MD5 Ltd helps police agencies present digital evidence – clearly


Company: MD5 LTD
Signature product: Virtual Forensic Computing (VFC)
Website: https://vfc.uk.com

Founded by a former National Crime Squad ‘Head of Digital Forensics’, MD5 Ltd offer Forensic Software, Data Recovery, eDiscovery, eForensics and traditional Digital Forensic Investigations.

MD5 Ltd are the makers of the original “Virtual Forensic Computing” software (VFC) which is used by investigative agencies around the globe. Their customers include the FBI, numerous County and State Sheriffs' Offices, the Australian Federal Police, the Metropolitan Police Service and Homeland Security agencies on every continent.

1. Where did your company name originate from?

MD5 was set up as a digital forensics business in 2003. An “MD5 hash” is a “digital fingerprint” for an electronic file and while it may be old hat now, back then, the name seemed apt! MD5 are well known and well respected in our community.

2. What was the inspiration behind starting your company?

MD5’s director and co-founder had served over 14 years as a financial investigator and digital forensics specialist, first for a local P.D. and then latterly for the National Crime Squad where he headed up digital investigations.

The wealth of knowledge and experience gained through working closely with law enforcement agencies around the globe (ranging from the FBI to the Spanish police) was put to good use, and MD5 was established to provide a bespoke digital forensics service to police agencies.

3. What is your signature product and how does it work?

MD5’s Virtual Forensic Computing software (VFC) essentially allows the user to boot up a computer from a forensic image in a forensically sound manner.

VFC very quickly builds a forensic replica of the target system (the exhibit) as a Virtual Machine (VM). The resulting VFC VM is launched in VMware to enable the user to navigate around the suspect’s desktop as if they had just turned on their machine.

Typically, within a minute, the user can have built and launched a working VM copy of the suspect's machine. The time this saves and the benefits it gives the user deliver exceptional return on investment.

VFC lets the user:

  • Build Windows, Apple Mac OSX, Linux and SunSolaris VMs
  • Bypass Windows User Account passwords
  • Collect password hashes to use with external hash-cracking tools
  • Add extra hardware to an existing VM (so you could for instance rebuild a tower system with multiple drives as a single VM)
  • Generate a standalone Virtual Machine clone (for further investigation without tying up the forensic workstation further)
  • ‘Rewind’ a VFC VM back in time using Restore Point Forensics

As a digital forensics specialist provider that has worked with law enforcement agencies since incorporation, we have found that using a virtualized copy of a suspect's computer can add real value to an investigation, offering visual support to technical reports and delivering technical solutions that would not otherwise be straightforward without access to the suspect's actual computer.

MD5’s analysts found that they were always encountering the same hurdles and fixing the same problems when building working VMs, so in 2005 the first code for VFC was developed to automate the VM generation and error-fixing process. In 2007, MD5 released Virtual Forensic Computing (VFC) software to the forensic community.

Today, VFC is often considered an essential tool for the forensic investigator. It allows for seamless recreation of the "digital crime scene" without requiring the original hardware.

“A picture speaks a thousand words”

Most citizens have interacted with a computer and so feel more at home seeing a PC desktop than reading or listening to technical notes. VFC delivers visual evidence (e.g. via screenshots, screen-capture video or live use in court) which is much easier to explain to a non-technical audience such as a judge or jury.

4. Why do you believe your products are essential to the law enforcement community?

Below are a couple of examples of how VFC has aided police investigations:

1. Sgt. Rob Holland of Oklahoma City PD secured a successful conviction in a 'no body' murder case, based on circumstantial evidence alone, when he used VFC to boot up the suspect's computer in court and show the judge and jury what files were on the suspect's computer and where they were located.

Holland told MD5,

“Virtual Forensic Computing (VFC) was directly responsible for the prosecution of a case I worked several years ago. The case involved a victim being reported missing after he failed to turn up for a weekend of military drills. His wife confided in a close friend that she had committed the murder, however the husband’s body was never found.

The wife was eventually arrested for the murder, but later denied knowing anything about the crime, the whereabouts of her husband, or the admission to her friend. No body was ever found. Everything in the case was based on circumstantial evidence found on the suspect’s computer, cell phone records, and the friend’s statement. The standard forensic tools were originally used back in 2007 but it wasn’t until a few years later when I came across VFC and we were able to get a much clearer view of what really happened.

I convinced the D.A. in this case to allow me to bring a laptop and projector into the courtroom and “boot” the suspect’s computer using VFC/VMware. This made all the difference in the world. Juries get stuck looking at our technical printouts and reports full of computer jargon and they are unfamiliar with it. Instead, we “booted” the image made of the hard drive in her computer using VFC and VMWare. With the judge, jury, and everyone else in the room, it was clear what had really happened. Everything from the way she organized her icons on the desktop (mostly .txt files showing how to dismember bodies, roast full size pig carcasses, etc.) to all of her internet history clearly re-assembled (using her original browser) detailing the searches made for items used in the commission of the crime was priceless. Internet chat programs, e-mail… it was all right there – and in a format that anyone who has ever used a computer could easily digest.”

