1

Application IOC Overview

Application-related IOCs are observable signs of compromise found in the behaviour and logs of applications running on top of an operating system. They complement host-based IOCs (which focus on the OS itself) by revealing what individual applications — web servers, databases, email clients, FTP services — are actually doing.

Anomalous activity
Unexpected outbound communication, unusual output, service defacement, strange log entries, and excessive per-process resource usage that deviates from the application's baseline.
Service interruptions
Services failing to start, stopping abruptly, or being prevented from running — possibly by malware killing security software or by a DoS condition.
Application logs
DNS, HTTP, FTP, SSH, and SQL logs each contain specific fields and status codes that can reveal attacks in progress — from SQL injection to brute-force logon attempts to vulnerability scanning.
New accounts
Accounts created outside the change management process — attackers create new admin accounts to maintain persistent access after the initial breach is discovered.
2

Anomalous Activity — Outbound Communication, Output & Defacement

Anomalous activity is any application behaviour that deviates from the established baseline — whether it's network connections that shouldn't exist, output that doesn't match the expected schema, or visible changes to web content. The first step is always determining if the anomaly is benign or malicious.

Unexpected outbound communication
Firewall or router logs showing connections going out to unknown external hosts that haven't been approved. Could indicate C2 beaconing, data exfiltration, or a newly installed rogue service. Correlate with the specific process making the connection.
Unexpected output
Web application returning results that are larger than expected (possible SQL injection dumping the full database), or displaying unformatted error messages and strange strings (application has been tampered with). Monitor database read volume and HTTP response packet sizes.
Service / website defacement
Attacker gains control of a web server and modifies the site's content — either visibly (obvious defacement for hacker credibility) or subtly (branding changes, altered product information). Restore from a known-good backup and investigate the intrusion vector.
Code injection detection: Monitor the number of database reads and examine HTTP response packet sizes. A normal query returns a small, structured response. A successful SQL injection returns an abnormally large packet — the entire table instead of a single row. Unusually large HTTP responses from database-backed pages are a strong injection IOC.
Web defacement response: (1) Take the site offline. (2) Restore from the most recent known-good backup. (3) Investigate how the attacker gained write access to the web server — look at web server logs, CMS authentication logs, and file upload endpoints. (4) Patch the vulnerability before bringing the site back online.
3

Service Interruptions — Detection & Tools

A service interruption is not automatically an attack — services fail for many reasons including hardware faults, software bugs, misconfiguration, and exhausted resources. The analyst's job is to determine whether a given interruption is malicious. Context is everything: is a security service being killed? Is a DoS attack in progress? Is the service repeatedly failing after restart attempts?

Four causes worth investigating

Security software killed
Malware frequently kills antivirus, endpoint detection, or logging agents as its first action after execution. A security service that has mysteriously stopped is a high-priority IOC.
Service process compromised
The process running the service may itself be compromised. If a system process launched the malicious service, the entire system may be compromised — not just one service.
DoS / DDoS condition
Service unavailability caused by traffic flooding or resource exhaustion from an external or internal denial-of-service attack. Check bandwidth utilisation alongside the service status.
Excessive bandwidth
A sudden traffic surge from legitimate users (Slashdot Effect) can cause service interruption without any attack. Not malicious, but still needs resolution — and can mask a concurrent attack.

Service analysis tools

Windows: Task Manager
View all running services, resource usage per service. Services tab shows status.
Windows: Services.msc
MMC snap-in showing all registered services, descriptions, startup types, and ability to start/stop/restart each.
Windows: net start
Command line. Lists all currently running services. Scriptable for automated monitoring. net start [service] / net stop [service] to control.
Windows: PowerShell
Get-Service cmdlet returns name, display name, and status (Running/Stopped) for all services. Filterable and scriptable.
Linux: systemctl
Lists and monitors startup processes and service status. systemctl status [service] shows current state and recent log entries for a specific service.
Linux: cron + ps/top
Check cron jobs for malicious scheduled restarts. ps and top monitor running processes. htop provides the richest view for Linux service analysis.
4

Application Log Analysis — DNS, HTTP, FTP, SSH, SQL

Application logs are the richest source of application-layer IOCs. Each log type uses different formats and status codes — but all follow the same analytical principle: compare observed entries against the expected baseline, and flag anything that deviates.

