VFC Version 2
In order to examine a suspect's computer, law enforcement professionals will usually undertake forensic cloning/imaging of the original storage device, effectively copying all the data stored on the suspect's computer for later analysis, using specialist forensic software. This secured data is rarely viewed within its original environment and the investigator can potentially miss vital 'scene of crime' information.
- From forensic image to virtual machine in seconds
- Re-create suspect's computer in a virtual environment
- A vital addition to any digital investigator's toolbox
- View the evidence just as it would have been on the original machine
- Validate the findings of other forensic tools
VFC seamlessly and expeditiously re-creates a virtual scene from either the original evidence drive itself or the forensic copy of the suspect's system. The VFC process normally takes less than a minute, with average system start-up times of the virtual clone ranging from 2 to 5 minutes. Crucially for the forensic investigator, the process never alters the original evidence and can be repeated at will.
Industry experts will be well aware how unique VFC is; it provides a straightforward and user-friendly interface that can be used by any investigative agency, be it criminal or civil, in order to quickly ascertain the need for further examination of the system. The VFC method enables any legal professional to experience the suspect's system in its own 'virtual' environment, accessing the original data but leaving it wholly intact.
How better to display evidence than by 'virtually' using the original machine and data? Descriptions of technical processes and file locations are easily and implicitly understood when visually demonstrated. VFC is a simple, cost-effective tool designed to present evidential data in a virtual environment.
Password Bypass
VFC version 2 has a number of exciting new features in addition to the key features from version 1. Rapidly access any Windows-based user account without the password using the new innovative password bypass feature. See what the user was doing last week by rewinding their machine to 'last week' and utilising restore point forensics. A virtual machine can be created from a forensic image, a write-blocked physical disk or a 'DD' raw flat file image.
In development is hardware modification to add network capability and enhanced partition handling. For existing VFC users we have a discounted upgrade package.
FAQs
What is VFC?
VFC (Virtual Forensic Computing) is a forensic application which can handle a variety of hard disk drive sources (physical disk, bit-for-bit disk copy or forensic image file) and successfully transpose over 95% of such images into virtual machines - without expensive physical hardware disk caches or time-consuming conversion processes.
Which Disk Formats are supported by VFC?
VFC continues to develop and currently supports:
- physical disks (IDE, SATA, USB, IEEE1394)
- disks mounted using Mount Image Pro v2
- disks emulated using Encase PDE (Physical Disk Emulator)
- Unix style uncompressed 'dd' images
- Unix style uncompressed split 'dd' images
- Vogon format uncompressed 'img' images and
- EWFTool converted 'img' images.
Which Systems can be booted using VFC?
VFC has been used to successfully boot:
- Windows 3.1
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003 & 2008
What do I need to run VFC?
VFC utilises the freely available VMware Player and VMware Diskmount Utility, in conjunction with either Mount Image Pro or Encase PDE to mount forensic image files. VFC requires Windows XP or higher and also requires that you be logged in with Administrator level privileges.
Do I need to have Mount Image Pro or Encase?
No. VFC is wholly capable of using physical disks or 'dd' images. Mount Image Pro is only required if you have forensic evidence files in the Expert Witness Format which you would like to access outside of any forensic suite. Encase is only required if you wish to utilise the Encase PDE in order to emulate a physical disk.
How Do I Use VFC?
VFC is as easy to use as 1,2,3:
1. Mount the evidence file (or attach the [write-blocked] physical disk)
2. Select the disk (or dd image) and the relevant partition
3. Generate the machine and use the Launch feature to start it in VMware.
These steps are also detailed in our demonstration video.
What limitations does VFC have?
VFC will successfully boot 95% of Windows based disks / images it is presented with. VFC cannot dynamically fix machines that are 'broken' and unable to be booted in the original machine. Similarly, VFC cannot bypass software protection that is linked / licensed to the original hardware.
Will booting an image using VFC alter the original evidence?
Not at all. VFC dynamically creates a custom disk cache and directs all subsequent reads and writes 'through' this disk cache. The original evidence is only ever 'read' and cannot be directly written to. Additionally, mounted or emulated forensic image files are opened read-only by default, as are 'dd' and 'img' disk image files. NB If you are using physical disks, it is imperative that you use a hardware write-blocking device to connect this disk to your own system, otherwise your system will almost certainly try to write to the physical disk and this will change the evidence.
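The disk-cache behaviour described in this answer can be modelled as a copy-on-write overlay. The sketch below is an added illustration, not VFC's own code; the `OverlayDisk` class, the 512-byte sector granularity and the sample image are assumptions made for the example. `demo()` hashes the evidence file before and after a simulated guest write and shows that only the cache changed.

```python
import hashlib
import pathlib
import tempfile

SECTOR = 512  # assumed cache granularity

class OverlayDisk:
    """Copy-on-write view: reads fall through to the evidence, writes stay in a cache."""
    def __init__(self, evidence, size):
        self._evidence = evidence  # read-only handle, never written to
        self._size = size
        self.cache = {}            # sector number -> modified sector bytes

    def _sector(self, n):
        if n in self.cache:        # the guest already changed this sector
            return self.cache[n]
        self._evidence.seek(n * SECTOR)
        return self._evidence.read(SECTOR).ljust(SECTOR, b"\0")

    def read(self, offset, length):
        if offset < 0 or length < 0 or offset + length > self._size:
            raise ValueError("read outside disk")
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        data = b"".join(self._sector(n) for n in range(first, last + 1))
        return data[offset - first * SECTOR:][:length]

    def write(self, offset, payload):
        if offset < 0 or offset + len(payload) > self._size:
            raise ValueError("write outside disk")
        pos = 0
        while pos < len(payload):  # read-modify-write, one sector at a time
            n, within = divmod(offset + pos, SECTOR)
            chunk = payload[pos:pos + SECTOR - within]
            sector = bytearray(self._sector(n))
            sector[within:within + len(chunk)] = chunk
            self.cache[n] = bytes(sector)
            pos += len(chunk)

def demo():
    image = bytes(range(256)) * 8  # constructed 4-sector sample "evidence"
    before = hashlib.sha256(image).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "evidence.dd")
        path.write_bytes(image)
        with open(path, "rb") as evidence:   # image opened read-only
            disk = OverlayDisk(evidence, len(image))
            disk.write(510, b"GUEST-WRITE")  # straddles sectors 0 and 1
            view = disk.read(508, 15)
        after = hashlib.sha256(path.read_bytes()).hexdigest()
    return before == after, view, sorted(disk.cache)
```

The guest's view reflects its own write while the evidence file's SHA-256 is identical before and after, which is the property an examiner would verify and record.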
Does VFC support partition only images?
Yes, VFC has been used to successfully recreate the MBR for both dd format and mounted partition only images and then analyse and create a bootable machine from the partition data.
Does VFC support multi-boot systems?
Not directly. Automated multi-boot system support is under development. At this time additional (data) hard disks need to be manually added as non-persistent drives to the VFC generated VM configuration.
I've used VFC but still get a BSOD halfway through the boot sequence!
It may be necessary to boot into safe mode and disable services specific to the original hardware, such as:
- NVidia or ATI graphic drivers,
- custom audio drivers,
- pointing devices or
- OEM specific utilities.
Do I need to install the drivers for the New Detected Hardware?
It is not absolutely necessary to install these drivers, however the virtual machine may not function properly without them and you may find that the CD, mouse or floppy disk (for example) do not function at all. It is recommended that you let the VM detect and install the necessary files.
How can I improve the performance of the New Virtual Machine?
If you are using either VMware Workstation or VMware Server, you can install the VMware Tools Package to improve the performance of your virtual machine. This option is not directly available with the standalone VMPlayer.
Can I access the Internet from the New Virtual Machine?
VFC is designed to be a forensic application and does not add any network support to the New Virtual Machine to ensure it remains isolated from the 'real' world. It is possible to add network support and hence connect to other networks (including the Internet), but this is not recommended.
Can I transfer data between the New Virtual Machine and my own System?
Yes, you can use virtual (or real) floppy disks, USB devices and you can even connect a physical data disk as a raw device and write directly to that disk. You can also use CD/DVD media (or ISO files) to read data into the New Virtual Machine. NB Not all of these methods are readily available with the standalone VMPlayer.
Why does the New Virtual Machine need to be activated?
Windows XP and above may require activation due to the number of hardware changes that are inevitable from changing between a physical and a virtual environment. Not all machines can successfully be re-activated but all machines can be accessed in 'Safe Mode' and this will enable at least a partial interaction with the original desktop.
Can I create additional Snapshots?
Yes, VFC allows the VM to create multiple snapshots. NB If additional hard disks are added in non-persistent mode, the creation of snapshots will be affected.
What does VFC actually do?
VFC makes the minimum necessary modifications to an image to ensure that it can successfully boot in a virtual environment. The whole ethos behind VFC is to keep the underlying image as close as possible to the original and yet still make it function in VMware. In situ upgrades, which are advocated as one method of achieving the same goal, were deemed too intrusive of the 'forensic' process.
If only VFC could... (I have a feature request, who do I contact?)
VFC continues to develop as research continues. If you identify something that you think VFC should be able to do, please contact MD5.
VFC2 QuickStart Guide
1. Select the mounted physical disk from the VFC drop down menu (if VFC is already running, you may need to use the Refresh button to ensure all mounted drives are visible to the VFC application)
2. Select the boot partition
3. Adjust the OS, RAM and date / time (if required) [these values are auto-populated by VFC and can be left alone]
4. Specify a name for the virtual machine (default is New Virtual Machine) and specify a name for the virtual disk cache (default is New Virtual Disk)
5. Generate the Virtual Machine and use the Launch button to use the requisite VMware application (alternatively the VMware application can be loaded separately and the Virtual Machine can be launched manually)

6. Once booted you will be able to operate the imaged computer as a user in a VMware forensic session.

Could VFC be doing more for you?
In order to fully understand the innovative concept of Virtual Forensic Computing (VFC) and how to extend the VFC method to efficiently deal with 'troublesome' machines, we strongly recommend that at least one investigator from each computer department attend MD5's one-day training course, "The VFC Method".
The vital characteristic of using VFC is the ability to experience the subject system in almost the same environment as was the original. VFC will seamlessly create a virtual environment for your subject system within seconds, and in over 95% of cases, this virtual machine can be started without issue within a few minutes.
With extended use of VFC, you will encounter machines that either fail to start on first attempt or which require logon passwords. The majority of known boot issues relate to changes in the underlying hardware, such as from a physical laptop computer to a virtual desktop computer. The VFC method encompasses a host of known issues and how to resolve them, including activation and password retrieval.
If you have experienced your virtual machine encountering any of the following, attending one of our training days would be particularly beneficial:
Training days are held at MD5's Head Office in Normanton, West Yorkshire which is easily accessible via the M62.
The cost per delegate for 'The VFC Method' one day training package is £300. This includes a structured, informative day that presents the methodology and capability of VFC using both an instructor-led and workshop approach.
Michael Penhallurick
Michael Penhallurick holds a Master of Science Degree in Forensic Computing from the Royal Military College of Science / Cranfield University and was a regular visiting lecturer at that establishment between 2002 and 2005. He has also been involved in the development of training packages with the National Specialist Law Enforcement Centre Hi Tech Crime Training Team.
Michael joined MD5 in November 2006 having previously served as a police officer with the South Yorkshire Police for almost 13 years, the last four years of which were as Computer Forensic Manager for their Hi-Tech Crime Unit. He also undertook a year as Computer Forensics Manager in a corporate environment for The Risk Advisory Group based in the centre of London.
In both roles he was responsible for undertaking and overseeing major criminal investigations for a variety of criminal activities ranging from indecency through to fraud and murder. He was also responsible for ensuring the smooth day-to-day running of the unit including staff development and identification of training needs, as well as liaison with external agencies such as the Crown Prosecution Service, the Probation Service and the Courts and regular client conferences.
Michael has been involved in computing in general since 1986 and prior to joining the Police Service, he lived and worked in Dubai, United Arab Emirates, working as a freelance computer systems consultant for both small and large businesses including financial advisors, several oil companies, an aerial survey company, the Dubai Ports Authority and the Government of Dubai Water Department.
Michael Penhallurick has been involved in Forensic Computing since 1997 and has had extensive training and first hand use of the Vogon, Encase, AccessData and iLook suites of forensic tools.

