VFC Lab
VFC gives a new dynamic to the way an investigator works on an investigation VFC Lab puts the investigator “in the room” with the original user, providing invaluable access to software and data that cannot be easily found with a typical examination. The investigator can find evidence in its easiest format, just like the original user. Each device that is examined is different, and therefore, having quick and easy access to the original is invaluable.
VFC has many features which make it one of the most powerful tools that a digital\cyber\incident response forensic investigator can use.
Once a drive or image is mounted, VFC will take minutes to create a VM, including bypassing the user account passwords, and injecting your preferred analysis software.
VFC quickly triages a device within minutes of obtaining the device.
VFC is capable of virtualising from many different image types – including Single Volume Images and to virtualise from write blocked drives.
VFC is forensically sound The generated VM can be viewed as a sandbox environment that not only allows you to analyse the device, it allows you to test and change things repeatably.
VFC LAB features
Password Bypass Tool does as its name suggests and bypasses the windows user account passwords.
GPR Tool – resets the local user account password, as well as being able to convert windows live accounts to local accounts. With the aid of the GPR tool, you are able to view any saved autofill information in the browser history.
- Standalone VM – our standalone VM feature allows you to provide evidence to a colleague, a different department, or third party. The standalone is great for report purposes, interviews and court presentations. What sets the standalone VM apart from anything else is that it doesn’t require the original image or drive present in order for it to work.
- Inject files –This feature allows you to inject third party analysis software into a VM while VFC is generating a VM. For example, you could inject tried and trusted analysis tools to analyse a device.
- Flexible– VFC can be used with a variety of image types, write blocked; and INCLUDING with V7 onwards Single Volume Images
Access computers configured with S-Mode
- Triage – within 30 seconds of selecting the partition, you will be able to view the VFC Triage log that can provide you with the following:
- Recently accessed files
- Recent app
- Recent URLS
- Installed applications
- Installed documents
- Windows history
- Chrome history
- Windows links
- List of previously connected USB devices
- List of user accounts
- Last user logged on
- Last used date
We realise that not one organisation or entity is the same when it comes to who triages devices and how devices are triaged. That’s why it is important to have a simple tool that allows someone to look at evidence in a simple format is crucial.
- BACK TO THE FUTURE– VFC is capable of creating a virtual machine with a desired date and time. Enabling you to access licensed software and applications still in their license period.
- VFC has scripts to enable you to seamlessly work with X-W ays, EnCase.
- VFC can be used in Memory capture analysis in both live and deadbox enquiries by creating a .vmem file for analysis when generating a VM
VFC General Features
Easy to use – built on over 15 years of R&D in creating VM’s you just need minimum IT Skills to operate. Take Analysis to another level -Experience the original user desktop and take screenshots or video key evidence items for use in reports interviews and court.
- Reliably and quickly create a VM from either forensic image or write-blocked physical disk with just a few mouse clicks
- Maintaining the integrity of the original evidential material since developed forensically, logs generated for each process ensures thata proper chain of custody is maintained and aids ISO 17025 compliancy
- Access encrypted disk data such as Bitlocker (this requires recovery key or similar)
- Access:
- Original folder structure and desktop layout (as seen by the original user)
- Recently accessed files and network shares
- Browsing history, saved passwords and P2P accounts
- Interact with installed software in its native environment and access evidence that could otherwise be unavailable:
- View data using original software e.g. Sage, QuickBooks, Photoshop etc.
- Access data e.g Crypto Currency Wallets or other online systems using original user credentials
- Access time-limited or expired software
- Interact with original connected devices such as:
- iPhones (via iTunes accounts)
- Encrypted partitions or USB drives
- Restore point Forensics – Rewind the VM to show what may have been changed by a user
- Amend VM hardware to match the original hardware by adding additional disk/images, sound, USB or network support (disabled by default) or increase RAM or Processors
- Attempt to repair broken VMs following Windows System Restore or similar
- Heavy investment in R&D customer support and regular updates
