Virtual Forensic Computing (VFC): Boot EnCase images

What is VFC?

VFC (Virtual Forensic Computing) is a forensic application which can handle a variety of hard disk drive sources (physical disk, bit-for-bit disk copy or forensic image file) and successfully transpose over 95% of such images into virtual machines - without expensive physical hardware disk caches or time-consuming conversion processes.

Which Disk Formats are supported by VFC?

VFC continues to develop and currently supports:

  • disks mounted using Mount Image Pro v2
  • disks emulated using Encase PDE (Physical Disk Emulator)
  • physical disks (IDE, SATA, USB, IEEE1394)
  • Unix style uncompressed 'dd' images
  • Vogon format uncompressed 'img' images

Which Systems can be booted using VFC?

VFC has been used to successfully boot:

  • Windows 3.1
  • Windows 95
  • Windows 98
  • Windows NT
  • Windows 2000
  • Windows XP (32bit versions)
  • Windows Vista (32 bit versions)

What do I need to run VFC?

VFC utilises the freely available VMware Player and VMware DiskMount Utility, in conjunction with Mount Image Pro, to mount forensic image files. VFC requires Windows XP or higher and must be run from an account with Administrator level privileges.

Do I need to have Mount Image Pro or Encase?

No. VFC is wholly capable of using physical disks or 'dd' images.

Mount Image Pro is only required if you have forensic evidence files in the Expert Witness Format which you would like to access outside of any forensic suite.

Encase is only required if you wish to utilise the Encase PDE in order to emulate a physical disk.

How Do I Use VFC?

VFC is as easy to use as 1,2,3:

  1. Mount the evidence file (or attach the [write-blocked] physical disk)
  2. Select the disk (or dd image) and the relevant partition
  3. Generate the machine and use the Launch feature to start it in VMware.
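Step 2 is where the examiner picks the disk and the partition holding the Windows installation. The following is an added example, not VFC's own code, showing what that selection involves for a raw 'dd' image: read sector 0, confirm it is an MBR rather than a volume boot record (a partition-only image, which VFC does not support), list the primary partitions with their byte offsets, and pick the active one. The sample image is constructed inline and is not real evidence; the partition type names are the usual MBR type-byte meanings.

```python
"""Enumerate the partitions of a raw 'dd' image from its MBR (added example)."""
import struct

SECTOR = 512
BOOT_SIG = 0xAA55

# OEM IDs found at offset 3 of a volume boot record. If sector 0 carries one
# of these, the file is an image of a single partition, not of a whole disk.
VBR_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ")

# Common MBR partition type bytes on Windows-era disks.
TYPE_NAMES = {
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended (CHS)", 0x06: "FAT16",
    0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def is_partition_only(sector0: bytes) -> bool:
    """True if sector 0 looks like a volume boot record instead of an MBR."""
    return bytes(sector0[3:11]) in VBR_OEM_IDS


def parse_mbr(sector0: bytes, image_sectors=None):
    """Return the non-empty primary partition entries of an MBR.

    image_sectors, if given, lets the caller flag partitions that run past the
    end of the image (a truncated acquisition).
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if is_partition_only(sector0):
        raise ValueError("sector 0 is a volume boot record: partition-only image")
    (sig,) = struct.unpack_from("<H", sector0, 510)
    if sig != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not an MBR disk image")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
            "truncated": image_sectors is not None
                         and lba_start + sectors > image_sectors,
        })
    return entries


def choose_boot_partition(entries):
    """The partition VFC needs: the single active one. None if ambiguous."""
    active = [e for e in entries if e["bootable"]]
    return active[0] if len(active) == 1 else None


def build_sample_image() -> bytes:
    """Constructed 4 MiB two-partition disk image (not real evidence)."""
    img = bytearray(8192 * SECTOR)

    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)

    img[446:462] = entry(0x80, 0x07, 63, 4096)    # active NTFS system partition
    img[462:478] = entry(0x00, 0x0C, 4159, 4000)  # FAT32 data partition
    img[510:512] = b"\x55\xAA"
    # Minimal NTFS boot sector at the start of partition 1.
    vbr = 63 * SECTOR
    img[vbr + 3:vbr + 11] = b"NTFS    "
    img[vbr + 510:vbr + 512] = b"\x55\xAA"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    parts = parse_mbr(image[:SECTOR], len(image) // SECTOR)
    for p in parts:
        print("#%d %-16s start=%-8d sectors=%-8d bootable=%s truncated=%s" % (
            p["index"], p["type_name"], p["lba_start"], p["sectors"],
            p["bootable"], p["truncated"]))
    boot = choose_boot_partition(parts)
    print("boot partition byte offset:", boot["byte_offset"] if boot else None)
```

The byte offset is what you would hand to a loop mount or a hex viewer to inspect the chosen partition before generating the VM; a partition flagged as truncated, or a sector 0 that is really a volume boot record, tells you in advance why VFC will not be able to build a bootable machine from that file.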

These steps are also detailed in our demonstration video.

What limitations does VFC have?

VFC will successfully boot 95% of the Windows based disks / images it is presented with. VFC cannot repair a machine that is already 'broken' and would not boot on its original hardware either. Similarly, VFC cannot bypass software protection that is linked to, or licensed against, the original hardware.

Will booting an image using VFC alter the original evidence?

Not at all. VFC dynamically creates a custom disk cache and directs all subsequent reads and writes 'through' this disk cache. The original evidence is only ever 'read' and cannot be directly written to. Additionally, mounted or emulated forensic image files are opened read-only by default, as are 'dd' and 'img' disk image files.
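The mechanism described above is a copy-on-write overlay: every write lands in a cache keyed by block, and reads are served from the cache when a block has been written and from the untouched base otherwise. The following is an added example (not VFC's own code) that implements that overlay over an in-memory base image and shows the check an examiner actually performs, hashing the evidence before and after the virtual machine has "written" to it. The base image is constructed inline; a real implementation would map the read-only image file instead.

```python
"""Copy-on-write block overlay over a read-only base image (added example)."""
import hashlib


class CowDisk:
    """Block-level view of a base image with all writes diverted to an overlay."""

    def __init__(self, base: bytes, block_size: int = 512):
        if len(base) % block_size:
            raise ValueError("base image must be a whole number of blocks")
        self.base = base            # never modified; bytes is immutable
        self.bs = block_size
        self.overlay = {}           # block index -> bytes (the 'disk cache')

    def _block(self, idx: int) -> bytes:
        """Current contents of a block: overlay copy if dirty, else base."""
        if idx in self.overlay:
            return self.overlay[idx]
        start = idx * self.bs
        if start >= len(self.base):
            raise ValueError("read/write beyond end of disk")
        return self.base[start:start + self.bs]

    def read(self, offset: int, length: int) -> bytes:
        out = bytearray()
        while length > 0:
            idx, inner = divmod(offset, self.bs)
            chunk = self._block(idx)[inner:inner + length]
            out += chunk
            offset += len(chunk)
            length -= len(chunk)
        return bytes(out)

    def write(self, offset: int, data: bytes) -> None:
        # Read-modify-write each touched block into the overlay only.
        while data:
            idx, inner = divmod(offset, self.bs)
            cur = bytearray(self._block(idx))
            n = min(len(data), self.bs - inner)
            cur[inner:inner + n] = data[:n]
            self.overlay[idx] = bytes(cur)
            offset += n
            data = data[n:]

    def dirty_blocks(self):
        """Blocks held in the cache, i.e. everything the VM has changed."""
        return sorted(self.overlay)

    def discard(self) -> None:
        """Drop the cache: the disk reverts to the pristine base."""
        self.overlay.clear()


def base_digest(disk: CowDisk) -> str:
    """SHA-256 of the evidence as the VM sees it before any of its writes."""
    return hashlib.sha256(disk.base).hexdigest()


def build_sample_base() -> bytes:
    """Constructed 4 KiB base image (8 blocks), not real evidence."""
    return bytes(range(256)) * 16


if __name__ == "__main__":
    disk = CowDisk(build_sample_base())
    before = base_digest(disk)
    disk.write(500, b"X" * 600)          # spans blocks 0, 1 and 2
    print("dirty blocks:", disk.dirty_blocks())
    print("read back   :", disk.read(500, 8))
    print("base intact :", base_digest(disk) == before)
```

Only the overlay ever changes, so the acquisition hash recorded at imaging time still verifies after a boot session; discarding the overlay (or reverting to a snapshot) returns the machine to exactly the acquired state. This is also why a physical disk attached without a write-blocker is different in kind: the host operating system writes to it directly, outside any such cache.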

NB If you are using physical disks, it is imperative that you use a hardware write-blocking device to connect this disk to your own system, otherwise your system will almost certainly try to write to the physical disk and this will change the evidence.

Does VFC support partition only images?

Not at this time. Partition image support is under development.

Does VFC support multi-boot systems?

Not at this time. Multi-boot system support is under development.

I've used VFC but still get a BSOD halfway through the boot sequence!

It may be necessary to boot into safe mode and disable services specific to the original hardware, such as:

  • NVidia or ATI graphic drivers,
  • custom audio drivers or
  • OEM specific utilities.

Do I need to install the drivers for the New Detected Hardware?

It is not absolutely necessary to install these drivers; however, the virtual machine may not function properly without them, and you may find that the CD, mouse or floppy disk (for example) do not function at all. It is recommended that you let the VM detect and install the necessary files.

How can I improve the performance of the New Virtual Machine?

If you are using either VMware Workstation or VMware Server, you can install the VMware Tools Package to improve the performance of your virtual machine. This option is not directly available with the standalone VMPlayer.

Can I access the Internet from the New Virtual Machine?

VFC is designed to be a forensic application and does not add any network support to the New Virtual Machine to ensure it remains isolated from the 'real' world. It is possible to add network support and hence connect to other networks (including the Internet), but this is not recommended.

Can I transfer data between the New Virtual Machine and my own System?

Yes, you can use virtual (or real) floppy disks, USB devices and you can even connect a physical data disk as a raw device and write directly to that disk. You can also use CD/DVD media (or ISO files) to read data into the New Virtual Machine.

NB Not all of these methods are readily available with the standalone VMPlayer.

Why does the New Virtual Machine need to be activated?

Windows XP and above may require activation due to the number of hardware changes that are inevitable from changing between a physical and a virtual environment. Not all machines can successfully be activated but all machines can be accessed in 'Safe Mode' and this will enable at least a partial interaction with the original desktop.

Can I create additional Snapshots?

Yes, VFC allows the VM to create multiple snapshots.

What does VFC actually do?

VFC makes the minimum necessary modifications to an image to ensure that it can successfully boot in a virtual environment. The whole ethos behind VFC is to keep the underlying image as close as possible to the original and yet still make it function in VMware. In situ upgrades, which are advocated as one method of achieving the same goal, were deemed too intrusive of the 'forensic' process. The original manual methods on which VFC is based are available in PDF format.

If only VFC could... (I have a feature request, who do I contact?)

VFC continues to develop as research continues. If you identify something that you think VFC should be able to do, please contact us at support@md5.uk.com