Exploring the Value of Virtualization in Digital Forensics

Why would you virtualize the suspect’s computer system?

Estimated read time: 1:20

    Summary

    In this episode of Cyber Sleuth, the host invites Blessed from MD5 to delve into the powerful tool of virtualization in digital forensics. They discuss various aspects, such as enhancing understanding through virtual desktops, maintaining forensic integrity, and the ease with which this technology can be applied, especially in law enforcement. They highlight the advantage of visualizing machine states for better communication in courts and emphasize how virtualization tools like VFC aid investigators in presenting clear, comprehensive evidence without compromising data integrity.

      Highlights

      • Virtualizing computers creates a safe 'sandbox' environment for investigation, keeping original data untouched. 🛡️
      • VFC was highlighted as an effective tool for helping law enforcement quickly assess suspect devices on site. 👮
      • The tool can even fast-track identifying a device’s latest usage details, aiding in suspect profiling quickly and accurately. 📋
      • Blessed emphasized how virtualization helps convey technical findings to non-technical audiences in legal settings, ensuring juries can follow the narrative. ⚖️
      • The host and Blessed underscored the simplicity of VFC’s usage, making it accessible to those without deep technical expertise. 🤓

      Key Takeaways

      • Virtualization offers investigators a way to replicate suspect computer systems safely and without altering original data, ensuring forensic integrity. 🖥️
      • It simplifies presentations in court by providing a visual representation of the computer's state, making it easier for juries to understand the evidence. 🎯
      • The process of virtualization has been condensed to just a few minutes, making it highly efficient in investigation workflows. ⏱️
      • Tools like VFC allow for effective triaging of multiple devices at crime scenes, helping law enforcement prioritize which devices to analyze further. 🚔
      • The technology supports the examination of user activities, USB usage, browsing history, and more, offering a comprehensive view of a suspect's digital footprint. 🔍

      Overview

      The Cyber Sleuth show is all about breaking down complex forensic technology into digestible ideas for the everyday user. This episode shines a light on how virtualization changes the game for digital forensic investigations, especially within the spheres of law enforcement and legal trials. With guest expert Blessed from MD5, the exploration dives into why virtualization is such a critical tool.

        Virtualization allows forensic investigators to recreate the desktop experience of a suspect's computer system without the risk of altering any primary data. This tool is crucial when presenting evidence in court, as it aligns the technological findings with a jury's perspective of the digital environment without needing them to understand the code intricacies.

          In discussing the practical applications, the show highlighted how VFC streamlines forensic workflows by providing immediate access through virtualized environments. By translating complex technical evidence into a comprehensible format, tools like VFC not only respect the nuances of forensic integrity but also enhance the storytelling aspect of digital investigations.

            Chapters

            • 00:00 - 01:00: Introduction The chapter titled 'Introduction' sets the stage for what follows, outlining the main themes and objectives. It provides context and background information relevant to understanding the material covered in the rest of the work. Key terms and concepts might be introduced to aid the reader's comprehension moving forward.
            • 01:00 - 03:03: Welcome and Overview Introduction to the course.
            • 03:03 - 08:00: Virtualization Benefits and Use Cases This chapter titled 'Virtualization Benefits and Use Cases' explores the various advantages of virtualization technology and provides practical examples of how it is applied in different industries. The core benefits discussed include cost savings, improved resource efficiency, scalability, and easy management of IT resources. The chapter also delves into specific use cases such as server consolidation, disaster recovery, and support for legacy applications, illustrating how virtualization can solve complex problems and enhance operational performance. Through detailed analysis and expert insights, the chapter highlights how businesses can leverage virtualization to optimize their IT environments and gain a competitive edge in the digital landscape.
            • 08:00 - 12:00: Training and User Experience The chapter begins with a lighthearted introduction to the Cyber Sleuth show, marking the beginning of a Friday session. The speaker humorously comments on the tongue-twisting nature of the show's title and reflects on the amusement around it.
            • 12:00 - 16:00: System Requirements and Compatibility The chapter titled 'System Requirements and Compatibility' begins with the host addressing a common question about the change in the name of the show from 'Hubcast' to 'Cyber Sleuth Show.' The host explains that the original name was not well understood by the audience, and the change was made to better align with the show's themes and for search engine optimization purposes. The host humorously thanks the viewers for their continued support. They also comment on the week's progress as they continue with the show, noting the presence of a few regular viewers.
            • 16:00 - 23:00: Q&A and Case Studies The chapter 'Q&A and Case Studies' discusses live interaction on a platform called X, which has introduced a new feature allowing a sidebar chat during live videos. The speaker interacts with the audience through this chat by asking participants where they are from and mentions the limitation of not being able to type responses back but being able to verbally engage.
            • 23:00 - 27:00: Conclusion and Farewell The chapter titled 'Conclusion and Farewell' discusses the limitations and possibilities of interacting with different social media platforms during a broadcast. It highlights LinkedIn's restriction on feedback due to its closed API, controlled by Microsoft, necessitating offline engagement for comments. In contrast, Facebook, backed by Meta, allows two-way communication during live sessions. Furthermore, YouTube is emphasized as the primary channel for the event, facilitating comprehensive interaction with the audience. The content underscores the need for awareness of platform capabilities to optimize social media engagement.

