Case Study 0

In the investigation, VFC (Virtual Forensic Computing) v7 was employed to generate a virtual machine (VM) replica of the suspect's computer. This advanced capability allowed the forensic analysts to bypass any existing passwords and gain direct access to the suspect’s desktop environment. By creating an exact virtual clone of the suspect's computer, VFC v7 enabled the analysts to interact with the system as if they were physically present at the device. This included accessing files and analysing installed applications without altering the original evidence.


Using the VM, the analyst identified that the Zune/Groove Music apps were not installed. The current version of Windows Media Player was installed; this new version replaced the legacy Groove Music app.


Windows Media Player was opened and the IIoC was identified in the Recent Media. Using the in-built tool functions, it was possible to identify the file path and location for the original files. The analyst was then able to capture a screenshot showing the images in the player and the links to the original file path for use in his report.

The identified source of the images could then be searched for in the Forensic Software for further information.


The other Forensic Software did not identify a link between the images cached by the Windows Media Player application and the original source of the files the images were cached from. Using VFC alongside additional Forensic Software allowed the analyst to identify the link.


The ability to swiftly and effectively recreate the suspect's digital environment significantly expedited the forensic examination process, providing a comprehensive and accurate insight into the suspect's computer usage.