VFC 5.2 And VFC Mount

Virtual Forensic Computing (VFC) was first launched to the digital forensic community in 2007. It is the original and still the go-to virtualisation solution for the digital forensic investigator.

VFC makes it easy to create a Virtual Machine (VM) replica of a target system. This enables an investigator to recreate and interact with the “digital crime scene” without altering data on the original drive.

Built to follow accepted forensic practices, VFC interrogates the target drive to gather relevant system information. From there it very quickly builds the specific VMware framework needed to create a forensically sound replica of the target system (the exhibit) as a VM. This process is automated by the VFC software to avoid Blue Screen of Death (BSOD) and driver errors, saving the user hours of manual diagnosis and repair.

VFC can virtualise Windows, Linux, Solaris, DOS & other OS platforms.

The VFC VM enables the user to navigate around the suspect’s desktop as if they had literally turned on their machine. VFC can work from forensic images (using mounting software such as VFC Mount) or directly from a write-blocked hard drive.




VFC MOUNT IS FREE!

The forensic disk image must be “mounted” to make it visible to both VFC and later VMware. Our latest release, VFC 5.2, includes VFC Mount (introduced in VFC 5). However, VFC Mount is now also available as a standalone tool that can be downloaded free from our website. VFC Mount has been designed for use with VFC and optimised to avoid common compatibility problems with VMware. Although VFC Mount is designed to work with VFC, it can also be used as your everyday mounting tool.

Find out more at vfc.uk.com/shopuk/vfcmount.php

BYPASSING PASSWORDS

Generic Password Reset (GPR) was introduced in VFC 5 and allows the user to change the password or remove it completely. A new feature of VFC 5.2 lets you choose to remove passwords during the VM generation process, so fewer steps are required to access the VM.

LIVE → LOCAL

Since VFC 5, users have been able to bypass passwords on live ID accounts. This was accomplished by creating an exploit using the generic password reset tool. This was performed once the VM was virtualised in VMware.

A brand-new feature introduced in VFC 5.2 is the ability to convert live ID accounts to local accounts during the VM generation process. This conversion takes place at the same time as the password removal, again saving you time during the investigation.

MOUNT AND EXPLORE

Mount and explore was a feature added in VFC 5.1. It allows you to mount a VM and view it as a file system tree, so you can insert files into and copy files out of the VM without booting it. This is useful for injecting antivirus software to run an antivirus scan, as well as other specialist software. It can also be performed using a command-line interface (CLI) for integration with other systems.

For further information on VFC 5.2 or VFC Mount, contact Tom Cross, our new VFC Sales Manager, at Tom.Cross@md5.uk.com, telephone 01924 22099, or visit our website at VFC.UK.COM
