The nonrandom behavior of the outputs of a random S-box can be exploited when constructing distinguishers for cryptographic primitives. Different methods of constructing samples from the outputs have been used in the literature. However, it has been unclear exactly how these methods differ and which method is optimal. We analyze four different sampling techniques. We prove that two of these sampling techniques result in dependent samples. We further show one sampling technique that is optimal in terms of error probabilities in the resulting distinguisher. However, this sampling technique is quite impractical as it requires very large storage. We further show a fourth sampling technique that is much more practical, and we prove that it is equivalent to the optimal one. We also show an improved algorithm for calculating the associated probability distributions that are required for the attack.