DAP.LIVE as an Investigative Research Tool
By Mark Robertshaw
Introduction
One of the key features of the DAP.LIVE system is the ability to query and manipulate data sets flexibly using simple on-system tools. This facilitates the ad hoc and repeatable exploration of data that is ideal for investigative work and research. In this article we will look at a specific example demonstrating how we can use the analytic tools to drill into a data set.
Example Investigation
For the purpose of this example we are interested in finding the set of currently registered domain names which relate to our test brand “cappuccino”. We are interested in domains which are exact matches of our brand along with domains containing our brand. Having obtained these domains, for each one we will use other data we hold on the DAP to discover whether it has been used for phishing or malware attacks, and look to assign it a threat score.
Using the DAP to perform our investigation
We start by searching for the Live Domains data package and clicking through to Create Query.
We then use the filter tool to initially limit our data set to just those domains containing our brand, using an open wildcard search; this will include exact matches as well.
As we may well want to give more threat weighting to domains which are exact matches or prefixes of our brand, it is helpful to indicate the type of match. We can do this using the formula tool to provide a conditional expression, as shown below.
We can now use the Join tool to augment our query with the built-in Domain Quick Score data package to evaluate Phishing, Malware, Scam, Spam and Web Scores for each of the domains we have found matching our brand. This produces the following wide data set.
To complete our analysis we need to derive a combined threat score taking account of the match type and the various component scores. We do this by creating an advanced formula, as follows, giving equal weight to the component scores and increasing weight to closer matches.
The resulting data set contains a combined threat score which can be used to rank the domains according to their likely involvement in different types of abuse.
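The following is an added example, not DAP.LIVE's own code or formula, that reproduces the four-step workflow above offline: wildcard filter on the brand, classification of the match type, an equal-weight combination of the component scores, and ranking by the resulting threat score. The sample rows, the score values, the 0-100 scale and the match-type weights (1.5 for exact, 1.25 for prefix, 1.0 for contains) are all constructed assumptions; the article does not publish the platform's actual conditional expression or weighting.

```python
# Added example (not DAP.LIVE's own code): an offline reproduction of the
# brand-monitoring query described in the article. Brand, sample rows, score
# values and weightings are constructed/hypothetical.

BRAND = "cappuccino"

# Constructed stand-in for the joined "Live Domains" + "Domain Quick Score" rows.
# Component scores are hypothetical values on a 0-100 scale.
SAMPLE_ROWS = [
    {"domain": "cappuccino.com",       "phishing": 5,  "malware": 0,  "scam": 2,  "spam": 1,  "web": 0},
    {"domain": "cappuccino-login.net", "phishing": 80, "malware": 10, "scam": 60, "spam": 20, "web": 30},
    {"domain": "bestcappuccino.org",   "phishing": 2,  "malware": 0,  "scam": 5,  "spam": 40, "web": 10},
    {"domain": "mycappuccinoshop.biz", "phishing": 30, "malware": 70, "scam": 10, "spam": 5,  "web": 20},
    {"domain": "coffee-news.info",     "phishing": 0,  "malware": 0,  "scam": 0,  "spam": 0,  "web": 0},
]

SCORE_FIELDS = ("phishing", "malware", "scam", "spam", "web")

# Hypothetical match-type weights: closer matches are weighted more heavily,
# as the article suggests. The real DAP.LIVE weighting is not published here.
MATCH_WEIGHT = {"exact": 1.5, "prefix": 1.25, "contains": 1.0}


def wildcard_filter(rows, brand):
    """Step 1: keep only domains containing the brand (an open '*brand*' filter).

    Exact matches are included because they also contain the brand string.
    """
    return [r for r in rows if brand in r["domain"].lower()]


def match_type(domain, brand):
    """Step 2: the conditional expression classifying how a domain matches the brand.

    Only the first label is compared, so 'cappuccino.com' is an exact match
    regardless of TLD, and 'cappuccino-login.net' is a prefix match.
    """
    label = domain.lower().split(".")[0]
    if label == brand:
        return "exact"
    if label.startswith(brand):
        return "prefix"
    return "contains"


def combined_score(row, brand):
    """Step 3: equal-weight mean of the component scores, scaled by match weight."""
    mean = sum(row[f] for f in SCORE_FIELDS) / len(SCORE_FIELDS)
    return round(mean * MATCH_WEIGHT[match_type(row["domain"], brand)], 2)


def rank_domains(rows, brand):
    """Run the whole pipeline and return rows sorted by descending threat score."""
    scored = []
    for r in wildcard_filter(rows, brand):
        scored.append({**r,
                       "match": match_type(r["domain"], brand),
                       "threat": combined_score(r, brand)})
    return sorted(scored, key=lambda r: r["threat"], reverse=True)


if __name__ == "__main__":
    for r in rank_domains(SAMPLE_ROWS, BRAND):
        print(f'{r["domain"]:24} {r["match"]:9} {r["threat"]:6.2f}')
```

With the constructed input, the non-matching domain is dropped by the filter and the remaining four are ranked with the prefix-matching domain first, which illustrates the point of the match-type weighting: a domain that starts with the brand and carries high phishing and scam scores outranks a generic "contains" match with similar raw scores. Because the match weight multiplies the mean rather than one component, the "equal weight to the scores" property of the article's formula is preserved.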
We could now save this query to return to at a later stage, or use the built-in snapshotting functionality within DAP.LIVE to study changes to the threat score for matching domains over a period of time.
Conclusion
DAP.LIVE provides powerful on-system tools for investigating data and performing analysis. The wide range of data available on the platform allows effective comparison and scoring to be performed, and ad hoc investigations to be created rapidly according to user need.