VFC 5.0 makes Forensic Virtualisation easier than ever with a host of new features:
Integration with existing Forensic software, EnCase & X-Ways
VFC Mount to simplify the virtualisation process and remove reliance upon third party tools
Windows Live ID Exploit (including PIN accounts)
What is Virtual Forensic Computing?
Having access to the ‘digital scene of crime’ can offer huge benefits to an investigator. Whether investigating fraud, murder, child abuse or something else, seeing the computer through the eyes of the suspect can be invaluable. Building a virtual machine (VM) of the suspect’s computer is one easy way to get forensically sound access to the user’s environment.
A VM allows an investigator to:
See the desktop and operating environment just as the user saw it
Navigate financial records within the native software (Sage, QuickBooks, Great Plains etc.)
Access emails and internet search histories, demonstrate interaction with installed software
Determine accessibility of illegal files
VFC simplifies the virtualisation process
As virtualisation platforms have improved, building a replica of a suspect’s system has become much easier. What once could take a few days now takes just a few hours if you are lucky. Most of this time is spent fixing driver errors (e.g. human input device drivers such as the mouse and keyboard) and overcoming driver problems and the infamous blue screen of death (BSOD).
However, with the right tools, investigators can now do all this reliably in just a couple of minutes. ‘Virtual Forensic Computing’ or ‘VFC’ allows the user to create a VM from a forensic image (or a write-blocked physical hard disk drive), automatically fixing common problems and typically booting the VM in under a minute. VFC makes the virtualisation process smooth and hassle free.
Among VFC’s valued customers, to “VFC a forensic image” has become synonymous with virtualisation since VFC was first released by MD5 in 2007.
A picture speaks a thousand words
Using a VM to replicate the user’s computer, the desktop environment can easily be captured for presentation to a judge or a jury. This helps juries understand the more technical aspects of an investigator’s report, or enables powerful emotive images to be put before the judging panel. Using VFC, investigators can:
Take screenshots and embed these in their reports
Record video screen-capture of an examination to play back in the courtroom
Create portable versions of the VM to demonstrate live in court
VFC is now used on every continent, in almost every aspect of digital forensic investigations, by law enforcement, military investigation teams, and forensic and cyber investigation teams in both the private and public sector.
VFC 5.0 integrates the VFC workflow directly into existing forensic analysis tools
VFC 5.0 makes the creation of a VM even easier with its integration components for common forensic analysis tools:
XWF X-Tension files
The integration components are provided with the standard VFC package and can be set up and used within minutes. Similarly, VFC now supports a command line interface to support automated workflows.
These exciting new features now allow the analyst to launch a VM of their target image directly from within their standard forensic examination suite.
VFC Mount helps reduce common errors
VFC 5.0 now comes with its own mount utility, VFC Mount, to simplify the virtualisation process and remove reliance upon third party tools. VFC Mount currently supports .E01, .EX01, AFF4, .VMDK, .BIN, .IMG, .RAW, and .DD images. VFC Mount helps reduce instances of common Windows errors when dealing with mounted images such as the very common “The physical disk is already in use” error in VMware.
Password bypass (PWB) gives quick access to suspect accounts
VFC also gives the ability to clearly demonstrate that something doesn’t work – for instance, if a suspect insists the password they have provided is correct, VFC provides a quick way to prove them wrong without affecting the original data.
Historically, VFC PWB only worked on local Windows user accounts; VFC 5.0 now adds support for Windows 8/10 ‘live’ accounts with the Generic Password Reset (GPR) feature.
New from September 2019 – Windows Live ID Exploit (including PIN accounts)
Generic Password Reset (GPR) tool
New to VFC 5.0, the GPR tool can be used to help make powerful system-level changes. With GPR, the investigator can:
List User Accounts (including password status)
Change ‘online’ accounts to traditional ‘local’ accounts
Reset account passwords to known values (including PIN accounts)
Open a SYSTEM level command prompt (at the logon screen)
Easily reboot the guest VM
Early feedback from a select group of active police investigators who have been given pre-release access to the Live-ID feature has been very positive.
Continual investment ensures continued development
With additional support for Linux and other Operating Systems, VFC has continued to deliver new features since it was introduced. The newest features (for ease of reference) include:
Windows ‘Live ID’ (online) password reset feature – gives the user a simple method to get around even the latest in Windows user security
VFC Mount – simplifies the user experience and minimizes common VMware problems
Generic Password Reset – gives users a simple and fast way to access a specific account or make system-level changes. It is portable, powerful and user friendly.
Command Line functionality and inclusive components – seamlessly integrate with EnCase Forensic and X-Ways Forensics, allowing VFC to be used alongside existing, trusted forensic software.
64-bit host system support – brings VFC fully up to date, giving it a rightful place in today’s forensic laboratory
Other significant features include:
Standalone Clone VFC VM gives the user the option to export a copy of their VM that can be reviewed by an investigator away from the forensic analyst’s workstation, without the need for a VFC dongle (license).
Modify Hardware allows VM hardware to be amended including adding extra drives or network support
Password Bypass (PWB) feature for Windows user accounts – VFC 5.0 has increased the number of discrete PWB routines to over 2000, up considerably from 500 with VFC 4.0.
Patch VM / Restore Points feature – allows the investigator to patch problematic virtual machines or repair a VM after using the Windows system restore feature to ‘rewind’ a VM to an earlier historic state.
The VFC Log File – keeps a forensic log of all steps taken by the software (effectively contemporaneous notes) and makes VFC a powerful weapon in the forensic investigator’s arsenal.
Updates and upgrades have further enhanced the product, including further OS support, new password bypass routines and slicker processes.