Natasha Garcia Capstone
All content following this page was uploaded by Natasha Garcia on 23 August 2018.
by
Natasha Garcia
Utica College
August 2018
Master of Science in
Cybersecurity
ProQuest Number: 10839020
Published by ProQuest LLC (2018). Copyright of the Dissertation is held by the Author.
© Copyright 2018 by Natasha Garcia
Abstract
Criminal profiling and cybercrime investigations are evolving subject matters that are in their
cybercriminal has emerged as a significant topic of discussion. Through case study analysis and
exploration of potential issues, criminal profiling has gained backing as an essential tool in
has assisted with cybercriminal classification to help distinguish the petty thief from the
professional criminal hacker. This tool requires scientifically-based methodology and a secure
connection with another investigative tool: computer forensics. Cybertrail categories such as
signatures, log files, Internet cache, and file metadata provide criminal profilers the data and
insight into cybercriminal personal habits and their technological traits. Criminal profiling
continues to make substantial strides in aiding cybercrime investigations with two objectives in
cyber attacks
Statement of the Problem
America’s most dangerous weapons available to the public are the AR-15, AK-47, and
the personal computer. Unlike firearms, individuals do not need to acquire proper documentation
to purchase a laptop and a router. In 2015, 87% of households in the United States owned a
personal computer (Ryan & Lewis, 2017). Access to technology can be the “weapon of choice”
if it falls into the wrong hands. Billionaire businessman Warren Buffett has been quoted defining
cyber attacks as the “number one problem with mankind” (Oyedele, 2017, para 3). To help
combat cybercrime, investigative tools such as criminal profiling have been aiding examiners in
identifying links to other victims as well as helping identify the responsible party. Criminal
profiling is defined as “the process of investigating and examining criminal behavior in order to
Investigators try to acquire as much help as they can receive when they are trying to
identify the criminal(s) behind the computer screen. Criminal profiling, also known as offender
profiling, can help aid cyber investigations. As cybercrime has increased over the past decade,
the effectiveness of profiling a cybercriminal has surfaced as a topic of concern. The purpose of
this research was to present the leading contributions of criminal profiling in cybercrime
investigations through the analysis of influential cases, evaluation of emerging trends, and
examination of errors and lessons learned. In what ways is criminal profiling used in cybercrime
computer forensics and criminal profiling? What are potential issues associated with the
Justification of the Problem
Definition of cybercrime. The term “cybercrime” is a broad term that covers any
criminal activity that involves a computer or the Internet. The role of the computer can either be
the medium used to commit a crime, or it can be the target of the attack. Cybercrime can include
cyber attacks, identity theft, cyberstalking, and many others. The current challenge is
progress their strategies to battle cybercrime and decrease the current cybercrime statistics.
Along with investigators, companies can benefit from increased research regarding
profiling an intellectual property (IP) thief, for example. Studies have shown that the majority of
IP criminals are males who hold a technical position and 75% of them had authorized access to
the information they stole (Bada & Nurse, 2016). With continued research, the criminal profile
of said IP thief can continue to develop and help companies and investigators alike in both
research and the effectiveness of criminal profiling in cybercrime in its entirety. Incorporating
the disadvantages while studying the topic helps improve the matter as well. Due to the fact that
there are multiple types of cybercrime, the argument can arise that one profile of a cybercriminal
may not necessarily fit the profile of another in regard to two separate cybercrimes. Examining
the types of cybercrime to develop separate profiles can help set a foundation for investigators to
use and approve. Cybercrime is not a fad that will be decreasing over time. Cybercrime has been
considered an epidemic and will only continue to increase (Morgan, 2017). It is predicted to
triple the number of unfilled cybersecurity jobs by 2021 (Morgan, 2017). Increased research in
profiling cybercriminals may not be able to decrease crime on its own, but it can be used as a
Virtual crime scene. The computer and the Internet can be seen as its own virtual crime
scene. Each step taken at a physical crime scene can also be incorporated into a virtual
environment. Along with assessing the scene and collecting evidence, law enforcement also
analyzes the scene and begins to assemble the pieces. This process includes examining artifacts
from the crime scene and determining the person(s) of interest. With the information gathered,
officials now have to paint a picture of the incident that occurred and one of their main subjects
in the painting is the suspect. Who was behind the computer? What were their motives? Have
they done this before? All of these questions will try to be answered by detectives as the
investigation continues and a persona is formed. Creating this persona in a virtual scene is as
important as it is in a traditional crime scene (Bednarz, 2004). How did they choose their
target(s)? What motivated them to get involved in crime in the first place? Will they strike again?
