THOR’s Power Unleashed: Multi-Threading for the Masses

by Florian Roth, May 3, 2024

We’re excited to announce a significant update to THOR, our comprehensive digital forensic scanner, which now extends multi-threading capabilities to both the standard version and THOR Lite. Previously exclusive to our forensic lab license holders, this enhancement allows users across all versions to leverage multiple CPU cores to expedite their scans.

Multi-threaded scanning is now available in THOR TechPreview 10.7.15 and THOR Lite 10.7.15 for both standard and free licenses.

Adjusting the number of threads in THOR is straightforward and adaptable. By default, THOR operates with a single thread—a decision made to prioritize system load and stability over scan speed. Users can specify the number of threads using the --threads flag; for example, --threads 2 sets it to two threads.

However, two other options may prove more practical, considering the actual number of CPU cores available.

Using --threads 0 configures THOR to utilize all available cores. Note that this setting can significantly load the system, potentially affecting other applications or services.

Alternatively, setting the number of threads to a negative value lets users reserve some cores for other tasks. For instance, --threads -4 would use all cores except four. If a system has only four cores, then only one core would be used for THOR.

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.

If you have questions about these features or want to report any issues, please join our community Discord server.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
