Grand Idea Studio

Tribble


Tribble is a hardware expansion card that reliably acquires the volatile memory (RAM) of a live system and writes it to removable storage. The card reads physical memory directly over the bus, so no acquisition software has to be loaded onto the target, a step that would itself alter memory and could overwrite evidence.

The volatile memory of a running system holds the currently executing processes, the state of user activity, temporary data, and other artifacts that support digital forensic analysis after a security incident. If the system is powered off after an incident, that volatile memory is lost, along with information that may be critical to the investigation. Writing a memory image to the system's own hard drive should also be avoided, because the write overwrites deleted data in unallocated space that may still contain evidence. Leaving the system running is not a safe option either: an attacker could return and cause further damage.

The solution is an expansion card installed in advance into a client's critical servers. A physical switch, when pressed by an administrator, captures the system state by reading and storing the current memory image and processor registers. After an attack, the card is simply activated, removed from the system, and sent to a third party for forensic analysis and incident response.

On February 20, 2007, Joe Grand of Grand Idea Studio and Brian Carrier of digital-evidence.org were granted U.S. Patent No. 7,181,560 by the U.S. Patent and Trademark Office. The patent, entitled "Method and Apparatus for Preserving Computer Memory Using Expansion Card," is based on the work behind the Tribble product and concept.

We are currently looking for licensing opportunities for our patent and associated technology.

Documentation:

  • Paper: A Hardware-Based Memory Acquisition Procedure for Digital Investigations

    Abstract: The acquisition of volatile memory from a compromised computer is difficult to perform reliably because the acquisition procedure should not rely on untrusted code, such as the operating system or applications executing on top of it. In this paper, we present a procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device. The card is installed into a PCI bus slot before an incident occurs and is disabled until a physical switch on the back of the system is pressed. The card cannot easily be detected by an attacker and the acquisition procedure does not rely on untrusted resources. We present general requirements for memory acquisition tools, our acquisition procedure, and the initial results of our hardware implementation of the procedure.

    Published in Digital Investigation 1(1):50-60, ISSN 1742-2876, February 2004.

    This work was selected as the Best Academic Paper of the Year for 2004 by the Digital Investigation Journal Editorial Board.