2. Peter Solis, a computer forensics examiner for Ventura County Sheriff's Office in California, was investigating a suspect for child pornography offences. He used VFC to ‘boot up’ the suspect’s machine and then took screenshots of the desktop environment. He showed these screenshots in court and they were instrumental in securing a successful conviction and an 18- month jail term.

Solis told MD5,

“I was assigned a case where an individual was suspected of child pornography. This was part of [an] operation where the suspect had been downloading child pornography.

This case ended up going to preliminary hearing and I felt that it was important to virtualize his computer. Due to the items I discovered in plain sight on the desktop, I knew that capturing screenshots would be a great idea since it would show his desktop in the same nature he viewed it. I created copies of the captured items and went over it with the attorney.

Once I took the stand, I explained my examination process and listed the amount of items I discovered on the computer. Then we played the video and showed screenshots of the virtualization. I was able to show that the computer contained no password and booted right into the desktop.

The desktop consisted of a background with a child pornography image containing nude females whose ages averaged around 10 years old. Not only that, but he had folders created on the desktop that categorized his collection with common child pornography naming conventions ... [naming conventions removed but content was of young and very young children and known child victims] … Needless to say, everyone in the courtroom was repulsed by the screenshots showing the desktop.

Following the hearing, a quick plea was agreed to. The suspect was sentenced to nearly 18 months of prison time for being a first-time offender.

I have used virtualization for many things, but [in this] case … I was able to highlight … desktop contents that proved to be very important to the case. I possibly could have used another process to virtualize or boot up the computer, but none would have been as quick and simple as using VFC.”

5. What has been the biggest challenge your company has faced?

The biggest challenge for us has been raising product awareness outside of the UK. While it is already used by internationally recognized organizations such as the FBI, the Australian Federal Police, the British Metropolitan Police and the UK National Crime Agency, the digital forensics community is by its nature very guarded about the work they do. We have found that trade shows and exhibitions only reach a small minority of potential users and often those that do come to such shows are not decision makers or budget holders.

Most people who see VFC in action can immediately see the benefit of it, and most of our users speak very highly of it, but they don't necessarily share their knowledge of it. The FBI are a prime example of this - even within their own organization, there are still offices that have never even heard of the product.

VFC has in the past been confused with another (now obsolete) product called LiveView. LiveView was an opensource project based upon the original research for VFC but support ended in 2012 with WinXP.

6. What makes your company unique?

MD5 make the original - virtualization solution for the forensic investigator. VFC remains Forensic Software “agnostic” meaning that users can choose their companion imaging and mounting tools. Partnering with VMware offers stability and confidence in the end product.

For Law Enforcement, no further purchase is necessary to make VFC work. VMware invite “non-profit organizations” to take advantage of their free version, VMware Workstation Player (please note it is NOT free for commercial use). FTK Imager from AccessData is freely available to download and can be used as a no-nonsense mounting tool, allowing the user to mount multiple images at once.

VFC, by design, makes VMware do things it wasn't originally built to do, fixing errors automatically to save the user hours of complex problem-solving.

7. What do your customers like best about you and your products?

VFC will work from a mounted forensic image (e.g. E01) or a raw Unix-style DD image. It can also work directly from a write-blocked hard-drive, which gives the investigator maximum flexibility around how they work. This final use case can offer real value in triage situations.

Users report that VFC is the most reliable tool they know of to discover whether a user account is password protected and it also collects relevant system information which some customers use in their triage process.

Typically, within a minute, the user can have built and launched a working VM copy of the suspect's machine. The time this saves and the benefits it gives the user deliver exceptional return on investment.

8. What is the most rewarding part of serving the first responder community?

Knowing that MD5 and their products and services are helping to get “bad people” off the streets by assisting law enforcement agencies to secure early convictions is very rewarding. When MD5 are able to assist directly with an investigation, they are reducing lead-times to expedite the legal process and get them off the streets faster.

Helping grieving relatives to understand what happened to their lost ones can also be very rewarding, and explaining unexplained deaths can bring closure and restitution.

9. Do you support any charitable organizations?

MD5 support an annual Rotary Club golf day in Yorkshire, which helps a local charity that does great work in the community. They also sponsor a local junior rugby club, supplying their annual safety/community training and competitive kit.

10. Is there any fun fact or trivia that you'd like to share with our users about you or your company?

VFC is used in 68 countries around the world.

11. What's next for your company? Any upcoming new projects or initiatives?

MD5 invests in continual development and support of VFC and R&D to support frontline investigations.

Copyright © 2022 Police1. All rights reserved.