Walkthroughs

Walkthrough: How VFC 5 Can Exploit Windows Live ID (Inc PIN)

What is Virtual Forensic Computing?

Virtual computing transforms investigation of the digital crime scene.

Having access to the ‘digital scene of crime’ can offer huge benefits to an investigator. Whether investigating fraud, murder, child abuse or something else, seeing the computer through the eyes of the suspect can be invaluable. Building a virtual machine (VM) of the suspect’s computer is one easy way to get forensically sound access to the user’s environment. 

A VM allows an investigator to:

  • See the desktop and operating environment just as the user saw it
  • Navigate financial records within the native software (Sage, QuickBooks, Great Plains etc.)
  • Access emails and internet search histories, demonstrate interaction with installed software
  • Determine accessibility of illegal files

“I originally ordered VFC for **PD and have been using it since.… VFC has proven to be invaluable. I first searched for forensic virtualization software in 2008 after assisting with a financial crimes investigation.  

A computer with business records had been seized.  Data files with an obscure file extension were located during forensic examination.  I did not have a compatible viewer and couldn’t verify manually-parsed data. I did locate proprietary accounting software within the suspect image.  

In an effort to view the correctly-formatted data, I contacted the accounting software company and requested a copy of the software.  They generously sent a copy of the accounting program for use in this investigation. I installed the software on my forensic workstation and, after some tweaking, was able to view the formatted data.  While I was eventually able to review the data, the manual process of extracting the data, acquiring the correct version of the proprietary software, and finally hoping it would all work on my forensic workstation was cumbersome, at best.  

I… used VFC to show attorneys and investigators digital evidence as the user would have viewed it. ”  

– Digital Forensic Examiner, Charles County Sheriff’s Office

VFC simplifies the virtualisation process

As virtualisation platforms have improved, building a replica of a suspect’s system has become much easier. What once could take a few days now takes just a few hours if you are lucky. Most of this time is spent fixing driver errors (e.g. human input device drivers such as the mouse and keyboard) and overcoming driver problems and the infamous blue screen of death (BSOD). 

However, with the right tools, investigators can now do all this reliably in just a couple of minutes. 

‘Virtual Forensic Computing’ or ‘VFC’ allows the user to create a VM from a forensic image (or a write-blocked physical hard disk drive), automatically fixing common problems and  typically booting the VM in under a minute. VFC makes the virtualisation process smooth and hassle free. 

Among VFC’s valued customers, to “VFC a forensic image” has become synonymous with virtualisation since it was first released by MD5 in 2007.

“VFC has become an essential tool in our forensic investigator’s toolkit. It provides investigators an insight into the suspect’s perspective by actually seeing the user’s desktop, settings and user environment. Screen captures from the suspect’s ‎environment add significant weight to the forensic report when describing how the suspect utilized the computer to facilitate the crime. 

VFC is truly a tool that I rely upon and use in all my computer investigations!”

– D/Sgt Vern Crowley, Ontario Provincial Police eCrime Section

A picture speaks a thousand words

Using a VM to replicate the user’s computer, the desktop environment can easily be captured for presentation to a judge or a jury. This helps juries understand the more technical aspects of their reports, or enable powerful emotive images to be put before the judging panel. Using VFC, investigators can:

  • take screenshots and embed these in their reports.
  • record video screen-capture of an examination to playback in the courtroom
  • Create portable versions of VM to demonstrate live in court 

VFC is now used on every continent, in almost every aspect of digital forensic investigations, by law enforcement, military investigations teams, forensic and cyber investigation teams in both the private and public sector.

“VFC is a very useful tool for us as the screenshots we can show a jury far outweigh simply writing about a topic.”

– Graham Green – Suffolk Police

“The product is getting better by the day and is one of our main tools – a picture paints a
thousand words as they say – very powerful in court…”

– Mark Boast, Forensic Analyst, Suffolk Constabulary, UK

“I imaged a drive which had some positive keywords … and thought I would have a look at it using VFC. The results were extremely impressive.  It showed the suspect using shareazza to download illegal content and also showed the actual folders on his desktop. Makes proving this case really easy.”

– Computer Forensic Investigator, Durham Constabulary, UK

VFC 5.0 launched July 2019

VFC 5.0 integrates the VFC workflow directly into existing forensic analysis tools, making the creation of a VM even easier with its integration components for common forensic analysis tools:

  • EnCase Enscripts 
  • XWF X-Tension files

The integration components are provided with the standard VFC package and can be setup and used within minutes. Similarly, VFC now supports a command line interface to   support automated workflows. 

These exciting new features  now allow the analyst to launch a VM of their target image directly from within their standard forensic examination suite.

VFC Mount helps reduce common errors

VFC 5.0 now comes with its own mount utility, VFC Mount, to simplify the virtualisation process and remove reliance upon third party tools. VFC Mount currently supports .E01, .EX01, AFF4, .VMDK, .BIN, .IMG, .RAW, and .DD images.

