From untrusted media to trusted report, offline.
Bifrost inspects removable media in environments where connecting a networked scanner isn't an option. Here's what happens, end to end.
Building the boot media
Bifrost ships as a sealed system image — a complete operating system, scanning engines, signature databases, and rule sets, all baked into a single read-only image. Fresh images are produced through a managed pipeline on a regular cadence, pulling the latest signatures and rules. The image is written to hardware write-protected boot media and delivered to the customer. There is no over-the-wire update path, by construction.
The hardware
Bifrost runs on secure hardware — portable or fixed — sealed to operate in one role only: scanning removable media. The boot media is hardware write-protected, preventing any modification to the scanning environment. Target media — the USB drives, SD cards, or portable hard drives being inspected — is always connected through a hardware write-blocker, so nothing Bifrost does can modify the media being scanned. Nothing the operator can do puts either at risk.
The boot process
From power-on, the system takes about thirty seconds to reach the operator interface. The entire operating system loads from the sealed image into RAM. There is no persistent disk, no swap partition, no writable storage. Once booted, the system is ready to scan.
The scan pipeline
Bifrost runs a series of inspection phases in sequence. Each phase has a specific job, and each one contributes to the final report.
Mount
The target media is mounted read-only through the hardware write-blocker.
Inventory
Every file is catalogued — name, size, type, timestamps, hash.
Signature scan
Files are checked against a curated malware signature engine.
Rule-based heuristics
A YARA-rule ruleset looks for known malicious patterns, families, and techniques.
Behavioural checks
Executables are inspected for suspicious capabilities, packing, and embedded strings.
Keyword search
Content is searched for classification markers and configurable keyword sets.
Report
Findings are aggregated into a single report for review.
The report
Results appear on screen immediately and can be printed to a thermal printer for paper-trail evidence. The report lists clean files, flagged files with their reasons, and any items the operator needs to review manually.
Shutdown and sanitise
When the operator is done, the system shuts down and sanitises all RAM to ISM-0351/0352 before the device powers off. Every trace of the scan — file contents, metadata, results — is wiped. Nothing survives a power cycle. The device is ready for the next operator with a clean state, guaranteed by hardware and software together.
Limitations — what Bifrost doesn't do
Bifrost is a triage and inspection tool, not an analysis suite. It doesn't run files in a sandbox to observe behaviour. It doesn't reverse engineer unknown binaries. Because it's air-gapped, signature and rule updates come only through a fresh sealed image, not over the wire — the update cadence is measured in days, not minutes.