Hypothesis testing
Definition
In digital forensics, the practice of forming a specific, falsifiable proposition about what occurred (such as 'the attacker used account X to exfiltrate data between 02:00 and 04:00 UTC') and then searching the evidence specifically to confirm or refute it. Prevents confirmation bias from driving the analysis.
Related terms
- Chain of custody
- The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Link analysis
- A graph-based analytical technique that maps entities (IP addresses, domains, accounts, phone numbers, wallets) as nodes and relationships (communications, ownership, transactions) as...
- NetFlow
- A network protocol (originally Cisco, now standardised as IPFIX under RFC 7011) that records metadata about IP traffic flows: source and destination...
- SIEM (Security Information and Event Management)
- A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...
- Timeline reconstruction
- The process of ordering digital events from multiple sources into a single chronological account. Requires normalising all timestamps to a common reference...
Explained in
- Cyber Investigation Tools and Analytical WorkflowIn digital forensics, the practice of forming a specific, falsifiable proposition about what occurred (such as 'the attacker used account X to exfiltrate data...