Is More Efficient, Accessible Memory Forensics Possible?

Christa: Memory forensics is a mainstay of incident response. Its relevance and necessity are only growing with time, as encryption technology has become more integrated, especially in consumer devices. Yet memory forensics is neither intuitive nor simple.

Looking to change that is a new startup, Trufflepig Forensics, founded by a team of ethical hackers in Pfaffenhofen an der Ilm, Germany. Co-founders Aaron Hartel and Christian Müller are with us today to talk more about it. I’m your podcast host, Christa Miller, and welcome Aaron and Christian.

Aaron: Hi Christa.

Christian: Hi Christa.


Aaron: Thanks for having us.

Christa: Of course, it’s a pleasure, likewise. So let’s start with a bit of an introduction. Since your company is a startup and you’re so new, Christian and your third co-founder, Olli, are ethical hackers, is that correct?

Christian: Yeah exactly. So what we mean by that is that we basically use hacking techniques but in a way that is legal and OK from a moral perspective, and we try to basically develop technologies for the blue team, if you want to call it that.

Christa: Of course. And Christian your college thesis formed the basis for Trufflepig’s Nexus product, and Aaron, your background is in business. So I wanted to find out more about how you got started in this industry and what has led you down this path?

Aaron: Yeah I think I might start, my story’s a bit shorter here. Basically I just met Chris and Olli at some point, approximately, was it three years ago now?

Christian: Yeah.

Aaron: It was three years ago when I still was in my Master’s. I was doing business, always with the dream in mind to start and own [a] company at some point. I didn’t really have any strong technical background at this point. I was basically introduced to those two guys; they were participating in a business plan competition and needed some assistance from a business perspective, first only on paper, because they thought maybe the team would look a bit more complete.

So I got introduced to them and didn’t really understand much of what they were talking about, to be honest, because it’s such a technical and difficult topic to get into if you’re not really…if you don’t really have an informatics background. Still, of course I understood quickly that those guys are good at what they are doing (or that’s what I assumed, well we’ll assume it).

So I understood very quickly that they are very deep in a very technical topic, I found that fascinating, and decided to basically stick with them, since we also understood that the team, not only on paper but also in reality, is probably a bit more complete if we not only have the tech nerds, so to say, in there but also someone who might have an idea of how to also scale a business: you have to start a business and scale it.

So that’s my role now. I’m far from being able to call myself an expert in forensic technologies. I’m still learning every day. I think of course I understand more now with those three, or two years of full-time experience. But still I’m learning every day, and my understanding of the market and of the different customer segments, of course, and of the technologies, is developing with every day here. It’s still a long and very interesting journey, and of course you’ll never really stop learning in such a rapidly developing field.

Christian: Yeah, so from my side, I was always interested in programming and learning new things. I think I learned the first little programming skills in C at 8, because, of course, I wanted to implement a game. So my dad taught me. And when I was 15, I learned PHP, and at 19, I think, I got a job programming a backend for a company. They wanted to digitize basically their whole infrastructure.

And then at 21, 22 (something like that, I think), I got back to game programming, and I wanted to implement a multiplayer mode for a single-player-only game. And that was pretty hard. And I got to know Olli, and he knew reverse engineering and exploitation and stuff like that. So he taught me how to reverse engineer a game, and understand the concepts there and manipulate it to do what you want it to do. So that was basically the background for what we are still doing today, just understanding the concepts of huge projects and getting information out of them.

Christa: OK.

Christian: In 2016 then I was still doing my Bachelor thesis, and had some lack of motivation because game programming was more interesting! So I was looking for some motivation source, and I applied for an internship at the German Federal Police, and the forensics department accepted me, and I got into memory forensics there, and learned the concepts, and also the problems they have with the current state of the art in that field. And basically I decided that I want to improve the technologies in that field, and get really deep into it, and that was basically the fundamental idea for the company.

Christa: I think that was what caught my eye about your value proposition, which includes incident response, but also law enforcement. That’s not something that I’ve seen extensively before in memory forensics, so I wanted to find out more about that. In particular your website describes some cumbersome technical challenges with memory forensics. Is this a problem for security operation centers and first responders, lab personnel, or both and why?

