
The role of criminal profiling in the computer forensics process

Marc Rogers
Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
0167-4048/03 2003 Elsevier Ltd. All rights reserved.

In today's increasingly complex world, we find ourselves at a rather unique societal and cultural crossroads. At no other time in history has society been so dependent on technology and its various offshoots and incarnations [1]. Almost every facet of our day-to-day lives is impacted to some extent by technology (e.g., email, Internet, online banking, digital music, etc.). This reliance, and to some extent dependence, on technology has had a ripple effect on other less obvious areas of society (Rogers, 2001; Schneier, 2002; Schwartau, 2000). One such area is law enforcement and, more specifically, criminal investigations (Kruse and Heiser, 2002). Historically, criminal investigations relied on such concepts as physical evidence, eyewitnesses, and confessions. Today, the criminal investigator must recognize that a vast amount of evidence will be in electronic or digital form. The crime scene may consist of a computer system or network as opposed to the traditional physical scene (Kruse and Heiser, 2002). The eyewitness of today and tomorrow may be a computer-generated log file. In order to deal effectively with this fundamental change in evidence, the science of digital forensics has been developed, or more correctly is developing (Kruse and Heiser, 2002; Rogers, 2002; Sommer, 1997). While this science is arguably in its infancy, care must be taken to ensure that we do not lose sight of the goal of the investigative process, namely identifying the party or parties responsible. While developing standards for dealing with electronic or digital evidence, other supporting disciplines must also evolve in order to assist the investigator in this rather new realm (Casey, 2002; Palmer, 2001; Rogers, 2002).

This article will examine the role that criminal profiling should play in the computer forensics process. A very brief overview of criminal profiling will be presented. The article will then discuss the role that profiling can and should play in the computer forensics process. The ultimate goal of the article is to illustrate that, although the nature of evidence may be evolving (i.e., from physical, document-based to electronic and digital), we need not totally abandon traditional investigative approaches, but merely allow them to evolve.

[1] There may be an argument that the dawn of the Industrial Revolution placed society in a similar situation.

The field of criminal profiling can trace its roots back to the end of the 19th and the beginning of the 20th centuries (Petherick, 2002). The attention garnered by the infamous Jack the Ripper killings in England captured the interest of the world, and the role of profiling the characteristics of the Ripper was thrust into the public limelight (Harrison, 1993). During World War II, the Allied forces became interested in profiling. The Allies attempted to develop a comprehensive profile of Adolf Hitler. The profile was to be used for his interrogation, in the event he was captured or surrendered. From these early beginnings, law enforcement began to embrace profiling as an investigative aid (Turvey, 1999).

Criminal profiling can be divided into two models: inductive and deductive. Inductive profiling relies on generalizing behavioral patterns from a statistical analysis of data from convicted offenders. It is based on inductive logic and argues from the general to the specific. Inductive profiling uses the information from the offender database to predict personality traits and behaviors of offenders in specific cases (Petherick, 2002). Deductive profiling, on the other hand, does not rely on generalities from sample groups (Turvey, 1999). It is based on deductive logic and argues from the specific to the general. The focus is on the case in question. Evidence from the case is analyzed and then used to construct a behavioral profile specific to the current case only (Turvey, 1999). Regardless of the method utilized, profiling rarely identifies the specific offender. It more accurately reduces the number of potential suspects and allows the usually limited investigative resources to be used more effectively and efficiently (Douglas et al., 1998).

Until quite recently, the inductive models were the most common profiling methods used. The FBI was arguably one of the first major law enforcement agencies to embrace profiling. It initially developed the Holmes organized nonsocial offenders and disorganized asocial offenders typology (O'Connor, 2003; Petherick, 2002). Organized offenders are characterized as being above average in intelligence, socially competent, sexually competent, of high birth order status, living with a partner, preferring skilled work, having access to a car usually in good condition, possibly changing jobs or leaving town, and usually following the crime in the news media. The disorganized offender is typically below average in intelligence, socially inadequate, sexually inadequate, of low birth order status, lives alone, prefers unskilled work, lives or works near the crime scene, displays significant behavior change after the offence (e.g., drug or alcohol use), and has minimal interest in the news media (O'Connor, 2003).

The Holmes typology, or FBI model as it has now become known, has developed into Crime Scene Analysis, which incorporates six steps. These steps are: profiling inputs, decision process models, crime assessment, criminal profile, and the investigation and apprehension (Douglas et al., 1988) [2]. The foundation for the analysis is still the offender dichotomy of being organized or disorganized. By exploring the crime scene, the investigator attempts to identify evidence pertinent to determining an offender's modus operandi, or evidence of signature behaviors [3]. This evidence is used to categorize the offender into one of the two categories (i.e., organized or disorganized). It is assumed that offenders in each of the respective categories share common characteristics that the investigator can use to reduce the potential number of suspects, and to help develop an interview and interrogation strategy (Turvey, 1999).

The FBI's typology has been criticized for a lack of empirical testing, and for relying so heavily on the interviews of convicted offenders in the US. The result, according to the critics, is that the typology is culturally biased to North America (Petherick, 2002). This bias makes it difficult to generalize the offender characteristics to other countries and cultures (Turvey, 1999). A further criticism focuses on the fact that there are a number of variables apart from the offender's personality traits that can affect whether a crime scene is organized or disorganized. The offender's use of drugs or alcohol, or being interrupted during the commission of the crime, can affect the scene and can result in an incorrect classification of the offender (Petherick, 2002; Turvey, 1999).

[2] Readers interested in a more thorough history of profiling should visit http://faculty.ncwc.edu/toconnor/401/401lect01.htm.

[3] Signature behaviors are actions that were committed that were not necessary to commit the crime in question (Turvey, 1999).

Another inductive-based approach is investigative psychology (IP), as developed by Canter. IP is similar to the FBI model in that it also relies heavily on statistics derived from offender databases (Canter, 1995). IP uses a five-factor model. These factors include interpersonal coherence, significance of time and place, criminal characteristics, criminal career, and forensic awareness. Canter's IP is a dynamic methodology in that the database of offender characteristics is being continually updated (Canter, 1995). Using concepts from environmental psychology, Canter expanded IP to include circle theory. Circle theory, like the FBI's method, uses a dichotomous typology, but with a focus on environmental factors. Circle theory classifies the offender as either a marauder or a commuter. Marauders usually operate within a given short distance from their home base, whereas commuters travel some distance before engaging in the criminal action (Canter, 1995). Canter's method has been criticized for being too dependent on statistics and, like the FBI's model, possibly culturally biased (Petherick, 2002). Circle theory also tends to be somewhat ambiguous as to how far an offender has to stray from their home base in order to be considered a commuter as opposed to a marauder.

Unlike the first two methods described, which rely on inductive logic, the third model, behavioral evidence analysis (BEA), is based on deductive logic. BEA was developed by Turvey in order to overcome some of the shortcomings of the FBI and IP models (Turvey, 1999). As such, BEA is not based on generalization and statistical analysis derived from offender databases. Turvey felt that relying on the interviews of convicted offenders in order to accurately build a database of behaviors was inherently flawed, as the vast majority of offenders lie (Turvey, 1999). Turvey felt that it was more reliable to look at the forensic evidence and then, using the criminal event, reconstruct the behavior. The BEA method has four steps and two primary phases. The two phases are the investigative phase and the trial phase. The investigative phase occurs when an event has happened but no offender has been caught, and the second phase deals with assessing a known event with a known offender (i.e., there is a suspect). The first step is to collect as much information about the event as possible. Turvey terms this step equivocal forensic analysis, as the evidence at this stage could have more than one meaning. Step two involves a detailed, in-depth analysis of the victim. Turvey argues that the victim should be profiled and analyzed as much as the offender. The why, how, where, when and who of the victim relates directly to characteristics of the offender (Turvey, 1999). The third step is known as crime scene characteristics. The focus here is on unique, distinguishing features of the scene that are correlated with the offender's behavioral decisions (Turvey, 1999). The fourth and last step is called offender characteristics. This step combines what has been collected in the preceding phases, resulting in a determination of the offender's probable behavioral and personality characteristics (Turvey, 1999). On the surface, the lack of a North American statistical reference group should allow BEA to be more cross-culturally applicable. BEA has been criticized for being difficult to master. Profilers here need an eclectic background in the forensic sciences, such as crime scene analysis, criminology, and psychology (Rogers, 2001).

The case for claiming that criminal profiling should play an active, albeit supporting, role in computer forensics is straightforward. The success rate of criminal profiling in assisting traditional investigations has been estimated in some studies as being 77% (Blau, 1994). There is no empirical reason to believe that it will not be equally effective in computer-related investigations. As Sommer (1997) stated, computer forensics deals with evidence from computers. As such, this evidence must be sufficiently reliable to be admissible in a court of law. Computer forensics incorporates several phases: identification of evidence, collection, preservation, analysis, and testimony. These phases are identical to the phases of a regular investigation (Kruse and Heiser, 2002). What is unique is the fact that, unlike other types of physical evidence, electronic or digital evidence is volatile and therefore easily contaminated or destroyed (Casey, 2002). The crime scene, namely the computer, is also distinctive to computer forensics. Unlike traditional crime scenes, the evidence may only exist in the cyber-world of the computer itself, a network, or the network of networks, the Internet. The computer itself may be the only true witness to the event. In this case, reliable, accurate, and as true as possible representations of the various log and audit trails need to be created and validated. Despite the uniqueness of certain aspects of the computer forensic process, the basic investigative methods and goals are consistent with other, more traditional investigations (e.g., bank robberies, homicides, etc.) (Casey, 2002). At the end of the day, the investigator wants the trail of evidence to identify the offender. Unfortunately, with computer forensics, the trail will often end in the ability to identify the computer system used to perpetrate the offense (unknown offender and known offense), or in conclusive evidence that a particular system was indeed used in the offense (known offender and known offense). It can be substantially more difficult to place a person behind the keyboard of that system (Rogers, 2002).

Generally, there are two types of computer forensic investigations. Type 1 is where there has been some incident but the identity of the offender is unknown (e.g., malicious code attack, hacking incident, etc.). Type 2 is when both the offender and the incident are known (e.g., child porn investigation). Criminal profiling can be used with both categories. As with traditional criminal investigations, profiling can be used to assist in the development of an investigative strategy, to narrow the list of potential suspects, and to develop an interview/interrogation strategy (Casey, 1999).

During the initial stages of a computer forensics investigation the investigator is often left in the situation of trying to find the proverbial needle in a haystack. The sheer size of hard drives and other storage media today makes it extremely difficult and time consuming to partake in a fishing expedition (Kruse and Heiser, 2002). The investigator needs to focus on specific evidence and key indicators of suspicious activity (e.g., specific key word searches, Internet history files, etc.). Developing a profile of the offender can help focus the search. During the initial examination, data relating to the offender's modus operandi (MO), signature behaviors, and motivation should become evident. Computer criminals tend to rely on the pseudo-anonymous nature of the Internet and technology in order to obfuscate their true identities. Fortunately, this obfuscation does not extend to motivations, MO, and signature behaviors. Most computer criminals tend to have a distinctive approach to their activities. This approach or MO is often developed over a period of time and follows a maturation process [e.g., evolving from running other people's attack scripts to writing and compiling their own code (Rogers, 2002)]. In many cases, the offender will leave other artifacts relevant to understanding their behavioral make-up. These artifacts are referred to as signature behaviors. The signature behaviors are distinct from the MO and reflect more personalized characteristics that are not really required for the commission of the act (e.g., signing files or code with personalized nicknames) (Rogers, 2002; Turvey, 1999). Research indicates that computer criminals, like traditional criminals, are motivated to commit their offenses for very similar reasons. The list of motivating factors includes greed, revenge, anger, perversion, politics, and a desire for power (Rogers, 2001).


Turvey (1999) developed general motivating typologies for Internet-related criminal activity. This typology was based on a similar typology created for serial rape investigations. The five general typologies were: power assurance, anger retaliation, sadistic, opportunistic, and profit. It should be noted that these typologies as they relate to Internet behaviors have not been empirically tested.

The FBI has made early attempts at developing cyber-criminal profiles. The FBI's Computer Crime Adversarial Matrix makes sweeping generalizations about the attributes of computer attackers and is primarily based on stereotypes (Icove et al., 1995). The matrix is based on four broad general characteristics: organizational, operational, behavioral, and resource. The matrix uses three primary categories of offenders, each subdivided into two classes: crackers (groups, individuals), criminals (espionage, fraud/abuse), and vandals (strangers, users). The matrix has not been overly successful in practice due to its broad generalizations and lack of any real theoretical or empirical foundation for the four groups of characteristics (Turvey, 1999).

Armed with a better understanding of the possible motivation, MO, and signatures, the investigator should be able to derive specific search criteria for the media analysis (e.g., key words to search for, possible locations of residue, and history files). A precise key word search for words or expressions relevant to the investigation is often the first step in the media analysis phase (Casey, 2002). A search of all the allocated, unallocated, and ambient data areas (e.g., swap space, slack space, and deleted files) often provides the investigator with a better picture of the areas to focus on and a chronology of events (e.g., modified, accessed, creation or change times of files). An offender profile will also allow the investigator to reduce the potential suspect space and focus their attention on a certain subset of suspects (i.e., virus writers, hacktivists, cyber-terrorists, etc.). At the most basic level the profile should be able to identify the offender as someone who is skilled or unskilled, and the probable motivation of the attack. The profile should further provide the investigator with advice on what particular areas of the Internet to focus on when searching for supporting or corroborating evidence (e.g., IRC chat channels, hacker/cracker sites, and newsgroups).

In many instances, the computer being forensically examined is in fact the victim system (i.e., known offense, unknown offender). This allows the investigator the unique opportunity to analyze the characteristics of the victim (i.e., victimology). The victim system can be examined to determine if there was anything unique that made it an attractive target (Shinder, 2002). The unique indicators would encompass such things as the type of data stored, operating system, applications running on the system, interconnections with other systems or networks, Internet sites recently visited (Web, FTP, IRC, etc.), and any IT security countermeasures (e.g., firewalls, antivirus, etc.). If the offense is in relation to a personal attack (i.e., stalking, porn, defamation), then the characteristics and habits of the individual using or owning the system should be studied in order to develop a reliable profile (Turvey, 1999). As Shinder (2002) indicated, cyber-victimology is effective for predicting what people, personality types, and systems are likely to become victims, for creating a more complete offender profile, and for building traps to bait offenders (i.e., honeynets).

Once an offender has been identified, an interview/interrogation process is usually initiated. As with traditional offenders, it is important that the interviewers are well prepared and use appropriate interviewing techniques. Traditionally, offender profiles have been used to find weak points in the offender's psychological armor (O'Connor, 2003). These weaknesses are then capitalized upon by the interviewer to hopefully arrive at the truth. Recent research suggests that individuals who engage in deviant computer behavior share some common personality traits and, given the proper encouragement, show a willingness to discuss and brag about their exploits (Shaw et al., 1999; Rogers, 2001). The common traits include an over-exaggerated sense of self worth, loose ethical boundaries, and a strong need for affirmation. Developing a reliable offender profile for the case at hand should increase the efficacy of the interview process with computer criminals.

The choice of which profiling method to use is controversial. On the surface, however, it appears that deductive profiling is more suited to computer-related cases. In fact, Turvey (1999) devotes an entire chapter to the topic of criminal behavior on the Internet. He argues that, in the case of dealing with unique or specific crimes such as computer crime, using generalities such as those inherent in inductive-based profiling methods is of limited use. Since computer criminal investigations and computer forensics are a relatively new phenomenon, the volume of raw data to support large databases and reliable statistical extrapolations does not currently exist (Rogers, 2001). With the advent of the Internet, geographical borders are becoming meaningless. Using an inductive profiling method such as the FBI or IP method, which is arguably culturally biased, does not make practical sense. Deductive profiling methods (e.g., BEA), unlike the FBI or IP methods, do not rely on a large offender database or on statistical analysis of previously convicted offenders and should be less culturally biased.

Although computer forensics is thought of as a new and emerging field within the forensic sciences, many of the fundamentals are based on traditional scientific goals (e.g., auditability and replicability of findings) (Palmer, 2001).
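As an added illustration of the media analysis step described above (profile-derived key words searched across allocated, unallocated and slack areas, and a chronology built from file times), the following Python is example code written for this page, not code from the article or from any tool it cites. The file records, paths and the nickname sh4d0wfox are constructed, and FileRecord, Hit, search_media, focus_areas and chronology are names assumed here.

```python
"""Profile-driven media triage: example code added for this page, not from the
article.  Profile-derived key words are searched across allocated data, file
slack and recovered (unallocated) files, and MAC times become a chronology."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

UTC = timezone.utc

@dataclass
class FileRecord:
    path: str
    content: bytes            # allocated data of the file
    slack: bytes              # residue between end of file and end of cluster
    mtime: datetime           # modified
    atime: datetime           # accessed
    ctime: datetime           # metadata changed
    deleted: bool = False     # True when recovered from unallocated space

@dataclass
class Hit:
    path: str
    area: str                 # "allocated", "unallocated" or "slack"
    keyword: str
    offset: int               # byte offset within that area

def search_media(records, keywords):
    """Case-insensitive search of every data area for the profile's key words."""
    patterns = [(k, re.compile(re.escape(k).encode(), re.IGNORECASE)) for k in keywords]
    hits = []
    for r in records:
        areas = [("unallocated" if r.deleted else "allocated", r.content), ("slack", r.slack)]
        for area, data in areas:
            for kw, pat in patterns:
                hits.extend(Hit(r.path, area, kw, m.start()) for m in pat.finditer(data))
    return hits

def focus_areas(hits):
    """Rank files by hit count so the examiner knows where to look first."""
    counts = {}
    for h in hits:
        counts[h.path] = counts.get(h.path, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def chronology(records):
    """Flatten modified/accessed/changed times into one ordered timeline."""
    events = []
    for r in records:
        for kind, ts in (("modified", r.mtime), ("accessed", r.atime), ("changed", r.ctime)):
            events.append((ts, kind, r.path))
    return sorted(events)

# Constructed contents of a small test image (not a real examination).
SAMPLE_RECORDS = [
    FileRecord("/home/user/notes.txt", b"shopping list: milk, eggs\n",
               b"...ed by sh4d0wfox 2003\x00\x00",          # slack left by an older file
               datetime(2003, 3, 2, 9, 15, tzinfo=UTC),
               datetime(2003, 3, 5, 18, 40, tzinfo=UTC),
               datetime(2003, 3, 2, 9, 15, tzinfo=UTC)),
    FileRecord("/home/user/tools/scan.sh",
               b"#!/bin/sh\n# coded by SH4D0WFOX\nscan_hosts \"$@\"\n", b"",
               datetime(2003, 3, 4, 23, 58, tzinfo=UTC),
               datetime(2003, 3, 5, 0, 3, tzinfo=UTC),
               datetime(2003, 3, 4, 23, 58, tzinfo=UTC), deleted=True),
    FileRecord("/home/user/.mozilla/history.dat",
               b"http://example.invalid/irc-logs\nhttp://example.invalid/news\n", b"",
               datetime(2003, 3, 5, 0, 1, tzinfo=UTC),
               datetime(2003, 3, 5, 0, 1, tzinfo=UTC),
               datetime(2003, 3, 5, 0, 1, tzinfo=UTC)),
]
# Hypothetical profile: a signature nickname seen in earlier incidents plus MO terms.
PROFILE_KEYWORDS = ["sh4d0wfox", "scan", "irc"]
```

Running search_media and chronology over SAMPLE_RECORDS shows the nickname surviving in the slack of an unrelated file and in a deleted script, and the timeline places the script's creation just before the history entry and its last access.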

Computer forensics is used as an investigative tool in order to allow the investigator to determine what has occurred, when it occurred, where it occurred, why it might have occurred, and hopefully who is responsible. These outcomes are no different from the goals of traditional criminal investigations. The use of criminal profiling can greatly assist the investigator in developing investigative and media search strategies, reducing the number of possible suspects, and effectively interviewing identified suspects (Rogers, 2002; Turvey, 1999). As more and more criminal behavior becomes linked to technology and the Internet, more evidence will move into the realm of the digital or electronic world. This evolution of evidence means that investigative strategies also must evolve in order to be applicable today and in the not so distant future. It is predicted that criminal profiling will continue to be an effective investigative tool and will surely undergo modifications and growth as it matures into the age of advanced technology and cyberspace.

References

Blau, T.H., 1994. Psychological services for law enforcement. New York: John Wiley.
Canter, D., 1995. Criminal shadows: Inside the mind of the serial killer. London: Harper Collins.
Casey, E., 2000. Digital evidence and computer crime. New York: Academic Press.
Casey, E., 2002. Handbook of computer crime investigation. New York: Academic Press.
Douglas, J., Ressler, R., Burgess, A. and Hartman, C., 1986. Criminal profiling from crime scene analysis. Behavioral Sciences and the Law, Vol. 4, pp. 401-421.
Harrison, S., 1993. The diary of Jack the Ripper: The chilling confessions of James Maybrick. London: Smith Gryphon.
Kruse, W.J. and Heiser, J.G., 2002. Computer forensics: Incident response essentials. New York: Addison Wesley.
O'Connor, T., 2003. History of profiling. Retrieved 17 February 2003 from http://faculty.ncwc.edu/toconnor.
Palmer, G., 2001. A road map for digital forensic research. Report from the first Digital Forensic Research Workgroup, Utica, New York, 8 August 2001.
Petherick, W., 2002. Criminal profiling: How it got started and how it is used. Retrieved 24 October 2002 from http://www.crimelibrary.com/criminology/criminalprofiling2.
Rogers, M.K., 2001. A social learning theory and moral disengagement analysis of criminal computer behavior: An exploratory study. Unpublished doctoral dissertation, University of Manitoba, Winnipeg, Manitoba, Canada.
Rogers, M.K., 2002. Computer forensics: Steps toward defining a common body of knowledge. Paper presented at the Information Protection Association of Manitoba conference, Winnipeg, Manitoba, Canada.
Schneier, B., 2002. Secrets and lies: Digital security in a networked world. Toronto: Wiley & Sons.
Schwartau, W., 2000. Cybershock: Surviving hackers, phreakers, identity thieves, internet terrorists and weapons of mass destruction. New York: Thunder's Mouth Press.
Shaw, E., Ruby, K. and Post, J., 1988. The insider threat to information systems: The psychology of the dangerous insider. Security Awareness Bulletin, Vol. 2, pp. 1-10.
Shinder, D.L., 2002. Scene of the cybercrime: Computer forensics handbook. Rockland, MA: Syngress.
Sommer, P., 1997. Computer forensics: An introduction. Retrieved 10 April 2003 from http://www.virtualcity.co.uk/vcaforens.htm.
Turvey, B., 1999. Criminal profiling: An introduction to behavioral evidence analysis. New York: Academic Press.
