
Belkasoft Forensic IM Analyzer Features

Search seized drive for histories

There is a seized hard drive in your lab and you want to find all history files stored on it. You do not know which means of communication the suspect was using. The product allows you to search the whole hard drive for all supported types of Instant Messengers:

  • All drives or particular ones may be selected

  • You can select a particular folder to search through

  • The history to be searched may be constrained to particular types (e.g. Skype files only)

  • You can search a drive image, such as an EnCase image or a DD image

  • You can manually select a history to analyze

Analyze found histories

The product does all analysis with two mouse clicks:

  • No password required

  • You do not have to be logged in as the history owner

  • No write access required. The product works with write-blocking devices

Explore extracted histories

The product shows extracted messages in a user-friendly form.

Within the user interface you can:

  • See all available histories and their extraction status

  • See all contacts belonging to a profile

  • See all conversations with selected contact

  • Sort by time, message direction, message text

  • Apply filtering

  • Search history: simple search through the history, and advanced search using a file containing a set of words to look for. Experienced users can also search by regular expressions, which are useful when searching for patterns or phrases with a fuzzy structure

Retrieving deleted history

If the history was deleted by a user, there is a chance that parts of it are still kept on the drive. To find such parts, the product uses so-called 'carving' techniques, which can help you retrieve deleted conversations.

The following features are supported:

  • Carving of FAT and NTFS drives

  • Carving of drives attached through a write-blocking device

  • Carving of drive images (EnCase or DD format)

  • Live memory investigation (carving of a RAM image made with win32dd/win64dd or FTK Imager)

Note! This feature allows for retrieval of conversations deleted from a drive. It will not help you if the history was never stored on a drive, except for RAM image carving.

Export history

After completing your investigation you need to export the history of interest into a readable form. The product allows you to:

  • Export history to plain text, HTML, XML and CSV; the CSV format is convenient for exploring the data in Microsoft Excel

  • Constrain exported history to selected dates and contacts

  • Constrain exported history to selected chat messages

  • Split huge histories into separate files, broken by contact

The report can be burned to a CD and given away.

Instant Messengers support

The following IMs are supported:

  • ICQ (all versions from 97a to ICQ 7)
  • Microsoft MSN/LiveMessenger
  • Skype versions 2, 3, 4 (including chatsync recovery)
  • Yahoo! Messenger
  • MySpace IM
  • &RQ
  • Miranda
  • SIM
  • QIP
  • QIP Infium
  • Google Hello
  • Trillian
  • QQ 2008 and earlier
  • QQ 2009 and 2010 (Professional and Ultimate edition only)
    See this link for details on retrieval of QQ 2009/2010
  • Digsby
  • Rambler Virtus
  • Mail.Ru Agent
  • Pidgin
  • AIM (search history files only)

Deleted history carving support (Ultimate edition only):

  • Skype 3
  • Skype 4
  • Digsby
  • ICQ Lite
  • ICQ 7
  • Miranda IM
  • Windows Live Messenger
  • QIP Infium/2010
  • SIM
  • AIM
  • Virtus
  • Pidgin
  • Trillian
  • Mail.ru Agent 5
  • Gajim
  • Emesene
  • Yahoo! Messenger

Live memory images carving (Ultimate edition only):

  • ICQ 7
  • Yahoo! Messenger
  • Skype
  • Gmail
  • MSN
  • Meebo
  • Google Talk
  • Facebook (personal messages)
  • Vkontakte.ru (personal messages)

Product editions

The product has a number of editions:

  • Home - this edition is intended for home (individual) users. Organizations are not allowed to purchase this edition. This is the most basic version of the product

  • Standard - this edition is the basic version for organizational users

  • Professional - this edition includes support for mounting drive images, extraction of Skype chatsync and QQ 2009/2010

  • Ultimate - this edition includes support for carving (retrieving) data of deleted Instant Messengers and data in live RAM. Note that this version is still in beta

  • Intelligence - this edition is distributed as a flash drive with an executable that does not require installation on the target computer. This is useful for gathering information outside the forensic lab in an uncontrolled environment such as an internet cafe. The edition is only available for police and law enforcement organizations.

All editions except Home may be purchased with regular protection (a registration key bound to a single computer) or with USB key (dongle) protection.

Download 10-day trial
Register $99.95 (Home)
$199.95 (Standard)
$299.95 (Professional)
$499.95 (Ultimate)
$1499.95 (Intelligence)