            Why would you virtualize the suspect’s computer system? Transcription

            • 00:00 - 00:30
            • 00:30 - 01:00 hey hey hey
            • 01:00 - 01:30 hey hey hey
            • 01:30 - 02:00 all right hey welcome everybody to your Friday you made it it's uh it's Friday and uh welcome to the Cyber Sleuth show see I'm trying to say it without messing it up it's like I could have picked more of a tongue twister than that um but no I probably could have but that's that's what we settled on anyway and it's funny
            • 02:00 - 02:30 I get people that ask me "Hey why did uh why did you change the name wasn't it called a Hubcast before?" Yeah because nobody knew what a hubcast was um now granted you guys do because you you watch uh for whatever reason you hang out I appreciate it but the cyber sleuth show kind of makes a little bit more sense maybe maybe that much more so there we go um it's all for the Google algorithm isn't it yeah pretty much anyway I hope everybody's week is going uh going pretty well here um and as we uh as we cruise through here we got a couple of people uh hanging out with the
            • 02:30 - 03:00 live one and I'm hitting buttons to see things I'm curious where everyone is from uh so if you want to put that into chat now here's the chat that I can see I'll tell you that right now so if you're on X with us X is now doing their live videos a little bit differently there's a sidebar a full side chat now on X you have to type over there and I can see it I just can't type back but I can obviously talk back to you um and then
            • 03:00 - 03:30 on LinkedIn I can't see any LinkedIn at all that's a Microsoft closed API deal we can't get feedback from from LinkedIn I'll have to go read those posts later um for that Facebook is where we're also broadcasting I can uh see those and reply back to those so Meta allows that two-way uh communication and then obviously YouTube where our home channel is um we can with full communication back and and back and forth because I can see obviously all the uh all the
            • 03:30 - 04:00 crazy chats that uh that come in and out so again just type where you guys are from um I'm just curious to to see where where everybody hangs out from on a Friday and kind of ducks out of work a little bit at least here in the US um so I'm going to move on forward here and talk about our sponsor which is again it's us um so um we're we're finally starting to promote this uh a little bit more slowly piece at a time um and it really only pertains to law enforcement if you're not law enforcement you can
            • 04:00 - 04:30 kind of just uh zone out I guess if you if you want to but what we've done is we built a uh internal um information sharing platform essentially um where law enforcement can share information back and forth internally from investigations down to uh patrol to crime analysts to uh public information officers so it looks kind of like a a social media app it's built on the same technology cyber social hub is believe it or not um but we also have some extra
            • 04:30 - 05:00 stuff that helps with external communications for the public information officers uh which makes things really nice uh and to manage that so um if you're in law enforcement or you know somebody in law enforcement we'd really appreciate if you forward this along to them or tell them about it say "Have you heard about it?" And uh and uh and check it out so let's go over here and uh check the chats real quick oh one more thing on on blue line over here is if you guys have heard of the um and I don't know those you guys in in
            • 05:00 - 05:30 law enforcement um I'm always torn to even mention the case because it's such a tragic case that I don't I don't feel right mentioning it all the time but Athens uh Clarke County Georgia uh was one of our first clients we actually designed the platform originally for them um in the the Laken Riley case um they've been our client now for about four years with this platform and um they used us heavily in that case um and I and I talked to them and they said yeah uh we there's no way we would have
            • 05:30 - 06:00 met the speed to solve this case as fast as we did without this technology um because it allowed investigators to quickly communicate with patrol patrol to communicate quickly with one another just communicate I don't want to say communicate it's share information how I think of it is like if you're a law enforcement and you plug yourself into your own department's private little matrix right so your brains can communicate like really quick back and forth everyone has something they're good at that's what we we helped with so
            • 06:00 - 06:30 um police work was phenomenal we didn't help with that at all we just helped the ability for them to make that uh make their skills uh in communication with one another and just rock it out so with that I'm going to slide over here to the chats let's see where everybody's from Megan says "Yay Friday." Uh Vienna Virginia uh Megan of course Ohio um uh though you're from Ohio yeah you're you're somewhere else you're on the somewhere east this week I think um and
            • 06:30 - 07:00 then Oh clear over Washington awesome awesome uh so again post where you're from um and if you guys want to chat with me or my guest that's getting ready to pop up here please uh type right in there uh you can see how see uh wait it's mirrored so everything's kind of it's got the little YouTube symbol on it so that's where we can see everything coming from too uh so there's that now last week or no it was two weeks ago now
            • 07:00 - 07:30 goodness uh people did a secret word we started this new thing it's like if you watch the the podcast or even listen to the podcast um you have a chance to win some prizes we got all of this swag and I had my swag bag ah Megan I should have put the uh the picture of it up um some of the stuff and I and I didn't but we're again it's going to be a random piece I don't really know what it is but I can show this we're giving away prizes uh because
            • 07:30 - 08:00 number one I got a new uh laser machine literally over there where we make some really cool swag so here is uh one of them I'll kind of hold it up here and see if the camera will f There it it is so this is one and then this one happens to just say Blue Line Intel on it um a little glass here but we have them that says Cyber Social Hub here's one with actually some of the the black coating I have to put on it says uh Nerd Police on it it still has the black coating this comes off it washes right off I haven't put it through the washer yet and then
            • 08:00 - 08:30 Cyber Social we'll give some of this stuff out um I have you know these awesome little keychains right here it says forensicator on them and then uh I have a ton of these uh this is still in the plastic here people lie evidence doesn't and I got And then obviously on the back Cyber Social Hub stuff I got a whole bunch of those oh we got new stickers hold on I got to show you the new stickers um obviously we have our original Cyber Social Hub uh stickers uh here these are the smaller uh edition if it goes into focus there and then of
            • 08:30 - 09:00 course we have our blue line flags that we've given away for a long time here is the newest sticker into the Whoops focus on this uh got the blue line and the Punisher if you've seen our challenge coins we have those as well uh a bunch of stuff um but the whole point of this is that we give away a secret word during the the podcast um and then all you have to do is go to a website fill out your information because we got to be able to ship it to you um and we'll we may send you something in the drawing
