What is an Analysis Pipeline?

Brief overview of DRONE's Analysis Pipeline

The conventional security sector primarily relies on signature matching, a method that has shown diminishing effectiveness over time. Each piece of evidence requires meticulous examination, and the DRONE investigation analysis process employs the Analysis Pipeline technique for this purpose.

This technique operates in a manner that accommodates every aspect of an evidence item under scrutiny. It involves 'pushing' the item through a pipeline that consists of multiple evaluation stages. These stages are designed to determine the 'correctness' of the item.

Each pipeline is designed to analyze a specific attribute of the evidence. As a result, every process or file undergoes scrutiny through these analysis pipelines. When an issue is identified, it is categorized as a finding and assigned a 'type': High, Medium, Low, or Matched. This methodical approach guarantees a thorough and detailed examination of each piece of evidence.

AIR version 4.13 streamlines and clarifies the display of findings by reducing the previous number of Finding categories from eight to just four through the following re-mapping:

  • Dangerous & High → High

  • Suspicious & Medium → Medium

  • Matched → Matched

  • Rare, Relevant & Low → Low

This simplification helps clarify the severity of findings, enhancing the investigative workflow.
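To make the two ideas above concrete (an evidence item pushed through independent, attribute-specific stages, and the legacy finding categories collapsed into the four displayed by AIR 4.13), here is an added, self-contained Python sketch. It is illustrative code written for this page, not DRONE's implementation: the `Evidence` fields, the three example stages and their heuristics, and the sample process record are all constructed assumptions; only the category re-mapping comes from the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Re-mapping of the eight legacy finding categories to the four displayed
# by AIR 4.13, as listed on this page.
SEVERITY_MAP: Dict[str, str] = {
    "Dangerous": "High", "High": "High",
    "Suspicious": "Medium", "Medium": "Medium",
    "Matched": "Matched",
    "Rare": "Low", "Relevant": "Low", "Low": "Low",
}
DISPLAY_TYPES = ("High", "Medium", "Matched", "Low")


@dataclass
class Evidence:
    """A process record as a pipeline might receive it (hypothetical fields)."""
    name: str
    path: str
    signed: bool
    hash_known_bad: bool
    parent: str


@dataclass
class Finding:
    stage: str         # which pipeline stage raised it
    detail: str        # human-readable reason
    legacy_type: str   # the pre-4.13 category the stage emits

    @property
    def display_type(self) -> str:
        # Collapse to the four displayed categories.
        return SEVERITY_MAP[self.legacy_type]


# A stage inspects exactly one attribute and returns a Finding or None.
Stage = Callable[[Evidence], Optional[Finding]]


def stage_signature(ev: Evidence) -> Optional[Finding]:
    # Attribute: code-signing status (hypothetical heuristic).
    if not ev.signed and ev.path.lower().startswith("c:\\windows\\"):
        return Finding("signature", "unsigned binary under the Windows directory", "Suspicious")
    return None


def stage_hash(ev: Evidence) -> Optional[Finding]:
    # Attribute: hash reputation; a hit is a direct match, not a heuristic.
    if ev.hash_known_bad:
        return Finding("hash", "hash matches a known-bad entry", "Matched")
    return None


def stage_lineage(ev: Evidence) -> Optional[Finding]:
    # Attribute: parent/child relationship (hypothetical heuristic).
    if ev.name.lower() == "cmd.exe" and ev.parent.lower() == "winword.exe":
        return Finding("lineage", "command shell spawned by an Office process", "Dangerous")
    return None


STAGES: List[Stage] = [stage_signature, stage_hash, stage_lineage]


def run_pipeline(ev: Evidence, stages: List[Stage] = STAGES) -> List[Finding]:
    """Push one evidence item through every stage; collect all findings."""
    findings = []
    for stage in stages:
        result = stage(ev)
        if result is not None:
            findings.append(result)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per displayed type (all four keys always present)."""
    counts = {t: 0 for t in DISPLAY_TYPES}
    for f in findings:
        counts[f.display_type] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample record, not real telemetry.
    sample = Evidence("cmd.exe", r"C:\Windows\Temp\cmd.exe", False, True, "WINWORD.EXE")
    for f in run_pipeline(sample):
        print(f"[{f.display_type:<7}] {f.stage}: {f.detail}")
    print(summarize(run_pipeline(sample)))
```

Each stage is deliberately blind to every attribute but its own, so adding a new check never changes the verdict of an existing one; the display type is computed at presentation time from the legacy category, which is how a re-mapping like the 4.13 one can be applied without touching the stages themselves.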

