
Corroboration

Definition

The practice of confirming an observed attacker action by finding evidence of the same action in at least two independent data sources, for example, a suspicious process in EDR telemetry confirmed by a corresponding outbound connection in network flow data. Corroboration reduces the risk of acting on a single-source false positive during scoping.
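The EDR-plus-flow case from the definition, as an added example (not part of the original glossary entry): each EDR observation is checked against flow records from a different source for the same connection within a clock-skew window. The field names, sample records and the 30-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (documentation IP ranges, not real incident data).
EDR_EVENTS = [
    {"source": "edr", "host_ip": "10.0.5.23", "process": "rundll32.exe",
     "dst_ip": "203.0.113.40", "dst_port": 443, "ts": "2024-03-02T10:15:04"},
    {"source": "edr", "host_ip": "10.0.5.31", "process": "powershell.exe",
     "dst_ip": "198.51.100.7", "dst_port": 8080, "ts": "2024-03-02T10:20:00"},
]
FLOW_RECORDS = [
    {"source": "netflow", "src_ip": "10.0.5.23", "dst_ip": "203.0.113.40",
     "dst_port": 443, "ts": "2024-03-02T10:15:06"},
    # Same connection tuple as the second EDR event, but 85 minutes later.
    {"source": "netflow", "src_ip": "10.0.5.31", "dst_ip": "198.51.100.7",
     "dst_port": 8080, "ts": "2024-03-02T11:45:00"},
]


def corroborate(edr_events, flow_records, max_skew=timedelta(seconds=30)):
    """Label each EDR observation 'corroborated' or 'single-source'."""
    results = []
    for ev in edr_events:
        ev_ts = datetime.fromisoformat(ev["ts"])
        match = None
        for fl in flow_records:
            # A record from the same source is not independent evidence.
            if fl["source"] == ev["source"]:
                continue
            same_conn = (fl["src_ip"], fl["dst_ip"], fl["dst_port"]) == (
                ev["host_ip"], ev["dst_ip"], ev["dst_port"])
            # Tolerate clock skew between sensors, but not unrelated traffic.
            in_window = abs(datetime.fromisoformat(fl["ts"]) - ev_ts) <= max_skew
            if same_conn and in_window:
                match = fl
                break
        results.append({
            "host_ip": ev["host_ip"],
            "process": ev["process"],
            "status": "corroborated" if match else "single-source",
            "confirmed_by": match["source"] if match else None,
        })
    return results


if __name__ == "__main__":
    for row in corroborate(EDR_EVENTS, FLOW_RECORDS):
        print(row)
```
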

Related terms

Bharatiya Sakshya Adhiniyam 2023 (BSA)
India's current evidence statute, which replaced the Indian Evidence Act 1872. Section 63 of the BSA governs electronic records and requires a...
Blast radius
The full set of systems, accounts, and data that an attacker has accessed or could access given their current level of compromise....
Declaration threshold
The criteria defined in an organisation's IR plan that a suspected event must meet before it is formally declared a confirmed incident,...
Dwell time
The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
Gatekeeping
The judicial function, codified in the United States by Daubert v. Merrell Dow Pharmaceuticals (1993) and Federal Rule of Evidence 702, of...
General acceptance (Frye standard)
The admissibility rule from Frye v. United States (DC Cir. 1923) requiring a technique to be generally accepted in the relevant scientific...
Initial indicator of compromise (IoC)
The first observable artefact or event that triggers the investigation: a hash match, a suspicious process, an anomalous login, or an alert...
Lateral movement
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
Opinion evidence
Testimony about an inference or conclusion drawn from facts, rather than direct observation. Expert opinion is a recognised exception to the general...
Voir dire (on evidence)
A preliminary hearing, conducted in the absence of the jury, at which the judge evaluates the admissibility of proposed expert evidence. The...

Explained in these topics

  • Landmark Judgments on Expert Evidence: Evidence that confirms or supports a piece of evidence from an independent source. In Indian jurisprudence, expert opinion is treated as requiring corroboratio...
  • Scoping and Confirming an Incident: The practice of confirming an observed attacker action by finding evidence of the same action in at least two independent data sources, for example, a suspicio...
