Integration with existing Forensic software, EnCase & X-Ways
VFC Mount to simplify the virtualisation process and remove reliance upon third party tools
Windows Live ID Exploit (including PIN accounts)
Having access to the ‘digital scene of crime’ can offer huge benefits to an investigator. Whether investigating fraud, murder, child abuse or something else, seeing the computer through the eyes of the suspect can be invaluable. Building a virtual machine (VM) of the suspect’s computer is one easy way to get forensically sound access to the user’s environment.
As virtualisation platforms have improved, building a replica of a suspect’s system has become much easier. What once could take a few days now takes just a few hours if you are lucky. Most of this time is spent fixing driver errors (e.g. human input device drivers such as the mouse and keyboard) and overcoming driver problems and the infamous blue screen of death (BSOD).
However, with the right tools, investigators can now do all this reliably in just a couple of minutes. ‘Virtual Forensic Computing’ or ‘VFC’ allows the user to create a VM from a forensic image (or a write-blocked physical hard disk drive), automatically fixing common problems and typically booting the VM in under a minute. VFC makes the virtualisation process smooth and hassle free.
Since VFC was first released by MD5 in 2007, to “VFC a forensic image” has become synonymous with virtualisation among VFC’s valued customers.
Using a VM to replicate the user’s computer, the desktop environment can easily be captured for presentation to a judge or a jury. This helps juries understand the more technical aspects of investigators’ reports, or enables powerful emotive images to be put before the judging panel. Using VFC, investigators can:
VFC is now used on every continent, in almost every aspect of digital forensic investigations, by law enforcement, military investigation teams, and forensic and cyber investigation teams in both the private and public sectors.
VFC 5.0 integrates the VFC workflow directly into existing forensic analysis tools
VFC 5.0 makes the creation of a VM even easier with its integration components for common forensic analysis tools:
The integration components are provided with the standard VFC package and can be set up and used within minutes. VFC also now provides a command line interface to support automated workflows.
These exciting new features now allow the analyst to launch a VM of their target image directly from within their standard forensic examination suite.
VFC 5.0 now comes with its own mount utility, VFC Mount, to simplify the virtualisation process and remove reliance upon third party tools. VFC Mount currently supports .E01, .EX01, AFF4, .VMDK, .BIN, .IMG, .RAW, and .DD images. VFC Mount helps reduce instances of common Windows errors when dealing with mounted images such as the very common “The physical disk is already in use” error in VMware.
VFC also gives the ability to clearly demonstrate that something doesn’t work – for instance, if a suspect insists the password they have provided is correct, VFC provides a quick way to prove them wrong without affecting the original data.
Historically, VFC PWB only worked on local Windows user accounts. VFC 5.0 now adds support for Windows 8/10 ‘live’ accounts with the Generic Password Reset (GPR) feature.
Generic Password Reset (GPR) tool
New to VFC 5.0, the GPR tool can be used to help make powerful system-level changes. With GPR, the investigator can:
Early feedback from a select group of active police investigators who have been given pre-release access to the Live-ID feature has been very positive.
With additional support for Linux and other Operating Systems, VFC has continued to deliver new features since it was introduced. The newest features (for ease of reference) include:
Part No:
AP-VFC-LE