These types of questions in an investigation with a physical crime scene can help detectives
The use of computer forensics also helps answer the first question introduced: who was
behind the computer? As careful as criminals can be, some forget that human error can
professional, tend to leave behind cyber fingerprints that can trace the crime back to them
(Holland, 2014). These fingerprints can be log files, Internet cache, signatures, and more. Log
files, for example, can be defined as the “eyewitness” in the virtual crime scene (Rogers, 2004, p.
292). These types of files not only can help examiners assemble the pieces of the investigation,
but the files also help introduce character traits and patterns regarding the way the suspect
carried out the crime. As research in profiling a cybercriminal improves in numbers,
investigators will be able to extract more helpful information through computer forensics that
science relating to collecting, analyzing, and presenting digital evidence from computer systems
for investigative purposes or civil proceedings (Forensic Control, 2017). Uncovering an Internet
Protocol (IP) address, a computer name, or a username could be deemed inefficient evidence
when faced with situations involving stolen sign-in credentials or areas with free Wi-Fi such as
traditional investigative methods in order to extract more from the computer forensic evidence to
Similar to the use of criminal profiling, computer forensics has a short but complex
timeline. The first description of using computer forensics to investigate and present in a
courtroom was in the book Crime by Computer, written by Donn Parker in 1976 (Pollitt, 2010).
In another book, The Cuckoo’s Egg, author Cliff Stoll noted that investigators were hesitant at
first to incorporate this reasonably new science (Pollitt, 2010). This is worth mentioning to
showcase that computer forensics had a difficult start, as criminal profiling did in the
investigative field. As with profiling, computer forensics was looked at as a plan D tool when
plans A, B, and C were not producing results. It was not until more research was done and
computer training increased that computer forensics became a helpful tool in criminal cases and
a necessity in cybercrime.
Criminal profiling and computer forensics tend to be placed in separate categories. With a
sound and organized trail, computer forensics is based on scientific methods and procedures that
can be repeated to produce the same results. In the realm of criminal profiling, a profile is
generated from a series of statistics, theories, and predictions (Winerman, 2004). Increasing the
research done in both computer forensics and criminal profiling can aid in creating a more
secure relationship between the two subjects and face cybercrime investigations with both
objectives in mind.
“coming-of-age” science (Rogers, 2004, p. 297). As new statistical research is introduced, the
foundation for this investigative tool continues to move towards the stable end of the spectrum.
However, profiling a cybercriminal should not be confused with digital profiling. Digital
profiling is a portion of criminal profiling that helps investigators create the persona for the
criminal in question. This process includes gathering information such as behaviors, personality
Since the 1880s, criminal profiling has used investigative psychology as its backbone for
developing character patterns. This technique has shown its value in anti-terrorism and
intelligence operations as well as organized crime cases. However, criminal profiling began prior
to the 1800s when detectives roughly created profiles of criminals as early as 38 C.E. based on
religious bias and little scientific reasoning (Turvey, 2011). To this day, people in both the
investigative and psychology worlds have yet to agree on terminology. For example, synonyms
for “criminal profiling” include “criminal investigative analysis” coined by the Federal Bureau of
profiling” have been used in research papers by forensic psychologists (Ebisike, 2007). Research
referenced in this paper may include these synonyms; however, they all refer to the same
investigative process. For the purpose of consistency, this paper will use the phrase “criminal
profiling.”
(Bednarz, 2004, para. 1). This phrase should be taken as motivation to advance the subject matter
and fill in the gaps in current research. Current research has been focused on criminal profiling in
cybercriminals can range from “rookies” to professionals with differentiating motives. Research
has shown the attempt of profiling a cybercriminal but has failed to try to incorporate
characteristics for each type of crime into one outline (Bada & Nurse, 2016). However, this does
not dismiss the effectiveness of profiling a cybercriminal. Minimal research has been shown
about incorporating a different approach and showcasing different criminal profiles for a variety
exact science. This statement applies to profiling in any investigation as well. With techniques
and methods based on forms of prediction and speculation, it is difficult to prevent error when
error tends to be expected. Sometimes with a high projected rate of error, investigators steer
away from developing a relationship between computer forensics and criminal profiling when
forensics tends to have a lower statistic of error (Nelson & Garfinkel, 2015). Due to the overall
lack of research towards criminal profiling pertaining to cybercrime, patterns have not been
created about cybercriminal behavior. In turn, this could have a role in why cybercrime is
increasing and finding the criminal is decreasing (Internet Crime Complaint Center, 2017).
