Frequently Asked Questions
Which Disk Formats are supported by VFC?
VFC continues to develop and currently supports:
• Forensic image files mounted using AccessData FTK Imager 3
• Forensic image files mounted using Mount Image Pro
• Forensic image files disk emulated using Guidance Software Encase PDE (Physical Disk Emulator)
• (write blocked) original physical disks (IDE, SATA, USB, IEEE1394)
• Unix style uncompressed ‘dd’ images and,
• Vogon format uncompressed ‘img’ images.
Which Systems can be booted using VFC?
VFC has been used to successfully boot:
• Windows 3.1
• Windows 95
• Windows 98
• Windows ME
• Windows NT
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows Server 2003
• Windows Server 2008
• Linux (experimental)
• MAC OS X (10.5 and above) (experimental)
• Sun Solaris
What do I need to run VFC?
VFC utilises the freely available VMware Workstation Player/Workstation Pro, Virtual Disk Development Kit (VDDK) and a Mount Utility to mount forensic images files. VFC requires Windows XP or higher and also requires that you be logged in with Administrator level privileges.
Do I need to have a mounting utility or Encase?
No. VFC is wholly capable of using physical disks or ‘dd’ images.
FTK Imager/Mount Image Pro is only required if you have forensic evidence files in the Expert Witness Format which you would like to access outside of any forensic suite.
Encase is only required if you wish to utilise the Encase Physical Disk Emulator (PDE) in order to emulate a physical disk.
Please note, if using EnCase PDE, you will only be able to mount one image at a time so the options for adding drives via Modify Hardware will not be available.
How Do I Use VFC?
VFC is as easy to use as 1-2-3:
1. Mount the evidence file (or attach the [write-blocked] physical disk)
2. Select the disk (or dd image) and the relevant partition
3. Generate the machine and use the Launch feature to start it in VMware.
What limitations does VFC have?
VFC will successfully boot 95% of Windows based disks / images it is presented with. VFC cannot dynamically fix machines that are ‘broken’ and unable to be booted in the original machine. Similarly, VFC cannot bypass software protection that is linked / licensed to the original hardware.
Will booting an image using VFC alter the original evidence?
VFC dynamically creates a custom disk cache and directs all subsequent reads and writes ‘through’ this disk cache. The original evidence is only ever ‘read’ and cannot be directly written to. Additionally, mounted or emulated forensic image files are opened read-only by default, as are ‘dd’ and ‘img’ disk image files.
NB If you are using physical disks, it is imperative that you use a hardware write-blocking device to connect this disk to your own system, otherwise your host system will almost certainly try to write to the physical disk and this will change the evidence.
Does VFC support ‘partition only’ images?
Yes. Partition image support is included. Development continues to implement multi-partition image support.
Does VFC support multi-boot systems?
Full multi-boot system support is under development. Multi-boot system virtualisation is possible by simply generating a separate VFC for each bootable partition.
I’ve used VFC but still get a BSOD halfway through the boot sequence!
It may be necessary to boot into safe mode and disable services specific to the original hardware, such as:
• NVidia or ATI graphic drivers,
• custom audio drivers or
• OEM specific utilities.
If you are stuck in a repair-cycle boot-loop it may be necessary to change some settings using the “Options” button on the home-screen.
Do I need to install the drivers for the New Detected Hardware?
It is not absolutely necessary to install these drivers; however, the virtual machine may not function properly without them and you may find that the CD, mouse or floppy disk (for example) do not function at all. It is recommended that you let the VM detect and install the necessary files.
How can I improve the performance of the New Virtual Machine?
If you are using either VMware Workstation (Pro) or VMware Server or VMware (Workstation) Player 3 or above, you can install the VMware Tools Package to improve the performance of your virtual machine. This option is not directly available with the standalone VMware (Workstation) Player 2 or earlier.
Can I access the Internet from the New Virtual Machine?
VFC is designed to be a forensic application and does not add any network support to the New Virtual Machine to ensure it remains isolated from the ‘real’ world. It is possible to add network support and hence connect to other networks (including the Internet), but this is not recommended. Adding Network support is currently a manual process undertaken at the discretion of the user.
Can I transfer data between the New Virtual Machine and my own System?
You can use virtual (or real) floppy disks, USB devices and you can even connect a physical data disk as a raw device and write directly to that disk. You can also use CD/DVD media (or ISO files) to read data into the New Virtual Machine.
If VMware Tools have been installed, you can drag and drop from the VFC virtual machine to your own Host machine and vice versa.
NB Not all of these methods are readily available with the standalone VMware Workstation Player.
Why does the New Virtual Machine need to be activated?
Windows XP and above may require activation due to the number of hardware changes that are inevitable from changing between a physical and a virtual environment. Not all machines can successfully be activated but all machines should be able to be accessed in ‘Safe Mode’ and this will enable at least a partial interaction with the original desktop.
Can I create additional Snapshots?
Yes, VFC allows the VM to create multiple snapshots. Snapshot creation is dependent upon the version of VMware being utilised.
What does VFC actually do?
VFC creates a disk cache that is used by VMware to intercept any changes to the underlying original disk, whether this is a physical device, mounted forensic image or a full bit-for-bit image file.
VFC makes the minimum necessary modifications via the disk cache in order to ensure that it can successfully boot in a virtual environment.
The whole ethos behind VFC is to keep the underlying image as close as possible to the original and yet still make it function in VMware. In situ upgrades, which are advocated as one method of achieving the same goal, were deemed too intrusive of the ‘forensic’ process.
How do I get Additional Support?
You will find the most up-to-date version of the VFC User Guide and other useful documentation available to download here.
Please check the User Guide in the first instance. For other enquiries not answered by the User Guide, please:
• e-mail email@example.com or
• call us on +44 (0)1924 220 999 between 08.30 and 16.30 GMT
We aim to respond to all requests within 24 – 48 hours.