We’re excited to announce a significant update to THOR, our comprehensive digital forensic scanner, which now extends multi-threading capabilities to both the standard version and THOR Lite. Previously exclusive to our forensic lab license holders, this enhancement allows users across all versions to leverage multiple CPU cores to expedite their scans.
Multi-threaded scanning is now available in THOR TechPreview 10.7.15 and THOR Lite 10.7.15 for both standard and free licenses.
Adjusting the number of threads in THOR is straightforward and adaptable. By default, THOR operates with a single thread—a decision made to prioritize system load and stability over scan speed. Users can specify the number of threads using the --threads flag; for example, --threads 2 sets it to two threads.
However, two other options may prove more practical, considering the actual number of CPU cores available.
Using --threads 0 configures THOR to utilize all available cores. Note that this setting can significantly load the system, potentially affecting other applications or services.
Alternatively, setting the number of threads to a negative value lets users reserve some cores for other tasks. For instance, --threads -4 would use all cores except four. If a system has only four cores, then only one core would be used for THOR.
New Lab License Feature: Audit Trail
We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.
The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.
We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.