Aaron: I think as Chris said, our background is really the law enforcement sector, where Chris had to work with those tools that were available, which are also good (I mean we like the tools that are out there, we think they are grown by the community, they have a place and they’re good, they did a lot of good).

It’s just that I think in law enforcement specifically, it can be challenging, and that’s also the experience that we had when we talked to people in the field, to even do memory forensics with what is out there, because it requires you to have such a good understanding already of basically working with Linux-based systems to even run those tools sometimes.

And also in general, how to process data when you just have a command line interface maybe, to work with other…And even of course you can maybe build in a front-end, or get an open source front-end and build your own system. But it’s all rather manual, you have to do a lot of manual work there.

And I would say for someone that is maybe new to law enforcement, or forensics in law enforcement, which is the case, at least in Germany, for a lot of people that work there (they were basically doing something else before, then they got training and kind of started like that), it can be pretty hard, and so currently memory forensics is only being done in, say, the most sophisticated law enforcement agencies in Germany, because they have the people that are skilled enough to do it.

And this is, I think, something that should change, because memory is such a rich source of data (of course if you can get it, you cannot always get it, and of course computers will be running or just shortly being shut down), but if you can get it, you can get lots of value out of it, more value than probably from any other source of data, and that’s what made it really interesting for us to make it more accessible, to make it more user friendly to use, also faster.

We think there’s a lot of potential to implement memory analysis technologies in a faster way than what is currently out there. And those were kind of the initial motivations. So having a fast tool, or fast technology, one that is (of course always depending on the product that you build on top of it, but the user interface) easy to use, that is automated, and of course also forensically sound, this is something we were really chasing after with our technology development when we started back in 2019.

I think I should…You asked about also other segments of incident response. There probably the challenges are a bit…in memory forensics are a bit different, being that you’re not only looking at maybe one laptop, one machine, that you want to analyze and that you really want to go on a deep dive in, but you’re looking at potentially hundreds of thousands of machines.

And when you’re facing such a challenge, it’s just not practical to do, or with the current setup of tools and what is out there, you have to focus on maybe individual machines, one or two machines that you are analyzing at a time. You cannot just screen maybe a whole network with forensic integrity in a fast way, and then assess whether or where to conduct or to continue with the investigation, which is something that optimally, from our perspective, should be done. So fast triage of as many machines as possible, fast results and then a decision on where to go further.

So to do that with the current tooling is a challenge. Of course you can script stuff, you can use some of the open source scripts also that are out there, but still it’s error-prone, in some sense. And building a stable solution that is able to screen potentially thousands of endpoints, this is something that we think would be of high value for many incident response teams.

So the challenges are a bit different, we started with the basic technology, so with this memory analysis technology, implementing our own heuristics, our own algorithms there, so we haven’t copied anything there, just built everything ourselves, because we want to make the core of the technology our own.

And then from this point on we want to publish different products for different sectors: so for law enforcement, something that helps them really focus on maybe the analysis of individual machines in-depth; for incident response teams, that will take some more time (we can go into that in a bit).

But we want to really focus on delivering solutions for fast initial triage of lots of machines, so deployment of some data collection tool, and then aggregation of data and analysis of data. And for the fraud sector, which for us is the kind of newest use case that we are still kind of getting into, of course we will be more about analyzing user behavior data that can be found in memory.

Christa: OK.

Aaron: And maybe, I want to say that right now already, we don’t want to only focus on memory. Of course we see memory as a core source of data, but we know that of course it’s not always available, so we want to integrate also other sources of data. And we are working on that already even though we started with memory.

Christa: So, such as what other kinds of data…or can you not say that yet?

Aaron: I think Chris, maybe you want to elaborate a bit on that.

Christian: Yeah, of course. So we already have kind of a disk integration, actually with SleuthKit.

Christa: OK, yep.

Christian: At the moment, we have some problems with that, but in general it works. And we want to add sources from disk as well. So right now, for example, we have our registry parser to get an artifact from memory, and the structure on disk is a bit different, but a very tiny bit.

So we can relatively easily change our algorithms to also be able to get that data from disk to have more registry keys that might not be in memory at the moment, and also see differences. So, just as an example, there are some malware strains who change registry keys in memory but don’t flush them back to disk, things like that.

