft Word 97-2003, Excel 97-2003, PowerPoint 97-2003, jpg, bmp, gif, wmf, Thumbs.db, SQLite databases, and MIME-encoded emails. While previously the product was able to work with existing files in these formats only, now it is able to find even deleted or even partially corrupted data.
Faster completion with half-way exporting:
Investigators may now complete their work faster by interrupting the scanning process mid-way and exporting incomplete search results. The ability to save half-way results is new to Belkasoft Evidence Center 5.3.
Other Improvements:
User-selectable path to store cases. If your system drive is not big, while your case is, you now can assign another folder on another drive to store case data.
The number of discovered artifacts is now displayed in the Case Explorer, e.g. (235), including data in subfolders. This number has changed its meaning for emails: now it represents the number of emails in the selected folder along with all its subfolders.
Reporting by the column allows generating reports with data aligned by the column (in addition to raw lists).
Existing Thumbs.db files discovery and analysis. These files contain small versions of all images in a folder and may contain important evidence. All existing versions of thumbnail files are supported, including the new Windows 8 format.
All video profiles are merged into a single profile, making Case Explorer less cluttered. Before this release, every video file was a single profile in the Case Explorer, which led to hundreds of video profiles. In current release, there is just a single profile, and all the videos are shown in the right-hand list. Keyframes are shown under a special Keyframes subnode of the Video profile node.
Contact selection for Instant Messenger reports. You can now export selected contacts only for IM histories.
For consistency reasons, "images" (meaning "digital pictures") are now referred as "pictures" throughout the user interface.
Improved Facebook analysis: added discovery of json and other fields.
Turkish "İ" problem is solved in reports. Our Turkish customers reported that the product may give incorrect results for items containing the Turkish İ symbol. This is now corrected.
Added Ukrainian language localization.
Solved issues with Chrome extraction.
Supports latest Skype builds.
Skype chat headers now extracted. Though chat headers are not a chat log, we encountered a few cases when they are the only thing not erased from the Skype database. Information from chat headers may give a clue of what was happening with deleted chats.
More info extracted for jumplists.
Multiple improvements to the multi-threaded engine make it work faster and more stable compared to v. 5.2.

New in Belkasoft Evidence Center Ultimate 5.2 (Oct 14, 2014)

New major features:
Multitasking support. Allows the product to fully employ computational abilities delivered by multiple-core CPUs. The use of multiple CPUs and CPU cores speeds up the detection and collection of digital evidence, and reduces the time required to analyze big hard drives and process larger amounts of information. However, even users of single-core CPUs will benefit from the new engine by enjoying multi-threaded scanning and background evidence collection.
Parallel multi-threaded scan. The tool now searches for the different types of artifacts in separate threads, quickly locating evidence that's easier/faster to discover, and continuing looking for more complex types (e.g. encrypted files) in background. This new parallel scanning mode allows investigators quicky accessing many types of evidence the moment they are discovered, without having to wait while the entire process completes.
Search results are added instantly. The new multi-threaded engine now adds the results to the list of discovered evidence the instant it's discovered. There's no need to wait till the scanning process finishes before viewing the evidence.
Background evidence collection. The new engine enables background computing, allowing investigators to interact with the tool at the time evidence is being collected. Background evidence collection greatly reduces waiting times, allowing specialists analyzing evidence that’s been already discovered before the collection process is complete.
QQ 2012 support, including support for QQ 2009-2011.
Improved Skype support. More profiles can be discovered in situations if certain access rights are not available.
Mail.RU Agent 5.7-6.0 support.
Smaller enhancements:
Added Italian translation.
Identifying profiles being extracted. The new version identifies the exact profiles for which evidence is being extracted. Profiles being extracted are identified with an animated icon.
RAW images display faster. The increase in performance up to 2-3x times compared to previous version.
Support for EnCase 7.05.02. The product is now integrated with all major releases of EnCase v.7 from 7.02 through 7.05.02.

New in Belkasoft Evidence Center Ultimate 5.1 Build 441 (Dec 14, 2012)

Jumplists supported. The product now allows investigating an extremely useful source of information: Windows jumplists.
Note: This new feature is available for free to valid license holders of Evidence Center Pro and Forensic Studio Ultimate editions. You have to redownload your license in order to obtain this feature.
Gradually adding found profiles. Previously, the product could spend a couple of hours going through the entire drive or image before displaying the full list of found profiles. In this release, it adds profiles immediately as they are discovered. You can now immediately review what has been found so far.
Support for EnCase 7.05. The product is now integrated with all major releases of EnCase v.7 from 7.02 through 7.05.
UTC/Local time cleanup. The time and date are now shown as local time or UTC time with regards to what time is actually stored by the application being analyzed.
Grouping of artifacts. Search Profiles and Carve Device windows now show all supported artifacts grouped. This enables you to, for example, de-select Mac OS X and Linux data types when you are investigating a Windows image. This, in turn, helps you save time because the tool is now looking for fewer types of information.
Dropbox support enhanced. The product now extracts more information from Dropbox data.
Facebook support enhanced. We have reviewed the latest updates to Facebook, and supported all of them. The new release discovers much more Facebook data and extracts more pieces of evidence out of it (for example, datetime stamp is added)
Internet Explorer 10 is supported
Additional video types are supported: 3GP and 3G2
EML generation introduced. You can export all found, selected or bookmarked emails into EML format.
A lot of mounting issues solved. The mounting component became much more stable, and does not lock up. Many previously problematic images are now processed perfectly.
NateOn Korean messenger supported.
Smaller enhancements:
Less false positives. We have cleaned up some evidence types that were previously throwing annoying false positives with rubbish texts. The new release greatly reduces the number of such occurrences.
Mailbox extraction performance. Emails are extracted much faster than before. Besides, the user interface becomes more responsive when you are going through extracted emails.
Memory consumption improved. There are less Out Of Memory errors during report generation as well as email extraction.
iPhone/iPad backup extraction. The product now can recreate Apple device backup file structure to a selected folder
Large attachments are not stored in a database. To improve database performance and data storing performance, the product does not store huge attachments in the database, but rather stores them as files inside a user app data folder.
Passwords for Opera now extracted more correctly. Previously there was some mess in what was a password and what was a login, now everything is shown correctly.
A lot of new translations were introduced. Now we support English, German, Spanish, Russian, Arabic, Vietnamese, Chinese, and Japanese!
Hotmail support enhanced. Hotmail analysis updated, new signatures added.
Windows 8 supported. The product has been tested on Windows 8 and shown perfect performance on this OS.