Acquiring Removable Drives, Mobile Devices, RAM And Cloud Storage

Presenter: Yuri Gubanov, CEO, Belkasoft

Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Yuri Gubanov: Hello everyone,

My name is Yuri, I am from Belkasoft, and today I am going to show you how to image various devices using our free Belkasoft Acquisition Tool or, in short, BelkaImager.

Acquisition Tool is a software which exists as a free standalone tool. Besides, if you have a Belkasoft Evidence Center license, you automatically receive it with the version 8 of this product, so Acquisition tool also exists as an embedded feature of Evidence Center.

The tool can run on any Windows system starting from Windows XP, and can acquire 4 types of data sources, such as hard drives and removable drives, smartphones based on iOS and Android operating systems. Also, it can download cloud data and capture RAM contents.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

The output of the tool is standard. For storage devices, it’s Raw (DD) or E01 formats. For iPhones and iPads, it is the regular iTunes backup format. For Android devices, it’s a standard ADB backup. For RAM, it’s uncompressed raw data. The only exception is clouds, as there is no standard format for saving cloud information, so we use our own format based on XML, it’s called .Belkaml. This format can be analyzed with Evidence Center. The contents of what you download from clouds is just regular files, so you can analyze them with any tool in your possession. As you can see from this slide, you are not forced to use Evidence Center (nor any other tool) to analyze data from BelkaImager, you can use whichever tool you have.

Now let me go to the tool and show you how it works. I will show it as an embedded feature of Evidence Center, but it will behave all the same if you run the standalone version. In order to run it from Evidence Center, go to Tools menu and choose Acquisition menu item. You are now presented with the first screen of Acquisition Tool. This is also the first screen you will see if you run it as standalone free product. Here you can see 3 types of data sources: drives, mobile devices, and clouds. There is no icon for RAM because we have a separate executable for that.

The idea is to make the RAM-capturing tool as small as possible in order to not overwrite too much of user’s data, that’s why we have RAM Capturer as a separate executable that is included in the Acquisition Tool package. I will show you RAM Capturer separately. Let me click on Drive. You will see all physical and logical drives currently attached to my computer. Let me select L:\ drive. We can see that it’s a fixed drive with hundred-plus gigabytes. Next you specify the path – where you want the image to be stored. If you name it using “.e01” extension, the corresponding format will be used. Any other extension will result in DD format being used. You can ask the software to calculate and verify the checksum. Besides, you can split the image into several images of given size.

When I click on Next, the program will start imaging, and in a few minutes – or hours, depending on the drive’s size – it will create an E01 image. I will not wait for the entire process to finish because it will be too long, so I cancel it and move on to the next type of acquisition, which will be mobile device acquisition.

For mobiles, we currently support acquiring logical images for Apple and Android devices. Let me first choose Apple. The software automatically scans for all the devices attached to your machine. Here you can see that I have just one Apple device connected to my computer, and you can see some of the information about this device. As you can see, I don’t have the most recent iPhone, instead I have a 5s, and you can also see that I am quite conservative about updating my operating system, I am on version 8.4. If you have a device connected but you can’t see it here, you can click on the link “Connected device is not listed”. You will see the hint advising you what you should do. For Apple devices, you need to ensure that iTunes is installed and a corresponding service is running. If you connect the device for the first time, you will have to wait a little bit until Windows installs required USB driver for Apple.

Now let’s specify the path for our image to be stored, click Next, and wait for the program to initialize the mobile device. Once it is initialized, you will see that the program has connected to the device and started acquiring the contents. Again,I will have to cancel it because it will take a few minutes, and now we will go to another type of mobile devices – Android devices.

The tool scans for connected devices and shows a Samsung device, but it says that it’s “unauthorized”. In order to continue, I have to go to the device and unlock it. On the screen of the phone I will see a notification, asking whether to allow USB debugging. I click OK, and immediately Acquisition Tool update information about Android operating system and serial number of the device. Here you can also click on “Connected device is not listed”, and you will see a hint on how to connect the device. It must be Android version 4.0 or higher, and you need to enable Developer mode and turn on USB debugging. On the right, you will see a picture, demonstrating how to do that. Back to main screen, here on the bottom you can see some more options: whether to copy system applications data, SD card, or .apk files.

Let’s copy everything, then click Next. Again, the tool initializes my device, so I have to wait a bit while it is trying to establish a connection. Once again, it asks me to allow USB debugging on my phone and then to allow creating a backup, and then the process starts. You can see that it is copying the data from my phone. I will not show you the entire process now either (in order to save time), so I will click Cancel and go back to the first screen.