            • 09:00 - 09:30 now last time we did this was two weeks ago and I didn't announce this yet um so I apologize for that everyone who signed up or even attempted it at two weeks ago uh which was a few people quite a few people I'm sending you stuff uh I'm going to send you some stuff uh it may not be the whole package of everything that you just saw but you're going to get something from us so uh just for hanging out with us and uh
            • 09:30 - 10:00 and and going for it now here it is I can't do the same thing this week because it's going to catch on right because I just gave it away that everybody it may get something out of here and I can't I can't do that so what's going to happen here is we're going to do a drawing from this um and the secret word is obviously right hang on I'm going to get this wrong because anyway I'm mirrored it's right below the the stinking QR code there and this should work hopefully the QR code is working okay on this um I did not test it which is something I should
            • 10:00 - 10:30 not do I should probably test it but it's just blue line intel that's it spaces no spaces we don't We don't really check your spelling all that because I think the week two weeks ago it was PFIC and people spelled PFIC wrong I know made me laugh anyway doesn't matter it was a close it was good attempt so that's uh that's good enough for uh for us in in rocket science so off we go there so if you head over there um again I don't have the URL but if you're listening on uh
            • 10:30 - 11:00 Spotify because obviously we put this on Spotify Apple podcast all of those things it will be in the description the link that you need from this now the catch I have to throw the catch in there so this is airing when is what is what is today I don't even know what today is oh today is Friday April 4th um right now when we're airing this live um so the Monday we turn that off so if you're hearing this sometime today or over the
            • 11:00 - 11:30 weekend you still can go and enter for this secret word prize all right um but if not uh if you catch it afterwards uh now you have to come to a live event or sometime over the weekend to listen to an event um and then uh you might get something there it is there's the basics all right I think I'm done and I'm sorry I went longer told my guest hey it's usually about five minutes now it's now officially 11 minutes that I I went
            • 11:30 - 12:00 through uh but that's that's okay I I tend to talk a little bit too much so I'm going to bring on my my guest now and it is Blessed and I'm going to push the right button because uh I just went through all of these from Oops wrong one of course hey let's try this one hey there we are uh welcome to the show my friend how are you today I'm good Kevin thank you for having me yeah yeah no problem I love I love the background that you have going there no
            • 12:00 - 12:30 thank you I'm a bit of a collector yeah I am curious though where are the other shoes are those just the right ones those are the perfect ones gotcha yeah yeah yeah uh and man uh see I Yeah I'd be wearing the shoes I didn't know if you just mix matched them or since you had
            • 12:30 - 13:00 just like one or the other anyway they're both pairs of shoes oh okay I can only see one Megan says "Yeah nice shoes top shelf." Yeah very good very good stuff um anyway um you're with MD5 and uh I think the product probably just giving people a little bit of context of what they're known for is uh VFC is that is that accurate
            • 13:00 - 13:30 that's correct that's like the you can say the golden goose of the company but they do provide we do provide other eforensic um and disclosure services so VFC is the is the main bread winner but we're trying to well they they provide other services as well yeah yeah and there's a lot and I'll I'll I'll show the the website here in a little bit and you know and I know that uh you haven't been
            • 13:30 - 14:00 with them all that long when they kind of well we twisted their arms a little bit hey we need somebody to come on the show and then you kind of like got thrown under the bus sort of get the the phrase I guess yeah I kind of do the short straw but it's it's part of the the job description I I believe so I'm here to you know show you all the glorious things that we can do as MD5 I've only been with MD5 since December 24 so okay give or take four months now ah you're an expert now at this point the learning
            • 14:00 - 14:30 curve it's been a kind of a steep not but kind of you know manageable learning curve yeah well you're working with a a good crew over there uh Lindsay oh they're great they're great yeah no the great crew over there they've uh been hanging out with the with us for about a little over a year now um so yeah and like I said I I my goal is to not put you on the spot here because I know this is a live show the last thing I want to do is uh you know you've been on for four months is uh is torment you too
            • 14:30 - 15:00 terribly much but um one of my flaws is I'm pretty transparent so I just say things how it is um so anyone have any questions as we get talking about uh some of the topics uh please feel free to to drop it into the uh into the chat here and I'm going to pop up some of the uh the screen so I can see the number of people okay great so I'll have that all standing by I guess the first thing Blessed is tell me a little bit about
            • 15:00 - 15:30 um your intro into the crazy world of digital forensics right how did you um what's your interest here how how you got started in this in this wonderful area that we're in okay so my main my main role within MD5 is to push the sales and push the marketing of the products so I got this
            • 15:30 - 16:00 job I would say 70% based on my sales acumen and sales experience I previously worked in for a company that wasn't in the same industry but it worked towards the same certification you know they're accredited by the same UK body that accredits MD5 for the type of work that that they do so my main entry into MD5 and into the e forensics world is basically based on my sales
            • 16:00 - 16:30 acumen yeah okay okay that's pretty cool to to charm to charm and u and make people understand what what it is that they we're providing them yeah that's that's the reason right right yeah so you have and it's funny a lot of the um when I I I usually ask that to most of my guests that come on and it's it's funny the wide range of responses that we typically hear sometimes it's um well
            • 16:30 - 17:00 even in my case it's how did you get started in the in the tech in this forensic field is like I could turn the computer on to the workstation that they had just bought so that was that was my qualifications way back in the uh in the uh oh crime it was the the 90s at this point yeah when when I got started in it so it's funny how how that how that works well we're glad to have you in uh in the space uh I tell you what I don't
            • 17:00 - 17:30 I've never met anyone like horribly bad in this space they're all just great people willing to help out and answer any questions and I know obviously you're the same way from our interactions uh that are willing to help folks out with uh with VFC and MD5 um obviously the title of the podcast had to do with virtualization um and why why would somebody want to do
