There is a story that's been doing the rounds lately about malware that took control of microphones and uploaded over 600 GB of audio to its command and control. As others in the security industry have pointed out this is a great example of where we can make fairly confident guesses about the origin of the malware without even looking at the "Technical" evidence; Things like network logs, packet captures, infection vectors and reverse engineering the binaries to look for clues to trace the attacks back.

Instead, we can look at a more political angle. As a quick off the back of the envelope calculation if we had 600GB MP3 files at 128kbps¹ it would be more than 10,000 hours or over a year of audio. We can also see the computers infected were in the Ukraine, so we can say "Who would have the capacity and desire to listen to over 10,000 hours of Ukrainian conversations?"²

Sure it might not prove attribution that would stand up in a court of law to "Beyond a reasonable doubt" but it points very strongly in one direction.

I was once involved in a situation where a document had been leaked. Several people had access to that document and any of them could have leaked it, but we looked at when the document was leaked, who it was leaked to and who stood to gain from the leak. In the end, we had a pretty good idea about who had leaked the document, maybe not "beyond a reasonable doubt" level of confidence but enough that we were satisfied.

I think in a heavily technical field where some things can be boolean it's easy to overlook the more social and political aspects where things are not so definite.