Virtual forensic computing: Boot forensic image files.

Introducing virtual forensic computing with Forensic Explorer Live Boot

Virtual forensic computing is a method by which an investigator can boot a forensic image of a suspects computer and operate it in a virtual environment. A virtual machine can be created from a forensic image, a write blocked physical disk or a 'DD' raw flat file image. Virtual forensic computing utilizes a mounted disk and VMWware to re-create a subject machine in a matter of minutes. The investigator can then experience the 'desktop' as seen by the original user in an entirely forensic manner and use it in a protected virtual environment.

"I think the turning point was when the jury watched us boot his computer
and saw what was on his desktop."

Live Boot is a component of GetData's Forensic Explorer software:


Forensic Explorer is a fully fledged forensic package. In addition to Live Boot it contains many other forensic features, such as shadow copy, registry and email analysis, and keyword and index searching (learn more at the Forensic Explorer website). Forensic Explorer and Mount Image Pro (a separate and stand alone program) are sold with an activation key for both products on a single Wibu Codemeter dongle.

Live Boot supports visualization of Windows 95 to Windows 10 and Unix. It can be used with Windows VMWare workstation or VMWare Player.

EnCase is the registered trademark of Guidance Software Inc.
VMWare is the registered trademark of VMWare Inc.
Mount Image Pro is the registered trademark of GetData -