VFC (Virtual Forensic Computing)


 

VFC Lab

VFC gives a new dynamic to the way an investigator works on an investigation. VFC Lab puts the investigator “in the room” with the original user, providing invaluable access to software and data that cannot be easily found with a typical examination. The investigator can find evidence in its easiest format, just like the original user. Each device that is examined is different, and therefore having quick and easy access to the original is invaluable.

VFC has many features which make it one of the most powerful tools that a digital/cyber/incident response forensic investigator can use.

Once a drive or image is mounted, VFC will take minutes to create a VM, including bypassing the user account passwords, and injecting your preferred analysis software.

VFC quickly triages a device within minutes.

VFC is capable of virtualising from many different image types, including Single Volume Images, and from write-blocked drives.

VFC is forensically sound. The generated VM can be viewed as a sandbox environment that not only allows you to analyse the device but also allows you to test and change things repeatedly.

 

VFC LAB features

Password Bypass Tool does as its name suggests and bypasses the Windows user account passwords.

GPR Tool – resets the local user account password, as well as being able to convert Windows Live accounts to local accounts. With the aid of the GPR tool, you are able to view any saved autofill information in the browser history.

  • Standalone VM – our standalone VM feature allows you to provide evidence to a colleague, a different department, or third party. The standalone is great for report purposes, interviews and court presentations. What sets the standalone VM apart from anything else is that it doesn’t require the original image or drive present in order for it to work.
  • Inject files – This feature allows you to inject third party analysis software into a VM while VFC is generating a VM. For example, you could inject tried and trusted analysis tools to analyse a device.
  • Flexible – VFC can be used with a variety of image types, write-blocked drives and, from V7 onwards, Single Volume Images.

Access computers configured with S-Mode

  • Triage – within 30 seconds of selecting the partition, you will be able to view the VFC Triage log that can provide you with the following:
    • Recently accessed files
    • Recent apps
    • Recent URLs
    • Installed applications
    • Installed documents
    • Windows history
    • Chrome history
    • Windows links
    • List of previously connected USB devices
    • List of user accounts
    • Last user logged on
    • Last used date

We realise that no two organisations or entities are the same when it comes to who triages devices and how devices are triaged. That’s why it is crucial to have a simple tool that allows someone to look at evidence in a simple format.

  • BACK TO THE FUTURE – VFC is capable of creating a virtual machine with a desired date and time, enabling you to access licensed software and applications still in their license period.

  • VFC has scripts to enable you to seamlessly work with X-Ways and EnCase.
  • VFC can be used in Memory capture analysis in both live and deadbox enquiries by creating a .vmem file for analysis when generating a VM.

 

VFC General Features

Easy to use – built on over 15 years of R&D in creating VMs, you need only minimum IT skills to operate. Take analysis to another level – experience the original user desktop and take screenshots or video of key evidence items for use in reports, interviews and court.

  • Reliably and quickly create a VM from either forensic image or write-blocked physical disk with just a few mouse clicks
  • Maintains the integrity of the original evidential material, since it has been developed forensically; logs generated for each process ensure that a proper chain of custody is maintained and aid ISO 17025 compliance
  • Access encrypted disk data such as BitLocker (this requires recovery key or similar)
  • Access:
    • Original folder structure and desktop layout (as seen by the original user)
    • Recently accessed files and network shares
    • Browsing history, saved passwords and P2P accounts
       
  • Interact with installed software in its native environment and access evidence that could otherwise be unavailable:
    • View data using original software e.g. Sage, QuickBooks, Photoshop etc.
    • Access data e.g. Crypto Currency Wallets or other online systems using original user credentials
    • Access time-limited or expired software
  • Interact with original connected devices such as:

    • iPhones (via iTunes accounts)
    • Encrypted partitions or USB drives
  • Restore point Forensics – Rewind the VM to show what may have been changed by a user
  • Amend VM hardware to match the original hardware by adding additional disk/images, sound, USB or network support (disabled by default) or increase RAM or Processors
  • Attempt to repair broken VMs following Windows System Restore or similar
  • Heavy investment in R&D, customer support and regular updates

Part No:
AP-VFC-LAB


 

VFC Portable

VFC Portable is designed to use the existing hardware – on scene, in the lab, and just about anywhere required.

The functionality of VFC Portable is exactly the same as VFC Lab, with added features that enable VFC to be used in the field.

Write blocking behaviour – VFC Portable allows you to disable automatic disk online, SSD and Windows Dynamic Disks. This feature can be found in the settings/tools tab in VFC (Portable edition only). Drives will be read only.

VFC Portable can be used in memory capture analysis in both live and deadbox enquiries by creating a .vmem file when generating a VM.

 

VFC Triage

Being able to quickly triage a computer device on scene is vital. When conducting on scene triage, you want to be in and out as quickly as possible, while collecting sufficient evidence to warrant bringing the device back to the lab or even decide it does not meet the case parameters. VFC Triage allows you quick and safe access to the device: within 30 seconds of selecting the partition, you will be able to view the VFC Triage log that can provide you with the following:

  • Recently accessed files
  • Recent apps
  • Recent URLs
  • Installed applications
  • Installed documents
  • Windows history
  • Chrome history
  • Windows links
  • List of previously connected USB devices
  • List of user accounts
  • Last user logged on
  • Last used date

Inject files – This feature allows you to inject third party analysis software into a VM while VFC is generating a VM. This can be anything to aid with the analysis. For example, you could inject tried and trusted analysis tools to analyse a device onsite.     

Access computers configured with S-Mode

Password Bypass Tool does as its name suggests and bypasses the Windows user account passwords.

GPR Tool resets the local user account password, as well as being able to convert Windows Live accounts to local accounts. With the aid of the GPR tool, you are able to view any saved autofill information in the browser history.