Defining the Audience
people with various backgrounds can benefit from this information. This research can
specifically benefit professionals in both the law enforcement and psychology fields. People in
law enforcement such as officers, detectives, crime scene investigators, federal special agents,
and computer forensic examiners are among the few positions in the realm of criminal justice
that can benefit from this type of research. Psychologists, forensic psychologists, criminal
profilers, criminologists, and criminal psychologists can also find this information valuable.
Although this research is aimed at cybercrime investigations, it can affect the views and
cybercriminals at local, state, and federal levels. In addition to professionals, students and
researchers who are interested in understanding criminal profiling and the effect it can have on
cybercrime investigations can also benefit from the research presented in this paper.
Literature Review
Before examining the use of criminal profiling in cybercrime investigations, there are a
couple of topics that will be outlined. It is recommended to understand the history of criminal
profiling before exploring the effect it has on cybercrime cases. Examining the background of
cybercrime as well will help marry the two topics and identify criminal profiling in cybercrime
as an important topic in today’s society. This research goes into depth regarding the role that
criminal profiling has in cybercrime investigations in both a positive and negative light.
Computer forensics plays a crucial role in combating cybercrime. The idea that there can be a
relationship between criminal profiling and computer forensics is also examined. The Literature
Review explores issues involved with criminal profiling in cybercrime in order to expose the
reader to arguments made by professionals and researchers in the technology, law enforcement,
and psychology fields. Lastly, the topic of dividing the persona of a cybercriminal into multiple
personas is discussed in depth that, in turn, can improve the effectiveness of criminal profiling in
cybercrime investigations.
One of the first documented practices of criminal profiling was during the Alexandrian
riots of 38 C.E. (Turvey, 2011). An anti-Semitic scholar, Apion, disclosed messages to the
Roman Emperor Caligula that accused people of the Jewish faith of being responsible for killing
and then eating Greeks during Passover. This was considered a relatively crude form of profiling
a criminal since there was no prominent, sound evidence to these accusations. Apion labeled the
criminals in question as Jews due to the fact that Greeks would go missing on or before Passover
and there would be a Jewish community nearby (Turvey, 2011). Not only is this example
recognized as one of the first practices of criminal profiling, but also one of the first forms of a
false report. It was common in the early stages of criminal profiling to see profiles created based
Two early and prominent uses of criminal profiling involved Jack the Ripper and Adolf
Hitler. In 1880, a serial killer known as Jack the Ripper murdered five women in England;
2010). The criminal behind the moniker was never identified nor captured and remains one of
England’s most infamous felons. Dr. Thomas Bond was a British surgeon asked to examine the
bodies connected to the case and deliver his expert opinion connecting how they died to who
detectives should be looking for. Based on the remains of the victims, Dr. Bond created a
criminal profile and thus became one of the first profilers to create a criminal profile using
scientific evidence (Newburn, Williamson, & Wright, 2007). Dr. Bond noted during the
autopsies that the investigators should be looking for a person with medical knowledge due to
the way the victims were killed (Brown, Shell, & Cole, 2015). Dr. Bond’s profile of Jack the
Ripper included characteristics such as “middle-aged,” “neatly attired,” “loner,” and “mentally
analysis of Adolf Hitler. This analysis was requested by the Office of Strategic Services (OSS)
to help the agency predict Hitler’s future after World War II. The report used a variety of sources
including Hitler’s family physician and nephew. Langer predicted that if Hitler was faced with
the event of defeat in the war, there was a high possibility he would commit suicide due to his
psychotic behavior. Langer’s report of Adolf Hitler helped continue the use of resources to create
a foundation of criminal profiling as well as introduce the use of criminal profiling and
Howard Teten and Jack Kirsch are among the notable names in criminal profiling.
