VFC Portable

VFC Portable

 

VFC Portable is designed to use the existing hardware – on scene, in the lab, and just about anywhere required.

 

The functionality of VFC Portable is the exactly the same as VFC Lab, with the added features that enables VFC to be used in the field.

 

Write blocking behaviour – VFC Portable allows you to disable automatic disk online, SSD and Windows Dynamic Disks. This feature can be found in the settings/tools tab in VFC. (portable addition only). Drives will be read only.

 

VFC Portable can be used in Memory capture analysis in both live and deadbox enquiries by creating  a .vmem file when generating a VM

 

VFC Triage

 

Being able to quickly triage a computer device on scene is vital. When conducting on scene triage, you want to be in and out as quickly as possible, while collecting sufficient evidence to warrant bringing the device back to the lab or even decide it does not meet the case parameters. VFC triage allows you quick and safe access to the device, within 30 seconds of selecting the partition, you will be able to view the VFC Triage log that can provide you with the following:

 

  • Recently accessed files
  • Recent app
  • Recent URLS
  • Installed applications
  • Installed documents
  • Windows history
  • Chrome history
  • Windows links
  • List of previously connected USB devices
  • List of user accounts
  • Last user logged on
  • Last used date

 

Inject files – This feature allows you to inject third party analysis software into a VM while VFC is generating a VM. This can be anything to aid with the analysis. For example, you could inject tried and trusted analysis tools to analyse a device onsite.

 

Access computers configured with S-Mode

 

Password Bypass Tool does as its name suggests and bypasses the windows user account passwords.

 

GPR Tool resets the local user account password, as well as being able to convert windows live accounts to local accounts. With the aid of the GPR tool, you are able to view any saved autofill information in the browser history.

 

VFC General Features

 

Easy to use –built on over 15 years of R&D in creating VM’s youjust need minimum IT Skills to operate. Take Analysis to another level -Experience the original user desktop and take screenshots or video key evidence items for use in reports, interviews and court.

 

  • Reliably and quickly create a VM from either forensic image or write-blocked physical disk with just a few mouse clicks

 

  • Maintaining the integrity of the original evidential material since has been developed forensically,logs generated for each process ensures  that a proper chain of custody is maintained  and a ids ISO 17025 compliancy

 

  • Flexible- VFC can be used with a variety of image types, write blocked; and INCLUDING with V7 onwards Single Volume Images

 

  • Bypass Windows account passwords including Windows “live” account passwords

 

  • Access encrypted disk data such as Bitlocker (requires recovery key or similar)

 

  • Access:
    • Original folder structure and desktop layout (as seen by the original user)
    • Recently accessed files and network shares
    • Browsing history, saved passwords and P2P accounts
  • Interact with installed software in its native environment and access evidence that could otherwise be unavailable
    • View data using original software e.g. Sage, QuickBooks, Photoshop etc
    • Access data eg. Crypto Currency Wallets or other online systems using original user credentials
    • Access time-limited or expired software
  • Modify hardware – once a VM has been created, you can attach other images/drives so you can access these within the VM.

 

  • Interact with original connected devices such as:
    • iPhones (via iTunes accounts)
    • Encrypted partitions or USB drives
       
  • BACK TO THE FUTURE– VFC is capable of creating a virtual machine with a desired date and time. Enabling you to access licensed software and applications still in their license period

 

  • Restore point Forensics – Rewind the VM to show what may have been changed by a user

 

  • Standalone VM – our standalone VM feature allows you to provide evidence to a colleague, different department, or third party. The standalone is great for report purposes, interviews and court presentations. What sets the standalone VM apart from anything else is that it doesn’t require the original image or drive present in order for it to work

 

  • VFC has scripts to enable you to seamlessly work with X-Ways and EnCase launch VM’s straight from these software tools

 

  • Amend VM hardware to match the original hardware by adding additional disk/images, sound, USB or network support (disabled by default))or increase RAM or Processors

 

  • Attempt to repair broken VMs following Windows System Restore or similar

 

  • Heavy investment in R&D customer support and regular updates