Core exam skill: Given a log snippet, identify what's happening, whether it's suspicious or malicious, and what the appropriate mitigation is. Work through each field methodically — IP address, method/command, path/resource, status code, user agent. The status code and the user agent are often where the attack is revealed.

HTTP status code reference

200
OK — request succeeded, resource delivered
301
Moved Permanently — redirect to new URL
302
Found / redirect — server redirects (e.g. to login page)
400
Bad Request — malformed syntax from client
401
Unauthorised — authentication required / failed
403
Forbidden — server refuses access even with credentials
404
Not Found — resource does not exist
500
Internal Server Error — server-side failure
503
Service Unavailable — overloaded or down (DDoS indicator)

DNS event logs

DNS event logs record every request to resolve a domain name to an IP address. They capture the querying user, computer, query type, domain requested, and result. For threat hunting, look for unusual record types (TXT, MX, NULL when most traffic should be A records), repeated queries to the same domain at regular intervals (beaconing IOC), and unusually long domain names (DNS tunnelling).

HTTP access logs — annotated walkthrough (signature element)

HTTP access log — three entries with analysis
# Format: [IP] [identity] [user] [timestamp] [method path version] [status] [bytes] [user-agent] # ────────────────────────────────────────────────────────────────────────────────────────────── # ENTRY 1 — authentication challenge 10.1.0.102 - - [12/Jan/2024:01:14:22 +0000] "GET /downloads/report.pdf HTTP/1.1" 401 512 user unknown (second dash), challenged for credentials "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0" Windows 10 x64 · Chrome/Safari/Edge (share same code — can't identify exactly which) # ENTRY 2 — successful authenticated download 10.1.0.102 - jason [12/Jan/2024:01:14:35 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 48391 jason authenticated — 401 response accepted, file downloaded successfully # ENTRY 3 — failed access from different host 10.1.0.103 - - [12/Jan/2024:01:17:08 +0000] "GET /downloads/report.pdf HTTP/1.1" 401 512 second IP, no follow-up 200 seen — credentials rejected or not provided
HTTP access log — vulnerability scan entry (suspicious)
# Single entry — code injection attempt via query string 203.0.113.44 - - [12/Jan/2024:02:31:07 +0000] \ "GET /search?q=<script>alert('xss')</script> HTTP/1.1" 302 0 \ "Nikto/2.1.6" IP: external / unknown — investigate immediately Path: query string contains JavaScript snippet — XSS/code injection test (Nikto test #000816) Status 302: server redirected to login page — not exploited yet, but it's scanning User-agent "Nikto": web vulnerability scanner — this is automated attack reconnaissance Mitigation: install a WAF to inspect and strip malicious query strings before they reach the app

FTP access log — annotated walkthrough

FTP access log — five attempts, one success
# FTP status codes: 331 = password required, 530 = login failed, 230 = login successful 198.51.100.7 [12/Jan/2024:03:12:01] USER attacker331username sent — server says "password required" 198.51.100.7 [12/Jan/2024:03:12:02] PASS ******* 530attempt 1 — WRONG password, login failed 198.51.100.7 [12/Jan/2024:03:12:14] PASS ******* 530attempt 2 — WRONG password, login failed 198.51.100.7 [12/Jan/2024:03:12:29] PASS ******* 530attempt 3 — WRONG password, login failed 198.51.100.7 [12/Jan/2024:03:12:41] PASS ******* 530attempt 4 — WRONG password, login failed 198.51.100.7 [12/Jan/2024:03:12:58] PASS ******* 230attempt 5 — CORRECT password! login succeeded — possible brute force # Analysis: 4 failures before success from same external IP # Possible brute force OR someone who forgot their password # Mitigation: account lockout after 3 failures (15–30 min lockout period)

FTP status codes

CodeMeaningContext
331Password requiredUsername accepted — server waiting for password
530Login failedWrong credentials — multiple 530s from same IP = brute-force indicator
230Login successfulUser authenticated — file operations now permitted
226Transfer completeFile upload or download completed successfully
421Service unavailableServer too busy or shutting down — may indicate DoS

