VFC is one of the most significant breakthroughs in Computer Forensics within the last ten years. VFC enables investigators to:
- Rapidly boot a forensic image of a suspect's computer; or
- Boot a physical write-blocked hard drive.
The investigator can then experience the ‘desktop’ as seen by the original user in an entirely forensic manner. The investigator can use the suspect's computer in a read-only virtual environment.
“VFC boots a mounted EnCase image in seconds…”
There are numerous specialist software applications available to assist the investigation and analysis of digital media which has been forensically acquired. Whilst these tools can and do provide a great depth of analysis and will reveal data fragments of material no longer readily available, it is often the case that the ‘scene of the crime’ part of the examination process is overlooked as an additional source of potentially invaluable information.
In the ‘real’ world, it is almost unthinkable not to examine in detail the actual crime scene and then perform ‘forensic’ examinations on evidence gathered from the scene. In the ‘virtual’ world of forensic computing, the same is not true, and all too often it is only the underlying data and information that resides on the storage devices that is examined in detail.
The VFC application utilises VMware’s freely available Player and Disk Mount utilities, along with the Computer Forensics disk mount tool ‘Mount Image Pro’, to re-create a subject machine in a matter of seconds.
VFC has been developed by Michael Penhallurick, a senior Computer Forensics analyst with MD5 Ltd. In 2005 an abridged version of his research was published in Digital Investigations, a magazine aimed directly at the Computer Forensics arena. His successful methods of transposing digital data into a virtual machine environment have been read and utilised by investigators across the globe. Building from this research, Michael has now developed this standalone application that enables an investigator to experience almost any Windows-based system within seconds of acquisition. With VFC:
- There is no need to have access to a full Computer Forensics application (such as EnCase) or any additional disk emulation modules.
- There is no need to restore Computer Forensics image files to another PC to try and boot them.
Once the Computer Forensics image has been acquired, simply mount it with Mount Image Pro, and boot it with VFC in seconds!
The latest version of VFC is version 3, which has the following features and functions:
- Added detection of VMware Workstation 10 and Player 6
- Added support for parsing partitions on GPT formatted disks
- Added support for PWB routines when using a GPT formatted target disk
- Modified progress display for analysis and generate routines
- Fixed minor bug in ViewSectors dialogue to prevent read past end of disk
- Added option to go to last sector of disk in ViewSectors dialogue
- Added remnant hive removal check when forced dismount of VMDK is necessary
- Bypass any Windows user account password
- Rewind a machine to ‘last week’ utilising restore point forensics
In development is hardware modification to add network capability and enhanced partition handling. For existing VFC users we have a discounted upgrade package.
VFC has been successfully applied to every Windows version from Windows 95 through to Windows 8.