VFC works with write-blocked physical drives, Unix-style DD images or mounted E01 files. The software interrogates the target drive to gather relevant system information so that it can very quickly build the VMware framework for a Virtual Machine (VM) forensic replica of the target system (the exhibit). VFC achieves this by following accepted forensic practices while automatically fixing a multitude of known problems, which avoids BSOD and driver errors and saves the user hours of manual diagnosis and repair.
The resulting VFC VM is then launched in VMware to enable the user to navigate around the suspect’s desktop as if they had literally turned on their machine. Any network connections are disabled by default to ensure a secure environment.
The newly upgraded version 4 offers the option to add hardware to an existing VFC VM (e.g. to rebuild a tower system with multiple drives) and the capability to export a standalone clone of a VM, so that investigation can continue without tying up the forensic workstation.
VFC4 aids forensic investigators in performing the following tasks:
• Boot a forensic image of a suspect’s computer.
• Forensically launch a suspect machine in its native environment.
• Experience the “desktop” as seen by the original user.
• Take screenshots of key evidence such as folder structure, evidence location, recently accessed files, browsing history & saved passwords, P2P shares and virus definitions among others.
• Interact with fully licenced software to view files and data in its native environment (e.g. Sage or QuickBooks) without the need to invest in a copy of the often-expensive software.
• Interact with connected devices (e.g. iPhones with inherent iTunes accounts or encrypted USB drives).