VFC (Virtual Forensic Computing)

VFC 5.0 makes Forensic Virtualisation easier than ever with a host of new features:

  • Integration with existing forensic software, EnCase & X-Ways
  • VFC Mount to simplify the virtualisation process and remove reliance upon third party tools
  • Windows Live ID Exploit (including PIN accounts)

 

What is Virtual Forensic Computing?

Having access to the ‘digital scene of crime’ can offer huge benefits to an investigator. Whether investigating fraud, murder, child abuse or something else, seeing the computer through the eyes of the suspect can be invaluable. Building a virtual machine (VM) of the suspect’s computer is one easy way to get forensically sound access to the user’s environment.

 

A VM allows an investigator to:
  • See the desktop and operating environment just as the user saw it
  • Navigate financial records within the native software (Sage, QuickBooks, Great Plains etc.)
  • Access emails and internet search histories, and demonstrate interaction with installed software
  • Determine accessibility of illegal files

 

VFC simplifies the virtualisation process

As virtualisation platforms have improved, building a replica of a suspect’s system has become much easier. What once could take a few days now takes just a few hours if you are lucky. Most of this time is spent fixing driver errors (e.g. human input device drivers such as the mouse and keyboard) and overcoming the infamous blue screen of death (BSOD).

However, with the right tools, investigators can now do all this reliably in just a couple of minutes. ‘Virtual Forensic Computing’ or ‘VFC’ allows the user to create a VM from a forensic image (or a write-blocked physical hard disk drive), automatically fixing common problems and typically booting the VM in under a minute. VFC makes the virtualisation process smooth and hassle free.

Since VFC was first released by MD5 in 2007, to “VFC a forensic image” has become synonymous with virtualisation among VFC’s valued customers.

 

A picture speaks a thousand words

Using a VM to replicate the user’s computer, the desktop environment can easily be captured for presentation to a judge or a jury. This helps juries understand the more technical aspects of investigators’ reports, or enables powerful emotive images to be put before the judging panel. Using VFC, investigators can:

  • Take screenshots and embed these in their reports
  • Record video screen-capture of an examination to play back in the courtroom
  • Create portable versions of the VM to demonstrate live in court

VFC is now used on every continent, in almost every aspect of digital forensic investigations, by law enforcement, military investigation teams, and forensic and cyber investigation teams in both the private and public sectors.

 

VFC 5.0

VFC 5.0 integrates the VFC workflow directly into existing forensic analysis tools

VFC 5.0 makes the creation of a VM even easier with its integration components for common forensic analysis tools:

  • EnCase EnScripts
  • XWF X-Tension files

The integration components are provided with the standard VFC package and can be set up and used within minutes. Similarly, VFC now provides a command line interface to support automated workflows. These new features allow the analyst to launch a VM of their target image directly from within their standard forensic examination suite.

 

VFC Mount helps reduce common errors

VFC 5.0 now comes with its own mount utility, VFC Mount, to simplify the virtualisation process and remove reliance upon third party tools. VFC Mount currently supports .E01, .EX01, AFF4, .VMDK, .BIN, .IMG, .RAW, and .DD images. VFC Mount helps reduce instances of common Windows errors when dealing with mounted images such as the very common “The physical disk is already in use” error in VMware.

 

Password bypass (PWB) gives quick access to suspect accounts

VFC also gives the ability to clearly demonstrate that something doesn’t work. For instance, if a suspect insists the password they have provided is correct, VFC provides a quick way to prove them wrong without affecting the original data.

Historically, VFC PWB only worked on local Windows user accounts. VFC 5.0 now adds support for Windows 8/10 ‘live’ accounts with the Generic Password Reset (GPR) feature.

 

New from September 2019 – Windows Live ID Exploit (including PIN accounts)

Generic Password Reset (GPR) tool
New to VFC 5.0, the GPR tool can be used to help make powerful system-level changes. With GPR, the investigator can:

  • List User Accounts (including password status)
  • Change ‘online’ accounts to traditional ‘local’ accounts
  • Reset account passwords to known values (including PIN accounts)
  • Open a SYSTEM level command prompt (at the logon screen)
  • Easily reboot the guest VM

Early feedback from a select group of active police investigators who have been given pre-release access to the Live-ID feature has been very positive.

 

Continual investment ensures continued development

With additional support for Linux and other Operating Systems, VFC has continued to deliver new features since it was introduced. The newest features (for ease of reference) include:

  • Windows ‘Live ID’ (online) password reset feature – gives the user a simple method to get around even the latest in Windows user security
  • VFC Mount – simplifies the user experience and minimizes common VMware problems
  • Generic Password Reset – gives users a simple and fast way to access a specific account or make system-level changes. It is portable, powerful and user friendly.
  • Command Line functionality and inclusive components – seamlessly integrate with EnCase Forensic and X-Ways Forensics, allowing VFC to be used alongside existing, trusted forensic software.
  • 64-bit host system support – brings VFC fully up to date, giving it a rightful place in today’s forensic laboratory

 

Other significant features include:
  • Standalone Clone VFC VM gives the user the option to export a copy of their VM that can be reviewed by an investigator away from the forensic analyst’s workstation, without the need for a VFC dongle (license).
  • Modify Hardware allows VM hardware to be amended including adding extra drives or network support
  • Password Bypass (PWB) feature for Windows user accounts – VFC 5.0 has increased the number of discrete PWB routines to over 2000, up considerably from 500 with VFC 4.0.
  • Patch VM / Restore Points feature – allows the investigator to patch problematic virtual machines or repair a VM after using the Windows system restore feature to ‘rewind’ a VM to an earlier historic state.
  • The VFC Log File – keeps a forensic log of all steps taken by the software (effectively contemporaneous notes) and makes VFC a powerful weapon in the forensic investigator’s arsenal.
  • Updates and upgrades have enhanced the product more, including further OS support, new password bypass routines and slicker processes.

 

Part No:
AP-VFC-LE