Python Forensics – Indicators of Compromise


Indicators of Compromise (IOCs) are defined as “pieces of forensic data, including data found in system log entries or files, that can identify potentially malicious activity on a system or network.”

By monitoring IOCs, organizations can detect attacks and act quickly, either preventing damage entirely or limiting it by stopping the attack in its early stages.

There are several use cases for querying forensic artifacts, such as:

  • Finding a specific file by its MD5 hash
  • Searching for a specific entity physically stored in memory
  • Looking for a specific entry or set of entries stored in the Windows Registry

Combining all of the above gives better results when searching for artifacts. As mentioned above, the Windows Registry provides an ideal platform for generating and maintaining IOCs, which directly aids computational forensics.
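The three use cases above (a file MD5, a string in memory, a Windows Registry entry) can be expressed as one small IOC set and checked against collected artifacts. The following is an added example, not code from the original page; the file image, memory excerpt, registry export and IOC values are all constructed here for illustration.

```python
import hashlib

# Constructed sample artefacts (not real evidence): a file image, a memory
# capture excerpt, and a parsed registry export (key path -> {name: data}).
SAMPLE_FILE = b"MZ\x90\x00 constructed dropper body"
SAMPLE_MEMORY = b"\x00" * 16 + "c2.example.invalid".encode("utf-16-le") + b"\x00" * 16
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Users\Public\updater.exe",
    },
}

# Constructed IOC set. The MD5 is derived from SAMPLE_FILE here; in practice
# it would come from threat intelligence or an earlier phase of the investigation.
IOCS = [
    {"type": "file_md5", "value": hashlib.md5(SAMPLE_FILE).hexdigest().upper()},
    {"type": "memory_string", "value": "c2.example.invalid"},
    {"type": "registry_value",
     "key": r"hklm\software\microsoft\windows\currentversion\run", "name": "updater"},
    {"type": "registry_value", "key": r"HKLM\Software\Nonexistent", "name": "x"},
]


def match_file_md5(ioc, data):
    # Hash digests are compared case-insensitively; feeds mix upper and lower case.
    return hashlib.md5(data).hexdigest() == ioc["value"].lower()


def match_memory_string(ioc, mem):
    # Windows keeps many strings as UTF-16LE, so an ASCII-only search misses them.
    s = ioc["value"]
    return s.encode("ascii") in mem or s.encode("utf-16-le") in mem


def match_registry_value(ioc, reg):
    # Registry key paths and value names are case-insensitive, so normalise both.
    wanted_key, wanted_name = ioc["key"].lower(), ioc["name"].lower()
    for key, values in reg.items():
        if key.lower() == wanted_key:
            return any(name.lower() == wanted_name for name in values)
    return False


MATCHERS = {"file_md5": match_file_md5, "memory_string": match_memory_string,
            "registry_value": match_registry_value}


def match_iocs(iocs, file_data, mem, reg):
    """Return the IOCs that hit against the supplied artefacts, in input order."""
    artefacts = {"file_md5": file_data, "memory_string": mem, "registry_value": reg}
    return [ioc for ioc in iocs if MATCHERS[ioc["type"]](ioc, artefacts[ioc["type"]])]
```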

Methodology

  • Look for locations in the file system, particularly those that interact with the Windows Registry.
  • Look for artifact sets produced by forensic tools.
  • Look for any signs of adverse activity.

Investigation Lifecycle

The investigation lifecycle is driven by IOCs, which in this context are searches for specific entries in the registry.

  • Phase 1: Initial Evidence – Evidence of an intrusion is detected on a host or network. Responders investigate and pin down the exact artifact, which becomes a specific forensic indicator.
  • Phase 2: Create IOCs for Hosts and Networks – After collecting data, create IOCs, which is easily done through the Windows Registry. The flexibility of OpenIOC allows an effectively unlimited number of permutations for building indicators.
  • Phase 3: Deploy IOCs Across the Enterprise – Once the IOCs are created, investigators deploy them with the help of the Windows Registry API.
  • Phase 4: Identify Suspects – Deploying the IOCs identifies suspect hosts in the usual way; other affected systems will also be identified.
  • Phase 5: Collect and Analyze Evidence – Evidence against the suspect is collected and analyzed accordingly.
  • Phase 6: Refine and Create New IOCs – Based on their evidence, data discovered across the enterprise, and additional intelligence, the investigation team can create new IOCs and continue the refinement cycle.

The following diagram shows the various stages of the investigation lifecycle.

[Diagram: Python Forensics - Indicators of Compromise, investigation lifecycle]
