Interested in learning more about the investigative process through the use of statistical sampling? Visit - versprite.com/blog/dfir-prague-summit/ to download a demo script file and try your own sampling method at home.
numbers, 1 – 10,000 • Collection mimics a population of files • Collection also functions as a standard • Script listed in References • Generates the number file • Creates 1000 files with 500 random numbers randomly selected from the number file Demo with Numbers: Try Your Own Sampling Method
random from the list of 10,000 numbers • Notice the row that lists “77” • Only 1% of the 10k numbers end in 77 • Any two digit number may be selected and still have a 1% rate of occurrence. 33, 44, or 99 work as well as 77. Demo with Numbers
random from the generated list • Notice the “77” row again • All 24 sample files have at least one number ending in 77 • 15 out of 24 sample files – 62.5% had at least 4 numbers ending in “77” • 4 out of 500 is approximately 1% Demo with Numbers
at random • Here we compare the sample to the actual population percentages What do we make of this? Even when the occurrence rate of “interesting” files is as low as 1% the odds of detection are in our favor Demo with Numbers
versprite
emiki
kimuson
lycorptech_jp
icck
yamamotoyuta
devops_vtj
nrryuya
ohmori_yusuke
kanzaki
sansan33
oguri
glaforge
orderedlist
tammyeverts
eileencodes
cassininazir
bkeepers
chriscoyier
caitiem20
geoffreycrofte
trishagee
honnibal
moore
