In: Statistics and Probability
Now you may understand why you need a statistics course. As a forensics analyst, how would you use statistical flow analysis to identify a compromised host? How about to confirm or disprove data leakage? How would it be used to create a profile of an individual? Can statistical flow analysis be used to prevent either a host becoming compromised or data being leaked?
Statistical flow analysis can be used to identify a compromised host by analysis and search of a system's native forensic sources of evidence -- i.e., what's preserved by the operating system on its own during normal system operations. This includes the ability to run quick, targeted searches for files, processes, log entries, artifacts in memory and other evidence across systems at scale. It complements the use of a continuous event recorder and can be used to broaden the scope of an investigation and find additional leads that might not otherwise have been preserved.
To confirm or disprove data leakage, products can proactively collect and analyze the sources of data cited, and compare them to structured threat intelligence (such as Indicators of Compromise), rules or other heuristics intended to detect malicious activity. The data that's been gathered is used to prove (or disprove!) the case being built by examiners. For each relevant data item, examiners will answer the basic questions about it — who created it? who edited it? how was it created? when did this all happen? — and attempt to determine how it relates to the case.
To create a profile of an individual, various methods are used to identify and extract data. This step can be divided into preparation, extraction and identification. Important decisions to make at this stage are whether to deal with a system that's live (for instance, to power up a seized laptop) or dead (for instance, connecting a seized hard drive to a lab computer). Identification means determining whether individual pieces of data are relevant to the case at hand — particularly when warrants are involved, the information examiners are allowed to learn may be limited.
Yes, statistical flow analysis can be used to prevent either a host becoming compromised or data being leaked by evidence collection from individual hosts of interest. As investigators identify systems that warrant further inspection, they may conduct "deep-dive" evidence collection and analysis across the entirety of a subject system's historical telemetry (if present and recorded), files on disk and memory. Most organizations prefer to perform remote, triage-level analysis of live systems in lieu of comprehensive forensic imaging wherever possible.
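As an added example (not part of the question or the answer above), here is the kind of statistical flow analysis the question asks about: per-host outbound volume from NetFlow-style records is scored with a robust median/MAD outlier test, and the statistical lead is then corroborated against an Indicator of Compromise list, as the answer describes. The flow records, host addresses, the IoC address and the threshold are all constructed assumptions.

```python
"""Statistical flow analysis over NetFlow-style records (constructed sample data)."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). Five hosts show
# ordinary outbound web traffic; 10.0.0.6 pushes ~5 MB to one external address.
FLOWS = [
    ("10.0.0.1", "198.51.100.10", 443, 12000), ("10.0.0.1", "198.51.100.11", 443, 8000),
    ("10.0.0.2", "198.51.100.10", 443, 25000),
    ("10.0.0.3", "198.51.100.12", 80, 30000),
    ("10.0.0.4", "198.51.100.10", 443, 22000),
    ("10.0.0.5", "198.51.100.13", 443, 28000),
    ("10.0.0.6", "198.51.100.10", 443, 15000), ("10.0.0.6", "203.0.113.45", 443, 4985000),
]
# Constructed threat-intel list of known-bad destinations (an IoC feed stand-in).
IOC_DESTINATIONS = {"203.0.113.45"}

def bytes_per_host(flows):
    """Sum outbound bytes per source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)

def outbound_outliers(flows, threshold=3.5):
    """Flag hosts whose outbound volume is a robust outlier.
    Uses the modified z-score 0.6745 * (x - median) / MAD; unlike a mean/stdev
    baseline, one huge host cannot drag the baseline up and hide itself."""
    totals = bytes_per_host(flows)
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # all hosts identical: nothing to score
        return {}
    scores = {h: 0.6745 * (b - med) / mad for h, b in totals.items()}
    return {h: round(s, 2) for h, s in scores.items() if s > threshold}

def ioc_matches(flows, iocs):
    """Corroborate a statistical lead: which hosts contacted a known-bad destination?"""
    return sorted({(src, dst) for src, dst, _p, _b in flows if dst in iocs})

def investigate(flows, iocs):
    """Combine both signals: a volume outlier that also hit an IoC is a strong lead."""
    hits = {src for src, _dst in ioc_matches(flows, iocs)}
    return {h: {"score": s, "ioc_contact": h in hits}
            for h, s in outbound_outliers(flows).items()}

if __name__ == "__main__":
    for host, info in investigate(FLOWS, IOC_DESTINATIONS).items():
        print(host, info)
```

A hit on only one signal is a lead to triage, not proof; the deep-dive collection the answer describes is what confirms or disproves it.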