Practical Cyber Intelligence - Adam Tilmar Jakobsen - E-Book

Description

Overview of the latest techniques and practices used in digital forensics and how to apply them to the investigative process

Practical Cyber Intelligence provides a thorough and practical introduction to the different tactics, techniques, and procedures that exist in the field of cyber investigation and cyber forensics to collect, preserve, and analyze digital evidence, enabling readers to understand the digital landscape and analyze legacy devices, current models, and models that may be created in the future. Readers will learn how to determine what evidence exists and how to find it on a device, as well as what story it tells about the activities on the device.

Over 100 images and tables are included to aid in reader comprehension, and case studies are included at the end of the book to elucidate core concepts throughout the text.

To get the most value from this book, readers should be familiar with how a computer operates (e.g., CPU, RAM, and disk), be comfortable interacting with both Windows and Linux operating systems as well as Bash and PowerShell commands and have a basic understanding of Python and how to execute Python scripts.

Practical Cyber Intelligence includes detailed information on:

  • OSINT, the method of using a device’s information to find clues and link a digital avatar to a person, with information on search engines, profiling, and infrastructure mapping
  • Windows forensics, covering the Windows registry, shell items, the event log and much more
  • Mobile forensics, understanding the difference between Android and iOS and where key evidence can be found on the device

Focusing on methodology that is accessible to everyone without any special tools, Practical Cyber Intelligence is an essential introduction to the topic for all professionals looking to enter or advance in the field of cyber investigation, including cyber security practitioners and analysts and law enforcement agents who handle digital evidence.


Page count: 275

Year of publication: 2024




Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

About the Author

Preface

Acknowledgments

Introduction

1 Intelligence Analysis

1.1 Intelligence Life Cycle

1.2 Cyber Threat Intelligence Frameworks

1.3 Summary

Notes

2 Digital Forensics

2.1 Device Collection

2.2 Preservation

2.3 Acquisition

2.4 Processing

2.5 Analysis

2.6 Documentation and Reporting

2.7 Summary

Note

3 Disk Forensics

3.1 Acquisition

3.2 Preparation

3.3 Analysis

3.4 File and Data Carving

3.5 Summary

Notes

4 Memory Forensics

4.1 Acquisition

4.2 Analysis

4.3 Summary

Notes

5 SQLite Forensics

5.1 Analyzing

5.2 Summary

Notes

6 Windows Forensics

6.1 New Technology File System (NTFS)

6.2 Acquisition

6.3 Analysis

6.4 Evidence Location

6.5 Summary

Notes

7 macOS Forensics

7.1 File System

7.2 Security

7.3 Acquisition

7.4 Analysis

7.5 Evidence Location

7.6 Summary

Notes

8 Linux Forensics

8.1 File System

8.2 Security

8.3 Acquisition

8.4 Analysis

8.5 Evidence Location

8.6 Summary

Notes

9 iOS

9.1 File System

9.2 Security

9.3 Applications

9.4 Acquisition

9.5 iCloud

9.6 Analysis

9.7 Evidence of Location

9.8 Summary

Notes

10 Android

10.1 File Systems

10.2 Security

10.3 Application

10.4 Acquisition

10.5 Analysis

10.6 Evidence of Location

Notes

11 Network Forensics

11.1 Acquisition

11.2 Analysis

11.3 Summary

Notes

12 Malware Analysis

12.1 Acquiring Malware Samples

12.2 Handling Malware Samples

12.3 Analysis

12.4 Summary

Notes

13 OSINT

13.1 Methodology

13.2 Documentation

13.3 Securing Yourself (OPSEC)

13.4 Search Engines

13.5 Profiling

13.6 Hunt for Data

13.7 Infrastructure Mapping

13.8 Automation of OSINT Tasks

13.9 Summary

Notes

14 Case Studies

14.1 Case of “The Missing Author”

14.2 The Insider Threat

15 Ending

15.1 What’s the Next Step?

Notes

Index

End User License Agreement

List of Tables

Chapter 1

Table 1.1 Collection framework.

Table 1.2 Competing hypotheses.

Table 1.3 Estimative language.

Chapter 2

Table 2.1 Device collection method.

Table 2.2 Imaging types.

Chapter 6

Table 6.1 File system.

Table 6.2 Zone identifier.

Table 6.3 Event log type.

Table 6.4 Hibernation file size.

Table 6.5 File timestamps on Windows 10.

Table 6.6 File timestamps on Windows 11.

Table 6.7 Logon events (4624).

Table 6.8 Authentication events.

Table 6.9 Success and failed logon events.

Table 6.10 RDP event logs.

Chapter 7

Table 7.1 HFS+.

Table 7.2 APFS.

Chapter 8

Table 8.1 File system timestamp.

Chapter 11

Table 11.1 Supported file types by Wireshark (Tshark).

Table 11.2 Network classification.

Chapter 13

Table 13.1 Search operators.

List of Illustrations

Chapter 1

Figure 1.1 Timeline analysis.

Figure 1.2 Link analysis.

Figure 1.3 Cyber kill chain.

Figure 1.4 Diamond model.

Chapter 2

Figure 2.1 Dcode timestamp decoding.

Chapter 3

Figure 3.1 FTK Imager create disk.

Figure 3.2 Autopsy.

Figure 3.3 Smart metrics.

Figure 3.4 Photorec.

Chapter 4

Figure 4.1 RAM capture.

Figure 4.2 MemprocsFS.

Chapter 5

Figure 5.1 SQLite browser.

Chapter 6

Figure 6.1 MFTCMD.

Figure 6.2 Shadow Explorer.

Figure 6.3 Bitlocker.

Figure 6.4 Regedit.

Figure 6.5 Event viewer.

Figure 6.6 MemprocsFS.

Figure 6.7 Windows timeline.

Figure 6.8 Search bar.

Figure 6.9 Typed path.

Figure 6.10 Dialog box.

Figure 6.11 LNK files.

Figure 6.12 Shellbag Explorer.

Figure 6.13 Bag MRU.

Figure 6.14 Recent open.

Figure 6.15 Run dialog box.

Chapter 8

Figure 8.1 PS veracrypt.

Chapter 9

Figure 9.1 iBackupBot.

Figure 9.2 Crackm8.

Figure 9.3 ILEAPP.

Chapter 10

Figure 10.1 Android adb trust.

Figure 10.2 adb authentication.

Figure 10.3 Android backup folder.

Figure 10.4 Avilla.

Figure 10.5 Android backup.

Figure 10.6 ALEAPP.

Chapter 11

Figure 11.1 Wireshark.

Figure 11.2 Wireshark geo.

Figure 11.3 Wireshark map.

Chapter 12

Figure 12.1 Malware bazaar.

Figure 12.2 Virtual box.

Figure 12.3 Cuckoo.

Figure 12.4 Ghidra.

Chapter 13

Figure 13.1 Fake name generator example.

Figure 13.2 This person does not exist.

Figure 13.3 What my name.

Figure 13.4 Epieos.

Figure 13.5 Forgot password.

Figure 13.6 Index.

Figure 13.7 Telegram.

Figure 13.8 psbdmp.

Figure 13.9 Anonfiles.

Figure 13.10 Ip info.

Figure 13.11 Shodan.

Figure 13.12 DNS dumpster.

Figure 13.13 Way back machine.

Figure 13.14 FOCA.

Figure 13.15 Maltego.



Practical Cyber Intelligence

A Hands-on Guide to Digital Forensics

Adam Tilmar Jakobsen

National Special Crime Unit

Denmark

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved, including rights for text and data mining and training of artificial technologies or similar technologies.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Names: Jakobsen, Adam Tilmar, author.

Title: Practical cyber intelligence : a hands-on guide to digital forensics / Adam Tilmar Jakobsen.

Description: Hoboken, New Jersey : Wiley, [2024] | Includes index.

Identifiers: LCCN 2024024151 (print) | LCCN 2024024152 (ebook) | ISBN 9781394256099 (hardback) | ISBN 9781394256112 (adobe pdf) | ISBN 9781394256105 (epub)

Subjects: LCSH: Computer crimes–Investigation. | Cyber intelligence (Computer security)

Classification: LCC HV8079.C65 J633 2024 (print) | LCC HV8079.C65 (ebook) | DDC 364.16/8–dc23/eng/20240628

LC record available at https://lccn.loc.gov/2024024151

LC ebook record available at https://lccn.loc.gov/2024024152

Cover design: Wiley

Cover image(s): © koiguo/Getty Images

To my wife Josefine & my dog Fenris for always being there.

About the Author

My journey with computers began, as it did for many others, with playing video games. Initially, my goal was to become a game developer, which led me to obtain a master’s degree in computer science. Although that dream didn’t materialize, I instead joined the Danish army as a cyber specialist for the army intelligence within the electronic warfare division. Due to the classified nature of my work, I cannot delve into specifics; however, my job generally involved expanding the utility of cyber capabilities within operations, focusing on SIGINT, OSINT, and all-source intelligence while also supporting other departments such as HUMINT, PSYOPS, and IMGINT.

After three years with the army intelligence, I joined Bluewater Shipping, a major Danish shipping company. Initially serving as a solution architect for all internally developed software, my role shifted to information security following a significant cyberattack on the company. As the sole security engineer, I was responsible for overseeing the entire operation pipeline, including defining and implementing detection rules, incident response, and much more.

Another three years passed, and I was presented with the opportunity to join the Special Crime Unit in Denmark as an IT engineer and digital forensics expert in the Department of Technology and Innovation. The primary goal in this role is to identify new methods of extracting and analyzing data from devices.

The knowledge I’ve acquired throughout my journey is an amalgamation of research, reading white papers, taking courses, and participating in Capture the Flag challenges. I would like to express my gratitude to everyone who contributes to the cybersecurity community; your work has made this book possible.

Preface

The rapid advancement of technology has created both new opportunities and new challenges for investigators. In the past, evidence of criminal activity was predominantly confined to physical items. Today, however, much of the evidence exists in digital form, dispersed across a multitude of devices and networks. This necessitates a novel approach to investigation, one that is firmly rooted in a profound understanding of the digital landscape and the methods employed to collect, preserve, and analyze digital evidence.

Cyber investigation is not a simple field, owing to its adversarial nature with challenges arising on two distinct fronts. The first involves criminals attempting to conceal their activities, resulting in a cat-and-mouse game between the examiner and the perpetrator as they develop new methods to hide their tracks. It is the examiner’s responsibility to identify innovative ways of extracting evidence from systems. The second challenge stems from the growing public awareness of privacy and the corresponding corporate response. Companies like Apple have taken significant strides to enhance user privacy, ultimately providing examiners with less data to work with.

However, this does not imply that all hope is lost. Certain trends are working in our favor, such as the increasing amount of information people post on social media, which can be utilized to map out a person’s activities. Furthermore, human nature often prioritizes convenience over security, leading to password reuse and lax security measures.

This book offers a comprehensive guide to utilizing digital forensics and OSINT in the investigative process, encompassing the latest techniques, tools, and best practices within the field. Whether you are a seasoned professional or just starting, this book will serve as an invaluable resource as you navigate the intricate world of digital forensics and investigation.

Esbjerg, 2024

Acknowledgments

I would like to thank everyone in the cybersecurity community for all the awesome work they put out on the internet; without them, this book would not be possible.

Introduction

The use of digital forensics has revolutionized the way we investigate criminal and civil cases. In the past, investigators were often limited to collecting physical evidence, but today, much of the evidence relevant to an investigation can be found in the digital realm. This includes everything from electronic communications and financial transactions to GPS data and social media activity. To be effective, investigators must have a deep understanding of the digital landscape and the methods used to collect, preserve, and analyze digital evidence. This book provides an overview of the key concepts, tools, and techniques used in digital forensics and investigates how they can be applied to the investigative process. Whether you are a law enforcement professional, an attorney, or simply interested in the topic, this book is an essential resource for anyone looking to deepen their understanding of the role of digital forensics in investigation.

Cyber forensics is the process of using forensic and investigative techniques to identify and analyze digital events. This involves collecting and analyzing digital evidence from various sources, such as computers, networks, and mobile devices, to identify perpetrators.

When discussing a cyber investigation, many people often think about high-tech crimes like ransomware, DDoS, or BEC. However, it extends beyond these examples, as it also includes traditional crimes such as theft, fraud, or assault, which can leave behind digital evidence that can be collected and analyzed. In these cases, IT is merely a component of the event. For example, a murderer can leave behind digital evidence, such as phone activity and internet browsing history. A fraudster who uses fake emails or websites to scam victims out of money will also leave behind digital evidence that can be collected and analyzed. As technology becomes increasingly integrated into our daily lives, the information that we can collect from devices, OSINT, and other sources becomes a critical part of any investigation, allowing us to map out a person’s life.

Since this book does not cover the basics of how computers work, I have made some assumptions about the reader’s knowledge. I expect them to be familiar with how a computer operates (e.g., CPU, RAM, and disk) and be comfortable interacting with both Windows and Linux operating systems. Throughout the book, you will encounter both Bash and PowerShell commands. If you are entirely new to these topics, I recommend the book Introduction to Linux - Hands-on Guide. Additionally, you should have a basic understanding of Python and know how to execute Python scripts, although I do not expect you to be a master programmer.

The motivation behind writing this book is that I wanted a resource like this when I started, but all I could find were scattered pieces of information, often behind a substantial paywall. Consequently, I began creating this book not only to help myself understand but also to assist others entering the digital forensics field by providing a practical approach to digital forensics. The book covers where to collect and parse digital clues and the context different evidence can provide. Throughout this book, I aim to present a wide array of tactics, techniques, and procedures that can be used to collect information about an individual or group’s activities on a device or the internet. I have chosen to focus on free tools or services to make them accessible to everyone. While I cannot promise that this book will make you an expert, if you are new or simply interested in the field, I believe you will find the information in this book to be a good practical starting point.

The first part of this book will cover the art of intelligence. The purpose of intel is to help us bind all the different sources of information that we have collected into a cohesive and structured analysis that can be used to gain insight into a person or organization’s activities. The next part is about digital forensics, where I will cover the most common devices used by people and the methods of locating and extracting key information. Cyber forensics is an important field, as cybercrimes are becoming more common and more sophisticated. It plays a crucial role in helping protect individuals, businesses, and governments from the threat of cyberattacks and other forms of digital crime.

The final chapter will be about OSINT. This is where we will start to look at what information is available on the internet. There is a wide variety of OSINT techniques and tools that can be used to collect information from open sources on the internet. What OSINT allows you to do is take the information collected in the forensics phase and pivot to a new source to obtain additional information that can only be found on the internet.

Overall, the goal of this book is to be a valuable resource for anyone interested in learning about cyber investigation. It should provide a thorough and practical introduction to the field and serve as a valuable resource for anyone looking to enter or advance in the field of cyber investigation.

1 Intelligence Analysis

Intelligence analysis is the process of using data to comprehend a situation or problem and support decision-making. It involves collecting and analyzing data from various sources, such as human intelligence, signals intelligence, open-source information, and other types of data, to provide insights and inform decision-makers. Intelligence analysts employ a range of tools and techniques, including data mining, statistical analysis, and modeling, to discern trends, patterns, and relationships within the data. They then utilize this information to formulate hypotheses, make predictions, and offer recommendations for action. Intelligence analysis is applied across numerous fields, including national security, law enforcement, and business. You might be wondering what it has to do with digital forensics. They have a lot in common; they are both about identifying the most likely hypotheses based on the available data. The thing is we would always like to be precise in forensics, but that is not always possible as the necessary data might not be available to give a precise and scientific answer. In these cases, we have to look at the available data, understand the story it is telling, and then give an estimate of what most likely has happened. This is why the first section is about the tools used in intelligence analysis.

1.1 Intelligence Life Cycle

The intelligence life cycle1 is a framework that outlines the various stages involved in the process of collecting, analyzing, and disseminating intelligence. The typical stages of the intelligence process life cycle include:

Planning and direction

Collection

Processing

Analysis

Dissemination

Evaluation and feedback

These stages are interconnected and often overlap, with the ultimate goal of the intelligence process being to deliver timely and accurate information to decision-makers, thereby enabling them to take well-informed actions.

1.1.1 Direction and Planning

This stage is the foundation of the intelligence life cycle. It is about establishing a strategy for what is needed, gathering the necessary data, and tackling the different cases hitting your desk. It is about identifying which questions the decision maker needs answered to meet their objectives; that in turn defines which tools and data sources are needed to formulate an answer to the question you have been given.

1.1.2 Collection

In the collection phase, raw data is obtained from the different sources that are needed to facilitate the analysis. A good idea is to implement a collection management framework.2 The job of this tool is to help manage and create structure around the numerous data sources and the information that can be obtained from each source. This is done by maintaining a data sheet that outlines all the sources available, the data you can expect to retrieve from each source, and the specific questions each source can answer. I have created an example of a collection management framework for a SOC in Table 1.1.

Table 1.1 Collection framework.

                 | Endpoint                      | Network                          | Firewall                         | AD logs
Data type        | Alert                         | Netflow                          | Alerts                           | logs
Kill chain       | Exploitation and installation | Internal recon, delivery, and C2 | Internal recon, delivery, and C2 | Internal recon
Pivot on         | Malware sample                | Packet capture                   | Netflow                          | Endpoint
Retention (days) | 30                            | 60                               | 21                               | 30

Your collection framework will definitely look different, but this one should give you a general idea. What makes it useful is that it clearly defines what data is available to you and what it can be used for. That way you do not have to rely on people’s memories of which sources exist and what they can be used for. Do not underestimate the usefulness of this tool: if you are ever in a situation where you ask yourself whether you have a data source that could be used to answer question X, then you need this tool. Another use of it is to identify blind spots in your data sources, or overlaps in capabilities.
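The checks the text describes (which source answers a given question, where the blind spots are, where capabilities overlap, and what you can pivot to) are easy to automate once the framework is kept as data instead of a spreadsheet. The following is an added example, not code from the book: the source rows mirror Table 1.1, while the full list of kill chain phases, the question-to-phase mapping and the retention check are my own constructed assumptions.

```python
# Added example, not from the book: a collection management framework kept
# as data, plus the checks the text describes (which source answers a
# question, and where coverage has blind spots or overlaps).
# The Source rows mirror Table 1.1; PHASES and QUESTIONS are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    data_type: str
    kill_chain: frozenset  # kill chain phases this source gives visibility into
    pivot_on: str          # the artefact you pivot to from this source
    retention_days: int    # how long the data is kept before it is gone


# One entry per column of Table 1.1.
SOURCES = (
    Source("Endpoint", "Alert", frozenset({"exploitation", "installation"}), "Malware sample", 30),
    Source("Network", "Netflow", frozenset({"internal recon", "delivery", "c2"}), "Packet capture", 60),
    Source("Firewall", "Alerts", frozenset({"internal recon", "delivery", "c2"}), "Netflow", 21),
    Source("AD logs", "logs", frozenset({"internal recon"}), "Endpoint", 30),
)

# Constructed: the phases we want covered, so that gaps become visible.
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions on objectives", "internal recon")

# Constructed: analyst questions mapped to the phase whose data answers them.
QUESTIONS = {
    "Which host beaconed to the C2 server?": "c2",
    "Which user account performed the lateral movement?": "internal recon",
    "Which document was used to deliver the payload?": "delivery",
    "What did the attacker do on the target system?": "actions on objectives",
}


def sources_for(phase, age_days=0):
    """Names of sources that cover `phase` and still hold data `age_days` old."""
    return [s.name for s in SOURCES
            if phase in s.kill_chain and s.retention_days >= age_days]


def sources_answering(question, age_days=0):
    """Translate an analyst question into the sources that can answer it."""
    return sources_for(QUESTIONS[question], age_days)


def blind_spots():
    """Phases no source covers at all: collection gaps to fix or to accept."""
    return [p for p in PHASES if not sources_for(p)]


def overlaps():
    """Phases covered by more than one source, useful for corroboration."""
    return {p: sources_for(p) for p in PHASES if len(sources_for(p)) > 1}


def pivot_chain(start, max_hops=4):
    """Follow the 'pivot on' column from one source to the next."""
    by_name = {s.name: s for s in SOURCES}
    chain = [start]
    while start in by_name and len(chain) <= max_hops:
        start = by_name[start].pivot_on
        if start in chain:  # stop on a cycle
            break
        chain.append(start)
    return chain


if __name__ == "__main__":
    print("C2 sources:", sources_for("c2"))
    print("Blind spots:", blind_spots())
    print("Overlaps:", overlaps())
    for q in QUESTIONS:
        print(q, "->", sources_answering(q, age_days=45))
```

The retention column matters as much as the coverage column: a question about lateral movement that is 45 days old can only be answered from Netflow here, because the firewall and AD data are already gone.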

1.1.3 Processing

During the processing stage, the raw data collected transforms into a format that can be easily understood by humans or interpreted by relevant computer systems. This step is crucial for preparing the data for in-depth analysis and interpretation by intelligence analysts or automated tools.

An essential aspect of this stage is evaluating the relevance and reliability of the data gathered. Analysts need to carefully examine the data to ensure its accuracy and ascertain its importance concerning the intelligence requirement. This process may entail cross-referencing data from multiple sources to authenticate its credibility and establish its relevance.

When processing threat reports from various vendors, it can be tempting to create a Rosetta stone that translates threat actor names across the different vendors. Cyber threat intelligence organizations do not use the same naming convention for threat actors because they do not have the same collection coverage, and the method by which they cluster intrusions together differs depending on their intelligence requirements; since nobody knows all the details of the adversary, each vendor uses its own naming scheme. This is why we should not try to merge actors from different vendors into one cluster: the result will most likely be wrong.

1.1.4 Analysis

The process of intelligence analysis3 involves breaking down a complex problem or concept into smaller, simpler parts to better understand it and draw meaningful conclusions. It is a crucial step in an investigation, where information needs to be systematically examined and evaluated to identify patterns, connections, and insights that can help shed light on the case. The objective is to transform data into actionable information.

When it comes to digital evidence, expert examiners play a critical role in data analysis, as the data can be ambiguous, taken out of context, or simply incorrect, which may lead to wrongful conclusions. A good digital forensics expert possesses the ability to understand the context around the data and use analytical judgment to make objective conclusions about the evidence. This involves employing critical thinking skills, logical reasoning, and a systematic approach to assess and evaluate information based on the available evidence.

The good thing is that there are a variety of tools and techniques at our disposal, including statistical analysis, network analysis, and trend analysis, among others. The choice of technique depends on the type of investigation and the data available.

1.1.4.1 Structured Analytic Techniques (SAT)

Structured analytic techniques4 are a set of tools used to help analysts systematically analyze complex information. They provide a systematic and transparent approach to analysis to reduce bias, improve the quality of the analysis, and support more effective decision-making.

Structured analytic techniques typically involve the following steps:

Define the problem or issue: The first step is to clearly define the problem or issue that the analysis will address. This involves identifying specific questions that need to be answered and the information needed to answer those questions.

Collect and organize the information: The next step is to collect the raw intelligence information relevant to the problem or issue. This can involve various sources, such as human agents, electronic surveillance, and open-source information. Once the information has been collected, it must be organized and prepared for analysis.

Apply structured analytic techniques: The third step is to apply a structured analytic technique to the collected information to identify patterns, trends, and relationships. A wide variety of structured analytic techniques can be used, such as statistical analysis, network analysis, geospatial analysis, decision trees, or Bayesian analysis, to name a few.

Develop conclusions and insights: The fourth step is to use the results of the analysis to develop insights and conclusions about the problem or issue. This can involve identifying key factors driving the situation, making predictions about future developments, or providing recommendations for action.

Document and communicate findings: The final step in the process is to document the analysis, including the methodology used, the information sources, the results of the analysis, and the conclusions and insights that were developed. This documentation should be clear, concise, and transparent, allowing others to understand and evaluate the analysis. It is important to communicate these findings to relevant decision-makers, ensuring they have access to the information needed to make informed decisions.

Using structured analytic techniques offers several benefits to analysts and decision-makers. First, it helps to ensure a more systematic and rigorous approach to the analysis, which can help to improve the accuracy and reliability of the results. Second, it helps to reduce the impact of cognitive biases and other sources of error, which can lead to more objective and accurate conclusions. Finally, by providing a clear and transparent methodology for the analysis, structured analytic techniques can help to improve the credibility and defensibility of the analysis, making it more likely to be accepted and acted upon by decision-makers.

1.1.4.2 Timeline Analysis

Timeline analysis, or temporal analysis, involves taking all events and plotting them in sequence by date and time. This process creates a timeline reflecting the activity; an example can be seen in Figure 1.1. The timeline can help identify patterns, trends, and relationships in the events. As time passes between the incident and the start of the analysis, the ability to create a comprehensive timeline record diminishes for any live system, as its state continues to change.

A critical aspect of temporal analysis is the proper synchronization of different time sources. Whether analyzing the events of one device or multiple devices, it is essential to handle DateTime data carefully in digital evidence. DateTime data on a single device often comes in multiple time zones, such as Coordinated Universal Time (UTC) and the device’s local time settings, and sometimes more. It is also crucial to consider whether applications perform any alteration on the DateTime data during loading or saving. This problem multiplies as more devices are added to the timeline. To accurately synchronize all pieces of digital evidence, the investigator must determine the difference in time between the digital evidence and a base timeline, known as time skew.

Figure 1.1 Timeline analysis.

Another issue is the format in which the data is saved, such as the ISO format of dd/mm/yyyy or the Unix epoch, which counts seconds since January 1, 1970. To ensure time consistency:

Detect the DateTime format and convert it to the desired format.

Identify the time zone the data is saved in and compare it to real-time for when the event happened. Analyze if the application performs any alteration on the time data (e.g., storing data in UTC and adding the time zone data for display when loaded).

Convert all DateTime data into a single time zone, allowing for easy comparison of event order. It is common to see all times normalized to UTC or the standard of the department.

Once these steps have been performed, the process of timeline analysis can begin, involving the following steps:

Develop a timeline: Create a timeline of all the events, including the date and time of each event and a description of the event.

Identify patterns and trends: Look for recurring events, clusters of events, or other patterns that may suggest underlying causes or implications of the events.

Develop conclusions and insights: Use the results of the analysis to develop insights and conclusions about the underlying causes and implications of the sequence of events. This may involve identifying key factors driving events, making predictions about future developments, or providing recommendations for action.

1.1.4.3 Competing Hypotheses

The goal of competing hypotheses is to identify and evaluate all plausible explanations (hypotheses) for a given situation or event and to select the most likely explanation based on the available data.

Competing hypotheses involve the following steps:

Identify all plausible explanations for the event: This process can involve brainstorming with other analysts, reviewing existing theories or hypotheses, or using other techniques to generate a comprehensive list of possible explanations.

Develop a hypothesis statement for each explanation: A hypothesis statement is a concise and specific statement that describes the key elements of an explanation, which can be tested against the available evidence.

Evaluate the evidence for each explanation: Determine which explanations are supported by the data and which are not. This evaluation can involve various techniques, such as statistical analysis, network analysis, or geospatial analysis.

Select the most likely explanation: The final step is to select the most likely explanation based on the available evidence. This decision should be based on a thorough and systematic evaluation of the evidence and should be supported by the results of the analysis.

Table 1.2 Competing hypotheses.

Evidence                                  | Hacker | Insider threat
Data on dark web                          | +      | −
Quotes beaten by competition              | +      | +
Network traffic to an unknown destination | +      | −

Consistency with evidence (+), inconsistency with evidence (−).

You can use a matrix to display all the possible hypotheses and then what evidence rejects or confirms each hypothesis, as shown in Table 1.2.
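The matrix can be scored mechanically, and doing so makes two points the text leaves implicit: the hypothesis to prefer is the one with the fewest inconsistencies (not the most confirmations), and a row that is consistent with every hypothesis, such as the competition quotes, does not help choose between them. The following is an added example, not code from the book; the cell values follow Table 1.2, with the inconsistency marks assumed to sit in the Insider threat column, and the extra evidence row in the usage test is constructed.

```python
# Added example, not from the book: scoring the competing hypotheses matrix
# of Table 1.2. Marks: "+" consistent with evidence, "-" inconsistent.
# Placement of the "-" marks in the Insider threat column is an assumption.
CONSISTENT, INCONSISTENT = "+", "-"

HYPOTHESES = ["Hacker", "Insider threat"]

# evidence -> mark per hypothesis (Table 1.2)
MATRIX = {
    "Data on dark web":                          {"Hacker": "+", "Insider threat": "-"},
    "Quotes beaten by competition":              {"Hacker": "+", "Insider threat": "+"},
    "Network traffic to an unknown destination": {"Hacker": "+", "Insider threat": "-"},
}


def inconsistency_scores(matrix, hypotheses):
    """Number of pieces of evidence each hypothesis fails to explain."""
    return {h: sum(1 for marks in matrix.values() if marks.get(h) == INCONSISTENT)
            for h in hypotheses}


def rank(matrix, hypotheses):
    """Most likely first: fewest inconsistencies, ties broken alphabetically."""
    scores = inconsistency_scores(matrix, hypotheses)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def diagnostic_evidence(matrix):
    """Evidence whose marks differ between hypotheses. A row that is
    consistent with everything cannot help select a hypothesis."""
    return [e for e, marks in matrix.items() if len(set(marks.values())) > 1]


def add_evidence(matrix, evidence, marks):
    """Return a new matrix with one more row. Re-rank after every addition
    so the conclusion follows the evidence rather than the first impression."""
    updated = dict(matrix)
    updated[evidence] = dict(marks)
    return updated


if __name__ == "__main__":
    print("Inconsistencies:", inconsistency_scores(MATRIX, HYPOTHESES))
    print("Ranking:", rank(MATRIX, HYPOTHESES))
    print("Diagnostic evidence:", diagnostic_evidence(MATRIX))
```

With the three rows from the table, Hacker has zero inconsistencies and Insider threat has two, so Hacker ranks first; adding a constructed row that contradicts the Hacker hypothesis narrows the gap to one, which is the signal to keep collecting rather than conclude.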

1.1.4.4 Link Analysis

Link analysis, also known as relational analysis, is used to identify connections between entities such as people, email addresses, aliases, IP addresses, phone numbers, and more; look at Figure 1.2 for an example. This type of analysis helps to understand how different entities relate to each other. The weight or strength of the connection is determined by the number of connections between the entities.
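The weighting rule the paragraph states (link strength equals the number of observed connections) is easy to implement and immediately gives the analyst the strongest links, the entities reachable from a starting point, and the best pivot entity. The following is an added example, not code from the book; the observation records (e-mail addresses on example.com, an alias, a placeholder phone number and documentation-range IP addresses) are constructed.

```python
# Added example, not from the book: build the link graph the text describes
# from observed pairings and weight each link by how many times the two
# entities were seen together. The observation records are constructed.
from collections import defaultdict, deque

# Constructed observations: (entity A, entity B, where the link was seen)
OBSERVATIONS = [
    ("alice@example.com", "alias:ghost", "forum profile"),
    ("alias:ghost", "+45 00 00 00 01", "messenger profile"),
    ("alice@example.com", "+45 00 00 00 01", "password reset hint"),
    ("alias:ghost", "+45 00 00 00 01", "paste site"),
    ("203.0.113.7", "alias:ghost", "forum login log"),
    ("bob@example.com", "198.51.100.9", "mail header"),
]


def build_graph(observations):
    """Undirected weighted graph: weight = number of observed connections."""
    graph = defaultdict(lambda: defaultdict(int))
    for a, b, _source in observations:
        graph[a][b] += 1
        graph[b][a] += 1
    return graph


def link_weight(graph, a, b):
    """Strength of the link between two entities (0 if never seen together)."""
    return graph.get(a, {}).get(b, 0)


def strongest_links(graph, top=3):
    """Links ordered by weight, each pair reported once."""
    weights = {}
    for a, nbrs in graph.items():
        for b, w in nbrs.items():
            weights[tuple(sorted((a, b)))] = w
    ordered = sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(a, b, w) for (a, b), w in ordered[:top]]


def connected_entities(graph, start):
    """Every entity reachable from `start`: the cluster around one person."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nbr in graph.get(node, {}):
            if nbr not in seen:
                seen.add(nbr)
                queue.append(nbr)
    return seen


def hub(graph):
    """Entity with the highest weighted degree: the natural pivot point."""
    return max(graph, key=lambda n: (sum(graph[n].values()), n))


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    print("Strongest links:", strongest_links(g))
    print("Cluster around alice:", sorted(connected_entities(g, "alice@example.com")))
    print("Hub:", hub(g))
```

In this data the alias and the phone number are linked twice, so that link is the strongest; the alias has the highest weighted degree and is where you would pivot next, while bob@example.com sits in a separate component and is not linked to the cluster at all.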