
Gravsoft computer forensics


X-Ways Capture


A specialized computer forensics tool for the evidence collection phase of a forensic investigation that captures live Windows and Linux systems. X-Ways Capture gathers all data from the running computer and stores it, e.g., on an external USB hard disk, so that even encrypted or otherwise protected data that was unlocked at the time of acquisition can be examined during analysis. X-Ways Capture saves you from returning empty-handed after pulling the plug and imaging hard disks the conventional way, only to discover that the relevant files are encrypted! Plus, you may be able to find passwords in the main memory that X-Ways Capture dumps for you.

  • Searches for indications of known or unknown resident encryption software with different methods and reports them.
  • Detects active ATA hard disk password protection.
  • Dumps the physical RAM and the virtual memory of all running processes.
  • Acquires all connected media as either “dd” raw images or evidence files/.e01 files (physical acquisition), either mandatorily or depending on the results of the encryption and password protection checks.
  • Copies all readable files from all drives and directories to the target disk (logical acquisition), either mandatorily or depending on the results of the encryption checks.
  • All steps and settings are fully user-configurable in advance and can even be completely enabled or disabled.
  • You can expand the list of known encryption software products that X-Ways Capture will detect.
  • Creates a thorough log of all findings and actions.

Resident encryption software such as “PGP Desktop” or “BestCrypt” can be detected by known program names or signatures. Encrypted, but currently unlocked containers/virtual drives will be successfully acquired when copying files logically. The same holds true for NTFS/EFS-encrypted files that the logged-on user can read. Fully encrypted hard disks (such as provided by software products like “SecureDoc” or “CompuSec”) or fully encrypted volumes (such as used by TrueCrypt or BitLocker) will be detected as such generically and successfully acquired by physical imaging, if currently unlocked.
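The check-then-decide flow described above can be sketched as follows. This is an added example, not X-Ways Capture's code: the page does not say how its generic detection works, so the boot-sector OEM-ID test, the entropy threshold, the process-name list and all function names here are assumptions.

```python
import math
from collections import Counter

# Product -> process-name fragments. Constructed starter list (assumption);
# extend it with the products relevant to your cases.
KNOWN_PRODUCTS = {"TrueCrypt": ["truecrypt"]}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; approaches 8.0 for random-looking (encrypted) data."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify_volume_head(head: bytes) -> str:
    """Classify the first 4096 bytes of a volume by OEM ID, else by entropy."""
    oem = head[3:11]
    if oem == b"-FVE-FS-":            # BitLocker volume header signature
        return "bitlocker"
    if oem == b"NTFS    ":            # plain NTFS boot sector
        return "ntfs"
    # No recognisable header and near-random content: possibly a fully
    # encrypted volume. 7.5 is an assumed threshold for a 4096-byte sample.
    if len(head) >= 4096 and shannon_entropy(head) > 7.5:
        return "high-entropy"
    return "unknown"

def resident_products(process_names, known=KNOWN_PRODUCTS):
    """Return known encryption products whose name fragments match a process."""
    names = [p.lower() for p in process_names]
    return sorted(prod for prod, frags in known.items()
                  if any(f in n for n in names for f in frags))

def plan(process_names, volumes, known=KNOWN_PRODUCTS):
    """volumes maps a label to the first 4096 bytes read from that volume.
    Returns (action, reasons): acquire live if any encryption indicator is found."""
    reasons = [f"resident: {p}" for p in resident_products(process_names, known)]
    for label, head in volumes.items():
        kind = classify_volume_head(head)
        if kind in ("bitlocker", "high-entropy"):
            reasons.append(f"{label}: {kind}")
    return ("acquire-live" if reasons else "conventional-imaging", reasons)

if __name__ == "__main__":
    # Constructed sample input: one plain NTFS volume, one BitLocker volume.
    ntfs = b"\xebR\x90NTFS    ".ljust(4096, b"\x00")
    fve = b"\xebX\x90-FVE-FS-".ljust(4096, b"\x00")
    print(plan(["explorer.exe", "TrueCrypt.exe"], {"C": ntfs, "D": fve}))
```

A high-entropy result is only an indicator: compressed data looks the same, so it should trigger live acquisition rather than be logged as proof of encryption.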

X-Ways Capture consists of two modules, one for Windows 2000/XP*, the other for Linux (Intel x86 architecture each). X-Ways Capture is a command line program that uses little main memory. The language can be switched between English and German. X-Ways Capture is easy to use because once you have tailored its logic to your needs, it will always do all the work for you on its own when on site.

Compared to X-Ways Forensics, the specialties of X-Ways Capture are that it

  • runs under Linux also, not only Windows
  • runs preconfigured steps automatically without additional user interaction
  • automatically detects various encryption schemes/password protection
  • can optionally use those results to make an intelligent choice about whether to acquire the system immediately and automatically while it is still running

