GMG Systems, Inc.

KnTTools with KnTList



Welcome to the home of GMG Systems, Inc. KnTTools with KnTList, the award-winning main computer memory acquisition and analysis tools for select Microsoft Windows operating systems. KnTTools with KnTList are command line tools.


What is KnTTools Basic Edition?


The KnTTools Basic Edition includes KnTDD. KnTDD is a next generation tool for the acquisition of physical memory evidence from select Microsoft Windows operating systems. KnTDD's principal features include:


·        Acquisition of physical memory (main computer memory) evidence from systems running select Microsoft Windows operating systems, including Windows Vista. 

·        Acquisition to a removable USB or firewire drive based on the volume label of the destination drive.

·        Acquisition to the network with or without bandwidth throttling.

·        Cryptographic integrity checks and audit logging.

·        Output compression using a variety of formats.

·        Bulk encryption of output using X.509/PKCS#7 certificates, including self-signed certificates created using makecert.exe.

·        Conversion of binary memory "image" to Microsoft crash dump format.

·        Acquisition of certain system state information, including active processes, loaded modules and listening endpoints, using user mode APIs (for later use in cross-view detection algorithms).

·        Acquisition of system swap or pagefiles.

·        Acquisition of NVRAM, standard CMOS and the IOAPIC table.

·        Integration with KnTList for analysis and cross-view fusion.

·        Support for both 32 and 64-bit versions of Microsoft Windows.


What is KnTTools Enterprise Edition?


The KnTTools Enterprise Edition builds on the features of the Basic Edition and adds support for the acquisition of physical memory evidence from select Microsoft Windows operating systems in a distributed computing environment or that contains sensitive content, including:


·        Evidence acquisition over an SSL/TLS tunnel.

·        Evidence acquisition to a WebDAV-enabled web server.

·        Evidence acquisition to an anonymous FTP server.

·        A remotely deployable version that runs as a system service (KnTDDSvc).

·        A remote deployment module (KnTDeploy) that is able to pull and deploy encrypted evidence collection "packages" from an SSL-enabled web server or push the packages out to a remote Admin$ share on the "suspect" machine.

·        Acquisition of the firmware and reserved sectors from select hard drives.

·        Acquisition of VRAM, SRAM or NVRAM from select video and network adapters.



What is KnTList?


KnTList is a command line tool for the analysis and extraction of evidence from physical memory that was acquired from select Microsoft Windows operating systems using the KnTTools. KnTList analyzes main computer memory by reconstructing the principal operating system-defined metadata elements that structure the memory, including the virtual address space of the system and other processes. KnTList output is produced in both text and XML format. XML output is designed to permit the independent development of secondary analysis based upon an open format. The XML schema that is used by KnTList is included with the distribution.


The approach taken by KnTList is intended to complement the approach developed by Andreas Schuster, which scans physical memory for specific byte patterns that identify important metadata elements. KnTList supports Andreas Schuster's PTFinder XML output format for use with a cross-view detection algorithm. Please consult the 2005 DFRWS memory challenge for examples of KnTList's capabilities as of two years ago.


National language support.


KnTTools and KnTList are national language aware but are not fully localized. Error messages or prompts that are generated by the operating system will appear in the current user's default language. Output specifically generated by KnTTools or KnTList will be in American English. KnTTools and KnTList are Unicode applications and are designed to run on localized versions of Microsoft Windows, including Asian versions.




The KnTTools and KnTList are currently available to the military, civilian law enforcement and other civilian governmental agencies, and higher educational institutions.  The KnTTools and KnTList are available on a case-by-case basis to private security professionals and corporations.  Please use the contact information on the order page to inquire further about product availability. 


The KnTTools and KnTList are exclusively distributed by GMG Systems, Inc. Bundling of the KnTTools and/or KnTList with a third party software package is not being contemplated at this time.




Please see our price list page for an appropriate schedule.


How do I place an order?


Please see our order page for further details on how to place an order.


Copyright 2007-2011 GMG Systems, Inc. All rights reserved.  The KnTTools and KnTList are furnished under license and may not be used except in accordance with the terms of the license agreement. 




The KnTTools and KnTList are commercial computer software programs developed exclusively at private expense.  Use, duplication, and disclosure by civilian agencies of the U.S. Government shall comply with FAR 52.227-19 (c), or other comparable provision(s), as may be applicable. Use, duplication and disclosure by DOD agencies is subject solely to the terms of standard software License Agreement as stated under DFARS 227.7202.


Copyright © 2007-2014 GMG Systems, Inc.