1. Introduction

THOR log files are designed to provide as much information on a detected object as possible. However, the THOR scanner is designed to evaluate an object offline, without any data sources other than the local signature sets. Many log messages must therefore be evaluated by an analyst who has access to other data sources and platforms.

This document is meant for analysts tasked with analyzing THOR log files. Each chapter contains guidelines for processing the messages of a particular module. Please see chapter 5 for a complete overview of tools to evaluate the events generated by THOR.