The same is valid for other data sources, so for example, event logs. We just had a Master’s thesis on event logs, so that will be in the product relatively soon hopefully. So we want to add those, and later down the road, we also want to add online sources. So, for example, if we find access keys for cloud storage and things like that in any of our other data sources, that we can access them and also integrate them into the analysis workflow.

Christa: With that in mind I wanted to focus on one particular subset in the law enforcement use case, which is encryption. So I know that you’ve been working on this product for a few years now, but in July this year, the German Federal Police announced more than 750 arrests along with seizures of drugs, weapons and other assets associated with the mobile EncroChat platform.

So I don’t know whether Nexus was used in that case, or whether it’s still too soon, or you can’t talk about it, but I did want to find out more about how the solution would be valuable for similar kinds of cases with those kinds of encrypted mobile platforms.

Christian: OK, so our current focus is disk encryption, actually. So we don’t support mobile yet.

Christa: Gotcha.

Christian: That’s not really a focus, so EncroChat is a bit too early, maybe in a few years! So the current focus, as I said, is containers like VeraCrypt, TrueCrypt, and also BitLocker. That’s one thing that I’ve learned also in the Federal Police: they often have the case that they have such a container and the computer is running, but they can’t access it. And that was the main idea of the product, that it should be really easy to just click and decrypt the device, because the key is in memory; if you get the memory it should be really easy to decrypt the device.

Christa: I see.

Christian: Yeah, and that was my initial idea.

Christa: OK. Thank you for clarifying that.

Aaron: I think we need to say…I mean, while we speak at this point, we still are re-implementing or implementing some of those encryption features. I mean, we had it at some point as a working proof of concept already in there since our launch. We took it out for stability reasons, but we are working on adding it back in a more stable state.

Christa: OK. Are you able to share what kind of feedback that you’ve received about Nexus and its usefulness for law enforcement in particular, but any other user groups that are working with it?

Aaron: I think we can say that the most amount of feedback in general we got from the law enforcement sector so far (since we started with the law enforcement sector in mind when we developed the product), I think it’s clear that the usefulness is probably at the highest at the moment for the law enforcement sector. Not saying that anyone else might not be interested in that, but definitely the most feedback we got from law enforcement.

We had some initial problems, to be honest, with the Windows version of our product because we are… Chris in particular is a Linux developer, we are general Linux developers. Some of our initial pilot projects that we ran with first partners (or some of the initial feedback that we got) was that we wanted to build, or should build, maybe a Linux-based application for bigger server setups, so for bigger corporations that would maybe… or also an agency, they should be able to use our product on their Linux server, and then access the user interface on some endpoint.

So that’s how we designed the whole thing. Then kind of the majority of the initial parties that were interested wanted some Windows version, so Chris started working on that, but some things are a bit different there, so we had some initial stability problems on Windows, had to extend…or we also extended, then some of the early trials for that.

Christian: By the way that’s also the problem with the disk image stuff right now. So that’s still a Windows problem. So on Linux everything works, but on Windows it’s still kind of not that stable.

Aaron: So we focused now in the past couple of months on really stabilizing the Windows version. On getting also the last pieces of the product together, which is mainly the proper database for filtering and searching results in the tables. So this is also something that is being added now very soon after the recording of this podcast, or hopefully, it’s very likely that it’s out when this podcast gets published.

Christa: OK.

Aaron: But apart from that, most of the people we talked to were, I would say, excited about the product. Still saw that there needed to be some more features maybe in some areas, so some of them wanted, for example, a hibernation file reader, which is currently being finalized.

So I would say the early feedback, apart from the stability problems with Windows, was good, and something we can build on. We are also seeing the first commercial results now so I think this direction is right. We generally try to be as transparent and open about what we are doing and where we are going as we can. Also speaking with potential users, or customers, as much as we can to really go into the right direction.

And so for that, I would also encourage everyone who sees this podcast, of course, to always check out our webpage, go to the roadmap (we have a roadmap there), which gets updated with every one of our product updates, and it should give you a good idea of where we’re going, where we are at the moment. And of course if in doubt, always just download the product and test it out. It’s available with a limited image size for free on the website.

