Software Genomics, Groups, And Drift
VersionGopher™ compares software evidence from scans: hashes, versions, paths, formats, archive metadata, signing clues, and provenance. That can support drift detection for managed fleets, but it can also show generic scan similarity when the scans came from unrelated places.
Best for IT shops and small businesses that periodically scan the same kind of machines with the same options. This is where VersionGopher can show what changed since the previous baseline.
workstations, servers, kiosks, golden images
Best when users upload unrelated folders, software collections, mounted shares, downloads directories, or historical evidence. The scans may share tools, packages, archives, or hashes without being a controlled drift set.
shared tools, common packages, same installer
Helpful for finding overlap, lineage, known hashes, vulnerable software, suspicious binaries, and archive clues. It is usually not a drift workflow unless the evidence set represents a controlled repeat scan of the same image or endpoint scope.
case folders, mounted images, offline drives
Useful for comparing target-company evidence, product images, inherited software, and sensitive archives. Grouping helps organize work, but a group name by itself does not prove why the scan was uploaded or whether scans should be treated as drift.
business units, product lines, acquisition targets
How To Use Groups For Real Drift
Groups are a sharing and organization boundary. They also give teams a practical way to keep comparable scans together. For drift, create groups whose purpose is narrow and repeatable.
- Good: "Accounting Workstations" for the same accounting laptop image scanned monthly.
- Good: "Retail Kiosks" for point-of-sale kiosks built from the same image and scanned with the same collector options.
- Good: "Linux Web Servers" for a controlled server pool scanned on the same cadence.
- Risky: "Uploads", "Evidence", or "Downloads" when users mix random folders, incident-response images, and one-off software collections.
Recommended Group Pattern For IT Teams
Use one group for each fleet slice that should behave like a baseline. Keep scan methods deterministic so the differences VersionGopher sees are likely to be real software changes.
- Workstations - Finance: finance laptops or desktops with the same managed software policy.
- Workstations - Engineering: developer machines, scanned separately because toolchains naturally differ.
- Servers - Windows: Windows server fleet or a specific server role.
- Servers - Linux Web: Linux web servers, containers, or VM templates managed together.
- Golden Images: repeatable scans of base images before deployment.
- Forensics - Case 2026-001: evidence organization only; interpret as similarity unless the case plan says otherwise.
How To Read Related Scans
Software Genomics looks for shared software markers. Strong overlap can mean many things: the same endpoint scanned twice, a clone, a reimage, a shared baseline, a common vendor package, an archive copied between systems, or simply a popular tool appearing in many places.
- Exact or near-exact match: strong evidence of a repeat capture, clone, reimage, or stable same-host lineage, especially when host and target provenance also match.
- Medium relatedness: likely shared packages, common tools, archive overlap, or product baseline similarity.
- Low relatedness: useful clue for analysts, but not enough to support drift or identity conclusions.
Rules Of Thumb
- Use drift language only for scans that were intentionally collected from the same managed scope.
- Use similarity language for random uploads, case folders, software archives, and mixed forensic images.
- Use separate groups when two fleets are supposed to be different.
- Keep collector version, command-line options, privileges, and target paths as consistent as possible for drift groups.
- Do not treat a group name, by itself, as proof of user intent or host identity.
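The rules of thumb above can be enforced before any comparison is labelled as drift. The sketch below is an added example, not VersionGopher's own code or scoring: the `Scan` manifest shape, the explicit `controlled_groups` allow-list, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Collection settings the rules of thumb say to hold constant for drift groups.
PROVENANCE_KEYS = ("collector_version", "options", "privileges", "target_paths")

@dataclass
class Scan:                 # hypothetical manifest shape, not a VersionGopher format
    group: str
    provenance: dict        # collection metadata keyed by PROVENANCE_KEYS
    files: dict             # path -> content hash

def overlap(a, b):
    """Jaccard similarity of the two scans' hash sets."""
    ha, hb = set(a.files.values()), set(b.files.values())
    return len(ha & hb) / len(ha | hb) if ha | hb else 1.0

def compare(baseline, current, controlled_groups):
    """Report drift only for a declared controlled scope with matching provenance."""
    mismatch = [k for k in PROVENANCE_KEYS
                if baseline.provenance.get(k) != current.provenance.get(k)]
    # The group name alone proves nothing: the team must have declared it controlled.
    same_scope = baseline.group == current.group and baseline.group in controlled_groups
    report = {"overlap": round(overlap(baseline, current), 2),
              "provenance_mismatch": mismatch, "language": "similarity"}
    if same_scope and not mismatch:
        old, new = baseline.files, current.files
        report.update(language="drift",
                      added=sorted(new.keys() - old.keys()),
                      removed=sorted(old.keys() - new.keys()),
                      changed=sorted(p for p in old.keys() & new.keys() if old[p] != new[p]))
    return report

# Constructed sample data: hashes, paths and provenance values are placeholders.
CONTROLLED = {"Workstations - Finance"}
PROV = {"collector_version": "1.0", "options": "default",
        "privileges": "admin", "target_paths": "/apps"}
JAN = Scan("Workstations - Finance", PROV,
           {"/apps/a": "h1", "/apps/b": "h2", "/apps/c": "h3", "/apps/d": "h4"})
FEB = Scan("Workstations - Finance", PROV,
           {"/apps/a": "h1", "/apps/b": "h2x", "/apps/c": "h3", "/apps/e": "h5"})
CASE = Scan("Uploads", {**PROV, "target_paths": "/mnt/case"}, dict(JAN.files))

if __name__ == "__main__":
    print(compare(JAN, FEB, CONTROLLED))   # controlled repeat scan: drift report
    print(compare(JAN, CASE, CONTROLLED))  # identical hashes, still only similarity
```

Even a perfect hash overlap is reported with similarity language when the scan sits outside a declared controlled group or was collected with different settings.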