Virtual Forensic Computing (VFC)
VFC was originally created in 2005 as an “in-house tool” only. Realising the potential of the software, MD5 released it to the forensic community worldwide.
VFC enables Digital Forensic Investigators to view a suspect’s machine in its native environment, and as a result is an essential tool in every Computer Forensic Investigator’s toolbox. VFC can be found in the majority of Law Enforcement and Government agencies and Corporate Digital Forensics organisations around the world.
This “must-have tool” effortlessly virtualises a suspect’s computer from the original evidence drive, a forensic image or a DD image. Crucially for the Investigator, the process never alters the original evidence, allowing the process to be repeated as and when required.
The latest version, VFC4, is more powerful and faster, and contains brand new features plus many enhanced and improved features requested by our valued customers.
VFC utilises the freely available VMware Player or Workstation and works in conjunction with any Computer Forensics disk mount tool, such as FTK Imager, to recreate a suspect’s machine in a matter of seconds!
MD5 uses VFC in every computer investigation as part of our standard operating procedure.
Features & Benefits
- Work directly from a DD image, a write-blocked physical drive or a mounted E01 file.
- Support for Windows 3.1 – Windows 10.
- Additional support for Apple Mac OS X, Linux and Sun Solaris platforms.
- Support for parsing partitions on GPT formatted disks.
- Bypass Windows User Account passwords in seconds.
- Rewind a subject machine back in time utilising restore point forensics from VSS Shadow Copies.
- Add additional hardware to load external or multiple drives into an existing VM, then rebuild a suspect’s machine as last viewed by them.
- Generate a Standalone VFC Virtual Machine which enables sharing with non-technical departments.
- Identify recent files and activity from jump lists, internet history and P2P software.
- Use screen-grabbed images to help explain technical evidence and enhance reports, avoiding unnecessary verbal description.
- Run scripts and/or install software on the guest system (VM).
- View database software, e.g. Sage and QuickBooks, in its native environment, allowing you to export spreadsheets, reports and/or files.
- Use inherent P2P software to view active downloads or seeded files.
- Retrieve plain-text passwords from browser caches to help access additional password-protected exhibits.
- Use on-system encryption tools to remove encryption from linked exhibits.
- Check for the presence of Cleaning software or Anti-Virus software and identify auto-run schedules and up-to-date virus definitions.
VFC has become an essential tool in our forensic investigator's toolkit. It provides investigators an insight into the suspect's perspective by actually seeing the user's desktop, settings and user environment. Screen captures from the suspect's environment add significant weight to the forensic report when describing how the suspect utilized the computer to facilitate the crime. VFC is truly a tool that I rely upon and use in all my computer investigations!