I'm hearing some murmurs that Microsoft's acquisition of anti-rootkit startup Komoku could hit a patent hurdle.
My sources point to Patent #7,181,560, which was granted to Joe Grand (aka Kingpin from L0pht) and Brian Carrier of digital-evidence.org and covers a "Method and Apparatus for Preserving Computer Memory Using Expansion Card."
The concept covered in the patent has been used in Tribble, a hardware expansion card (see image) from Grand Idea Studio that can "reliably acquire the volatile memory of a live system to removable storage."
Not much is known about the actual technology and approach behind Komoku's hardware-based rootkit detection capabilities. When I profiled the company in 2006, the flagship CoPilot product was described to me as a PCI card capable of monitoring the host's memory and file system at the hardware level.
Grand Idea Studio has made it publicly known that it is looking for licensing opportunities for its patent and associated technology, and now that Komoku is owned by a deep-pocketed company, my sources say a legal/patent dispute could be brewing.
I'm very curious about what Microsoft will do with the hardware component of this acquisition. Komoku's software, which is aimed at businesses looking for a low-assurance utility, is useful for Redmond's consumer security offering (Windows Live OneCare). But the real value of this deal is in the .gov/.mil market, where CoPilot (the PCI card) is already in use.
In many respects, hardware-based RAM acquisition is the most reliable and secure way to sniff out sophisticated malicious rootkits, but, then again, this discussion may be moot. Just ask Joanna.