Orders, Prices:
  Credit card
  Online upgrade
Find out more about X-Ways Forensics X-Ways Forensics
Integrated computer forensics software
Find out more about X-Ways Investigator X-Ways Investigator
Investigator version of X-Ways Forensics
Find out more about WinHex! WinHex
Hex editor, disk editor, RAM editor
Find out more about X-Ways Imager X-Ways Imager
Disk imaging
Find out more about X-Ways Capture X-Ways Capture
Seize evidence
Find out more about X-Ways Trace X-Ways Trace
User activity
Find out more about Davory Davory
Data recovery
Find out more about X-Ways Security X-Ways Security
Permanent erasure

Contact X-Ways Contact X-Ways
User forum
Corporate info Corporate info
Find us on Facebook Find us on Facebook
  X-Ways Software Technology AG

X-Ways Capture: 成功获取所有硬盘、文件和RAM数据

 Windows 2000/XP* + Linux

X-Ways Capture
not updated any more for a long time


 X-Ways Captures是一套专业的计算机取证工具,用于在证据采集阶段,获取正在运行的Windows 和 Linux 系统下数据。 X-Ways Capture 将正在运行状态下计算机中的所有数据采集到外置USB硬盘中,这样,在目标系统被获取的当时,一些处于解锁状态下的、原来被加密保护的数据,可以被成功获取下来。 当你发现某些硬盘数据被加密时,可以利用 X-Ways Capture数据获取软件,配合热插拔移动硬盘,制作硬盘镜像,避免徒手而归! 此外,你可以利用X-Ways Capture 软件所获取的内存数据中发现有价值的口令信息。

  • 通过多种方法搜索已知或未知加密软件,并生成报告。
  • 检测发现活动状态的 ATA 加密硬盘保护。
  • 获取物理内存和虚拟内存中所有正在运行的进程。
  • 完整获取当前系统所有的存储介质,可以以raw images 或.e01证据文件格式保存(物理镜像获取)。即可以强行采用此种获取方式,也可根据软件对加密方式的自动检测结果决定采用何种拷贝方法。
  • 将所有磁盘、目录下的可读文件拷贝至目标磁盘 (逻辑拷贝),即可以强行采用此种获取方式,也可根据软件对加密方式的自动检测结果决定采用何种拷贝方法。 
  • 所有执行步骤和配置可由用户预先自定义,并可以随时启用或停止。
  • 用户可自行添加、扩充 X-Ways Capture 软件所能检测的加密软件种类。
  • 软件工作同时自动创建操作日志。

    如果当前系统内驻留有加密软件,如PGP Desktop 、BestCrypt 等软件,X-Ways Capture可以根据加密程序的名称和以及文件签名把它们检测出来。加密后的虚拟磁盘,当前可能正处于解锁状态,逻辑盘符可见,因此可以利用“逻辑拷贝”方式,成功地将加密的文件拷贝出来。利用同样方法可以解决NTFS/EFS加密文件。对于一些专用硬盘加密软件,如 SecureDoc、CompuSec等,X-Ways Capture软件可以被自动检测出来。如果系统当时处于解锁状态,可以采用物理镜像方式成功获取未加密硬盘数据。

    X-Ways Capture 包含两个模块。一个用于 Windows 2000/XP* 系统,另一个用于 Linux 系统(Intel x86 架构)。X-Ways Capture 是一个命令行程序,仅占用极少的内存,软件支持英语和德语。 X-Ways Capture 使用非常简单,一旦配置了好各种设置,它将自动完成所有需要在现场完成的任务。

Compared to X-Ways Forensics, the specialties of X-Ways Capture are that it

  • runs under Linux also, not only Windows
  • runs preconfigured steps automatically without additionally user interaction
  • automatically detects various encryption schemes/password protection
  • can optionally based on that make an intelligent choice about whether to acquire the system immediately and automatically while still running


Newsletter subscription
Would you like to be kept informed of updates? Please enter your e-mail address:

X-Ways Capture 许可协议为你赢得 忠诚奖励点.


    用户应该注意:在一台正在运行着的计算机上使用其他存储介质,并执行X-WAYS Capture 进行数据获取时,会使系统微小的改变,至少是占用了一小部分内存。因此,X-Ways Capture 软件设计得的非常小,而且没有图形界面,这样它被加载起来后会尽可能少地占用内存。为了获取加密状态时受保护的数据,除造成轻微改动之外,你没有任何其他的办法。同时还要注意的是:从操作系统的角度来说,在活动状态下进行数据获取,系统不是一个非常稳定的状态 (因为暂存文件可能正在使用中)。 获取物理内存和物理镜像需要管理员(administrator/root )权限。

    X-Ways Capture

*Known limitations under Windows Vista and Windows 2008 Server: DumpPhysicalMemory and HPACheck do not work.

Contribution from Mark McKinnon: “I recently have been testing using capture accross the network. What I did was map 2 network drives on a virtual server back to my machine and ran capture and was able to image the virtual server sitting from my desk. This could come in handy for having to image a pc when the person resides accross the country in a remote office.

“What I did was create a batch file that maps 2 drives, one to the executable directory of capture and the other to where I want the output to go to, and then do a psexec.exe on it with the option to copy the file to the computer. I know this is changing the system somewhat but the nice thing is the file is small enough to reside in the $MFT and not actually written to disk. The only other changes to the system is to the registry and also the prefetch (if xp is being captured). I also created a frontend using autoit so that you could put in the parameters to call the batch program, there is no echo on the batch file so you cannot see the admin password that is being used which is another bonus for administrators who do not want to hand out a password.

“Just thought I would pass it along as a bonus to using capture that makes it a excellent buy compared to buying other more expensive (much more) packages to do remote imaging. I have attached the Autoit script and executable and the batch files if you are interested. You can also put them on your site as wel to show how to remote image a server/pc (the script probably needs some help though).” Download.


X-Ways Forensics • EvidorX-Ways Trace