            • 17:30 - 18:00 that um can you talk about uh uh a couple of the benefits like I'm an investigator why would I want to do that why wouldn't I just want to throw it in my forensic software go what's the benefits so the main benefits of um virtualizing you know devices computers hard drives is that in a given any given scenario where you're obviously um running an investigation you do not
            • 18:00 - 18:30 want to compromise the evidence that you've collected so VFC provides users the ability to be able to in a way clone that device and then work off of that clone meaning that the the integrity of the original device or hard drive or data is not compromised in any way whatsoever so going on from that once you've cloned it you can now share it
            • 18:30 - 19:00 with a number of people and bear in mind the original data is still untouched so once you've shared it um I think the step that I've missed is the fact that virtualizing a machine means that you're seeing it in the state that the original user would have seen it in yeah say for example before VFC um what users or investigators what they had to put up with was they'll turn up to court with a
            • 19:00 - 19:30 stack of papers and code to explain oh this this is the guy you want because ABC look at this code look at this page etc etc now to the to the normal person that makes no sense whatsoever but once you virtualize the machine you've actually duplicated it and everyone knows what a computer looks like you can now go to their browsing history say there you go they were downloading manuscripts for for making I don't know dirty bombs or whatever or they were
            • 19:30 - 20:00 they're the ones they're the culprits so effectively virtual virtualizing a machine allows investigators users to be able to replicate the same environment like for like yeah yeah and that's and I think a lot of people examiners including myself um over the years now granted I haven't actually done an examination in a in a long time now but um when I was it's we tend to forget that that's an option for us and
            • 20:00 - 20:30 we get stuck in in it it's called multiple things depending on what the angle you're looking at it for and I'll see if you you agree with this we call it curse of knowledge at least in the business side of things it's like when we're talking about something like if I'm talking to you about you know you know something to do in in technology and forensics then we'll just know each what we're talking about because we're we're going to pass geek terms back and on back and forth I call it Yeah yeah yeah um I've made up a funny term with
            • 20:30 - 21:00 it I call it uh geekines the language of geeks uh so you know we're going to speak that but we forget that um you know the you know someone who's who's my mom's age right sitting on a jury is going to just look at us with blank stare like what just happened it's like I can barely use Facebook how how am I supposed to know what this person's talking about exactly exactly
            • 21:00 - 21:30 and that's really where the virtualization takes place is that kind of a a decent picture of what I just painted there 100% because like I said before everyone knows how to use Facebook but not everyone's going to know you know tech speak not everyone's going to know oh that code has been derived from this so it means this VFC allows the data to be seen in its original format so your mom can
            • 21:30 - 22:00 literally understands what a you know what a web browser is she knows what Google is so this is what VFC does she knows what a folder looks like on a computer so VFC will allow you to even see everything that's on that computer as it was so if there are any pictures on there especially in cases where it's is to do with pictures or videos or any crime related to location wise she'll she'll be able to understand that your mom my mom anyone who's used the
            • 22:00 - 22:30 computer for 5 minutes they'll be able to understand oh I see what that is that makes sense as opposed to the to the alter to the alternative of just pure code where all the other tools have you know have fallen short but that's not to say VFC replaces them but rather acts as an aid to all these other tools you know 100% it has to enhance because I am well I mean you know just your short interaction with me um I think we've
            • 22:30 - 23:00 known each other a week now and it's apparent I'm not the smartest guy in the world so I need all the help I could get especially when you know I was on a stand trying to explain some of these forensic concepts it's much easier to like like you just pointed out to show in an environment that everyone's already familiar with it's like hey this is what happened because of this this correct because of this uh a lot a lot easier makes people's lives so much
            • 23:00 - 23:30 better much much easier and as well to just to add to that as well it's it's VFC is also a time-saving tool so you find let's say in the in an instance where you're faced with for example there was a case where there were 15 computers that were found you know at the crime scene using the new portable VFC you're able to run VFC off of each machine individually and just do a quick
            • 23:30 - 24:00 quick diagnosis what the what we call the triage feature and see who the laptop belongs to so if it's a case of we are able to determine okay this laptop was not used within this time frame because it tells you in the triage that's brought up by VFC that this laptop was last booted up at this time you know this is what was accessed was a USB used etc you name it so in that case we were able to save you know save time in terms of what we needed to bring back
            • 24:00 - 24:30 to the DFU yeah other laptops as well yeah if you're triaging something quick peek at it whether you need to bring it in to the to the lab or not it actually sees it um no that I didn't know it did that that makes awesome sense it's going to save save a lot of time for sure 100% yeah for sure it even shows you what each individual user accessed if it's a laptop that's used by more than one user
            • 24:30 - 25:00 so it will tell you everything every user will have a different account of course and we just show you what they accessed at any given time hm that's interesting now I know you had mentioned this um in the beginning but I wanted to to to visit it again about the essentially the sandbox type environment um and a lot of examiners are always kind of hesitant to run it um anything but you're actually creating a good a nice safe sandbox you're not touching the original
            • 25:00 - 25:30 information or not altering the original information to the point where Yeah all the hashes and then uh Megan I see your your chat up there of that hex is uh forensics but the hashes are in hex believe it or not and uh so she's like uh she thinks of color codes you can tell she has a marketing background and not the forensic background um but and that's what I know a lot of examiners are hesitant because
            • 25:30 - 26:00 of that and then that's just not the case it's safe you're you're fine right very safe because like I said you've you've actually um made a copy of the original so in that sandbox environment whatever changes you make to that data do not apply to the original data so we can go as far as to say create a standalone copy that's independent of that hard of the original data so the standalone copies have been used in courtroom cases whereby you actually go
