Tribble
Tribble is a hardware expansion card that reliably acquires the volatile memory of an active computer system and retains critical information necessary for forensic analysis in the event of a computer misconduct. The device accesses the target’s memory directly through a hardware interface and does not require any software or drivers to be loaded.
The technology is protected by U.S. Patent #7,181,560, Method and apparatus for preserving computer memory using expansion card.
Documentation:
- Video: Using Tribble to Extract RAM from an Active Computer System
- Paper: A Hardware-Based Memory Acquisition Procedure for Digital Investigations
The acquisition of volatile memory from a compromised computer is difficult to perform reliably because the acquisition procedure should not rely on untrusted code, such as the operating system or applications executing on top of it. In this paper, we present a procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device. The card is installed into a PCI bus slot before an incident occurs and is disabled until a physical switch on the back of the system is pressed. The card cannot easily be detected by an attacker and the acquisition procedure does not rely on untrusted resources. We present general requirements for memory acquisition tools, our acquisition procedure, and the initial results of our hardware implementation of the procedure.
Published in the Digital Investigation Journal 1(1):50-60, ISSN 1742-2876, February 2004.
This work was selected as the Best Academic Paper of the Year for 2004 by the Digital Investigation Journal Editorial Board.