Trufflepig Logo
Free TrialBuy Now

We re­de­fine Mem­ory
Foren­sics

Free TrialBuy Now

Nexus

  • Truf­flepig Nexus analy­ses Win­dows mem­ory im­ages fast and re­li­ably with an in­tu­itive Web-UI. It gives a com­pre­hen­sive overview of ar­ti­facts, IoCs and their con­text which al­lows for an ef­fi­cient triage.
    To keep up with the rapid tech­no­log­i­cal ad­vance­ments, Nexus is built to be ex­tend­able and mod­u­lar and pro­vides out of the box fea­tures like auto-de­cryp­tion and a lu­cid process tree.
  • Pro­jects can be cre­ated quickly and eas­ily by se­lect­ing a mem­ory im­age and, if avail­able, the cor­re­spond­ing hard drive im­age. The analy­sis process is op­ti­mized to fin­ish within sec­onds.
    Truf­flepig Nexus cur­rently sup­ports Win­dows 10 mem­ory im­ages in raw, crash-dump & ELF for­mat and hard drive im­ages in all for­mats that are sup­ported by Sleuthkit, ad­di­tion­ally also qcow2.
  • The processes are dis­played in a table view and a process tree view. Processes are high­lighted in color as "sus­pi­cious" or "in­fected" us­ing Yara rules (pro­vided by the user).
    The process de­tail view of­fers a com­pre­hen­sive overview over the IoCs that have been found, opened net­work con­nec­tions and loaded mod­ules and han­dles.
  • Truf­flepig Nexus is built to al­low for the in­te­gra­tion of cus­tom Yara rules. They can be con­ve­niently im­ported us­ing the web UI.
    In­ter­est­ing processes can be ex­ported with one click and used for furhter in­ves­ti­ga­tion in other re­verse en­gi­neer­ing tools.

Use cases

Law en­force­ment

Law en­force­ment agen­cies have to deal with an in­creas­ing amount of dig­i­tal ev­i­dence. Find­ing ef­fi­cient ways to process it and iden­tify the im­por­tant in­for­ma­tion is cru­cial. Truf­flepig sup­ports them with a has­sle-free mem­ory foren­sics so­lu­tion for ex­am­ple in find­ing sus­pi­cious processes and net­work ac­tiv­ity as well as de­crypt­ing en­crypted ob­jects.

Learn more

In­ci­dent re­sponse

A more dig­i­tal econ­omy means more cy­ber­at­tacks. The time that it takes com­pa­nies to re­spond to an in­ci­dent is the de­cid­ing fac­tor for mit­i­gat­ing the dam­age. Truf­flepig helps DFIR Teams gen­er­ate de­tailed in­sights fast based on a com­put­ers mem­ory and as­so­ci­ated data sources. The so­lu­tion helps to de­tect and re­verse en­gi­neer mal­ware and an­a­lyze hacker ac­tiv­ity and user mis­con­duct.

Learn more

Fraud ex­am­i­na­tion

As tech­nol­ogy be­comes more preva­lent in our day-to-day lives, so does the like­li­hood of fraud­u­lent be­hav­iour dis­guised within the folds of seem­ingly end­less elec­tronic data. As a re­sult, fraud in­ves­ti­ga­tions have be­come heav­ily re­liant on elec­tron­i­cally stored ev­i­dence, mak­ing mem­ory foren­sics an es­sen­tial part of mod­ern-day in­ves­ti­ga­tions.

Learn more

Why Nexus

Au­toma­tion & Com­fort of use

Us­ing au­toma­tion, Nexus re­duces hu­man er­ror and en­sures more ac­cu­rate in­for­ma­tion and smoothly com­pleted tasks and processes.

The frame­work sup­ports analy­sis on all Win­dows on x86_64 sys­tems (in fu­ture OSX and Linux on x86_64) with­out the need of spec­i­fy­ing hard­ware pro­files. Re­sults are cross-cor­re­lated with dif­fer­ent data sources (e.g. disk im­ages) and ad­vanced mal­ware de­tec­tion al­go­rithms ap­plied. Nexus also sup­port de­crypt­ing en­crypted con­tain­ers.

Per­for­mance & Ro­bust­ness

Nexus is ready to meet to­day's chal­lenges; it's faster and more ro­bust to fa­cil­i­tate the in­creas­ing num­ber of mem­ory foren­sics cases world­wide.

Truf­flepig Foren­sics uses pat­tern re­dun­dancy to in­crease the ro­bust­ness of the re­sults. The data-ori­ented C++ im­ple­men­ta­tion sig­nif­i­cantly speeds up the analy­sis. Truf­flepig Foren­sics can be eas­ily in­te­grated into ex­ist­ing work­flows. The re­sults can be ex­ported as JSON or sim­i­lar for­mats.

Com­pata­bil­ity & User-friend­li­ness

Its ease of use ex­ceeds that of its com­peti­tors and is con­tin­u­ously im­proved; Nexus is com­pat­i­ble with your needs whether you op­er­ate a small, medium or large or­gan­i­sa­tion.

It sim­pli­fies the train­ing needed for your in­ves­ti­ga­tors and al­lows you to fo­cus on train­ing for other mat­ters. We are ready to help you all the way, de­velop pos­si­ble train­ing for you, have tech­ni­cal sup­port avail­able, and we are open to dis­cus­sions to make fea­ture op­ti­mi­sa­tions for you.

Pi­lots

Thank you for your ac­tive par­tic­i­pa­tion and in­puts in the pi­lot pro­gram.

  • Tecleo
    Difose
    Insig2
    ics