Now let’s go to Cloud data. Currently, we support Google Drive and iCloud. I will select Google. For Google, there are two types of Google services supported, Google Drive and Google Plus. We support two types of authentication methods: consent screens and refresh tokens. Refresh token method is a bit too technical for today’s webinar, but if you’d like to know more details, you can visit our website to see how to work with refresh tokens.

Today, I will show you consent screen method. Click Next, and now my browser automatically opens, and you can see that I am already logged in to my Gmail account, so the only thing I have to do now is to click Allow button. The screen says “Verification code is received”, I can close this window and go to Acquisition Tool. Here I can specify which artifacts I would like to download. I can download meta-information about files on Google Drive and the files themselves. I select everything and click Next, and the download starts. You can see that I have almost two thousand files on my Google Drive. I was surprised when I saw this number for the first time because I did not think that I had that amount of files, but actually, it’s not only my files. Most of the files are shared with me by someone else, so that explains the high number. Whenever you share anything with your colleagues or friends, it can be downloaded via their account. This is about 2 GB of information, so I will cancel the process and go back to demonstrate another kind of acquisition.

Now I go to iCloud. With iCloud, there are two types of authentication, login plus password or cookies. Login/Password is respectively AppleID and password for the account, and you have to know them to download backup information from iCloud. Please be aware that once you have successfully logged in with user’s password, iCloud will send a notification to the account’s owner, so there is no way to conceal the fact of logging in. I will enter some fake details and click Next. You can see which types of artifacts are available to download: Find my phone, Calendar, Pages, Backup info, and most importantly, Backup files (not only the most recent ones, but also from older backups). Click Back. If i choose Cookies, which is another way to get in if you don’t know the login and password, it is required that the user has previously logged in to icloud.com. If your user has logged in there, you can test your luck – maybe cookies are still stored and have not expired yet. You can fill in the cookie values here (you will need 3 cookies on this page in order to log in). If everything works well, on the next page you will see what artifacts are available to you. You can see that there are fewer artifacts, particularly, you don’t have access to backups. Unfortunately, without login and password, you can’t access those. I don’t have a sample iCloud account, so I won’t be able to demonstrate how it works, but it’s more or less the same as with Google Drive.

That’s it for this interface. Now let me quickly show you RAM capturing.
RAM capturer is a one-screen tool that is very easy to use. When you run it from a thumb drive or from a hard drive, you will see this screen with some information about memory. Basically, the only thing you have to do is to click on “Capture!”, and that’s it. It will create a raw memory dump on your selected device. You will be able to investigate it with any tool that supports RAM dump analysis, be that Belkasoft Evidence Center or other tools.

Now, let me go back to my presentation. The next question is how to analyze the acquired dumps or backups. You can use almost any tool because the output format is standard, but of course, we would like to offer you to use our own product, Belkasoft Evidence Center. One of the best things about Evidence Center is that it automatically extracts data for more than 700 types of artifacts, both computer and mobile. Among automatically extracted artifacts are documents, emails, hundreds of mobile apps, hundreds of chats, major browsers, system files (such as thumbnails, jumplists, registries, and so on). We also can analyze various media files, such as pictures and videos.

We can detect more than 200 types of encrypted files, and if you have a Decryption module, you’ll be able to decrypt file as well. One of the strong features of the product is forensic analysis of SQLite databases. We also have other kinds of analysis, for example, pornography detection for pictures and videos, as well as face detection and text detection. For videos, we have keyframe extraction. We have community detection inside social graphs, and so on and so forth.

Both Acquisition Tool and Evidence Center are used in more than 70 countries worldwide. Most of our customers are in Law Enforcement, but we also have a lot of private and corporate customers (such as the Big Four, Kaspersky, and even Disney).

How to get the tools? For BelkaImager, you can go to belkasoft.com/bat. This tool is free, and you are welcome to download and use it. Belkasoft Evidence Center 2017 is a commercial product, but a full free trial is available at belkasoft.com/trial. If you would like to get a quote on Evidence Center, you can go directly to belkasoft.com/quote or ask us at sales@belkasoft.com. If you have to work via reseller, we have resellers on all the continents and almost all countries, so contact us, and we will find our partner that is closest to you.

That’s it for today! I hope you enjoyed the webinar. If you have any questions, you can use chat window of the webinar client. Thanks for your time!

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 27th March 2024 6:06 pm

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles