White Paper

The Software Solution that Saves Time, Money & Resources In the Fight Against Financial Crime

 

Virtual Forensic Computing

Digital forensic investigations can be costly, particularly when a number of devices are involved. Crucial evidence may be stored on these devices therefore an investigator requires access to this data without the risk of changing any existing data – this means the device cannot be accessed by simply pressing the power button.

MD5's forensic virtualization software, Virtual Forensic Computing (VFC), provides a cost-effective solution, allowing investigators to examine computer/laptop devices in a forensically sound manner. VFC is created, developed and sold by MD5.

How does it work?

VFC creates a virtual image of a computer which is a replica of the original device. It enables the user to navigate around the computer to identify evidence as if they had literally turned it on themselves.

  • Material can be examined without compromising the original evidence or affecting the metadata of the files within it.
  • Everyday computer skills can be used to experience the “desktop” as seen by the original user – seeing names of files, where things were stored, items in the recycle bin etc.
  • Explore the content of a PC using the usual Microsoft facilities e.g. File Explorer, Office (e.g. Excel), browser history. Logs and connections can be investigated.

VFC Triage - save time, money and effort by using VFC to quickly view and eliminate computers and material that are outside the scope of the matter so that you are able to focus your investigation on relevant material on specific computers.

Using the VFC triage functionality an investigator is able to quickly identify if a machine contains any potentially relevant information that may assist their case. This is particularly useful when a number of devices are involved as it can quickly eliminate non-relevant devices saving time and money allowing investigators to concentrate on the devices of interest. A triage of a device will provide the following information:

  • Usernames & profiles
  • Last used date
  • Installation date
  • Recent files accessed
  • Installed programs such as Sage, QuickBooks and other applications
  • Recent internet history including recent searches
  • LNK files (a shortcut to a recently accessed Windows file)

For example:

  • Identify Key Custodians' devices quickly eliminating non relevant Custodians' devices
  • Use VFC Triage properties such as “last used date” to reduce devices not in scope of the investigation
  • Identify important installed programs (financial databases) to help prioritize devices

VFC Triage is a simple non-technical exercise that allows you to reduce the number of devices that go forward to analysis. This is particularly useful when a number of devices are involved as it can quickly eliminate non-relevant devices saving time and money allowing investigators to concentrate on the devices of interest. A triage of a device will provide the following information.

Password Bypass

VFC enables a user to bypass a user's logon password and get straight to the desktop as the end user would have accessed it.

VFC Desktop Investigation

This can help an investigator to identify undisclosed expenditure or activity. For example:

  • Desktop background picture shows Custodian next to undisclosed sports car, yacht or overseas property.
  • Review internet searches/ browsing history to identify overseas trips, connections to undisclosed financial institutions and/or lifestyle spending.
  • Identify recently accessed files, saved documents and deleted documents.

Furthermore, the content or file properties (metadata) could be invaluable to the ongoing investigation or help attribute when an event took place that has ultimately led to this investigation.

VFC also allows you to do the following:

  • Transfer Original files from the virtualized computer to the investigator's computer for further examination or upload to data analytics software. Files can be simply dragged and dropped onto local computer for data to be printed or saved as part of the investigators report.
  • “A picture speaks a thousand words” - Screen-shots can be easily acquired from the virtualized device and can be used as key evidence or ways of simply showing/explaining to non-technical individuals the intelligence/evidence that has been found and where it resided.
  • VFC is particularly useful if ultimately the material might go to a criminal or civil court.
  • Bespoke and proprietary software can be launched in the usual way, just as they could have been in the custodian's computer environment, even if the device has been unused for a period of time and the software license has expired. There is no need to install software, purchase additional licenses or to identify and acquire the correct software versions. This feature can be especially useful for insolvency, regulatory and law enforcement investigations (see Case Study below).
  • Recover evidence from database and accounting software (e.g. Sage/QuickBooks). VFC allows you to use the accounting or other software's reporting and analysis which can be applied in the virtual environment to investigate transactions in exactly the same way as on the original computer. The resulting report can be transferred as mentioned earlier to your own local device.

Case Study: Accessing evidence in QuickBooks accounting records using VFC:

QuickBooks, Sage etc. can be a very valuable source of evidence, especially when investigating fraud, internal business problems, staff investigations and IP theft. Extracting information in a user-friendly format that can be easily understood by everybody involved in a case can often prove challenging. Accounting programs such as this require a proprietary file format that can be difficult to view outside of the native application.

This case required MD5 to assist the investigation of a number of computers that were running several instances of QuickBooks. MD5's used its VFC software to create virtual copies of the computers. These enabled the investigator to immediately run QuickBooks in its native environment on each virtual computer. The investigator was thus able to browse, identify and extract a significant volume of key evidence which directly related to the case and was in a format that would otherwise have been unintelligible.

The data that had been identified as relevant was extracted within the virtual computers to Excel spreadsheets. It was then exported to the investigator's computer for upload into data indexing/processing software and online review platforms for further analysis and investigation.

To conclude all these exploratory and investigation actions on recovered devices can be carried out (and more) with the software VFC without a costly digital forensic or IT expert being involved meaning this saves an organization whether it is an insolvency, regulatory or law enforcement investigation, time and probably most importantly money.

 * - required fields