THOR Forensic Lab License Features

by Nov 11, 2020

THOR version 10.6, which is currently available as TechPreview, introduces several new features that facilitates the use of THOR in a digital forensics lab. Since not all of the features provided with the “Forensic Lab” license type are well-known, we would like to introduce all features that are unique to that special license type in this blog post.

Forensic Lab License Features

  • Multi-threaded scanning (improves scan speed significantly on multi-core systems)
  • Multi-instance scanning (run multiple THOR processes on a single machine)
  • Memory dump scanning (use the so-called DeepDive on dumped data, e.g. memory images)
  • Dropzone mode (monitor folder for new files, scan them and generate events) 
  • Hostname replacement (replace hostname in log messages with a given string)
  • Virtual drive mapping (Map a mounted drive e.g. S: to a virtual drive e.g. C: to allow lookups for files mentioned in analyzed entries; more info here)

Multi-Threaded Scanning

Multi-threaded scanning allows users on forensic workstations to make full use of the system’s CPU cores. Multi-threading isn’t available in all modules but the ones with the biggest run time: 

  • File Scan
  • Registry Scan
  • Eventlog Scan

It is also available in DropZone mode, which means that dropping dropping 12 files in the monitored folder would create 12 threads scanning these files in parallel. 

We plan to refactor the following modules to support multi-threading:

  • DeepDive

Multi-Instance Scanning

Multi-instance scanning means that you can start multiple executables of THOR on a single workstation.

This is often needed in lab environments to process mounted disk images in parallel and create separate reports for these two cases. 

Memory Image Scanning

We provide a module named “DeepDive” that analyzes files of any size by reading big chunks of data and applying YARA rules to the chunks of data, showing YARA matches within that data with offset and matching strings / bytes. 

It is not meant for the analysis of disk images but memory dumps, crash dumps or even PCAP files.  

Dropzone Mode

The drop zone mode allows you to monitor a given folder for new files. All files dropped to that folder will be scanned and then deleted. Customers use  text and syslog output to report back findings.

The drop zone mode helps you to integrate THOR in a bigger analysis environment. We recommend dropping files in their original form with the correct filename and extension, since some of the rules make use of these meta data values.

Side note: If you like the idea of a drop zone, you’ll love THOR Thunderstorm.

Other Comfort Features

Other features relate to command line parameters that help you with different aspects of disk image scanning your forensic lab. We’ve added these features over the years based on a lot for feedback from DFIR specialists and BETA program users. 

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.


New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner Experienced a Breach?