Gadgets, Games, Software, News -Techno Nerd
Accessing Volatile Data (2)
Tribble is a hardware expansion card designed to reliably acquire the volatile memory of a live system. Acquired memory is captured and extracted to a removable storage system. The hardware device accesses memory directly, and because it does not require software to be loaded on the target, it avoids overwriting possible evidence.
Although the Tribble system presents a compelling solution to the problem of live memory access, the device would most likely require preinstallation, causing difficulties in incident-response situations where system engineers had not planned for this type of investigation.
As the need for forensically clean extraction increases, system manufacturers may be compelled to offer integrated memory access such as that offered by Tribble. For some time now, manufacturers have offered monitoring ports, or taps, on network switches.
The need for this type of access has even shown up in recent U.S. legislation through the Communications Assistance for Law Enforcement Act (CALEA) [fcc01], which outlines requirements for communications carriers to provide access to law enforcement agencies. The fact that physical memory usually cannot be accessed without displacing or changing some of its content does not immediately negate the value of capturing that content.
Computer forensics investigators must make the determination whether the value of potential evidence in physical memory justifies collection. This type of determination often needs to be made on-site based on the parameters of the case.