VFC is one of the significant breakthrough's in forensic computing in the last ten years. VFC enables investigators to:
A Virtual machine can be created from a forensic image, a write blocked physical disk or a 'DD' raw flat file image.
The investigator can then experience the 'desktop' as seen by the original user in an entirely forensic manner. The investigator can use the suspects computer in a read only virtual environment.
There are numerous specialist software applications available to assist the investigation and analysis of digital media which has been forensically acquired. Whilst these tools can and do provide a great depth of analysis and will reveal data fragments of material no longer readily available, it is often the case that the 'scene of the crime' part of the examination process is overlooked as an additional source of potentially invaluable information.
In the 'real' world, it is almost unthinkable not to examine in detail the actual crime scene and then perform 'forensic' examinations on evidence gathered from the scene. In the 'virtual' world of forensic Computing, the same is not true and all too often it is only the underlying data and information that resides on the storage devices that is examined in detail.
The VFC application utilises VMware's freely available Player and Mount utilities, with the forensic disk mount tool Mount Image Pro, to re-create a subject machine in a matter of seconds.
VFC enables an investigator to experience almost any Windows based system within seconds of acquisition. With VFC:
Once the forensic image has been acquired, simply mount it with Mount Image Pro, and boot it with VFC in seconds!
VFC has been successfully applied to every Windows version from Windows 95 through to Windows 7.
EnCase is the registered trademark of Guidance Software Inc.
VMware is the registered trademark of VMware Inc.
VFC is the registered trademark of MD5 Ltd.
Mount Image Pro is the registered trademark of GetData - www.mountimage.com