

  • This Sprint: 7 issues
  • Within 3 Months: 11 issues
  • Within 6 Months: 11 issues
  • On our ToDo List: 12 issues


We are currently working on it

Release date: 2021-09-13 - Delayed and stripped due to critical patches

Artifacts | Usability | Stability | File & Operating System Support
  • Shimcache
    Shimcache is extracted from the registry and displayed in the UI
  • Events View
    A new table view for the extracted events (e.g. from shimcache) is integrated
  • Windows Heap Structure Information
    All allocation information from process heaps is extracted
  • Settings Page in Frontend
    Give users the option to choose date/time localization and similar settings
  • Registry Key Extraction
    A fix for a problem where not all registry keys were found in an analysis
  • VMware Snapshot Support
    VMEM snapshots can be analysed
  • Windows 7 Support
    Windows 7 is fully supported for the artifacts that are currently displayed


Within 3 Months
Artifacts | Usability | Stability | File & Operating System Support
  • Tor IPs API
    Via our API you can find out whether any found IP address is or was part of the Tor network
  • Windows Clipboard
    Windows clipboard content is extracted and displayed in the UI
  • Process Memory Export
    The entire process memory can be exported as a crash dump
  • Database
    Analysis artifacts are stored in the database for filtering, sorting, searching and persistence
  • Report a Bug
    Create a simple way of reporting a bug from the Nexus UI
  • Dump Process
    Unmap mapped PEs from VAD region to get original PE binary
  • IoC Visibility
    The found IoCs are shown in the IoC view for all kinds of artifacts (currently only process-related IoCs are displayed)
  • Global Views for Process Artifacts
    Create global views for process-specific artifacts like VAD regions
  • Hibernation File Support
    Hibernation files can be analyzed
  • Windows 11 Support
    Windows 11 is fully supported for the artifacts that are currently displayed
  • Fragmented Disk Images
    Fragmented disk images can be added and analyzed


Within 6 Months
Artifacts | Usability | Stability | File & Operating System Support
  • VirusTotal API
  • Windows Credentials Extraction
    Extracting passwords and hashes from lsass.exe
  • User and Session Information
    Information on currently logged in users is extracted
  • Trufflepig IoC Heuristics
    Custom Trufflepig heuristics can be used to find IoCs
  • Extract Credentials
    Extract hashes and other credentials from lsass
  • Knowledgebase Articles
    Articles about processes, IoCs, (Windows) internals etc.
  • Frontend Image Upload
    For server installations images can now be uploaded in the frontend
  • Crypto Container Decryption
    Crypto containers for which the respective keys have been found can be decrypted
  • Process Icon Visibility
    All supported browsers can display the process icons
  • Modular Minion
    File parser plugins can be implemented
  • Windows 8 + 8.1 Support
    Windows 8 and 8.1 are fully supported for the artifacts that are currently displayed


Will be added to the timeline
Artifacts | Usability | Stability | File & Operating System Support
  • Report Generation
    Reports of the findings can be generated from templates
  • Social Media Artifacts
    Chat histories/session tokens/social media/emails can be extracted
  • Timeline View
    New timeline view to display the order of events intuitively
  • Collaborative Work
    Users can create accounts and work collaboratively on cases
  • Nexus SaaS
    Trufflepig Nexus can be used as SaaS
  • Process Tree Preview
    A preview of the process tree is shown within the process details
  • MITRE ATT&CK Integration
    IoCs are displayed in the MITRE ATT&CK matrix
  • IoC Editor
    Custom rules for IoCs can be created in an intuitive UI
  • STIX/TAXII Integration
    STIX IoCs can be imported via TAXII
  • Linux Support
    Linux is fully supported for the artifacts that are currently displayed
  • OSX Support
    OSX is fully supported for the artifacts that are currently displayed
  • FreeBSD Support
    FreeBSD is fully supported for the artifacts that are currently displayed