KnTTools 實體記憶體獲取工具

What is KnTTools Basic Edition?
The KnTTools Basic Edition includes KnTDD. KnTDD is a next generation tool for the acquisition of physical memory evidence from select Microsoft Windows operating systems. KnTDD's principle features include:
  Acquisition of physical memory (main computer memory) evidence from systems running select Microsoft Windows operating systems, including Windows Vista.
  Acquisition to a removable USB or firewire drive based on the volume label of the destination drive.
  Acquisition to the network with or without bandwidth throttling.
  Cryptographic integrity checks and audit logging.
  Output compression using a variety of formats.
  Conversion of binary memory "image" to Microsoft crash dump format.
  Acquisition of certain system state information including active processes, loaded modules and listening endpoints using user mode api's (for later use in cross-view detection algorithms).
  Integration with KnTList for analysis and cross-view detection.


What is KnTTools Enterprise Edition?
The KnTTools Enterprise Edition builds on the features of the Basic Edition and adds support for the acquisition of physical memory evidence from select Microsoft Windows operating systems in a distributed computing environment or that contains sensitive content, including:
  Support for the AMD x64 versions of Microsoft Windows.
  Bulk encryption of output using X509/PKCS#7 certificates, including certificates created using makecert.exe.
  Evidence acquisition over a SSL (TLS 1.0) tunnel.
  Evidence acquisition to a WebDAV-enabled web server.
  A remotely deployable version that runs as a system service (KnTDDSvc).
  A remote deployment module (KnTDeploy) that is able to pull and deploy encrypted evidence collection "packages" from a SSL enabled web server or push the packages out to a remote Admin$ share on the "suspect" machine.
　

What is KnTList?
KnTList is a command line tool for the analysis and extraction of evidence from physical memory that was acquired from select Microsoft Windows operating systems using the KnTTools. KnTList analyzes main computer memory by reconstructing the principle operating system-defined metadata elements that structure the memory, including the virtual address space of the system and other processes. KnTList output is produced in both text and XML format. XML output is designed to permit the independent development of secondary analysis based upon an open format. The XML schema that is used by KnTList included with the distribution.

The approach taken by KnTList is intended to complement the approach developed by Andreas Schuster which scans physical memory for specific byte-patterns that identify important metadata elements. http://www.dfrws.org/2006/proceedings/2-Schuster.pdf. KnTList supports Andreas Schusters PTFinder XML output format for use with a cross-view detection algorithm. http://computer.forensikblog.de/2006/09/ptfinder_0_3_00.html. Please consult the 2005 DFRWS memory challenge for examples of KnTLists capabilities as of two years ago.


National language support.
KnTTools and KnTList are national language aware but are not fully localized. Error messages or prompts that are generated by the operating system will appear in the current users default language. Output specifically generated by KnTTools or KnTList will be in American English. KnTTools and KnTList are Unicode applications and are designed to run on localized versions of Microsoft Windows, including Asian versions.
　

Availability?
The KnTTools and KnTList are currently available to the military, civilian law enforcement and other civilian governmental agencies, and higher educational institutions. The KnTTools and KnTList are available on a case-by-case basis to private security professionals and corporations.

The KnTTools and KnTList are exclusively distributed by GMG Systems, Inc. Bundling of the KnTTools and/or KnTList with a third party software package is not being contemplated at this time.