From THOR Scan to Timeline: Correlating Findings in Timesketch

by Ion Cicala, Jun 11, 2025

We’ve released a CLI utility that converts THOR logs into a Timesketch-compatible format. This allows analysts to import and visualize THOR’s forensic findings as timestamped events on a unified timeline, together with data from other sources.

The thor2ts utility addresses a common limitation in compromise assessments: although THOR produces detailed, structured output, analysts often have to review it log-by-log or post-process the data to use it in a broader investigation. With thor2ts, these findings can now be directly transformed and imported into Timesketch’s timeline analysis workflows.

(Screenshot: output of thor2ts --help)

Use Case and Benefits

The key advantage of integrating THOR scan results into Timesketch is the ability to correlate findings both over time and across different data sources. Many attack traces, such as privilege escalation, credential dumping, and lateral movement, only become apparent when viewed in context. Timesketch provides a timeline-based interface that helps analysts identify related activity across multiple hosts and sources, enabling a more comprehensive understanding of attacker behavior.

(Screenshot: Timesketch timeline showing audit-trail events and JSON findings)

By aligning THOR results alongside logs from endpoint agents, Sysmon, audit logs, or forensic images, analysts can:

  • Investigate temporal relationships between artifacts (e.g., when a dropped file, registry modification, and suspicious login occur in close sequence)
  • Identify suspicious events not flagged as findings, based on proximity to confirmed alerts
  • Link secondary timestamps (e.g., last_logon, created, accessed) into the investigation by parsing all known time fields from THOR results

Each event derived from a THOR log is assigned a timestamp_desc, a descriptive label that documents the context of the timestamp (e.g., Users - last_logon, File - created). This results in a timeline that not only reflects the scan time, but also any historical context embedded in the findings.

(Screenshot: expanding a THOR finding in Timesketch)

Format and Coverage

The utility supports the following input formats:

  • THOR JSON v1 (default output)
  • THOR JSON v2 (via --jsonv2)
  • Audit-Trail Logs (verbose logs introduced in THOR 10.7 using --audit-trail)

These formats are mapped into newline-delimited JSON (JSONL) files suitable for Timesketch ingestion, where each line carries the fields Timesketch requires (a message, a datetime, and a timestamp_desc). For audit-trail logs, both info and findings entries are supported. Events derived from the same THOR log entry share an event_group_id, so the original record can be reconstructed from its individual timeline events.
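To make the mapping concrete, here is an added example that is not thor2ts's own code and not taken from the original post: it converts constructed THOR-style JSON lines into Timesketch JSONL events, emitting one event at scan time plus one event per secondary timestamp (the timestamp_desc labels described under "Use Case and Benefits"), tags every event derived from one log line with a shared event_group_id, and then finds artifacts from different findings whose embedded timestamps fall in close sequence. The THOR field names used here (time, module, created, accessed, last_logon) and the sample log lines are assumptions for illustration; real THOR output may use a different layout.

```python
"""Added example (not thor2ts's own code): turn THOR-style JSON log lines into
Timesketch JSONL events, one event per known time field, grouped per log line.
The THOR field names below ("time", "module", "created", ...) are assumed for
illustration; real THOR output may differ."""
import json
from datetime import datetime, timedelta

# Secondary timestamp fields a finding may carry (assumed field names).
TIME_FIELDS = ("created", "modified", "accessed", "last_logon")
# Timesketch refuses JSONL rows that lack any of these three keys.
REQUIRED = ("message", "datetime", "timestamp_desc")

# Constructed THOR-style JSON v1 lines, one JSON object per line (sample data,
# not real scanner output). Backslashes are JSON-escaped inside the raw string.
SAMPLE_THOR_LOG = r'''
{"time": "2025-06-10T09:15:42Z", "level": "Alert", "module": "Filescan", "message": "Malware file found", "file": "C:\\Users\\Public\\svchost.exe", "created": "2025-06-09T23:41:10Z", "accessed": "2025-06-10T01:02:03Z", "score": 140}
{"time": "2025-06-10T09:16:05Z", "level": "Warning", "module": "Users", "message": "Suspicious local account", "user": "backup_svc", "last_logon": "2025-06-10T01:05:17Z", "score": 70}
{"time": "2025-06-10T09:16:30Z", "level": "Info", "module": "Init", "message": "Scan started on HOST01"}
'''


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp ('Z' or '+00:00' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_event(event: dict) -> dict:
    """Fail early instead of letting Timesketch reject the whole import."""
    missing = [f for f in REQUIRED if not event.get(f)]
    if missing:
        raise ValueError(f"event missing required Timesketch fields: {missing}")
    return event


def thor_to_timesketch(thor_jsonl: str) -> list[dict]:
    """Convert THOR-style JSON lines into Timesketch JSONL event dicts.

    Every log line yields one event at scan time plus one event per secondary
    timestamp it carries; all events derived from the same line share an
    event_group_id so the original record can be reconstructed in Timesketch.
    """
    events = []
    lines = [ln for ln in thor_jsonl.splitlines() if ln.strip()]
    for group_id, line in enumerate(lines):
        record = json.loads(line)
        module = record.get("module", "THOR")
        # Carry every non-time field over as a searchable attribute.
        base = {k: v for k, v in record.items() if k not in TIME_FIELDS and k != "time"}
        base["event_group_id"] = group_id
        events.append(validate_event({
            **base,
            "datetime": parse_ts(record["time"]).isoformat(),
            "timestamp_desc": f"{module} - scan time",
        }))
        for field in TIME_FIELDS:
            if field in record:
                events.append(validate_event({
                    **base,
                    "message": f"{record['message']} [{field}]",
                    "datetime": parse_ts(record[field]).isoformat(),
                    "timestamp_desc": f"{module} - {field}",
                }))
    return events


def correlated_pairs(events: list[dict], window_seconds: int) -> list[tuple[str, str]]:
    """Return (earlier, later) timestamp_desc pairs from *different* log lines
    whose embedded timestamps lie within window_seconds of each other.

    Scan-time events are skipped: they all fall during the scan and say nothing
    about when the artifacts themselves were created or used.
    """
    artifacts = sorted(
        (e for e in events if not e["timestamp_desc"].endswith("scan time")),
        key=lambda e: e["datetime"],  # same offset and format, so string order is time order
    )
    window = timedelta(seconds=window_seconds)
    pairs = []
    for i, earlier in enumerate(artifacts):
        for later in artifacts[i + 1:]:
            if parse_ts(later["datetime"]) - parse_ts(earlier["datetime"]) > window:
                break
            if later["event_group_id"] != earlier["event_group_id"]:
                pairs.append((earlier["timestamp_desc"], later["timestamp_desc"]))
    return pairs


def write_jsonl(events: list[dict], path: str) -> None:
    """Write events as newline-delimited JSON for import into a Timesketch sketch."""
    with open(path, "w", encoding="utf-8") as fh:
        for event in events:
            fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    evts = thor_to_timesketch(SAMPLE_THOR_LOG)
    for e in sorted(evts, key=lambda e: e["datetime"]):
        print(e["datetime"], e["timestamp_desc"].ljust(22), e["message"])
    print("close-sequence pairs:", correlated_pairs(evts, 300))
```

Run stand-alone, the script prints the six events in chronological order; the file's created and accessed times and the account's last_logon land hours before the scan itself, which is the "historical context" the timeline is meant to surface, and correlated_pairs with a five-minute window reports that the file access and the suspicious account's last logon occurred within about three minutes of each other even though they come from two separate findings.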

(Screenshot: thor2ts options --sketch, --buffer-size and --filter)

THOR Lite Compatibility

The tool works not only with commercial THOR logs but also with THOR Lite, Nextron’s free forensic scanner. This makes it possible to evaluate the integration and timeline-based analysis workflow without a commercial license.

Author

  • Ion Cicala

About the author:

Nextron Threat Research Team
