Interested in learning more about the investigative process through the use of statistical sampling? Visit - versprite.com/blog/dfir-prague-summit/ to download a demo script file and try your own sampling method at home.
numbers, 1 – 10,000 • Collection mimics a population of files • Collection also functions as a standard • Script listed in References • Generates the number file • Creates 1000 files with 500 random numbers randomly selected from the number file Demo with Numbers: Try Your Own Sampling Method
random from the list of 10,000 numbers • Notice the row that lists “77” • Only 1% of the 10k numbers end in 77 • Any two digit number may be selected and still have a 1% rate of occurrence. 33, 44, or 99 work as well as 77. Demo with Numbers
random from the generated list • Notice the “77” row again • All 24 sample files have at least one number ending in 77 • 15 out of 24 sample files – 62.5% had at least 4 numbers ending in “77” • 4 out of 500 is approximately 1% Demo with Numbers
at random • Here we compare the sample to the actual population percentages What do we make of this? Even when the occurrence rate of “interesting” files is as low as 1% the odds of detection are in our favor Demo with Numbers
versprite
ryosukeigarashi
lmi
tacck
ryuichi1208
%20(1).jpg){kind=avatar}
giftojabu1
takumiogawa
.jpeg){kind=avatar}
ostk0069
minorun365
daisuzu
isaoshimizu
oracle4engineer
sansantech
keathley
reverentgeek
hatefulcrawdad
mongodb
pauljervisheath
bluesmoon
chriscoyier
aki_iinuma
jmmastey
holman
tanoku
jonyablonski
