Feature Ideas
Let THOR scan forensic images directly
It would be awesome, if we could scan forensic images (like E01 or AFF4) directly with the THOR scanner and the --lab command switch. Currently, we mount the image with Arsenal or FTK, but the performance is not so great. Reading the image format natively would make scanning a lot easier (pipelining, error proof, reduce dependencies, etc). Love to hear your comments!
Matthias1
Provide an ARM64 version of Thor
The number of small and micro services on ARM64 is growing and currently I am not able to scan those servers with Thor, which I really would appreciate. I gather the amount of work to provide an ARM64 version should not be too high.
Matthias W3
vtmode parameter: introduce "safe" option
Currently, there are two options available for vtmode: limited (default) and full. As I understand it: Limited does hash lookups only. Full also uploads samples. There is no option in between. I would like to be able to upload samples to VT, but unfortunately, for my org, many scans result in lookups of files with confidential data. For this reason, I suggest implementing a version of "full" that I will call "safe": check the file extension against a list of extensions that usually don't contain confidential data; if the extension is in the list, upload the file; if the extension is not in the list, check the hash only. Here's a subset of a list Microsoft uses for this purpose: .bat, .scr, .dll, and .exe. I suggest also adding scripts like .ps1, .vbs, .js, and many others. I also suggest parameterizing the allowed sample extension list so that it can be modified by orgs. This behavior could be modeled after what Microsoft Defender Antivirus does for "safe" sample submissions: https://learn.microsoft.com/en-us/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission
Ian B0
Collect artifacts via THOR Scanner
Collect memory region or/and samples of detections via Process/File System detections.
Marvin U1
Change group scan settings during "copy failed assets"
Add option to change group scan settings during "copy failed assets" as the wrong settings might be the root cause for the failure. Therefore, it would be beneficial if one could change settings during the duplication process of failed assets/scans
Michael Sepp // BETTA Security G0
Autoruns Module is splitting IMAGE_PATH and ARGUMENTS at the wrong position
The Autoruns module has two keys called IMAGE_PATH and ARGUMENTS. IMAGE_PATH should contain the path of the program that is run, and the ARGUMENTS key should contain the arguments. E.g., if the Run key in HKLM contains the following entry:

C:\Program Files\Teams Installer\Teams.exe --checkInstall --source=default

(there are no quotes), then the value for IMAGE_PATH is set to C:\Program and the value for ARGUMENTS is set to Files\Teams Installer\Teams.exe --checkInstall --source=default. This bug also leads to the problem that no hashes are calculated and the value for EXIST_1 is always "no". As I assume the string is simply split at the first occurrence of a whitespace, this behavior needs to be modified.
Evgen Blohm // S1
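The splitting problem described in the idea above is a general one: an unquoted autorun value whose image path contains spaces cannot be split on the first whitespace without losing the real binary, and with it the hash and existence check. The following is an added example written for this page, not THOR's own code and not a description of how THOR implements the Autoruns module. It shows one robust way to separate image path and arguments: honour a leading double quote first, then (optionally, via a caller-supplied `exists` callback such as `os.path.isfile`) try every whitespace boundary until a prefix exists on disk, then fall back to the first prefix ending in a known executable extension, and only as a last resort split at the first whitespace. The extension list and the sample Run-key values are constructed for the example.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed allow-list of extensions that mark the end of an image path.
# Extend it to whatever your autorun inventory actually contains.
EXEC_EXTENSIONS = (".exe", ".dll", ".com", ".cmd", ".bat", ".scr", ".ps1", ".vbs", ".js")


def split_command_line(value: str,
                       exists: Optional[Callable[[str], bool]] = None) -> Tuple[str, str]:
    """Split a Run-key style command line into (image_path, arguments).

    Strategy, in order:
      1. A leading double quote delimits the image path exactly.
      2. If an `exists` callback is given (e.g. os.path.isfile on the scanned
         host or a mounted image), the first whitespace boundary whose prefix
         exists on disk wins. This also handles paths without an extension.
      3. Otherwise the first prefix ending in a known executable extension wins.
      4. As a last resort, split at the first whitespace (the naive behaviour
         the bug report describes), so nothing is ever silently dropped.
    """
    value = value.strip()
    if not value:
        return "", ""

    # Case 1: quoted image path, e.g. "C:\Program Files\App\app.exe" /silent
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:          # unterminated quote: treat the rest as the path
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()

    # Candidate split points: start of every whitespace run, plus end of string
    # (the whole value may be a bare path with no arguments at all).
    boundaries = [m.start() for m in re.finditer(r"\s+", value)] + [len(value)]

    # Case 2: ask the file system which prefix is a real file.
    if exists is not None:
        for b in boundaries:
            candidate = value[:b]
            if exists(candidate):
                return candidate, value[b:].strip()

    # Case 3: longest-prefix heuristic on executable extensions.
    for b in boundaries:
        candidate = value[:b]
        if candidate.lower().endswith(EXEC_EXTENSIONS):
            return candidate, value[b:].strip()

    # Case 4: naive fallback.
    first = boundaries[0]
    return value[:first], value[first:].strip()


if __name__ == "__main__":
    # Constructed sample values, including the one from the bug report.
    samples = [
        r"C:\Program Files\Teams Installer\Teams.exe --checkInstall --source=default",
        '"C:\\Program Files\\App\\app.exe" /silent',
        r"rundll32 foo.dll,Entry",
    ]
    for s in samples:
        image, args = split_command_line(s)
        print(f"IMAGE_PATH={image!r}  ARGUMENTS={args!r}")
```

When the scanner has access to the file system (a live host or a mounted image), pass `exists=os.path.isfile` so that step 2 resolves ambiguous values authoritatively; the extension heuristic is only the offline approximation. Once the image path is correct, the hash and the EXIST_1 check can be computed on the real binary rather than on a non-existent `C:\Program`.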
Add the full Event to the ENTRY Field of an Eventlog Event
Events generated by the Eventlog module have a field called Entry. This field contains some part of the original Event that contains the matched string/IOC and some further parts from the Eventlog entry. Right now it seems that the entry from the Eventlog that will be displayed in the Event in the Analysis Cockpit is based on the position of the matched string and some parts after the matched string. This has a few drawbacks: the Event is only shown partially, and hence it is often not possible to analyze the Events based only on the entry in the Analysis Cockpit. In some cases an Event from the Eventlog might contain multiple IOCs at different places. This leads to multiple generated Events in the Analysis Cockpit, while originally describing the same event. Currently, my only idea to "fix" this issue is to include the full event from the Eventlog inside the Event in the Analysis Cockpit.
Evgen Blohm // S1
--virtual-map support Paths and not just Drives
It should be possible to map not only drive names but also paths in virtual mapping, e.g.:

.\thor64.exe --lab --path G:[root]\ --virtual-map G:[root]:C

Currently, it only supports drives:

.\thor64.exe --lab --path G:\ --virtual-map G:C

See documentation: https://thor-manual.nextron-systems.com/en/latest/usage/special-scan-modes.html?highlight=virtual-map#virtual-drive-mapping
Florian Roth0