Virtual Forensic Computing 4 (VFC4)

Announcing the new Virtual Forensic Computing 4 (VFC4) by MD5

Regarded as a leader in Digital Forensic Software development, MD5 has created a new version of its tried and tested Virtual Forensic Computing software suite.  VFC version 4 (VFC4) includes some great new features, as requested by users. These enhanced features come alongside a faster, more powerful version of VFC.

Virtual Forensic Computing software is often considered an essential tool for Forensic Investigators. It allows for seamless recreation of a virtual crime scene using the original evidence.

MD5’s Virtual Forensic Computing software uses VMware’s Workstation Player or Workstation Pro and Virtual Disk Development Kit (VDDK), combined with image mounting tools to replicate the subject’s desktop in a virtual environment in no time.

MD5 Logo

VFC4 SoftwareVFC works with write-blocked physical drives, Unix-style DD images or mounted E01 files. The software interrogates the target drive to gather relevant system information so that it can very quickly build the VMware framework for a Virtual Machine (VM) forensic replica of the target system (the exhibit). VFC achieves this by following accepted forensic practices while simultaneously and automatically fixing a multitude of known problems to avoid BSOD and driver errors and save the user hours of manual diagnosis and repair.

The resulting VFC VM is then launched in VMware to enable the user to navigate around the suspect’s desktop as if they had literally turned on their machine. Any network connections are disabled by default to ensure a secure environment.

The newly upgraded version 4 offers the option to add hardware to an existing VFC VM (e.g. to rebuild a tower system with multiple drives) and the capability to export a standalone clone of a VM for further investigation without tying up the forensic workstation further.

VFC4 aids forensic investigators in performing the following tasks:

• Boot a forensic image of a suspect’s computer.
• Forensically Launch a suspect machine in its native environment.
• Experience the “desktop” as seen by the original user.
• Take screenshots of key evidence such as folder structure, evidence location, recently accessed files, browsing history & saved passwords, P2P shares and virus definitions among others.
• Interact with fully licenced software to view files and data in its native environment (e.g. Sage or QuickBooks) without the need to invest in a copy of the often-expensive software.
• Interact with connected devices (e.g. iPhones with inherent iTunes accounts or encrypted USB drives)

  • Bypass Windows User Account passwords using at least 276 password bypass routines.
    • Includes PassWord Bypass (PWB) Routines for Windows 7, Windows 8 & Windows 10.
    • The latest update* includes PWB routines for 42 variants of Windows 10 OS alone.
    • PWB routines now externalised from the main program for faster, independent updates.
    • PWB process expedited for quicker analysis and implementation
  • User Account Password hashes are now always extracted to the splash screen
    • These are also embedded in the VMX annotation.
    • The provision of password hashes enables the use of external hash-cracking tools to identify the original system-password (helps with programs that require EFS access)
  • Point-and-click option to add in additional hardware to load external or multiple drives into an existing VM (to rebuild the suspect machine as last viewed by them).
  • Point-and-click generation of a standalone Virtual Machine for sharing with non-technical departments.
  • Restore Point Forensics allows the user to ‘Rewind’ a VFC VM back in time.
  • Larger GUI and bigger splash screen on home tab
  • Supports GPT formatted disks.
  • Support for Windows 3.1 – Windows 10.
  • Additional support for Apple Mac OSX, Linux and SunSolaris.
  • Heavy investment in R & D resulting in regular updates.
  • Full phone and email support.

Request A Quote