We had a semi-simulated data set that used real info with swapped IDs
... It was CRAZY easy
In our data set, the vast majority of devices were burners or otherwise obfuscated, but we quickly figured out which devices were daily drivers.
If you find the daily drivers (and that becomes STUPID easy if you have access to more metadata) then you have a real-ID reference point.
From there, you can spot all the devices that are moving or communicating with the real-ID.
From there, it's just a matter of looking at past or future connections to the real-ID.
... but it really hammers home something that I think everybody needs to take to heart:
"In a connected world, your security is only as good as the OpSec practices of the people you allow in your circle."
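The linkage the post describes (find the persistent "daily driver" devices, treat them as real-ID anchors, then walk co-location and contact edges outward to burners, including connections that happen before or after the anchoring event) can be shown on a toy graph. The following is an added example, not code or data from the original post; the device names, cells, day numbers and the five-day persistence threshold are all constructed assumptions chosen to illustrate the technique.

```python
from collections import defaultdict, deque

# Constructed, hypothetical sample data (not from the original post).
# SIGHTINGS: (device, day, cell) = device observed in a location cell on that day.
SIGHTINGS = [
    # Two long-lived devices seen every day; both sit in the same work cell on even days.
    *[("phone_A", d, "cell_home_A" if d % 2 else "cell_work") for d in range(1, 8)],
    *[("phone_B", d, "cell_home_B" if d % 2 else "cell_work") for d in range(1, 8)],
    # Short-lived devices (burners): each appears on a single day.
    ("burner_1", 3, "cell_home_A"),   # co-located with phone_A on day 3
    ("burner_2", 3, "cell_park"),
    ("burner_3", 5, "cell_park"),
    ("burner_9", 2, "cell_market"),   # never touches a real-ID device
]
# CONTACTS: (day, device_x, device_y) = one communication between two devices.
CONTACTS = [
    (3, "burner_1", "burner_2"),
    (5, "burner_2", "burner_3"),      # a *future* connection of burner_2
    (2, "burner_9", "burner_8"),      # burner_8 has no sightings at all
]


def persistence(sightings):
    """Distinct days each device was observed; burners score low, daily drivers high."""
    days = defaultdict(set)
    for dev, day, _cell in sightings:
        days[dev].add(day)
    return {dev: len(ds) for dev, ds in days.items()}


def daily_drivers(sightings, min_days=5):
    """Devices persistent enough to serve as real-ID reference points (threshold is an assumption)."""
    return {dev for dev, n in persistence(sightings).items() if n >= min_days}


def colocation_edges(sightings):
    """Unordered pairs of devices seen in the same cell on the same day ("moving with")."""
    present = defaultdict(set)
    for dev, day, cell in sightings:
        present[(day, cell)].add(dev)
    edges = set()
    for devs in present.values():
        for a in devs:
            for b in devs:
                if a < b:
                    edges.add((a, b))
    return edges


def build_graph(sightings, contacts):
    """Undirected device graph: co-location edges plus communication edges, any day."""
    adj = defaultdict(set)
    for a, b in colocation_edges(sightings):
        adj[a].add(b)
        adj[b].add(a)
    for _day, a, b in contacts:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def attribute(sightings, contacts, min_days=5):
    """BFS outward from each daily driver; returns (owner, via).

    owner[dev] = the daily driver dev is linked to; via[dev] = the hop it was reached by.
    Daily drivers are seeded first and never traversed through, so an edge between two
    real-ID devices (shared work cell) does not merge the two identities.
    """
    drivers = daily_drivers(sightings, min_days)
    adj = build_graph(sightings, contacts)
    owner = {d: d for d in drivers}
    via = {}
    for d in sorted(drivers):
        queue = deque([d])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in owner:
                    owner[nxt] = d
                    via[nxt] = cur
                    queue.append(nxt)
    return owner, via


def chain(dev, owner, via):
    """Path from a burner back to its real-ID anchor, e.g. burner -> burner -> phone."""
    path = [dev]
    while owner.get(dev) != dev:
        dev = via[dev]
        path.append(dev)
    return path


if __name__ == "__main__":
    owner, via = attribute(SIGHTINGS, CONTACTS)
    for dev in sorted(owner):
        print(f"{dev:9s} -> {owner[dev]:8s} via {' <- '.join(chain(dev, owner, via))}")
```

In this data burner_3 never shares a cell with, or talks to, phone_A; it is attributed only because a device it contacted on day 5 had itself been linked through a day-3 contact with a device that sat in phone_A's home cell. burner_9 and burner_8 stay unattributed because nothing in their neighbourhood ever touches a persistent device, which is the point of the closing quote: one contact with poor OpSec is enough to pull a whole cluster of burners onto a real ID.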