We are proud to announce version 10.6 of THOR, the first version to be released as a TechPreview. We’ve discussed the split-up into THOR and THOR TechPreview in a previous post.
The following post describes the most important new feature of the THOR v10.6 TechPreview version.
THOR Thunderstorm
THOR 10.6 is the first version that supports a new mode of operation: a RESTful web API service named THOR Thunderstorm. THOR Thunderstorm is able to receive thousands of samples per minute via web requests, scan them, and return a scan result for each.
We’ve outlined many use cases and features of THOR Thunderstorm in a separate blog post.
THOR Thunderstorm requires a separate license named “service license” to run.
Multi-Threaded Scanning
Customers with a lab license in particular should be happy to hear that we’ve implemented multi-threaded scanning.
From now on, THOR can use multiple threads to process elements (files, registry keys, eventlog events, etc.).
This can boost the scan speed on mounted images significantly. Our tests on a 16-core system showed a scan speed improvement of 1400%.
Reworked Quick Scan
Quick scan (--quick) is used when fast scan results are crucial. It usually takes less than 25 minutes to complete. This is achieved by skipping elements in the scan. Quick scans in versions prior to 10.6 skip the Eventlog scan and scan only a set of 40+ highly relevant folders on disk.
The new quick scan doesn’t skip whole modules or directories anymore. For all previously skipped elements, the new quick scan evaluates whether they have been modified or created within the last 72 hours and scans only these elements.
This way, the new quick scan is much more intensive but should be only slightly slower.
Other Changes
- We’ve changed the ambiguous “--fsonly” flag to “--lab” to indicate the best settings for scanning in a forensic lab (the old flag is still usable but hidden in the usage description)
- Virtual drive name mapping (used in lab scans to map the actual mount point to the original one)
- Minor changes to some log lines (extended field values)
Getting Started
Customers can download the THOR TechPreview version 10.6 in the Downloads section of the customer portal or use the newest version of thor-util to download it with the flag “--techpreview”. ASGARD version 2.5.3 also supports scan runs with THOR TechPreview.