Virtual Forensic Computing by MD5

VFC was first introduced to the it forensic community in 2007. It enables the simple creation of a virtual machine of a target system, allowing an investigator to recreate the "digital crime scene" and interact with it as if they were sitting in front of the PC in question.

Using recognized it-forensic techniques, VFC examines the target drive to gather relevant system information so that it can very quickly build the VMware framework to create a forensically secure copy of the target system (exhibit) as a virtual machine (VM). This process is automated by the VFC software to avoid BSOD and driver errors and save the user hours of manual diagnosis and repair.

Why VFC ?

Here are just a few important possibilities for digital evaluation with VFC:

  • Bypass Windows passwords and convert Windows Live accounts to local accounts
  • Create a VM and start it up in seconds
  • Create an independent digital copy that can be used in court (no data is changed on the PC to be examined)
  • Check the affected PC system for malware (Trojans, malware, spyware, etc.)
  • Start VFC from a boot stick to create an it-forensic image ( E01, DD, RAW, VHD, VHDx, etc. ) bypassing the Windows password

...and much more!

VFC enables the virtualization of Windows, Linux, Solaris and other operating system platforms.

The VFC VM allows the user to move around the suspect's desktop as if they had literally turned on their computer. This can be done by working with forensic images using the integrated mounting tool VFC Mount™ or directly from a read-only hard disk. Due to its simplicity, VFC enables it forensic and non-it forensic professionals to examine computers in a forensic manner, not in hours but in minutes!

VFC can also be used to help an investigator navigate incriminating and exculpatory data. It allows an investigator to visualize a suspect's desktop in a format that can be understood by anyone. This can either be done live in court, using a portable standalone clone of the virtual machine, or captured as still images for reports. This can be of great benefit in cases where even a non-technical person such as a judge, lay assessor or lawyer can understand and recognize the data.

Another very important feature for investigators to consider is the "Restore Point Forensics / Patch VM". This allows an investigator to "reset" a PC to a previous state in order to detect links that were stored on the PC in an earlier version of the machine, such as links to websites of dubious or criminal activity that have since been removed.

Source & more information at:


MD5 products are also available directly in our online store: