{"id":8887,"date":"2020-11-11T17:31:38","date_gmt":"2020-11-11T16:31:38","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=8887"},"modified":"2022-03-25T14:15:42","modified_gmt":"2022-03-25T13:15:42","slug":"thor-forensic-lab-license-features","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/","title":{"rendered":"THOR Forensic Lab License Features"},"content":{"rendered":"<p>THOR version 10.6, which is currently available as TechPreview, introduces several new features that facilitate the use of THOR in a digital forensics lab. Since not all of the features provided with the &#8220;Forensic Lab&#8221; license type are well-known, we would like to introduce all features that are unique to that special license type in this blog post.<\/p>\n<h1>Forensic Lab License Features<\/h1>\n<ul>\n<li>Multi-threaded scanning (improves scan speed significantly on multi-core systems)<\/li>\n<li>Multi-instance scanning (run multiple THOR processes on a single machine)<\/li>\n<li>Memory dump scanning (use the so-called DeepDive on dumped data, e.g. memory images)<\/li>\n<li>Dropzone mode (monitor a folder for new files, scan them and generate events)<\/li>\n<li>Hostname replacement (replace the hostname in log messages with a given string)<\/li>\n<li>Virtual drive mapping (map a mounted drive, e.g. S:, to a virtual drive, e.g. C:, to allow lookups for files mentioned in analyzed entries; more info <a href=\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\">here<\/a>)<\/li>\n<\/ul>\n<h1>Multi-Threaded Scanning<\/h1>\n<p>Multi-threaded scanning allows users on forensic workstations to make full use of the system&#8217;s CPU cores. Multi-threading isn&#8217;t available in all modules, but it is available in the ones with the biggest run time:<\/p>\n<ul>\n<li>File Scan<\/li>\n<li>Registry Scan<\/li>\n<li>Eventlog Scan<\/li>\n<\/ul>\n<p>It is also available in DropZone mode, which means that dropping 12 files into the monitored folder would create 12 threads scanning these files in parallel.<\/p>\n<p>We plan to refactor the following modules to support multi-threading:<\/p>\n<ul>\n<li>DeepDive<\/li>\n<\/ul>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/11\/Screenshot-2020-11-09-131236.png\" alt=\"Screenshot 2020-11-09 131236\" \/><\/p>\n<h1>Multi-Instance Scanning<\/h1>\n<p>Multi-instance scanning means that you can start multiple THOR processes on a single workstation.<\/p>\n<p>This is often needed in lab environments to process two mounted disk images in parallel and create a separate report for each of the two cases.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/11\/Screenshot-2020-11-11-165424.png\" alt=\"Screenshot 2020-11-11 165424\" \/><\/p>\n<h1>Memory Image Scanning<\/h1>\n<p>We provide a module named &#8220;DeepDive&#8221; that analyzes files of any size by reading big chunks of data and applying YARA rules to each chunk, reporting every YARA match within that data together with its offset and the matching strings \/ bytes.<\/p>\n<p>It is not meant for the analysis of disk images but for memory dumps, crash dumps or even PCAP files.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/11\/Screenshot-2020-11-11-170036.png\" alt=\"Screenshot 2020-11-11 170036\" \/><\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/11\/Screenshot-2020-11-11-170253.png\" alt=\"Screenshot 2020-11-11 170253\" \/><\/p>\n<h1>Dropzone Mode<\/h1>\n<p>The drop zone mode allows you to monitor a given folder for new files. All files dropped into that folder will be scanned and then deleted. Customers use the text and syslog output to report back findings.<\/p>\n<p>The drop zone mode helps you to integrate THOR into a bigger analysis environment. We recommend dropping files in their original form, i.e. unmodified copies with the correct filename and extension, since some of the rules make use of these metadata values.<\/p>\n<p>Side note: If you like the idea of a drop zone, you&#8217;ll love <a href=\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/theres-a-thunderstorm-coming\/\">THOR Thunderstorm<\/a>.<\/p>\n<h1>Other Comfort Features<\/h1>\n<p>Other features relate to command line parameters that help you with different aspects of disk image scanning in your forensic lab. We&#8217;ve added these features over the years based on a lot of feedback from DFIR specialists and BETA program users.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[],"class_list":["post-8887","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>THOR Forensic Lab License Features - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"THOR Forensic Lab License 
Features\",\"datePublished\":\"2020-11-11T16:31:38+00:00\",\"dateModified\":\"2022-03-25T13:15:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\"},\"wordCount\":870,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"articleSection\":[\"Newsletter\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\",\"name\":\"THOR Forensic Lab License Features - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2020-11-11T16:31:38+00:00\",\"dateModified\":\"2022-03-25T13:15:42+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2020\/11\/11\/thor-forensic-lab-license-features\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems 
GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=8887"}],"version-history":[{"count":10,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8887\/revisions"}],"predecessor-version":[{"id":8918,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8887\/revisions\/8918"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=8887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=8887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=8887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}