Why You Want It

MD5 Virtual Forensic Computing

View the digital crime scene in seconds


Launched in 2007, VFC is the leading virtualisation solution for the forensic investigator. VFC is used to create a virtual copy (VM) of a suspect computer:


  • Fast – VFC typically takes just a couple of minutes to produce a bootable VM
  • Safe – VFC is forensically safe and doesn’t modify original evidential data
  • Flexible – VFC supports common forensic image formats and write-blocked physical disks
  • Reliable – Based on over 10 years of research, VFC supports numerous operating systems and machine configurations and can produce a usable VM in > 95% of cases
  • Capable – VFC includes a built-in image mount tool and can bypass most Windows account passwords in seconds


VFC removes the guesswork from virtualisation and allows the investigator to concentrate on the investigation. It lets the investigator quickly experience the computer environment just as the original user did. This puts the investigator “in the room” with the suspect, providing invaluable access to software and data that cannot be easily found with a typical “dead box” examination.



In some cases, an experienced investigator can manually create a virtual machine from a forensic image. However, this can be a time-consuming and error-prone task. VFC automates the process and applies over 10 years of acquired knowledge to fix numerous potential issues and quickly produce a compatible and stable virtual machine in seconds. VFC removes the guesswork from virtualisation and allows the investigator to concentrate on the investigation:

  • Reliably and quickly create a VM from either forensic image or write-blocked physical disk with just a few mouse clicks
  • Avoid common virtualisation errors due to BSOD and incompatible drivers
  • Avoid accidentally changing original evidential material
  • Bypass Windows account passwords including Windows 8/10 “live” account passwords
  • Access encrypted disk data such as BitLocker (requires recovery key or similar)
  • Experience the original user desktop and take screenshots or video of key evidence items for use in court:
    • Original folder structure and desktop layout (as seen by the user)
    • Recently accessed files and network shares
    • Browsing history, saved passwords and P2P accounts


  • Interact with installed software in its native environment and access evidence that could otherwise be unavailable:
    • View data using original software e.g. Sage, QuickBooks etc.
    • Access data or online systems using original user credentials
    • Access time-limited or expired software


  • Interact with original connected devices such as:
    • iPhones (via iTunes accounts)
    • Encrypted partitions or USB drives


  • Amend VM hardware to match the original hardware by adding additional disk/images, sound, USB or network support (disabled by default)
  • Repair broken VMs following Windows System Restore or similar
  • Generate standalone VM for use by non-technical staff and other investigators
  • Heavy investment in R&D and regular updates
  • Full telephone and email support based