Christa: Good to know. It sounds like you’re very, very deeply focused on development. I was curious about whether you’ve given any thought to various EU initiatives. We’ve been covering some of those this year. There’s Hansken at the Netherlands Forensics Institute, the FORMOBILE and LOCARD projects on an international level, the CASE Ontology. Are you looking to integrate your product with any of those, or thinking about that just at a very basic level at this point?

Christian: Yeah, so first of all, we are not affiliated with them, or we are not actively working on any integration so far. But in general, of course, it looks interesting, especially the LOCARD project. I’ve taken a look at that a bit more in depth, and it seems to align with what we envisioned for our product. So from my perspective, it looks really interesting, but of course, as Aaron already said, we are really focused on feedback. And actually we got zero feedback that anyone would be interested in an integration so far in any of these projects.

Aaron: It might be because they’re a bit too early, they are still being developed, some of them.

Christa: Right.

Christian: And also we are really early, so I guess those questions will come at some point, and then we will probably also work towards an integration.

Christa: OK.

Aaron: So in general we like, of course, integrating other concepts that are out there, other frameworks. This is definitely something that we are looking into. Of course it has to make sense, it has to serve a purpose for certain customer groups. But, I also want to say that some of the European funding projects: I mean it’s great that they exist, and it’s good that there is European funding because it’s such a technical area that it’s hard to explain to anyone quite frankly. Also to investors or whoever wants to get active, like they need to hire experts to even understand the basics.

Christian: Try to tell an investor that you need, like, five years of development before you can start making revenue!

Aaron: So it’s great that they’re out there, and we’re also looking into cooperating with other partners and applying for some of those calls that are out there. I think those programs were still under Horizon 2020, which was a big funding scheme, which ended in 2020.

Now there’s Horizon Europe which is for the next seven years, until 2027. I think it got even bigger, the deep tech funding in there. So we’re also looking into that. And we already connected with some universities in Germany at least that form consortia that can participate in those things. So it could be that you hear from us in that regard as well, but can’t make any promises yet.

Christa: Yeah, no, of course. So as you’re bringing more, I guess, users on board, more potential customers, what kind of background or training should the users have to be able to use Nexus successfully?

Christian: Yeah, that is also one thing that we want to improve in the field of memory forensics, because right now you need a pretty deep understanding of the technology, of course. And that’s also the case with Nexus. I mean it’s simpler to get started in general because it’s pretty simple to set up, and then just add an image and you can analyze it.

So right now the difference is not that big, so you need a background in, at least, IT security and understand malware concepts, depending on the use case of course, if it’s more law enforcement or more incident response. But we want to work on that, and integrate a very…or deeply integrate a knowledge base that you can basically click on any artifact type and any indicator of compromise or whatever we display in the front end, and you get additional information to that and can read up what’s going on there, what does it mean.

But that’s, as you can imagine, quite a lot of work, so we are just getting started with that. It will probably take a while, but it’s one of our focused topics, that we want to give memory forensics, or the possibility to do successful memory forensics, to more people.

Christa: OK. I have a final question… oh, go ahead.

Aaron: Sorry, just one addition to that. I think it’s, as Chris said, easy to get some initial data, just to see results, but interpreting the results of course still remains an issue that also probably can never be fully solved. I mean you always have to be able to understand some of the process information that you get from looking at the memory dump. This is something we cannot take away at any point, but the hurdle should be lower, the entry point should be… it should be easier to familiarize with those topics, and that’s what we try to achieve.

Christa: OK. That makes sense. So I have a final question for you. The name Trufflepig is very distinctive. Where does it come from?

Christian: Yeah so, that is actually a story that comes from Olli. So, he was working in an IT security startup before. I think it was at an incident, and so they were also handling some incidents, mostly Linux systems. And he was looking for some stuff, or a team member of his was looking for things, and he didn’t find it within like two hours or so. And he was sitting down and “yeah, what’s the problem?” and like five minutes later, “yeah here it is!” And he was like “OK, yeah you’re a truffle pig, you find the truffles.” And that somehow stuck with us.

Christa: I like it!

Aaron: We think it describes what we try to do, of course, very well. Looking for the truffles in the vast amount of data out there.

Christa: Exactly, yeah. Well, Aaron and Chris, thank you again for joining us on the Forensic Focus podcast.

Aaron/Christian: Thank you, Christa.

Christa: Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at Stay safe and well.
