Why You Want It

VFC has become an essential tool in our forensic investigator’s toolkit. It provides investigators an insight into the suspect’s perspective by actually seeing the user’s desktop, settings and user environment. Screen captures from the suspect’s environment add significant weight to the forensic report when describing how the suspect utilized the computer to facilitate the crime. VFC is truly a tool that I rely upon and use in all my computer investigations!


Virtual Forensic Computing (VFC)

MD5’s proprietary forensic software tool, Virtual Forensic Computing (VFC®), is an essential tool in an investigator’s toolbox. VFC saves time and energy by helping the examiner to quickly and effortlessly recreate the digital crime scene, allowing the investigator to hunt around and interact with the suspect’s desktop environment.

The resulting VFC virtual machine can be used in many ways, including to:

  • Demonstrate accessibility of evidence
  • Interact with software on the guest system to access:
      o proprietary databases
      o files with proprietary file extensions in their native environment
  • Easily disprove and/or prove claims of interaction with software or the system itself.

Screenshots and screen-capture video of the suspect’s system – or even live use of the software – can provide invaluable evidence in a court of law and have helped many prosecutors to explain what may otherwise have been highly technical evidence to non-technical audiences.

VFC is the original – and we think best – virtualisation solution for the forensic investigator. Version 4 (VFC4) includes some great new features, as requested by users. These enhanced features come alongside a faster, more powerful version of VFC.

Virtual Forensic Computing software is often considered an essential tool for Forensic Investigators, as it allows for seamless recreation of a digital crime scene using the original evidence.

VFC works alongside VMware’s Workstation Player or Workstation Pro and Virtual Disk Development Kit (VDDK) to replicate the suspect’s desktop in a virtual environment.

VMware, in our experience at least, is the most reliable virtualisation tool out there which makes for a smoother user experience. VFC makes VMware do things it wasn’t built to do, fixing errors automatically to save the user hours of complex problem-solving. VMware’s inherent stability helps with this.

For Law Enforcement, no further purchase is necessary since VMware’s Workstation Player is free for non-commercial use. FTK Imager from AccessData is freely available to download and can be used as a no-nonsense mounting tool; however, investigators are not tied to particular mounting programs.

VFC works with write-blocked physical drives, Unix-style DD images or mounted forensic images. The software interrogates the target drive to gather relevant system information so that it can very quickly build the VMware framework to create a forensic replica of the target system (the exhibit) as a Virtual Machine (VM). VFC achieves this by following accepted forensic practices while simultaneously and automatically fixing a multitude of known problems to avoid BSOD and driver errors and save the user hours of manual diagnosis and repair.

The resulting VFC VM is launched in VMware to enable the user to navigate around the suspect’s desktop as if they had literally turned on their machine. Any network connections are disabled by default to ensure a secure environment.

VFC now offers the option to add hardware to an existing VFC VM (e.g. to rebuild a tower system with multiple drives) and the capability to export a standalone clone of a VM for further investigation without tying up the forensic workstation further.

  • Boot a forensic image of a suspect’s computer.
  • Forensically launch a suspect machine in its native environment.
  • Experience the “desktop” as seen by the original user.
  • Take screenshots of key evidence such as folder structure, evidence location, recently accessed files, browsing history & saved passwords, P2P shares and virus definitions among others.
  • Interact with fully licensed software to view files and data in its native environment (e.g. Sage or QuickBooks) without the need to invest in a copy of the often-expensive software.
  • Interact with connected devices (e.g. iPhones with inherent iTunes accounts or encrypted USB drives).

  • Bypass Windows User Account passwords in seconds.
    Includes Pass Word Bypass (PWB) Routines for Windows 7, Windows 8 & Windows 10.
    The latest update* includes PWB routines for 42 variants of Windows 10 OS alone.
    PWB routines now externalised from the main program for faster, independent updates.
    PWB process expedited for quicker analysis and implementation.
  • User Account Password hashes are extracted to the splash screen and embedded in the VMX annotation.
    The provision of password hashes enables the use of external hash-cracking tools to identify the original system-password. This helps with programs that require EFS access.
  • Point-and-click option to add in additional hardware to load external or multiple drives into an existing VM (to rebuild the suspect machine as last viewed by them).
  • Point-and-click generation of a standalone Virtual Machine for sharing with non-technical departments.
  • Restore Point Forensics allows the user to ‘Rewind’ a VFC VM back in time.
  • Larger GUI and bigger splash screen on home tab.
  • Supports GPT formatted disks.
  • Support for Windows 3.1 – Windows 10.
  • Additional support for Apple Mac OS X, Linux and Sun Solaris.
  • Heavy investment in R & D resulting in regular updates.
  • Full phone and email support.