SSH access log — login success and brute-force detection

SSH log + grep for failed authentication
# Example of a successful root SSH login (SSH does not have a standardised log format) Jan 12 03:14:22 server sshd[2218]: Accepted password for root from 10.1.0.5 port 22 ssh2 Jan 12 03:14:22 server sshd[2218]: pam_unix(sshd:session): session opened for user root (uid=0) UID=0 always means root — critical account, monitor logins carefully # Hunting for failed root logon attempts using egrep $ egrep 'Failed|failure' /var/log/auth.log Dec 5 21:39:01 server sshd[9811]: Failed password for root from 203.0.113.12 port 51204 ssh2 Dec 5 21:39:07 server sshd[9812]: Failed password for root from 203.0.113.12 port 51205 ssh2 Dec 5 21:39:12 server sshd[9813]: Failed password for root from 203.0.113.12 port 51206 ssh2 15 failures in 60 seconds from same IP — brute-force attack against root account Same IP: 203.0.113.12 — investigate and block; possibly a compromised host being used to pivot

SQL event logs

SQL event logs record server startup/shutdown events, database events, and individual query strings. They can reveal data breach attempts — SQL injection attacks will appear as unusual or malformed query strings, often with UNION SELECT, OR 1=1, or DROP TABLE patterns. The format varies by database vendor (MySQL, MSSQL, PostgreSQL).

SQL injection IOCs
Queries containing UNION SELECT, OR 1=1, DROP TABLE, or escaped quote characters (--). HTTP response bodies significantly larger than normal from database-backed pages. High read volume on sensitive tables.
MySQL Workbench
Audit Inspector within MySQL Workbench provides a GUI view of audit logs: record ID, timestamp, query type, connection ID, user, host IP, status, command class. Use for reviewing what specific users have queried.
Key HTTP user-agent caveat: The user-agent field identifies the browser or tool making the request — but it is trivially spoofed. Don't rely on it as the sole IOC. However, tool names like "Nikto", "sqlmap", "nmap", or "masscan" in the user-agent are still useful — automated attack tools often don't bother spoofing their agent string.
5

New Accounts — Detection Tools (Windows & Linux)

One of the first things an attacker does after gaining access is create additional accounts — especially administrator accounts — to ensure continued access even if the initial intrusion vector is closed. All account creation should go through a monitored change control process so that any rogue account is caught quickly.

Windows account analysis tools

Local Users and Groups
Windows tool for managing accounts on a standalone workstation. Lists all local accounts and groups. Any account not created through IT provisioning should be investigated. Access via Computer Management → Local Users and Groups.
Active Directory Users & Computers
Domain-level account management across the entire Windows domain. Large environments may have thousands of accounts — automated monitoring and alerting on new account creation is essential. Access via ADUC MMC snap-in.
net user / WMIC / PowerShell
Attackers often create accounts via command line rather than GUI. net user [name] [password] /add, WMIC, or PowerShell's New-LocalUser all work. Monitor for these commands in process monitoring logs (Sysmon Event ID 1).

Linux session and account management tools

who
Shows what users are currently logged in, their terminal (TTY), and login time.
w
Like who plus: remote host, idle time, current process, and execution time. More detail for threat hunting.
rwho
Like who but operates on a client-server architecture — useful in enterprise environments for querying remote hosts.
lastlog
Reads /var/log/lastlog — shows every account's username, TTY, source IP, and last login time. Identifies dormant accounts and first-time logins.
faillog
Shows authentication failures per account — count, maximum allowed, and whether the account is locked. Identifies brute-force targets.
Linux — lastlog output and grep for auth failures
# lastlog — shows last login for all accounts $ lastlog Username Port From Latest root pts/1 10.48.1.7 Wed Jul 7 14:22:01 +0000 2024 backdoor pts/3 203.0.113.44 Thu Jul 8 02:17:33 +0000 2024unknown account — created by attacker alice pts/2 10.1.0.12 Mon Jul 5 09:14:19 +0000 2024 # grep auth log for failed logins $ egrep 'Failed|failure' /var/log/auth.log | head -5 Dec 5 21:39:01 server sshd: Failed password for root from 203.0.113.44 port 51204 Dec 5 21:39:07 server sshd: Failed password for root from 203.0.113.44 port 51205 Same IP seen creating backdoor account — this host is the attack source, investigate immediately
6

Virtualization Forensics — VMs, Containers & Lost Logs

Virtualized environments introduce unique forensic challenges. Virtual machines can be spun up instantly and destroyed just as quickly (elasticity), making traditional evidence collection approaches difficult or impossible. The key is anticipating these challenges before an incident and designing the infrastructure accordingly.

