forensicate.cloud

Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 13: Search for Known Indicators of Compromise

GOAL:

Determine if there are any known IOCs in the file system.

SUMMARY OF STEPS:

  1. Install Loki
  2. Run Loki & Examine Output

Step 1: Install Loki

Loki is an IOC scanner written in Python. It runs without issue on the SIFT Workstation but is not preinstalled, so it has to be installed separately. To install it, use the following commands (the first three rebuild yara-python from source to fix a hashing error in the packaged build):

cd /tmp
pip uninstall -y yara-python  # need to recompile yara to fix hashing error
git clone --recursive https://github.com/VirusTotal/yara-python
cd yara-python && python setup.py build && python setup.py install
cd ~
wget https://github.com/Neo23x0/Loki/archive/v0.29.1.tar.gz
tar -xzvf v0.29.1.tar.gz
cd Loki-*
pip install -r requirements.txt


VIDEO: Lab 13 Step 1 - Install Loki

Step 2: Run Loki & Examine Output

Run Loki and have it scan the attached evidence mounted at /mnt/linux_mount/. Check out the output:

cd ~/Loki-*
python loki.py -p /mnt/linux_mount/

Save the output and open it:

cp loki-siftworkstation.log /cases  # save the output log
grep -E "Alert|Notice|FILE|SCORE|SUBSCORE|DESC" \
   /cases/loki-siftworkstation.log

Research any findings.
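The grep above pulls the interesting lines out of the log, but once a scan produces more than a handful of hits it helps to parse them into a list sorted by score so the research step starts with the highest-scoring files and you can see which rule or IOC pattern contributed each SUBSCORE. The Python script below is an added example, not part of this lab or of Loki itself. The sample log lines are constructed to mimic the shape of Loki's per-file findings (a level of Alert, Warning or Notice, then FILE, SCORE and one or more REASON_n / SUBSCORE / DESCRIPTION groups); the paths, rule names and scores are invented, and the exact field layout of a real loki-siftworkstation.log may differ, so adjust the regular expressions to your log if they do not match.

```python
import re
from collections import Counter

# Constructed sample of the kind of lines Loki writes to its log. These are
# made-up findings for illustration (paths, rule names and scores are invented);
# a real loki-siftworkstation.log may lay the fields out slightly differently.
SAMPLE_LOG = """\
20240101T10:00:01Z siftworkstation LOKI: Info: Starting scan of /mnt/linux_mount/
20240101T10:00:05Z siftworkstation LOKI: Alert: FILE: /mnt/linux_mount/tmp/.x/xmrig SCORE: 140 TYPE: ELF SIZE: 1048576 REASON_1: Yara Rule MATCH: crypto_miner_generic SUBSCORE: 70 DESCRIPTION: Generic miner strings REASON_2: File Name IOC matched PATTERN: /tmp/.x/ SUBSCORE: 70 DESCRIPTION: Hidden staging directory
20240101T10:00:06Z siftworkstation LOKI: Warning: FILE: /mnt/linux_mount/usr/bin/nc SCORE: 60 TYPE: ELF SIZE: 34816 REASON_1: Yara Rule MATCH: netcat_tool SUBSCORE: 60 DESCRIPTION: Dual-use network tool
20240101T10:00:07Z siftworkstation LOKI: Notice: FILE: /mnt/linux_mount/home/user/script.sh SCORE: 40 TYPE: UNKNOWN SIZE: 512 REASON_1: Yara Rule MATCH: susp_base64 SUBSCORE: 40 DESCRIPTION: Long base64 blob
20240101T10:00:09Z siftworkstation LOKI: Result: Indicators detected!
"""

# One finding per line: severity level, the file it concerns, the total score,
# and the remainder of the line holding one or more REASON_n groups.
FINDING_RE = re.compile(
    r"LOKI: (?P<level>Alert|Warning|Notice): FILE: (?P<file>.+?) "
    r"SCORE: (?P<score>\d+) (?P<rest>.*)$"
)
# Each REASON_n group carries its own SUBSCORE and DESCRIPTION; the lookahead
# stops the description at the next REASON_n or at the end of the line.
REASON_RE = re.compile(
    r"REASON_\d+: (?P<reason>.+?) SUBSCORE: (?P<subscore>\d+) "
    r"DESCRIPTION: (?P<desc>.+?)(?= REASON_\d+:|$)"
)


def parse_loki_log(text):
    """Return a list of finding dicts parsed from Loki log text.

    Lines without a FILE/SCORE pair (Info, Result, ...) are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.search(line)
        if not m:
            continue
        reasons = [
            {"reason": r.group("reason"),
             "subscore": int(r.group("subscore")),
             "description": r.group("desc")}
            for r in REASON_RE.finditer(m.group("rest"))
        ]
        findings.append({
            "level": m.group("level"),
            "file": m.group("file"),
            "score": int(m.group("score")),
            "reasons": reasons,
        })
    return findings


def summarize(findings, min_score=0):
    """Findings at or above min_score, highest score first (stable for ties)."""
    kept = [f for f in findings if f["score"] >= min_score]
    return sorted(kept, key=lambda f: f["score"], reverse=True)


def level_counts(findings):
    """Number of findings per severity level, for a quick triage overview."""
    return dict(Counter(f["level"] for f in findings))


def render(findings):
    """Format findings as a research checklist, one file per block."""
    lines = []
    for f in findings:
        lines.append(f"[{f['level']}] {f['file']} (score {f['score']})")
        for r in f["reasons"]:
            lines.append(f"    - {r['reason']} [{r['subscore']}]: {r['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/cases/loki-siftworkstation.log").read()
    # to run this against the log you saved in the step above.
    hits = parse_loki_log(SAMPLE_LOG)
    print(level_counts(hits))
    print(render(summarize(hits, min_score=40)))
```

Sorting by SCORE and listing every REASON_n under its file turns the log into a checklist: a single high SUBSCORE from a specific YARA rule is usually worth more attention than a middling total built from several weak generic matches, and a Notice on a dual-use tool in /usr/bin is easy to close out quickly.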


VIDEO: Lab 13 Step 2 - Run Loki & Examine Output