Virtual Forensic Computing (VFC)
VFC, which was first launched to the forensic community in 2007, is the original virtualisation solution for the forensic investigator. Version 4 (VFC4) includes some great new features, as requested by users. These enhanced features come alongside a faster, more powerful version of VFC.
Virtual Forensic Computing software is often considered an essential tool for Forensic Investigators, as it allows for seamless recreation of a digital crime scene using the original evidence.
VFC works alongside VMware’s Workstation Player or Workstation Pro and Virtual Disk Development Kit (VDDK) to replicate the suspect’s desktop in a virtual environment.
VMware, in our experience at least, is the most reliable virtualisation tool out there which makes for a smoother user experience. VFC makes VMware do things it wasn’t built to do, fixing errors automatically to save the user hours of complex problem-solving. VMware’s inherent stability helps with this.
For Law Enforcement, no further purchase is necessary since VMware’s Workstation Player is free for non-commercial use. FTK Imager from AccessData is freely available to download and can be used as a no-nonsense mounting tool, however investigators are not tied to particular mounting programs.
VFC works with write-blocked physical drives, Unix-style DD images or mounted forensic images. The software interrogates the target drive to gather relevant system information so that it can very quickly build the VMware framework to create a forensic replica of the target system (the exhibit) as a Virtual Machine (VM). VFC achieves this by following accepted forensic practices while simultaneously and automatically fixing a multitude of known problems to avoid BSOD and driver errors and save the user hours of manual diagnosis and repair.
The resulting VFC VM is launched in VMware to enable the user to navigate around the suspect’s desktop as if they had literally turned on their machine. Any network connections are disabled by default to ensure a secure environment.
VFC now offers the option to add hardware to an existing VFC VM (e.g. to rebuild a tower system with multiple drives) and the capability to export a standalone clone of a VM for further investigation without tying up the forensic workstation further.
VFC4 Aids Forensic Investigators in Performing the Following Tasks:
- Boot a forensic image of a suspect’s computer.
- Forensically Launch a suspect machine in its native environment.
- Experience the “desktop” as seen by the original user.
- Take screenshots of key evidence such as folder structure, evidence location, recently accessed files, browsing history & saved passwords, P2P shares and virus definitions among others.
- Interact with fully licenced software to view files and data in its native environment (e.g. Sage or QuickBooks) without the need to invest in a copy of the often-expensive software.
- Interact with connected devices (e.g. iPhones with inherent iTunes accounts or encrypted USB drives).
Features & Benefits
- Bypass Windows User Account passwords in seconds.
- Includes Pass Word Bypass (PWB) Routines for Windows 7, Windows 8 & Windows 10.
- The latest update* includes PWB routines for 42 variants of Windows 10 OS alone.
- PWB routines now externalised from the main program for faster, independent updates.
- PWB process expedited for quicker analysis and implementation.
- User Account Password hashes are extracted to the splash screen and embedded in the VMX annotation.
- The provision of password hashes enables the use of external hash-cracking tools to identify the original system-password. This helps with programs that require EFS access.
- Point-and-click option to add in additional hardware to load external or multiple drives into an existing VM (to rebuild the suspect machine as last viewed by them).
- Point-and-click generation of a standalone Virtual Machine for sharing with non-technical departments.
- Restore Point Forensics allows the user to ‘Rewind’ a VFC VM back in time.
- Larger GUI and bigger splash screen on home tab.
- Supports GPT formatted disks.
- Support for Windows 3.1 – Windows 10.
- Additional support for Apple Mac OSX, Linux and SunSolaris.
- Heavy investment in R & D resulting in regular updates.
- Full phone and email support.
VFC has become an essential tool in our forensic investigator's toolkit. It provides investigators an insight into the suspect's perspective by actually seeing the user's desktop, settings and user environment. Screen captures from the suspect's environment add significant weight to the forensic report when describing how the suspect utilized the computer to facilitate the crime. VFC is truly a tool that I rely upon and use in all my computer investigations!