            • 26:00 - 26:30 there and you you open up the computer as it was without the original data but you've just because you've made that sandbox environment so you're playing around with it and seeing what was what was done the history the files on there you name it jump lists I don't know if that everyone's familiar with what jump lists are but I wasn't especially when I joined but I knew what you know when you know what something is but you don't know what it's called that's what I had to um I got familiar with jump list when I joined um MD5 so
            • 26:30 - 27:00 you can get access to jump list as well so VFC is very very thorough and very effective I just want to say one more thing as well in terms of like going back to triage you would expect that triaging a a system or booting up um a system to see what has happened on that laptop would take hours with VFC it takes a couple of minutes really that fast if it takes If it takes five minutes it that's too long
            • 27:00 - 27:30 wow that's That's pretty amazing yeah before you even virtualize the machine it gives you the the ability to to triage it so that takes a couple of minutes going up the system virtual machine that's probably about five minutes wow so very fast yeah heck yeah and and I'm curious to to those that are kind of tuning in or if you're watching this later on in the in the recording post essentially um uh leave something in the
            • 27:30 - 28:00 comments or those of you there now put something in the chat if you're currently virtualizing if you're not why I want I'm just curious because you know I I should have done it more than what I did I'll I'll admit um we did do some virtualization in in the lab back in the in the day but you know it made life so much easier and I can I can think explaining because I don't know how many
            • 28:00 - 28:30 well I said how many people that you run into that have like in law enforcement obviously that's where I can speak from because that's where I I came from was my supervisor um one of them not not all of them um was uh not techy at all he was an investigator even the even the detectives or the actual investigators who we were doing this for um and you know part of my my st and I'm going to preface this ahead of time so no I don't
            • 28:30 - 29:00 get any hate uh emails that I was in narcotics and they're not known for being the brightest bunch in the bulb and then I was on SWAT on top of that so it takes my IQ down to here I'm just saying if they could break something or not necessarily understand it we were the ones doing it and I needed to explain these complex pieces of information to other investigators that weren't tech um
            • 29:00 - 29:30 especially my supervisors as well um this is a huge thing for them to be able to do that relatively easily um so I use I know I use the example of of my mom but now let's put it to applicable use to uh to other investigators that's really where this thing will rock out or they can understand a little bit better 100% I mean on a day-to-day basis I my the remit of my job is to follow up with all
            • 29:30 - 30:00 users of VFC and as you just said rightly said law enforcement is a large portion of our clientele when I do speak to them it's rarely do I ever get any any negative feedback maybe if someone's doing something wrong they clicked the wrong button somewhere hence why I'm required because I now and again I'll go in and do a demonstration and just refresh them on what VFC can do because we always release you know soft updates
            • 30:00 - 30:30 now and again you know from time to time um at the moment we're on version seven an update was released in January so you know now and again when they when they not when they're not too well versed with the software itself just the wrong button clicked then that's when they report some some issues however nine out of 10 times people have all the best things to say that's not my sound effect that's all you that's my 7:30 alarm apologize that's right yo you're
            • 30:30 - 31:00 in the UK right yeah we are in the UK if you saw I may have jerked my hands back a little bit from my control panel because I was like did I hit because I got all kinds of fun see I got noises and that was all you not me someone's won a prize just to go back so nine out of 10 times they literally just have all the best things to say in terms of like you know VFC it's effective it does what it does and it's so easy to use and the
            • 31:00 - 31:30 fact that it's it's easy to use makes it such a joy to to to be using on a daily basis because most people that's literally their their job their 9 to 5 is they go into the office and they're virtualizing stuff for cases and then like I said most people they use it 50/50 because they're relying on other tools but however it's it's effective and it's easy like it makes it makes all the it takes the complexity
            • 31:30 - 32:00 out of You know when I first joined MD5 I was blown away because initially about cuz MD5 has been they've been running for 17 years now and when they first went into development of VFC my understanding is that to virtualize a machine would take hours but now like I said it's 5 minutes you That's awesome I've got Kevin's laptop I know what Kevin's got in his folders that's scary
            • 32:00 - 32:30 you You don't want to see what's in my folders let's just stay on the right side of the law yeah we got you no I'm good there good there but so it's it's effective and powerful yeah no absolutely absolutely it is um and we're going to dive into this just a little bit but I I noticed um Joe Lopez had said that they had done some virtualization in the past is this the same Joe that I know I was just curious here because I can never tell just a name that anyway I'm just curious I won't put it up on the screen if if you
            • 32:30 - 33:00 know me but you can throw it in the chat um so there's also you have some different ways right you had mentioned that which I wasn't aware of kind of the the triage right um if you have uh on scene right yes what other ways can you virtualize because back in the day again I keep saying that it was a and you already mentioned this you already alluded to it was a pain in the rear to virtualize anything um I was creating an image then
            • 33:00 - 33:30 trying to explode back to a hard drive and I was I was stomping all over that copy changing stuff and it's just easy now but what are those what are those ways that now that an examiner maybe who's thinking about this can uh can do this okay so in order there's three ways three main ways to um in which VFC works so the first one is that you run it from a like you just
            • 33:30 - 34:00 mentioned from an image and the second one is you run a hard drive from a write block device or you run a computer through a hard uh sorry a write block device so meaning that it's all forensically sound so it's only one way information only goes one way there are no changes that will be made to the original data so that's what um a write blocking device does so the
