http://www.knoppix.net/wiki/Cheat_Codes states
"The "noswap" option is useful for a forensic analysis without touching existing swap partitions."

How is the forensic research done then after booting with the noswap option? What can be achieved with it?

All that statement means is that the noswap option will keep Knoppix from overwriting the swap file. This may let you take a quick look around without changing anything. While the swap file might contain information of interest, Knoppix has no special forensic tools to help you pick through it (at least that I know of). If you are interested in a forensic Live CD, you might want to look at the Helix Live CD.

Welcome to the forums.

I'll check that out, thank you :) .

http://www.knoppix.net/wiki/Cheat_Codes states
"The "noswap" option is useful for a forensic analysis without touching existing swap partitions."

How is the forensic research done then after booting with the noswap option? What can be achieved with it?

Many unix programs could be used to a "sort" of forensic tools, for examples:

dd if=/dev/hda | hexdump -C | grep -i bank
or
dd if=/dev/hda1 of=/somewhere/hda1.img
cat hda1.img | strings | grep -lsi robbery
or
mount -o loop hda1.img /media/test
find /media/test | xargs grep -lsi mysecret

etc. etc.

have a look a the sleuthkit and autopsy for something "like" encase: http://www.sleuthkit.org/

Ciao

max