Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 13: Search for Known Indicators of Compromise


Determine if there are any known IOCs in the file system.


  1. Install Loki
  2. Run Loki & Examine Output

Step 1: Install Loki

Loki is an IOC scanner written in Python. It runs without issue on the SIFT Workstation but is not preinstalled, so it has to be set up separately. The yara-python module that ships on the workstation is removed and rebuilt from source first (the packaged build causes a hashing error when Loki runs); then the Loki release archive is unpacked and its Python dependencies installed. Use the following commands:

cd /tmp
pip uninstall -y yara-python  # remove the packaged module; yara needs to be recompiled to fix a hashing error
git clone --recursive          # clone the yara-python repository (the repository URL was dropped from this page)
cd yara-python && python setup.py build && python setup.py install
cd ~
tar -xzvf v0.29.1.tar.gz       # the Loki v0.29.1 release archive must already be in the home directory
cd Loki-*                      # the archive unpacks to Loki-<version>
pip install -r requirements.txt

VIDEO: Lab 13 Step 1 - Install Loki

Step 2: Run Loki & Examine Output

Run Loki and have it scan the attached evidence, which is mounted at /mnt/linux_mount. Check out the output:

cd ~/Loki-*
python loki.py -p /mnt/linux_mount/  # -p sets the path to scan

Loki writes a log file named after the scanning host into its own directory. Save that log to the case folder, then pull out the lines that carry the verdicts and the fields that explain them:

cp loki-siftworkstation.log /cases  # save the output log
grep -E "Alert|Notice|FILE|SCORE|SUBSCORE|DESC" \
    /cases/loki-siftworkstation.log

Research any findings. Each hit names the file, its total SCORE, and one or more REASON entries, each with a SUBSCORE and a DESCRIPTION of the matching rule or hash. Look up the rule that fired and confirm the match against the file itself before treating the hit as a true positive; generic rules can produce noise on a full system image.
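The grep above only filters lines; when a scan of a whole system image produces many hits, it helps to parse the log into records and sort them by score. The script below is an added example, not part of the original lab or of Loki itself. It assumes the log line shape Loki 0.29 writes (timestamp, host, "LOKI:", a title-cased level such as Alert, Notice or Warning, then FILE/SCORE fields followed by REASON_n/SUBSCORE/DESCRIPTION groups); the sample lines embedded in it are constructed for illustration and are not output from a real scan.

```python
import re
import sys
from collections import namedtuple

# Constructed sample in the shape of a Loki 0.29 log file (not captured from a real scan).
# Real lines also carry TYPE/SIZE/hash/timestamp fields; the parser ignores what it does not need.
SAMPLE_LOG = """\
20200101T10:15:32Z siftworkstation LOKI: Info: Loki - Simple IOC Scanner
20200101T10:15:40Z siftworkstation LOKI: Notice: FILE: /mnt/linux_mount/tmp/.x/kit.tar SCORE: 60 TYPE: UNKNOWN SIZE: 10240 REASON_1: Yara Rule MATCH: Generic_Example SUBSCORE: 60 DESCRIPTION: constructed example rule
20200101T10:15:41Z siftworkstation LOKI: Alert: FILE: /mnt/linux_mount/usr/bin/sshd2 SCORE: 140 TYPE: ELF SIZE: 204800 REASON_1: Malware Hash MATCH SUBSCORE: 100 DESCRIPTION: constructed hash match REASON_2: Yara Rule MATCH: Generic_Example SUBSCORE: 40 DESCRIPTION: constructed example rule
20200101T10:15:41Z siftworkstation LOKI: Warning: FILE: /mnt/linux_mount/var/tmp/a.out SCORE: 75 TYPE: ELF SIZE: 512 REASON_1: Yara Rule MATCH: Packed_Sample SUBSCORE: 75 DESCRIPTION: constructed packer rule
20200101T10:16:00Z siftworkstation LOKI: Result: SYSTEM SEEMS TO BE COMPROMISED!
"""

# One file verdict: level (Alert/Warning/Notice), path, total score, list of (reason, subscore, description)
Hit = namedtuple("Hit", "level path score reasons")

LINE_RE = re.compile(r"^\S+ \S+ LOKI: (?P<level>\w+): (?P<msg>.*)$")
FILE_RE = re.compile(r"FILE: (?P<path>.+?) SCORE: (?P<score>\d+) ")
# Each REASON_n block runs up to the next REASON_n or the end of the line.
REASON_RE = re.compile(
    r"REASON_\d+: (?P<reason>.+?) SUBSCORE: (?P<sub>\d+) DESCRIPTION: (?P<desc>.*?)(?= REASON_\d+: |$)"
)


def parse_loki_log(text):
    """Turn Loki log text into a list of Hit records, skipping Info/Result lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        fm = FILE_RE.search(msg)
        if not fm:
            continue  # banner, progress and summary lines carry no file verdict
        reasons = [
            (r.group("reason"), int(r.group("sub")), r.group("desc"))
            for r in REASON_RE.finditer(msg)
        ]
        hits.append(Hit(level, fm.group("path"), int(fm.group("score")), reasons))
    return hits


def triage(hits, levels=("Alert", "Warning", "Notice"), min_score=0):
    """Keep hits at the given levels with score >= min_score, highest score first."""
    selected = [h for h in hits if h.level in levels and h.score >= min_score]
    return sorted(selected, key=lambda h: h.score, reverse=True)


def rule_counts(hits):
    """Count how often each reason (rule name or hash match) fired across all hits.
    A rule that matches hundreds of files on a clean image is a candidate for noise."""
    counts = {}
    for h in hits:
        for reason, _sub, _desc in h.reasons:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python loki_triage.py /cases/loki-siftworkstation.log [min_score]
    # (loki_triage.py is a hypothetical name for this script; with no argument the constructed sample is used)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    min_score = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    hits = parse_loki_log(text)
    for h in triage(hits, min_score=min_score):
        print("%-8s %4d %s" % (h.level, h.score, h.path))
        for reason, sub, desc in h.reasons:
            print("         %4d %s (%s)" % (sub, reason, desc))
    print("\nreason frequency:")
    for reason, n in sorted(rule_counts(hits).items(), key=lambda kv: kv[1], reverse=True):
        print("  %3d  %s" % (n, reason))
```

Run it against the saved log with a score threshold (for example 70) to see only the files most worth pulling for analysis, and read the reason-frequency table to spot a rule that fires everywhere and should be discounted.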

VIDEO: Lab 13 Step 2 - Run Loki & Examine Output