A media blog about gadgets, media, software, and technology.
Key questions investigators must ask themselves include: given the situation, will the investigation benefit from capturing physical memory? And can I capture that information in the least intrusive manner available? Armed with the answers to these questions, and an understanding of how their actions and tools affect the evidence, investigators can [...]
Tribble is a hardware expansion card designed to reliably acquire the volatile memory of a live system. Acquired memory is captured and written out to a removable storage device. The card reads memory directly, without going through the host operating system, and because no software has to be loaded on the target it does not overwrite potential evidence the way a software-based acquisition tool does.
When accessing volatile memory, one of the first things a computer forensics investigator may recall is the basic scientific principle that the very act of observing something changes it. Accessing volatile memory is no exception: any tool run on the live system consumes memory and CPU time of its own and may overwrite data of evidentiary value.
With the system running, the investigator is usually limited to collecting data such as Secure Audit Log records that have already been logged to remote devices such as syslog servers. Most network appliances and routers do provide a physical configuration port (usually a serial console connection) from which to run a terminal session.
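As an added example (not from the original post, and not a vendor or project tool), here is a parser for the kind of syslog records a remote collector would have received from a Cisco IOS router, together with the integrity checks an investigator would want before relying on them: gaps in the router's sequence numbers (dropped or removed messages), a PRI severity that disagrees with the `%FACILITY-SEVERITY-MNEMONIC` severity (edited or badly relayed lines), and the leading `*` on the timestamp that IOS prints when its clock has never been set or synchronised. The log lines, host names and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (hypothetical, not from a real device): lines a remote
# syslog server might have stored from a Cisco IOS router configured with
# "logging host", "service timestamps log datetime msec" and
# "service sequence-numbers".
SAMPLE_SYSLOG = """\
<189>000042: *Mar  1 00:12:31.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<189>000043: *Mar  1 00:12:40.117: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
<187>000045: *Mar  1 00:13:02.550: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
<189>000046: *Mar  1 00:14:10.004: %SYS-5-CONFIG_I: Configured from console by console
"""

# RFC 3164 PRI is facility*8 + severity. IOS then prints an optional
# sequence number, a timestamp (a leading '*' means the router's clock is
# not authoritative) and the %FACILITY-SEVERITY-MNEMONIC: message body.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class LogRecord:
    pri: int
    seq: Optional[int]
    timestamp: str
    clock_authoritative: bool
    facility: str
    severity: int
    mnemonic: str
    message: str


def parse_syslog(text: str) -> List[LogRecord]:
    """Parse IOS-style syslog lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(LogRecord(
            pri=int(m["pri"]),
            seq=int(m["seq"]) if m["seq"] else None,
            timestamp=m["ts"],
            clock_authoritative=not m["ts"].startswith("*"),
            facility=m["fac"],
            severity=int(m["sev"]),
            mnemonic=m["mnem"],
            message=m["msg"],
        ))
    return records


def sequence_gaps(records: List[LogRecord]) -> List[int]:
    """Sequence numbers missing between the first and last one seen. A gap means
    messages were lost in transit (syslog over UDP) or removed from the store."""
    seqs = sorted(r.seq for r in records if r.seq is not None)
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]


def severity_mismatches(records: List[LogRecord]) -> List[LogRecord]:
    """Records whose PRI severity disagrees with the %FAC-SEV-MNEM severity,
    which suggests the line was edited or relayed by a misconfigured host."""
    return [r for r in records if r.pri % 8 != r.severity]


def unsynchronised_clock(records: List[LogRecord]) -> bool:
    """True if any timestamp carries the '*' marker, so times cannot be
    correlated with other sources without an offset."""
    return any(not r.clock_authoritative for r in records)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print(f"{len(recs)} records, missing sequence numbers={sequence_gaps(recs)}, "
          f"severity mismatches={len(severity_mismatches(recs))}, "
          f"clock unsynchronised={unsynchronised_clock(recs)}")
```

On the sample, the parser reports sequence number 44 missing and flags the unsynchronised clock; both findings belong in the case notes before the log is used to reconstruct a timeline.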
A third memory component in Cisco routers, the Non-Volatile RAM (NVRAM), holds the startup configuration file. The boot ROM, much like the Complementary Metal Oxide Semiconductor (CMOS) memory and BIOS of a personal computer, contains the code for the power-on self-test (POST), loading IOS, and so forth.