            • 34:00 - 34:30 third way is what I previously mentioned with the um when using the portable version of VFC which is pretty much a dongle that you take on site plug it into to the machine the desired machine you boot up from the USB rather than booting up from the actual hard drive okay I see and yeah once you've booted up from the USB you now you're now in a virtual environment you're already in a virtual environment now you mount the hard drive off that device so that it's now
            • 34:30 - 35:00 forensically sound so no changes once again can be made to the machine that you're on so hence why you can now be able to determine whether that laptop was used when it was last used and the rest of it so obviously if it's your laptop that you want to use in a in a case you want to take it to court you want to you want to actually investigate it no one can then say "No but you guys turned it on when you're on the scene crime crime scene how do I know you didn't make those changes?" It's the
            • 35:00 - 35:30 fact that you're write blocking everything you're protecting your it's forensically sound from the point of contact so those are the three ways uh that VFC works yeah and you could you could now let me ask you this how hard is it to actually train someone who doesn't have forensic background to utilize like um the dongle or I'm guessing it's a USB stick since you're booting up from it how how hard is it to to teach someone to to do
            • 35:30 - 36:00 that not very I think that the only for me when I was shown it made sense instantly I mean my my IT acumen goes as far back as to just what did I do I did database systems in uni you know for my undergraduate um nothing heavy it was a watered down version of computer science so the technicalities of computers I don't really know it's what I've learned as I've grown up but once I was shown how to run from BIOS because you just have
            • 36:00 - 36:30 to force start the computer to just open up from BIOS and once you know get that in your head and you just set it so that it runs from USB that's it you're using it's normal you're the the portable VFC actually just creates you're in in a Windows environment and then on that environment you've got the VFC software on the on the USB so now once you're in that US in the in that in that mode you can now actually
            • 36:30 - 37:00 inject your own investigation files onto VFC onto that machine gotcha got you and that's that's important because you know I don't know how many times I was called to scene now obviously times have changed a little bit people a little bit more aware that this happens but I'd get called out to a uh a residential search warrant or
            • 37:00 - 37:30 something like that where sure enough soon as I would get there investigators were already going through the computer system no VFC they were just like "Oh what did this person do?" And they're opening up email I'm going like ordering dominoes for themselves yeah this uh the pain my soul leaves my body as I see this happening I'm like no but this is something they could do um you know with you know not much skill
            • 37:30 - 38:00 set required where they're still keeping the integrity of the data um that's that's needed and that's what people forget I guess you know mistakes happen you can long as you can explain yourself but man you're hurting you're walking on your evidence and hopefully you'll you'll fly by it that with that portable stick that you're talking about that's going to make lives a lot easier yeah very very easy in terms of just saving time saving
            • 38:00 - 38:30 resources cuz you can imagine I I know you can you can attest to this the amount of backlogs that you know you have in DFUs for you know mounted up laptops or computers you name it because you don't know what's what but when you're triaging things on site you're eliminating a lot of unnecessary um evidence yeah now and this is something I don't know um you said it was Windows based is
            • 38:30 - 39:00 Windows kind of what we're limited to there or can we use can we see other operating system do you know do you have that information sorry just ask me that again um with other operating systems say like uh um I'm running well I'm going to give you the most challenging one probably Mac or Linux um or anything like that are we are we limited to the Windows-based environments with VFC or will it do you know if it'll handle the other operating systems out there right
            • 39:00 - 39:30 so it's Windows uh for the time being okay um perfect there are a lot of challenges when it comes to uh Mac uh Linux I do remember just going through an old hard drive that was running Linux but I don't know as far to say if they're still sort of like keeping up with all the latest softwares of Linux at the moment I have seen a I have booted up a virtual m virtualized
            • 39:30 - 40:00 machine of Linux you know an image when I was when I first joined the company you know when I was rummaging through all the hard drives and trying to understand how VFC works right so yeah so right but I can 100 I can 100% say at the moment with Windows we're up to don't take my word for it but I'm sure we're up to 10 if not 11 for Windows okay okay I'm not a Windows user so I don't I don't know what the latest one even is said uh to say but that it makes sense because Windows is kind of the most
            • 40:00 - 40:30 popular operating system out there on computer systems so does make sense so Sam if you don't know Sam I I'll tell you a story I'll wait till I'm offline so Sam doesn't hear me talking about him kidding Sam I'm kidding um so he mentions that in the Bin Laden computer um and I remember him actually telling the story it's been a number of years ago Sam that you told me this story but um you can actually see the artifacts uh and being booted up multiple times after
            • 40:30 - 41:00 Bin Laden was already dead so uh it's like oops somebody was walking on that evidence for changing some date and time stamps um in that mess and had that investigator had this tool problem solved well assuming they're going to use it that is but we can't force them yeah I I just want to jump on on on that um jump in on that what Sam just said there um so one of the um scenarios that I've seen when I was
            • 41:00 - 41:30 reading up and from my predecessor's notes is that um there was a case where a computer was brought in or it was a laptop it was brought in to um to MD5 and when it was opened up it seemed yeah it appeared well it had the latest software on there you know Windows software however a using VFC it was restored to an earlier point
            • 41:30 - 42:00 wow in terms of Okay and then they realized that on in the earlier point it actually had older Windows uh operating system on it and then they were able to see folders and evidence of terrorist activity oh that's curious I wonder if that was done through a restore point that's interesting yeah yes it was done through a restore point obviously with the with the assistance of VFC that's correct
            • 42:00 - 42:30 yeah oh that is phenomenal that's actually kind of crazy that that could be done in all in a virtualized environment which is Yeah which is cool because I mean some of the use cases for this um you know especially with the triage part of it you can get usernames what else what what else could uh be potentially used in the in the triage environment just to see if you know you need to take a take that
