
Nexus
by Trufflepig

Trufflepig Nexus was built by practitioners to make memory forensics more efficient and more accessible to a broader audience.

The heart of the software is the so-called "Minion", an analysis engine that derives artifacts from memory dumps. The other parts of the software are the backend, the frontend and the database. Nexus is a distributed client-server application which can be run on Linux and Windows machines.

The Minion

The Minion does the heavy lifting.

It includes custom-built patterns and heuristics which are used to extract artifacts from memory dumps and later display them in the frontend of the software.

For efficiency reasons it is written in C++.

Currently the Minion only supports the analysis of x86-64 Windows memory dumps; it will, however, soon be expanded to other operating systems.

The Architecture

The Backend

The Backend processes the data generated by the Minion, stores it in the Database and exposes an interface to the Frontend. It is implemented in Go.

The Frontend

The Frontend displays the artifacts in a single-page application. It runs in Chromium-based browsers (e.g. Google Chrome, Microsoft Edge) and uses modern web technologies for a good user experience.

The Database

The PostgreSQL Database stores the artifacts and allows for sorting and filtering.

System Requirements

Server

  • 8 GB RAM
  • SSD storage for images (highly recommended)
  • AMD64 CPU supporting the AVX, AES & AES-NI instruction sets; at least four cores recommended (Intel, AMD)

Client

  • 8 GB RAM
  • Full-HD display (highly recommended)
  • Chromium-based browser such as Chromium, Chrome, Brave, Opera or Microsoft Edge (Firefox works partially)

If both the client and the server are running on the same system (the default Windows installation), 16 GB of RAM are recommended.