What is an Analysis Pipeline?

Brief overview of DRONE's Analysis Pipeline

The conventional security sector primarily relies on signature matching, a method that has shown diminishing effectiveness over time. Each piece of evidence requires meticulous examination, and the DRONE investigation analysis process employs the Analysis Pipeline technique for this purpose.

This technique operates in a manner that accommodates every aspect of an evidence item under scrutiny. It involves 'pushing' the item through a pipeline that consists of multiple evaluation stages. These stages are designed to determine the 'correctness' of the item.

Each pipeline is tasked with analyzing a particular attribute of the evidence. Consequently, every process or file that undergoes the analysis pipeline is eventually released as a finding, complete with an assigned score. This approach ensures a comprehensive and detailed examination of each piece of evidence.

Verdict category definitions:

  • Dangerous - assigned automatically by DRONE

  • Matched - if a specific keyword is provided, DRONE tags findings that match it as Matched

  • Suspicious - findings marked as suspicious warn the analyst to pay close attention to them

  • Relevant - findings that analysts should pay attention to because they are marked as relevant to the investigation

  • Rare - findings that are neither dangerous nor suspicious but may be of interest to the investigation

If DRONE cannot put a verdict on a finding, then it will still score the evidence item based on its attributes.
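To make the pipeline model concrete, here is an added, self-contained illustration in Python of the architecture described above: each stage inspects one attribute of an evidence item and contributes a score delta and, optionally, a verdict; the item leaves the pipeline as a finding carrying the summed score and the most severe verdict, and an item that earns no verdict still leaves with a score. This is not DRONE's code. The stage logic, the weights, the severity ranking of the five categories (the page lists them but does not define an order), and the sample evidence items are all constructed assumptions.

```python
"""Illustrative evidence-analysis pipeline (constructed example, not DRONE's code).
Stage logic, weights, verdict ranking and sample evidence are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Evidence:
    kind: str                     # "process" or "file"
    name: str
    path: str
    signed: bool
    parent: Optional[str] = None  # parent process name, for processes
    prevalence: int = 100         # hosts in the fleet carrying this item (constructed)


@dataclass
class Finding:
    evidence: Evidence
    score: int = 0
    verdict: Optional[str] = None
    reasons: list[str] = field(default_factory=list)


# A stage examines one attribute and returns (score delta, verdict or None, reason).
Stage = Callable[[Evidence], tuple[int, Optional[str], str]]

# Assumed severity order, most severe first.
VERDICT_RANK = {"Dangerous": 5, "Matched": 4, "Suspicious": 3, "Relevant": 2, "Rare": 1}


def stage_signature(ev: Evidence):
    """Unsigned code living in a system directory draws analyst attention."""
    if not ev.signed and ev.path.lower().startswith("c:\\windows\\"):
        return 40, "Suspicious", "unsigned binary in a system directory"
    return 0, None, "signature check passed"


def stage_parent(ev: Evidence):
    """A process spawned by a document handler is a classic sign to investigate."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    if ev.kind == "process" and ev.parent and ev.parent.lower() in office:
        return 50, "Dangerous", f"spawned by {ev.parent}"
    return 0, None, "parent process unremarkable"


def stage_prevalence(ev: Evidence):
    """Items seen on very few hosts are not necessarily bad, but are rare."""
    if ev.prevalence <= 2:
        return 10, "Rare", f"seen on only {ev.prevalence} host(s)"
    return 0, None, "common across the fleet"


def stage_location(ev: Evidence):
    """Score-only stage: a temp-directory location raises the score without a verdict."""
    if "\\temp\\" in ev.path.lower():
        return 15, None, "located in a temp directory"
    return 0, None, "location unremarkable"


def make_keyword_stage(keywords: list[str]) -> Stage:
    """Analyst-supplied keywords tag matching items as Matched."""
    lowered = [k.lower() for k in keywords]

    def stage(ev: Evidence):
        haystack = f"{ev.name} {ev.path}".lower()
        hits = [k for k in lowered if k in haystack]
        if hits:
            return 30, "Matched", f"keyword match: {', '.join(hits)}"
        return 0, None, "no keyword match"
    return stage


def run_pipeline(ev: Evidence, stages: list[Stage]) -> Finding:
    """Push one evidence item through every stage; keep the summed score and the
    most severe verdict. An item that earns no verdict still leaves with a score."""
    finding = Finding(ev)
    for stage in stages:
        delta, verdict, reason = stage(ev)
        finding.score += delta
        finding.reasons.append(reason)
        if verdict and (finding.verdict is None
                        or VERDICT_RANK[verdict] > VERDICT_RANK[finding.verdict]):
            finding.verdict = verdict
    return finding


DEFAULT_STAGES: list[Stage] = [
    stage_signature, stage_parent, stage_prevalence, stage_location,
    make_keyword_stage(["invoice"]),   # assumed analyst-provided keyword
]

# Constructed sample evidence, not real telemetry.
SAMPLES = [
    Evidence("process", "cmd.exe", r"C:\Windows\System32\cmd.exe",
             signed=True, parent="winword.exe"),
    Evidence("file", "invoice_2024.exe",
             r"C:\Users\a\AppData\Local\Temp\invoice_2024.exe",
             signed=False, prevalence=1),
    Evidence("file", "helper.exe", r"C:\Users\a\AppData\Local\Temp\helper.exe",
             signed=False, prevalence=50),
]


def analyse_all(samples=SAMPLES, stages=DEFAULT_STAGES) -> list[Finding]:
    """Run every sample through the pipeline and return the resulting findings."""
    return [run_pipeline(ev, stages) for ev in samples]


if __name__ == "__main__":
    for f in analyse_all():
        print(f"{f.evidence.name:18} score={f.score:3} verdict={f.verdict} reasons={f.reasons}")
```

With the constructed samples, the Office-spawned shell leaves as Dangerous, the rare unsigned file whose name matches the keyword leaves as Matched (the keyword verdict outranks Rare under the assumed order, while both stages still add to the score), and the third item earns no verdict at all yet still carries the score its location attribute produced, which is the fallback behaviour the paragraph above describes.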