Process & memory analysis
Use VM Introspection (VMI) tools installed in the hypervisor to retrieve memory pages from running VMs. Tools: WinDbg, GDB. Alternatively, capture saved state files (created when a VM is suspended) and load them into Volatility for full memory analysis — just like a live capture.
Persistent data acquisition
A VM's virtual hard drive is already a file on the host — no physical hardware to remove. Simply make a forensically sound copy of the virtual disk image (VMDK for VMware, VHD/VHDX for Hyper-V, VDI for VirtualBox). Hash before and after. Shut down the VM, not the host.
File carving deleted VMs
VM hosts use proprietary file systems (VMware = VMFS, not NTFS). This makes standard disk analysis harder. File carving can reconstruct deleted VM disk images from fragments across the host file system — though files may be spread across multiple partial VM images.
Lost system logs
The biggest virtualisation forensic risk: elastic VMs spin up and are destroyed when no longer needed. When a VM is destroyed, its local event logs are destroyed too. Solution: Configure all VMs to forward logs to a centralised remote syslog server from the moment they launch — before any incident occurs.
The lost logs problem is architectural, not reactive: You cannot recover logs from a destroyed VM after the fact. Remote log forwarding must be configured as part of the VM template or infrastructure-as-code provisioning. If VMs are being destroyed and rebuilt elastically without remote logging, your forensic capability is zero for those instances.
VM saved state files (also called snapshots or suspend files) are one of the most powerful tools in VM forensics. When a hypervisor suspends a VM, it writes the entire contents of RAM to a file on the host. That file can be loaded directly into Volatility or Memoryze and analysed exactly like a live memory dump — without ever needing to install agents on the VM itself.
7

Mobile Device Forensics — Extraction Methods & Carrier Logs

Mobile devices in enterprise environments connect to corporate networks via VPN — making a compromised mobile device a potential entry point into the corporate network. Mobile forensics is required when a device is suspected of being the intrusion vector or when it contains evidence of a compromise.

Unique challenges of mobile forensics

Soldered flash memory
Mobile storage is soldered to the system board — you can't remove it like a laptop hard drive. Law enforcement can use off-chip methods (desoldering), but most analysts must use debug ports or software tools instead.
Default encryption
All modern iOS and Android devices encrypt their storage by default. Without the device passcode or a zero-day exploit, the data is inaccessible even if the storage is imaged.
Fifth Amendment (US)
In the US, suspects cannot be compelled to provide device passcodes — this is a Fifth Amendment right. Biometric unlock (fingerprint/face) may have different legal treatment in some jurisdictions, but courts have generally upheld PIN protection.
Remote wipe risk
A device in custody can be remotely wiped by its owner if it has a network connection. Always place mobile devices in a Faraday bag immediately on collection to block cellular, WiFi, and Bluetooth signals — preventing remote wipe commands from reaching the device.

Four extraction methods

Manual extraction
Physically scroll through the device's screen — contacts, call logs, maps history, messages. Requires device to be unlocked. Must be filmed continuously to prove no changes were introduced by the examiner.
Logical extraction
Use vendor-supplied utilities to extract data. iOS: iCloud backup (requires Apple ID credentials). Android: ADB (Android Debug Bridge) over the device's debug interface. Only extracts data the OS exposes — not deleted files.
File system extraction
Copy all accessible unencrypted files — similar to imaging a PC. Mobile devices store data in SQLite databases (contacts, messages, call logs, app data). Requires an SQLite database browser tool to read. Deeper than logical but not as deep as physical.
Call data (SIM) extraction
Extract data stored on the SIM card: outgoing calls, SMS/text messages, contacts stored on SIM. Limited data set but potentially valuable — some information survives even if the device itself is factory reset.

Mobile forensics tools

Cellebrite UFED
Universal Forensic Extraction Device
Standalone hardware device — plug the phone in, and it performs a forensically sound image and allows analysis from the same unit. Supports smartphones, older feature phones, cloud data and metadata. Also available as laptop software (UFED Touch). Industry standard for law enforcement.
MPE+ (Mobile Phone Examiner Plus)
AccessData (FTK developer)
Mobile forensics tool from the creators of FTK. Effectively the mobile-specific version of FTK — same analytical capabilities applied to smartphones and tablets.
EnCase Portable
Guidance Software (EnCase developer)
Mobile device forensics tool from the creators of EnCase. Same evidence quality and chain of custody standards as desktop EnCase, adapted for mobile devices.