            • 42:30 - 43:00 system into the lab for further analysis or not so try try like so you can see um you can see links that have been accessed you can see if USBs have been used on that machine and importantly once you identify that a USB was used there can be a case where if that same USB is is is has been acquired in evidence you can
            • 43:00 - 43:30 now actually mount it and boot it up in the VM as well so you've got the Yes you've got the complete package of what the user was accessing so as long as you can see okay they accessed this this USB and you identify that USB you can now boot it up as well and no kidding so you can bring it into your already virtualized environment yes where it's safe see now you're messing with my brain so VM and then you're bringing in other
            • 43:30 - 44:00 virtualized items okay I get it I'm I'm tracking with it like I said I'm not the brightest so browsing history you can see that uh document list installed software as well so someone could have installed something it's taken it off but you can now see that as well and you can see when it was installed you can see when it was uninstalled you can see if there was a software update all the rest of it yeah and and I can see I'm going to pay play kind of the devil's advocate I'll
            • 44:00 - 44:30 play the opposite side if if I'm an advanced which I'm not forensic examiner um you know I'm just going to use my other tools right and and they're not it's not designed to replace those it's designed for I think what what you just said like quick triage plus the court side of things too or being able to explain explain and explain yeah how that suspect saw the machine right i mean it's different from I don't know let me
            • 44:30 - 45:00 think of something like a desktop environment right if you're dealing with I don't know uh terrorists of some type right and maybe they have some incriminating desktop with their icons all positioned a certain way I don't know I'm just thinking of some weird thing you would never see how the icons are positioned in a forensic exam right the only way to really see that recorded Yeah yeah has to be in a virtualized environment right um yes you can in a
            • 45:00 - 45:30 virtualized environment you can see all of that is there the benefit you can see images that they had and it it's it's it's very impactful once it's in a courtroom situation isn't it all you have to do is actually open up and then if the desktop has got some propaganda or type of imagery then case shut open and cut and shut case Johnson right absolutely absolutely um I'm gonna take a small break here for a second and
            • 45:30 - 46:00 I'm gonna bring up um Oops hold on let me make sure I get this right I'm gonna bring up the website it's just gonna move us down I got I'm really just like wanting to see our fancy graphics everything move around here uh but this is the website right it's just md5.uk.com um and for those of you who are interested and want to see anything I don't I don't want to do a commercial on this but this is going to help someone out there that um is going to be curious you can go in here and and check it out now what I just saw
            • 46:00 - 46:30 um is this little gem here this is all the kind of the the case studies I think it's probably some of the ones that you were maybe talking about in here that if somebody want to see like hey how was it used what what are some of the other things they could do like I see a Brave browser uh one here which is which is interesting no it wasn't but if you're curious go ahead sorry
            • 46:30 - 47:00 no no go ahead I know there's a small delay even between you and I because you're clear over Okay across the uh the pond so to speak very true it's a lot of miles isn't it in between yeah yeah and the way it's fun it's funny the way this software works is it's not like um when we do like a Zoom call or a Google Meet or something like that you're actually connecting to me directly to my Mac and that's why you see you see it as a
            • 47:00 - 47:30 browser and I see it as this it's a control center for me um it it's really bizarro looking and then the delay back and forth is different and then by the time we go out to YouTube another 15 seconds has passed so you my friend and me are living in the future a little bit so just so you know we are here we are here yeah absolutely okay anyway uh case studies there's a lot of them that that people can go and see here yeah correct I just wanted to um just highlight the
            • 47:30 - 48:00 the Brave browser one that you mentioned cuz um basically I just wanted to highlight the power of VFC so most forensic softwares are not able to retrieve all the things that I've mentioned so you know how on um on Windows or you don't use Windows so I'll excuse you on Windows you can have notes you can have sticky notes on Windows on your desktop right and you can write notes on there VFC has got the power to even retrieve sticky notes as I
            • 48:00 - 48:30 mentioned it can retrieve jump lists and you can bypass passwords but you can also reset passwords so in the example where you reset a password once you're in the the virtual machine and you're now browsing you you go on the web browser you're not bear in mind you're in a sandbox environment so you're not connected to the internet so let's say you you enter the password that you've created and you're in a browser it then shows you it can actually open up
            • 48:30 - 49:00 accounts so in this case of this Brave browser one uh crypto crypto information was able to be accessed on the Brave browser and for those I'm sure you know but for those in the know Brave browser is meant to be um supposedly one of the uh the secure website so it's not easily retrievable but VFC is able to retrieve um Brave browser and on top of that you can even access things that the previous user was using so crypto wallets were
            • 49:00 - 49:30 were opened although obviously no information was was seen no not too much information was seen but you could see track and see that they had crypto information you know so in in cases like this it's it's it's it's important in terms of like being able to to deliver a case you know in terms like this critical evidence yeah no that's that that's actually really good information I would even
            • 49:30 - 50:00 considered uh something like that so no that's uh that's great hey real quick also I got to push one of my new buttons there you go so there you go so I like my new little button down there um so if you guys are not subscribed to the channel if you want to hear more awesome stuff uh just like this topic that Blessed was nice enough to come on here and it's your evening Friday evening no less like you have nothing better to do on a Friday evening but hang out with us here in the US
            • 50:00 - 50:30 um then you get alerted uh so make sure you subscribe to the channel um hit the little bell every time we go live um you'll get um an alert and then um also you can see whenever we schedule a new live you'll be able to get that information too and and it helps really uh with the with the algorithm of you know our our mission at cyber social hub is to just share knowledge um because oh crime you can't know it all and I I definitely don't I I learned so much new
            • 50:30 - 51:00 in just this talk that that you and I have had here um especially with the triage stuff I hadn't considered that and it's important to share that information so with that too and I know um I don't know if you're in Cyber Social Hub yet as of not but we're going to we're going to fix that uh we'll get you we'll get you in there um is if you're listening to this right now um and you're not a member of the hub make sure you come in and join because it's conversations just like this um that you
