THOR Scan Skill
Goal: produce a safe, reproducible THOR command line and minimal preflight checks.
Rules
- Prefer THOR v10 stable unless the user explicitly wants v11 TechPreview features.
- Always start with environment detection: OS, THOR path, license presence, and whether thor-util exists.
- Identify if the user has full THOR or THOR Lite (different binaries, different capabilities).
- Avoid "magic flags". Explain why each non-trivial flag is used.
- Default to focusing on forensic / lab workflows; if it's live endpoint scanning, keep it conservative.
Preflight checklist
- List the THOR install directory first (`ls` or `dir`). This immediately tells you:
  - Which THOR version you have (binary names contain "lite" for THOR Lite)
  - What binaries and tools are available
  - What license files exist
- Verify the correct binary exists:
  - Full THOR: `thor64.exe` (Windows), `thor-linux-64` (Linux), `thor-macosx` (macOS)
  - THOR Lite: `thor64-lite.exe` (Windows), `thor-lite-linux-64` (Linux), `thor-lite-macos` (macOS)
- If recommending `--lab` mode, check license type first:
  - `grep -i forensiclab *.lic` - if found, `--lab` is available
  - If not found (or THOR Lite), use the alternative: `-a Filescan --intense --norescontrol --cross-platform`
- Check thor-util presence for update/diagnostics/report tasks.
- Identify scan target type:
  - live path, mounted image, memory dump, extracted dumps, SSHFS-mounted remote
- Choose scan mode and output location; keep outputs deterministic.
- If THOR Lite: note that lab mode and Sigma are unavailable. See THOR Lite limitations.
Important flag rules
- Never use `--lab --intense` together - `--lab` already includes intense mode
- Check license before recommending `--lab` - requires Forensic Lab license
- THOR Lite has no `--lab` - always use the alternative flag combination
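The preflight checklist and the flag rules above can be applied mechanically. The POSIX shell helper below is an added example, not part of THOR or of this skill's reference files: it locates the binary, classifies full vs. Lite, runs the same `grep -i forensiclab *.lic` license heuristic, checks for thor-util, and prints the single-line command for the first line of the output. It never emits `--lab` and `--intense` together. Assumptions: binary names are exactly those listed in the checklist, any OS that `uname -s` does not report as Linux or Darwin is treated as Windows, `thor-util.exe` is the Windows name of thor-util, and scan path and output options are appended by the caller per reference/output-and-reporting.md.

```shell
#!/bin/sh
# Added example: THOR preflight helper that applies the checklist and flag rules.
# Not part of THOR or this skill's reference files.
# Assumptions: binary names are exactly those listed in the checklist; any OS that is
# not Linux or Darwin is treated as Windows; the license check is the same
# `grep -i forensiclab *.lic` heuristic; thor-util.exe is the Windows name of thor-util;
# scan path and output options are appended by the caller.

# thor_find_binary DIR [OS]: print the THOR binary present in DIR for OS, or fail.
thor_find_binary() {
    _dir=$1
    _os=${2:-$(uname -s)}
    case "$_os" in
        Linux)  _cands="thor-linux-64 thor-lite-linux-64" ;;
        Darwin) _cands="thor-macosx thor-lite-macos" ;;
        *)      _cands="thor64.exe thor64-lite.exe" ;;   # Windows (incl. MSYS/MinGW uname output)
    esac
    for _b in $_cands; do
        if [ -f "$_dir/$_b" ]; then
            echo "$_b"
            return 0
        fi
    done
    return 1
}

# thor_edition BINARY: "lite" if the binary name contains "lite", else "full".
thor_edition() {
    case "$1" in
        *lite*) echo lite ;;
        *)      echo full ;;
    esac
}

# thor_has_lab_license DIR: succeed if any .lic in DIR mentions the Forensic Lab license.
thor_has_lab_license() {
    grep -qi forensiclab "$1"/*.lic 2>/dev/null
}

# thor_util_present DIR: succeed if thor-util exists in DIR (thor-util.exe assumed on Windows).
thor_util_present() {
    [ -f "$1/thor-util" ] || [ -f "$1/thor-util.exe" ]
}

# thor_scan_flags DIR EDITION: --lab only for full THOR with a lab license; otherwise the
# documented alternative. --lab already includes intense mode, so --intense is never added to it.
thor_scan_flags() {
    if [ "$2" = full ] && thor_has_lab_license "$1"; then
        echo "--lab"
    else
        echo "-a Filescan --intense --norescontrol --cross-platform"
    fi
}

# thor_build_command DIR [OS]: print the single-line command for the first line of the
# output. Scan path and output options are appended by the caller.
thor_build_command() {
    _bdir=$1
    _bin=$(thor_find_binary "$_bdir" "$2") || { echo "no THOR binary found in $_bdir" >&2; return 1; }
    _ed=$(thor_edition "$_bin")
    echo "$_bdir/$_bin $(thor_scan_flags "$_bdir" "$_ed")"
    # Advisory only: update/diagnostics/report tasks need thor-util, the scan itself does not.
    thor_util_present "$_bdir" || echo "note: thor-util not found in $_bdir" >&2
}

# Example invocation: set THOR_DIR to the install directory to print the recommended command.
if [ -n "${THOR_DIR:-}" ]; then
    thor_build_command "$THOR_DIR"
fi
```

Run it as `THOR_DIR=/path/to/thor sh preflight.sh`; the command line goes to stdout and the thor-util note, if any, to stderr, so the first output line stays a clean single command. The flag decision is deliberately a pure function of edition and license file contents, which keeps the recommendation reproducible across runs on the same install.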
Use these references when needed
- Environment detection: reference/env-detection.md
- Scan modes overview: reference/scan-modes.md
- Forensic lab mode: reference/lab-mode.md
- Performance and threading: reference/performance.md
- Output and reports: reference/output-and-reporting.md
- Signature selectors/filters: reference/signature-filtering.md
- THOR Lite limitations: ../thor-lite/reference/limitations.md
Example templates
- examples/windows-live-scan.md
- examples/linux-mounted-image.md
- examples/macos-scan.md
- examples/memory-dump.md
- examples/sshfs-remote-scan.md - for appliances and unsupported architectures
Output format
- First line: one recommended command (single-line).
- Then: short explanation of key flags.
- Then: "If it fails" section with 2-3 likely causes and next commands to run.