 

VFC General Features

Easy to use – built on over 15 years of R&D in creating VMs, you need only minimum IT skills to operate. Take analysis to another level – experience the original user desktop and take screenshots or video of key evidence items for use in reports, interviews and court.

  • Reliably and quickly create a VM from either forensic image or write-blocked physical disk with just a few mouse clicks
  • Maintains the integrity of the original evidential material, since it has been developed forensically; logs generated for each process ensure that a proper chain of custody is maintained and aid ISO 17025 compliance
  • Flexible – VFC can be used with a variety of image types, write-blocked drives and, from V7 onwards, Single Volume Images.
  • Bypass Windows account passwords including Windows “live” account passwords
  • Access encrypted disk data such as BitLocker (requires recovery key or similar)
  • Access:

    • Original folder structure and desktop layout (as seen by the original user)

    • Recently accessed files and network shares

    • Browsing history, saved passwords and P2P accounts

  • Interact with installed software in its native environment and access evidence that could otherwise be unavailable  
    • View data using original software e.g. Sage, QuickBooks, Photoshop etc

    • Access data e.g. Crypto Currency Wallets or other online systems using original user credentials

    • Access time-limited or expired software

  • Modify hardware – once a VM has been created, you can attach other images/drives so you can access these within the VM.
  • Interact with original connected devices such as:  
    • iPhones (via iTunes accounts)
    • Encrypted partitions or USB drives
       
  • BACK TO THE FUTURE – VFC is capable of creating a virtual machine with a desired date and time, enabling you to access licensed software and applications still in their license period
  • Restore point Forensics – Rewind the VM to show what may have been changed by a user
  • Standalone VM – our standalone VM feature allows you to provide evidence to a colleague, different department, or third party. The standalone is great for report purposes, interviews and court presentations. What sets the standalone VM apart from anything else is that it doesn’t require the original image or drive present in order for it to work
  • VFC has scripts to enable you to seamlessly work with X-Ways and EnCase: launch VMs straight from these software tools
  • Amend VM hardware to match the original hardware by adding additional disk/images, sound, USB or network support (disabled by default) or increase RAM or Processors
  • Attempt to repair broken VMs following Windows System Restore or similar
  • Heavy investment in R&D, customer support and regular updates

Part No:
AP-VFC-PORTABLE


 

What is new in Version 7

VFC v7 features a streamlined workflow making it simpler to progress from forensic image to virtual machine but still allows the experienced user to perform a detailed exploration of the mounted image.

Single Volume Images

VFC v7 now supports non-bootable single volume images. These are images that contain a complete file system but lack components found in a whole disk image. VFC v7 can now seamlessly emulate the missing components and allow such images to be converted to a bootable virtual machine.

Virtualising a single volume image involves setting up a virtual environment where the contents of the single volume image can be accessed and interacted with as if it were a physical storage volume. A virtual machine provides a controlled and isolated environment to work with the contents of the image, making it easier to analyse and manipulate the data without affecting the original image.

VFC does all this for you which makes it an invaluable tool that can be used for various purposes such as Cyber\Digital Forensic testing, development and analysis.

This is particularly useful for images that were captured as a single volume or where an image has been converted from another volume-based format, such as a device that is TPM (TCM) encrypted, “BitLocker” and “VeraCrypt” encrypted, or any supported image format that can be converted in this way.

Using VFC to virtualise a TPM, BitLocker or VeraCrypt encrypted single volume image enables controlled access and analysis of the decrypted data without modifying the original image.

VFC enables a Cyber\Digital\Incident Response Investigator to follow the best practices of maintaining the integrity of the digital evidence with confidence and ensures that a proper chain of custody is maintained throughout the analysis process.

(Please note VFC does not support L01 logical images. These do not contain file system information and cannot be converted to a bootable virtual machine.)

Access computers configured with S-Mode

Windows S Mode is primarily used in specific environments where a more locked-down and controlled computing experience is desired. Here are some of the common scenarios where Windows S Mode is used:

Education Sector: Windows S Mode is often used in educational institutions, such as schools and universities. Its streamlined nature and restriction to installing apps from the Microsoft Store can provide a more secure and controlled environment for students and educators.

Enterprise and Business Environments: Some businesses may choose to use Windows S Mode on their devices to enhance security and manageability. The restricted app installation can help prevent the installation of unauthorized or potentially harmful software.

Devices for General Consumers: In some cases, manufacturers may pre-install Windows in S Mode on certain devices targeted at general consumers. This is less common compared to the use in education and business sectors, but it provides a simplified and secure computing experience for individuals who do not need to install software from outside the Microsoft Store.

VFC enables the system to operate like a standard operating system without the controls and security restrictions of S-Mode.

Inject files

This very powerful feature allows you to inject third party analysis software into a VM while VFC is generating it. Whether you are a Cyber Forensic, Digital Forensic or Incident Response Investigator, you will have your favourite suite of tools to aid and carry out analysis of a device in your enquiries. Using this feature, you can use the generated VM to get the answers more efficiently and effectively in the field or in the lab.

VFC Triage

Being able to quickly triage a computer device on scene or in the lab can prove vital: prioritising items can save time and money for an organization. When conducting on scene triage, you want to be in and out as quickly as possible, while collecting sufficient evidence to warrant bringing the device back to the lab or even decide it does not meet the case parameters. VFC Triage allows you quick and safe access to the device: within 30 seconds of selecting the partition, you will be able to view the VFC Triage log that can provide you with the following:

  • Recently accessed files
  • Recent apps
  • Recent URLs
  • Installed applications
  • Installed documents
  • Windows history
  • Chrome history
  • Windows links
  • List of previously connected USB devices
  • List of user accounts
  • Last user logged on
  • Last used date