            • 51:00 - 51:30 may not have considered it's like "Hey how do I get this or this out of a Brave browser?" Um and then Blessed could answer you right back instantly and say "Hey this is how you would do it through through VFC." So it's really designed to help examiners and investigators share and and get that type of information so again shameless plug here at cyersohub.com to get it um out there so again thank you for that quick pause there I wanted to make sure I got that in I told Megan it's like "Hey I always forget to tell people to join and I got
            • 51:30 - 52:00 to do that and make sure it gets done." So there now it's done so thank you for that great so what um people are always a little curious what part of the uh the UK are you in so we we are well myself I live in South Yorkshire but I work MD5 is based in uh is where's Yorkshire I mean I live in Doncaster okay okay I'm trying to picture that is in in my head I'm geographically impaired here in my own state much less
            • 52:00 - 52:30 just above the Midlands area okay so we're like kind of in the heart of the UK there okay so is it is that the area that it's constantly gray and gloomy or is that more south um it's we're getting we're getting we're close to the gloomy area yeah I would say Manchester is more gloomier but it's England it's all gloomy
            • 52:30 - 53:00 but I would say that today was a today was a beautiful day I think we experienced 19 degrees at one point okay but sorry I know you guys operating Fahrenheit I don't know Fahrenheit so Fahrenheit probably it's 60 I don't know I'm guessing I'm I'm doing the conversion now cuz I don't know you said it was 19 196 degrees so that's really nice Fahrenheit wise holy moly yeah cuz right now it's 52 here it's actually pretty
            • 53:00 - 53:30 warm right now here in Northern Ohio so I'll do the conversion back for you 11 there you go so now you have it back okay okay I should I should always put that screen up uh yeah conversions yeah so I'll tell you what if if someone's interested do you guys have trials do you have like demos that you can give people if someone watching right now or down in the future are are interested in this kind of technology is
            • 53:30 - 54:00 it uh how how do they go about getting a hold of you or seeing it what what kind of steps should they take okay yeah so definitely we do provide demos and that's my main job to be honest with regards to VFC yes so I believe it is sales at md5.uk.com okay I'm going to I'm going to do this contact us and see if it's uh down here
            • 54:00 - 54:30 I don't think it is um on there but yeah um looks like you can head over to the website too but sales uh at md5.com okay there's a few dots so I'll put this into the show notes whether wherever you're watching or listening to this um I'll put it down in the show notes somewhere uh you should be able to find
            • 54:30 - 55:00 that so uh so you can get a hold of Blessed and uh and get that demo and take a look at it because there's so many I mean so many practical uses and I looked at the time and obviously when I start planning for like the podcast the the goal is to get at least 30 minutes um out of a podcast and it's 54 minutes in as of right now can you believe it went by that fast I can't believe it to be honest with you I was I
            • 55:00 - 55:30 was slightly nervous I know yeah and I I told you it was easy uh it everybody who watches regularly knows that uh we don't take ourselves too seriously you can't in this industry um and uh and if you don't mind I'll I'll tell the story a little bit uh Blessed that since you're you know you're fairly new with the company obviously and then coming on a podcast it's it's never fun coming with
            • 55:30 - 56:00 on all your peers anyway right you're always worried that it's like oh I don't want to misspeak or say something wrong and here everybody generally they're usually focused on making fun of me anyway so you you're always safe here number one um but it's really here just to help each other out you never have to worry about it's it's such like it's the best industry ever uh to be involved in so if you guys ever make it to a US-based show um which I I don't know if
            • 56:00 - 56:30 you you come to too many of them but um if you ever do make sure you you come find us and say hi because we're generally at some of the US shows um so yeah be be sure to do that it was funny when I I was trying to reassure Blessed that hey that it's I'm not going to you know kind of twist your arm on some of the questions or pick your pick your brain for all of knowledge and things like that it's just casual conversation of
            • 56:30 - 57:00 how technology helps law enforcement and and you know we don't get down too far in the weeds here but we talk about the concepts and and that's really what the the main thing is is like give somebody some that extra little bit of information they may not have had before and I I think you definitely succeeded with me i didn't know some of this before so I think you did a great job I'm I'm happy I I've imparted some knowledge to the the to to yourself with
            • 57:00 - 57:30 all your experience yeah well again uh I I it's not a high bar for me personally because I'm not I wasn't the brightest one in there so but no you did uh that was really good and now I'm going to actually uh dig down into into VFC a little bit more myself personally and read the website so again if you guys want to uh check out the software or you're a little bit more curious about it you can definitely go to md5.uk.com
            • 57:30 - 58:00 um check everything out if you have a question I am going to get Blessed into Cyber Social Hub um where you can just find him in the hub if you got a question and you can ask him directly there too because uh he'll get a direct message he doesn't know it yet but he's going to sign up so um we'll we'll we'll go from there I think uh I think Lindsay might be in there already too though um so I don't know if she kind of drowned in there as well so hey sir thank you so
            • 58:00 - 58:30 much don't go anywhere yet I number one I want to say I appreciate you taking the time especially I I always forget the time difference um and you you take your time in the evenings to come and uh and do this so much appreciated to share your knowledge and information with us so thank you it's been a pleasure I'll be here next week oh excellent excellent uh everyone else thanks so much for hanging out with us again it was Friday uh and you're almost through the Friday here in the US well at least East Coast we're at 3 getting creeping up on 3:00
            • 58:30 - 59:00 p.m California yeah you're at lunch it's the way it works and then Hawaii and Alaska it's even worse so it is what it is Sam though thank you very much sir I appreciate it um uh make sure you guys visit visit the hub join up don't forget secret word what it was I forgot already blue line uh intel so go check it out um we'll put the link down below uh if you're listening that way you can still hit the link um from this as well um so again till next week we'll talk to you
            • 59:00 - 59:30 guys later again Blessed thank you very much it's much appreciated thank you Kevin thank you