Carrier-provided logs (law enforcement only)

Mobile carriers retain records of device activity that can be subpoenaed with a valid warrant. This is only available to law enforcement — corporate security teams cannot obtain these. Note that retention periods are short and PII is subject to privacy law deletion requirements — request data quickly once the investigation begins.

Call details
Inbound and outbound call records — phone numbers, timestamps, duration.
SMS / MMS
Text message content (SMS) and images sent via MMS. May be stored by carrier for a limited period.
IP / browsing
IP addresses connected to over the cellular data connection. What websites were accessed from the device's cellular connection.
Geolocation
Cell tower data showing where the device was at specific times — triangulation can provide approximate location even without GPS.
Mobile OS forensics note: iOS is Unix-based. Android is Linux-based. Windows Mobile is Windows-based. Many mobile forensic techniques mirror desktop forensics on the same OS family. SQLite databases are the primary data format on both iOS and Android — they store contacts, messages, call logs, browser history, and app data.

Exam

Quick Reference Cheat Sheet

Anomalous activity
Unexpected outbound comms (C2/beacon). Unexpected output: large HTTP responses (SQL injection) or error strings (tampering). Defacement: attacker altered web content — restore from backup, patch intrusion vector. Monitor database read volume + HTTP response size for code injection.
Service interruptions
Not always an attack — but investigate: security software killed (malware IOC), compromised service process, DoS/DDoS condition, excessive bandwidth. Windows: Task Manager, Services.msc, net start, Get-Service. Linux: systemctl, cron, ps, top.
HTTP log reading
Fields: IP → identity → user → timestamp → method+path → status → bytes → user-agent. 200=OK, 301/302=redirect, 401=auth required, 403=forbidden, 404=not found, 503=unavailable. 4xx=client error, 5xx=server error. "Nikto"/"sqlmap" in user-agent = scanner attack.
FTP log reading
331=password required, 530=login failed, 230=login success. Multiple 530s from same IP = brute force. One IP, 4 failures, then 230 = possible guessing (or forgot password). Mitigation: account lockout after 3 failures with 15–30 minute lockout period.
SSH log reading
Not standardised format. UID=0 always means root. Hunt with: egrep 'Failed|failure' /var/log/auth.log. Multiple failures from same IP = brute force. Note source IP — it may be a compromised host being used to pivot.
DNS / SQL logs
DNS: TXT/MX/NULL record queries (uncommon) = exfil/C2. Repeated queries to same domain = beaconing. Long domain names = DNS tunnelling. SQL: queries with UNION SELECT, OR 1=1, DROP TABLE = injection attempt. Large response from DB query = data dump.
New account detection
Windows: Local Users and Groups (standalone), ADUC (domain). Attackers also create via CLI: net user /add, WMIC, PowerShell New-LocalUser. Linux: who, w, rwho (current sessions), lastlog (last login per account), faillog (authentication failures). egrep auth.log.
Virtualisation forensics
VMI = memory from hypervisor. Saved state files = suspend snapshots (analyse with Volatility). Virtual disk = already a file (copy forensically — VMDK/VHD/VDI). VMFS ≠ NTFS → carving harder. CRITICAL: configure remote log forwarding BEFORE incidents — destroyed VMs take their logs with them.
Mobile forensics
Soldered memory + default encryption. Faraday bag = block remote wipe. 4 extraction: manual (scroll screen), logical (ADB/iCloud), file system (SQLite DBs), SIM (calls/SMS/contacts). Tools: Cellebrite UFED, MPE+ (AccessData), EnCase Portable. Carrier logs = law enforcement + warrant only.
Log mitigation patterns
HTTP code injection → install WAF. FTP brute force → account lockout policy. SSH brute force → fail2ban, key-based auth, block source IP. SQL injection → parameterised queries, WAF, input validation. Defacement → restore backup, patch upload/auth vulnerability. DNS tunnelling → inspect DNS packet sizes and record types.