X-Ways Capture
A specialized computer forensics tool for the evidence collection phase of a forensic investigation that captures live Windows and Linux systems. X-Ways Capture gathers all data from the running computer, e.g. onto an external USB hard disk, so that during the analysis even encrypted or otherwise protected data can be examined, provided it was unlocked at the point in time when the system was acquired. X-Ways Capture saves you from returning empty-handed after pulling the plug and imaging hard disks the conventional way, only to discover that the relevant files are encrypted! Plus, you may be able to find passwords in the main memory that X-Ways Capture dumps for you.
Resident encryption software such as PGP Desktop or BestCrypt can be detected by known program names or signatures. Encrypted, but currently unlocked containers/virtual drives will be successfully acquired when copying files logically. The same holds true for NTFS/EFS-encrypted files that the logged-on user can read. Fully encrypted hard disks (such as provided by software products like SecureDoc or CompuSec) or fully encrypted volumes (such as used by TrueCrypt or BitLocker) will be detected as such generically and successfully acquired by physical imaging, if currently unlocked.
X-Ways Capture consists of two modules, one for Windows 2000/XP*, the other for Linux (Intel x86 architecture each). X-Ways Capture is a command line program that uses little main memory. The language can be switched between English and German. X-Ways Capture is easy to use because once you have tailored its logic to your needs, it will always do all the work for you on its own when on site.
Compared to X-Ways Forensics, the specialties of X-Ways Capture are that it