VFC has become an essential tool in our forensic investigator’s toolkit. It provides investigators an insight into the suspect’s perspective by actually seeing the user’s desktop, settings and user environment. Screen captures from the suspect’s environment add significant weight to the forensic report when describing how the suspect utilized the computer to facilitate the crime. VFC is truly a tool that I rely upon and use in all my computer investigations!
MD5’s proprietary forensic software tool, Virtual Forensic Computing (VFC®) is an essential tool in an investigator’s tool box. VFC saves time and energy by helping the examiner to quickly and effortlessly recreate the digital crime-scene, allowing the investigator to hunt around and interact with the suspect’s desktop environment.
The resulting VFC virtual machine can be used in many ways, including to:
o proprietary databases
o files with proprietary file extensions in their native environment
Screen shots and screen capture video of the suspect’s system – or even live use the software – can provide invaluable evidence in a court of law and have helped many prosecutors to explain what may otherwise have been highly technical evidence to non-technical audiences
VFC is the original – and we think best – virtualisation solution for the forensic investigator. Version 4 (VFC4) includes some great new features, as requested by users. These enhanced features come alongside a faster, more powerful version of VFC.
Virtual Forensic Computing software is often considered an essential tool for Forensic Investigators, as it allows for seamless recreation of a digital crime scene using the original evidence.
VFC works alongside VMware’s Workstation Player or Workstation Pro and Virtual Disk Development Kit (VDDK) to replicate the suspect’s desktop in a virtual environment.
VMware, in our experience at least, is the most reliable virtualisation tool out there which makes for a smoother user experience. VFC makes VMware do things it wasn’t built to do, fixing errors automatically to save the user hours of complex problem-solving. VMware’s inherent stability helps with this.
For Law Enforcement, no further purchase is necessary since VMware’s Workstation Player is free for non-commercial use. FTK Imager from AccessData is freely available to download and can be used as a no-nonsense mounting tool, however investigators are not tied to particular mounting programs.
VFC works with write-blocked physical drives, Unix-style DD images or mounted forensic images. The software interrogates the target drive to gather relevant system information so that it can very quickly build the VMware framework to create a forensic replica of the target system (the exhibit) as a Virtual Machine (VM). VFC achieves this by following accepted forensic practices while simultaneously and automatically fixing a multitude of known problems to avoid BSOD and driver errors and save the user hours of manual diagnosis and repair.
The resulting VFC VM is launched in VMware to enable the user to navigate around the suspect’s desktop as if they had literally turned on their machine. Any network connections are disabled by default to ensure a secure environment.
VFC now offers the option to add hardware to an existing VFC VM (e.g. to rebuild a tower system with multiple drives) and the capability to export a standalone clone of a VM for further investigation without tying up the forensic workstation further.