VFC Mount helps reduce instances of common Windows errors when dealing with mounted images such as the very common “The physical disk is already in use” error in VMware.

VFC 5.0 contains numerous other tweaks and upgrades to make the VM-generation more stable and effective. Early feedback has been very positive:

“I have downloaded version 5 and have used it on a couple of occasions recently, I find it
more successful in running the VM than version 4, I get less error messages than before especially the one relating to the drive being already in use. So far very happy with the upgrade

– Kevin Mount, Queensland Police, Australia

Password bypass (PWB) gives quick access to suspect accounts

VFC also gives the ability to clearly demonstrate that something doesn’t work – for instance, if a suspect insists the password they have provided is correct, VFC provides a quick way to prove them wrong without affecting the original data.

“VFC allows me to try passwords first, show they don’t work, and then bypass …”

– Special Agent, DHS ICE, US

Historically VFC PWB only worked on local Windows user accounts, however, now VFC 5.0 adds support for Windows 8/10 ‘live’ accounts with the Generic Password Reset (GPR) feature.

New from September 2019 – Windows Live ID Exploit (including PIN accounts)

Generic Password Reset (GPR) tool

New to VFC 5.0, the GPR tool can be used to help make powerful system-level changes. With GPR, the investigator can:

  • List User Accounts (including password status)
  • Bypass security on Windows online (Live ID)
  • Reset account passwords to known values (including PIN accounts)
  • Open a SYSTEM level command prompt (at the logon screen)
  • Easily reboot the guest VM

Early feedback from a select group of active police investigators, that have been given pre-release access to the Live-ID feature has been very positive.

“[VFC5] Was a dream to use. Easy to follow the prompts in the GPR. I converted the live account …, used the GPR password reset, and voila, I got in.

I will be adding some very convincing evidence to my investigation by being able to show the Judge/Jury what the User was seeing instead of just my forensic analysis.”

– Cst. Chad Seidel, Saskatoon Police Service, Canada

Continual investment ensures continued development

With additional support for Linux and other Operating Systems, VFC has continued to deliver new features since it was introduced. The newest features (for ease of reference) include:

  • Windows ‘Live ID’ (online) password reset feature – gives the user a simple method to get around even the latest in Windows user security
  • VFC Mount  – simplifies the user experience and minimize common VMware problems 
  • Generic Password Reset – gives users a simple and fast way to access a specific account or make system-level changes. It is portable, powerful and user friendly.
  • Command Line functionality and inclusive components – seamlessly integrate with EnCase Forensic and X-Ways Forensics allowing VFC to be used alongside existing, trusted forensic software.
  • 64-bit host system support – brings VFC fully up to date, giving it a rightful place in today’s forensic laboratory

Other significant features include:

  • Standalone Clone VFC VM gives the user the option to export a copy of their VM that can be reviewed by an investigator away from the forensic analyst’s workstation, without the need for a VFC dongle (license). 

“I really like the standalone VM option that VFC has now.  Giving a VM to a case agent to use on a review station has always been an issue.  The standalone VM solves that problem.”

– Special Agent, DHS ICE, US

  • Modify Hardware allows VM hardware to be amended including adding extra drives or network support 

“The addition to be able to stitch in a second drive is … brilliant … as we are … able to fully replicate the users environment rather than just their Windows installation drive.”

– Paul Ripley – Cleveland Police

  • Password Bypass (PWB) feature for Windows user accounts –  VFC 5.0 has increased the number of discrete PWB routines to over 2000, up considerably from 500 with VFC 4.0.
  • Patch VM / Restore Points  feature  – allows the investigator to patch problematic virtual machines or repair a VM after using the Windows system restore feature to ‘rewind’ a VM to an earlier historic state.
  • The VFC Log File – keeps a forensic log of all steps taken by the software (effectively contemporaneous notes) and makes VFC a powerful weapon in the forensic investigator’s arsenal.
  • Updates and upgrades have enhanced the product more, including further OS support, new password bypass routines and slicker processes. 

Development continues at a pace at MD5 Ltd; our constant aim and goal is to continue delivering a product that solves even more of our customers’ needs:

“Absolutely loving this version, there hasn’t been a password it hasn’t cracked!

Had absolutely no problems putting accounts offline and changing the passwords either through the password bypass… and it worked with password and PIN protected accounts, even 1 which defaulted to a picture based login it changed the local password without a hitch.

Can’t wait for this one to launch as I suspect it will prove uncommonly useful for us.”

– Peter Bayly, Digital Forensic Investigator, Northumbria Police

Download V5 Windows LiveID full article

To purchase or find out more about VFC visit the website www.vfc.uk.com or email: sales@md5.uk.com

About Scar de Courcier

Scar de Courcier is Senior Editor at Forensic Focus.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,271 other followers

%d bloggers like this: