The best tools for digital forensics, evidence acquisition, virtual disks and image emulation
MD5, a leading UK digital forensic solutions provider and the originator of the globally recognised technology "Renowned Software Innovation - Virtual Forensic Computing (VFC)", launched the VFC solution as a milestone in forensic science research. Using a virtual machine, it lets investigators fully rebuild the original computer's operating system environment from a forensic image inside a virtual environment, so that digital forensic work can proceed without damaging the original evidence.
Since its launch, the VFC (Virtual Forensic Computing) digital forensic solution has become the most important breakthrough for investigators in digital forensic evidence acquisition, and the latest version of the VFC virtual forensic computing software is its most powerful and fastest release yet. VFC has opened a new chapter for digital forensics and, driven by user expectations, keeps adding more complete and stronger features, making it an indispensable tool for investigators in today's digital age.
- Boot a forensic image of the suspect's computer.
- Boot the suspect machine in its native environment.
- Experience the "desktop" exactly as the original user saw it.
- Capture screenshots of key evidence, such as folder structures, evidence locations, recently accessed files, browsing history and saved passwords, P2P shares and virus definitions.
- Interact with fully licensed software to view files and data in their native environment (for example Sage or QuickBooks) without investing in a copy of expensive software.
- Interact with connected devices (for example an iPhone with its associated iTunes account, or an encrypted USB drive).
What is new in Version 7
VFC v7 features a streamlined workflow making it simpler to progress from forensic image to virtual machine but still allows the experienced user to perform a detailed exploration of the mounted image.
Single Volume Images
VFC v7 now supports non-bootable single volume images. These are images that contain a complete file system but lack the components found in a whole disk image. VFC v7 can now seamlessly emulate the missing components and allow such images to be converted to a bootable virtual machine.
Virtualising a single volume image involves setting up a virtual environment where the contents of the single volume image can be accessed and interacted with as if it were a physical storage volume. A virtual machine provides a controlled and isolated environment to work with the contents of the image, making it easier to analyse and manipulate the data without affecting the original image.
VFC does all this for you, which makes it an invaluable tool for purposes such as Cyber\Digital Forensic testing, development and analysis.
This is particularly useful for images that were captured as a single volume, or where an image has been converted from another volume-based format, such as a device that is TPM (TCM) encrypted, "BitLocker" or "VeraCrypt" encrypted, or any supported image format that can be converted in this way.
Using VFC to virtualise a TPM, BitLocker or VeraCrypt encrypted single volume image enables controlled access to and analysis of the decrypted data without modifying the original image.
VFC enables a Cyber\Digital\Incident Response Investigator to follow the best practices of maintaining the integrity of the digital evidence with confidence and ensures that a proper chain of custody is maintained throughout the analysis process.
(Please note VFC does not support L01 logical images. These do not contain file system information and cannot be converted to a bootable virtual machine.)
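The distinction above (a whole disk image carries a partition table in sector 0, a single volume image starts directly with the file system's boot record) can be checked on raw image bytes before anything is mounted. The following is an added example and not VFC code: it classifies an image by its first sector, and shows what "emulating the missing components" amounts to for an NTFS volume by wrapping a copy of it in a synthetic MBR while leaving the original bytes untouched. The sample sectors are constructed, not taken from any real device; the offsets used are the standard MBR, GPT and NTFS BPB layouts.

```python
"""Classify a raw image as whole-disk (MBR/GPT in sector 0) or single-volume (file
system boot record in sector 0), then wrap a bare NTFS volume in the MBR it lacks."""
import struct

SECTOR = 512

def classify_image(data: bytes) -> dict:
    """Return {'kind': 'single_volume' | 'whole_disk' | 'unknown', ...} for image bytes."""
    if len(data) < SECTOR:
        return {"kind": "unknown", "reason": "shorter than one sector"}
    s0 = data[:SECTOR]
    if s0[3:11] == b"NTFS    ":                  # NTFS VBR: OEM ID at offset 3, no partition table
        return {"kind": "single_volume", "fs": "NTFS"}
    if s0[510:512] != b"\x55\xaa":
        return {"kind": "unknown", "reason": "no boot signature"}
    parts = []
    for i in range(4):                           # four 16-byte MBR entries at offset 446
        e = s0[446 + 16 * i: 462 + 16 * i]
        if e[4]:                                 # partition type 0 means an empty slot
            start, count = struct.unpack("<II", e[8:16])
            parts.append({"type": e[4], "start_lba": start, "sectors": count})
    if not parts:
        return {"kind": "unknown", "reason": "boot signature but empty partition table"}
    gpt = any(p["type"] == 0xEE for p in parts) and data[SECTOR:SECTOR + 8] == b"EFI PART"
    return {"kind": "whole_disk", "scheme": "GPT" if gpt else "MBR", "partitions": parts}

def build_wrapper_mbr(volume_bytes: int, start_lba: int = 2048, ptype: int = 0x07) -> bytes:
    """Synthesise the MBR a bare volume is missing: one bootable entry of type
    `ptype` (0x07 = NTFS/exFAT) starting at `start_lba` and spanning the volume."""
    sectors = (volume_bytes + SECTOR - 1) // SECTOR
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start_lba, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def wrap_single_volume(volume: bytes, start_lba: int = 2048) -> bytes:
    """Return a new whole-disk image (MBR, alignment gap, volume). Only the copy's BPB
    'hidden sectors' field (offset 28) is set to start_lba; the caller's bytes stay intact."""
    out = bytearray(build_wrapper_mbr(len(volume), start_lba) + bytes((start_lba - 1) * SECTOR) + volume)
    off = start_lba * SECTOR + 28
    out[off:off + 4] = struct.pack("<I", start_lba)
    return bytes(out)

def constructed_ntfs_vbr() -> bytes:
    """Minimal NTFS-style boot sector (constructed sample, not from any real device)."""
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11], vbr[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    return bytes(vbr)
```

A real volume would also need its boot code and $MFT intact to boot; the wrapper only supplies the partition table and alignment that a whole disk image would have carried.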
Access computers configured with S-Mode
Windows S Mode is primarily used in specific environments where a more locked-down and controlled computing experience is desired. Here are some of the common scenarios where Windows S Mode is used:
Education Sector: Windows S Mode is often used in educational institutions, such as schools and universities. Its streamlined nature and restriction to installing apps from the Microsoft Store can provide a more secure and controlled environment for students and educators.
Enterprise and Business Environments: Some businesses may choose to use Windows S Mode on their devices to enhance security and manageability. The restricted app installation can help prevent the installation of unauthorized or potentially harmful software.
Devices for General Consumers: In some cases, manufacturers may pre-install Windows in S Mode on certain devices targeted at general consumers. This is less common compared to the use in education and business sectors, but it provides a simplified and secure computing experience for individuals who do not need to install software from outside the Microsoft Store.
VFC enables the system to operate like a standard operating system without the controls and security restrictions of S-Mode.
Inject files
This very powerful feature allows you to inject third-party analysis software into a VM while VFC is generating it. Whether you are a Cyber Forensic, Digital Forensic or Incident Response Investigator, you will have your favourite suite of tools to aid and carry out analysis of a device in your enquiries; using this feature, you can use the generated VM to get the answers more efficiently and effectively in the field or in the lab.
VFC Triage
Being able to quickly triage a computer device on scene or in the lab can prove vital: prioritising items can save time and an organisation money. When conducting on-scene triage, you want to be in and out as quickly as possible, while collecting sufficient evidence to warrant bringing the device back to the lab, or to decide that it does not meet the case parameters. VFC Triage allows you quick and safe access to the device; within 30 seconds of selecting the partition, you will be able to view the VFC Triage log, which can provide you with the following:
- Recently accessed files
- Recent apps
- Recent URLs
- Installed applications
- Installed documents
- Windows history
- Chrome history
- Windows links
- List of previously connected USB devices
- List of user accounts
- Last user logged on
- Last used date
» VFC Law Enforcement & Government edition
» VFC Corporate edition
» VFC5 upgrade (Upgrade from VFC4 to VFC5)
VFC has the following technical requirements:
» PC running Windows 7 SP1 or later *
» 1024x768 display or better
» Minimum 100MB free space
» VMware Workstation/Player v12 or later †
» Hardware meeting VMware minimum requirements:
» 64-bit x86 Intel or AMD Processor from 2011 or later
» 1.3GHz or faster core speed
» 2GB RAM minimum/4GB RAM recommended
» Admin permissions to install VFC and mount/unmount images
» VFC Mount software (provided) or appropriate third-party mount tool
» USB port (for dongle)
* It may also be possible to run VFC on other UEFI-based operating systems with an appropriate Microsoft Windows virtualisation / compatibility tool. We understand that this may work well but are unable to formally support it at this time.
VMware Workstation virtualisation platform software
VMware Workstation Pro can run multiple x86 operating systems simultaneously on the same PC, changing the way technical professionals develop, test, demonstrate and deploy software. Workstation Pro has won more than 50 industry awards and, with 15 years of professional virtualisation experience, offers users broad operating system support, a rich user experience and excellent performance, making it the best choice for technical professionals.
Build powerful virtual machines
You can create virtual machines with up to 16 virtual processors or 16 virtual cores, 8 TB virtual disks and up to 64 GB of memory, and run the most demanding desktop and server applications in a virtual environment. To further boost graphics-intensive applications, simply allocate up to 2 GB of video memory to the virtual machine.
For more information about VMware Workstation, please visit the product page.
HDD Regenerator hard disk testing and repair tool
HDD Regenerator is a unique application that regenerates physically damaged hard disks. It does not hide or isolate bad sectors; it actually restores the disk to its original healthy state.
Key benefits
The hard disk is an essential component of every computer: it stores all of your information. Bad sectors on the platter surface are one of the most common hard disk defects. A bad sector is a part of the platter surface that holds information that is frequently needed but can no longer be read. Bad sectors make it hard to read and copy data from your hard disk, make your operating system unstable and, in the end, may stop your computer from booting properly. When a hard disk has bad sectors, not only does the disk become unfit for use, but the information stored on it is also at risk of being lost. HDD Regenerator can repair a damaged hard disk without affecting or changing the existing data, and the repair can restore information that was previously unreadable and inaccessible.
For more information about HDD Regenerator, please visit the product page.
Mount Image Pro digital forensic tool
Mount Forensic Images
Mount Image Pro is a computer forensics tool for Computer Forensics investigations. It enables the mounting of forensic images including:
- EnCase .E01, EX01, .L01, .LX01
- AccessData .AD1
- DD and RAW images (Unix/Linux)
- Forensic File Format .AFF
- NUIX .MFS01
- ProDiscover
- Safeback v2
- SMART
- XWays .CTR
and other common image formats including:
- Apple DMG
- ISO (CD and DVD images)
- Microsoft VHD
- VMWare
image files as a drive letter under the Windows file system.
Key Features
- Map images as a single drive letter to explore "Unused/Non partitioned" disk space or map specific drive letters to any or all partitions within the image files.
- Use third-party tools without the need to restore images to another PC. Now you can develop or use your own tools without the limitations of a scripting language.
- You do not need to have EnCase installed, nor do you require an EnCase dongle, to use Mount Image Pro. This gives you and your clients total flexibility when dealing with EnCase evidence files.
Forensic Explorer – Fact Sheet
Forensic Explorer is a tool for preserving, analysing and presenting electronic evidence. Its primary users are law enforcement, government, military and corporate investigation agencies.
Forensic Explorer combines a flexible graphical user interface (GUI) with advanced sorting, filtering, keyword search, preview and scripting technology. It enables investigators to:
- Manage the analysis of large volumes of information from multiple sources within a case file structure;
- Access and examine all available data, including hidden and system files, deleted files, file and disk slack, and unallocated clusters;
- Automate complex investigative tasks;
- Produce detailed reports; and,
- Provide a platform for non-forensic investigators to easily review evidence.
iOS Forensic Toolkit
Perform complete forensic acquisition of user data stored in iPhone / iPad / iPod devices. Elcomsoft iOS Forensic Toolkit allows eligible customers to acquire bit-for-bit images of the device file system, extract device secrets (passcodes, passwords and encryption keys) and decrypt the file system image. Access to most information is available immediately.
Please note that not all devices and iOS versions are supported.
- All-in-one, complete acquisition solution
- Physical acquisition (32-bit devices): obtain a complete, exact device image
- Physical acquisition (64-bit devices): extract more information than logical or cloud acquisition
- Extract information from locked devices (restrictions apply)
- Decrypt keychain items and extract device keys (32-bit devices only)
- Fast file system acquisition: 20-40 minutes for a 32 GB model
- Zero-footprint operation leaves no traces and does not alter the device's contents (32-bit legacy devices only)
- Fully accountable: every step of the investigation is logged and recorded
- iOS supported up to 9.0.2
- Passcode not required
- Simple 4-digit passcodes recovered in 10-40 minutes
- Mac and Windows versions available
- Automatic and manual modes available