[Introduction]
VFC is one of the significant breakthroughs in forensic computing in the last
ten years. VFC enables investigators to:
• rapidly boot a forensic image of a suspect's computer; or
• boot a physical, write-blocked hard drive.
A virtual machine can be created from a forensic image, a write-blocked physical
disk or a 'DD' raw flat-file image.
New in VFC2:
• Bypass any Windows user account password;
• Rewind a machine to 'last week' utilizing restore point forensics.
The investigator can then experience the
'desktop' as seen by the original user in an entirely forensic manner: the
suspect's computer runs in a read-only virtual environment, with every write the
guest makes going to a separate virtual disk cache rather than to the image.
"VFC boots a mounted EnCase image in seconds..."
"I think the turning point was when the jury watched us boot his machine.
His desktop said it all."
There are numerous specialist software applications available to assist the
investigation and analysis of forensically acquired digital media. Whilst these
tools can and do provide a great depth of analysis and will recover fragments of
material no longer readily available, the 'scene of the crime' part of the
examination process is often overlooked as an additional source of potentially
invaluable information.
In the 'real' world, it is almost unthinkable not to examine the actual crime
scene in detail and then perform 'forensic' examinations on the evidence gathered
from it. In the 'virtual' world of forensic computing, the same is not true: all
too often only the underlying data residing on the storage devices is examined
in detail, never the running system the user actually saw.
The VFC application utilises VMware's freely available Player and DiskMount
utilities, together with the forensic disk mount tool Mount Image Pro, to
re-create a subject machine in a matter of seconds.
VFC enables an investigator to experience almost
any Windows-based system within seconds of acquisition. With VFC:
• There is no need to have access to a full forensic application (such as EnCase)
or any additional disk emulation modules.
• There is no need to restore forensic image files to another PC to try to boot
them.
Once the forensic image has been acquired, simply mount it with Mount Image Pro
and boot it with VFC in seconds!
VFC has been successfully applied to every Windows version from Windows 95
through to Windows 7.
[Quick Start Guide]
If working from a forensic image file (rather than a write-blocked physical
drive), first mount the image as a physical disk with a mounting utility such as
Mount Image Pro (www.mountimage.com).
1. Select the mounted physical disk from the VFC drop-down menu (if VFC is
already running, you may need to use the Refresh button to ensure all mounted
drives are visible to the VFC application).
2. Select the boot partition.
3. Adjust the OS, RAM and date / time if required [these values are
auto-populated by VFC and can normally be left alone].
4. Specify a name for the virtual machine (default is New Virtual Machine) and
a name for the virtual disk cache (default is New Virtual Disk). The cache is
where all guest writes land; the mounted image itself stays untouched.
5. Generate the virtual machine and use the Launch button to start the requisite
VMware application (alternatively the VMware application can be loaded
separately and the virtual machine launched manually).
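To show what steps 1 to 5 produce under the hood, here is an added example (not VFC's own code, and not how VFC is necessarily implemented) that generates the two files VMware needs to boot a raw DD image read-only: a flat .vmdk descriptor whose single extent is the image, and a .vmx that puts that disk in independent-nonpersistent mode so the redo log (the "virtual disk cache" of step 4) is discarded on power-off and the image is never written. The .vmdk/.vmx keys are VMware's documented settings; the clock-pinning keys for step 3 should be checked against the VMware release in use. The image path, VM name, guest OS string and the 2 MiB all-zero demo image are assumptions constructed for the example.

```python
# Added example (not VFC's code): build a VMware descriptor pair so a raw (DD)
# image boots with all guest writes redirected to a discardable redo log.
import os
import time
from pathlib import Path

SECTOR_BYTES = 512


def sectors_from_size(size_bytes):
    """Raw image size -> LBA sector count; refuse a truncated/partial image."""
    if size_bytes <= 0 or size_bytes % SECTOR_BYTES:
        raise ValueError("image size is not a whole number of 512-byte sectors")
    return size_bytes // SECTOR_BYTES


def geometry(num_sectors, heads=16, sectors_per_track=63):
    """Cylinder count for the ddb.geometry.* entries (16 heads / 63 sectors is
    the legacy IDE translation VMware accepts for a flat extent)."""
    cylinders = max(1, num_sectors // (heads * sectors_per_track))
    return cylinders, heads, sectors_per_track


def vmdk_descriptor(image_path, num_sectors):
    """Monolithic flat descriptor whose one RW extent is the DD image itself.
    The descriptor alone would let the guest write to the image; the
    non-persistent mode set in the .vmx is what keeps those writes out."""
    cyl, heads, spt = geometry(num_sectors)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {num_sectors} FLAT "{image_path}" 0',
        "",
        "# The Disk Data Base",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cyl}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.virtualHWVersion = "7"',
        "",
    ])


def vmx_config(vm_name, vmdk_filename, guest_os="winxppro", mem_mb=512,
               rtc_epoch=None):
    """Minimal .vmx: a single IDE disk in independent-nonpersistent mode (the
    redo log is dropped at power-off, so the source is never modified), no
    network or removable media, and an optional pinned guest clock with
    VMware Tools time-sync disabled so the guest keeps that date (step 3)."""
    lines = [
        '.encoding = "UTF-8"',
        'config.version = "8"',
        'virtualHW.version = "7"',
        f'displayName = "{vm_name}"',
        f'guestOS = "{guest_os}"',          # assumed value; VFC auto-detects this
        f'memsize = "{mem_mb}"',
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{vmdk_filename}"',
        'ide0:0.mode = "independent-nonpersistent"',
        'ethernet0.present = "FALSE"',       # keep the suspect's OS off the network
        'usb.present = "FALSE"',
        'floppy0.present = "FALSE"',
    ]
    if rtc_epoch is not None:
        lines += [
            'tools.syncTime = "FALSE"',
            'time.synchronize.continue = "FALSE"',
            'time.synchronize.restore = "FALSE"',
            'time.synchronize.resume.disk = "FALSE"',
            'time.synchronize.shrink = "FALSE"',
            'time.synchronize.tools.startup = "FALSE"',
            f'rtc.startTime = "{int(rtc_epoch)}"',   # guest RTC at power-on (UTC epoch)
        ]
    return "\n".join(lines) + "\n"


def build_vm(image_path, out_dir, vm_name="New Virtual Machine",
             guest_os="winxppro", mem_mb=512, rtc_epoch=None):
    """Write <vm_name>.vmdk and <vm_name>.vmx into out_dir for the given image."""
    image_path = Path(image_path).resolve()
    num_sectors = sectors_from_size(image_path.stat().st_size)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    vmdk = out_dir / f"{vm_name}.vmdk"
    vmx = out_dir / f"{vm_name}.vmx"
    vmdk.write_text(vmdk_descriptor(str(image_path), num_sectors))
    vmx.write_text(vmx_config(vm_name, vmdk.name, guest_os, mem_mb, rtc_epoch))
    return {"vmx": vmx, "vmdk": vmdk, "sectors": num_sectors}


if __name__ == "__main__":
    # Constructed demo input: a 2 MiB all-zero file stands in for a real DD image.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "suspect.dd"
        img.write_bytes(bytes(2 * 1024 * 1024))
        built = build_vm(img, Path(tmp) / "vm", "Suspect PC", "winxppro", 512,
                         rtc_epoch=time.mktime((2010, 5, 1, 9, 0, 0, 0, 0, -1)))
        print(built["vmdk"].read_text())
        print(built["vmx"].read_text())
```

The read-only claim is only as good as the disk mode, so the check a practitioner should keep in the notes is simple: hash the image (or confirm the write blocker's status) before the session and again after powering the VM off, and record that the two values match. A descriptor pointing at the image with the disk left in the default persistent mode would boot identically but would alter the evidence on first write.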
[ScreenShots]