Howard Teten is best known for being the first FBI agent to provide a profile for the FBI (Kratz,
2012). A case about a young girl abducted from a Montana campsite was referred to the FBI
after a long missing-child search ended without any answers. His profile led to an arrest that fit
the criteria Teten introduced to the investigation. Teten determined that the criminal was most
likely a young, male murderer who kept body parts from his victims (Kratz, 2012). His techniques,
as well as the help of his colleagues, were incorporated and shaped the Criminal Investigative
Analysis Program (CIAP). Jack Kirsch is the name behind the creation of the FBI’s Behavioral
Science Unit (BSU). He was a significant contributor to the development of criminal profiling
and created the unit in 1972. Teten worked under Kirsch in the unit where both agents could
construct profiles and research cases for future profiling opportunities. Throughout the 1970s, the
BSU focused their energy on serial killer cases, especially when Theodore “Ted” Bundy came
Up to this point in the criminal profiling timeline, the investigative tool of profiling had
not been introduced in a courtroom until 1998. Special Agent Judson Ray was the first person in
the FBI’s Investigative Unit to use criminal psychological profiling in his expert testimony
(Ingram, 1998). Ray testified in the Anthoney v. State case involving a man named Kirby D.
Anthoney. Anthoney was convicted of murdering his aunt and two cousins. In this case, the
judge did not allow the actual profile to be permitted but allowed Special Agent Ray to speak
about how the defendant’s behavior echoed his guilt. Before this case, however, criminal profiles
were more accepted when they were used to defend probable cause for a search warrant (Ingram,
1998).
investigative units, John E. Douglas increased the realm of research in modern criminal profiling.
Douglas devoted twenty-five years of his life to an abundant career with the FBI’s BSU. Over
the course of his career, Special Agent Douglas interviewed over one hundred serial offenders
and aided in apprehending numerous offenders (Hutzell, n.d.). During his research, Douglas
discovered the following characteristics regarding serial killers: serial killers tend to be male,
they take souvenirs from victims to give to their significant other, and fantasy played a
significant role in the progression of a serial killer (Hutzell, n.d.). In some cases, criminals make
choices at the scene of the crime that are referred to as signature behaviors. Special Agent
Douglas has claimed to be the originator of this phrase (Turvey, 2011). Signature behaviors can
range from cutting up clothing found in closets to damaging or stealing cars in a garage.
fields whether or not criminal profiling will gain credibility and provide validation. In the most
recent years, criminal profiling has been receiving attention as the number of crime shows has
increased. Shows such as The X-Files, Criminal Minds, and Mindhunter have captivated
audiences and shined a light on profiling in both a positive and negative direction (Greenland,
2017).
The usage and interest in criminal profiling have also traveled abroad. Countries such as
Canada, Germany, Ireland, South Africa, New Zealand, and more have documented their use of
criminal profiling in their investigations (Snook, Cullen, Bennell, Taylor, & Gendreau, 2008). In
many of these countries, criminal justice investigators have the ability to use or deny the use of
criminal profiling techniques depending on the case. Democratic countries, however, tend to
incorporate the factor of politics when considering criminal profiling strategies. The United
States of America has the Daubert standard: criteria as to whether expert testimony should be
admissible in court or not. In countries such as Wales and England, the expert evidence does not
necessarily have to meet the criteria of the Daubert standard. According to Kocsis (2007, p. 210),
warning from the judge regarding the evidence in question (Kocsis, 2007).
specifically serial killer cases. Criminal profiling, however, has increased its use in cybercrimes
throughout the years since the development of computers and the Internet. Criminals are
continuing to commit crimes, but their choice in a medium is changing. The evolution of
criminal profiling will continue as the introduction of cybercrime changes researched methods
and processes that have been used for other types of crimes.
History of Cybercrime
Throughout the progression of cybercrime, the complexity of crimes and motives have
evolved as well. In the early stages of cybercrime, crimes were mostly committed by disgruntled
employees who caused physical damage to computer systems. Unhappy employees would
showcase their emotions by vandalizing the computers while causing the companies thousands of
dollars. These instances were considered the early stages of insider attacks.
The history of maliciously disrupting the inner workings of computer systems began in
the 1960s at the Massachusetts Institute of Technology (MIT). MIT students were working with
and analyzing trains from their Tech Model Railroad Club and were curious about manipulating
the anatomy of the trains (Florida Tech, 2016). This curiosity transitioned to the urge to dissect
the computers in MIT's Artificial Intelligence Lab. These students successfully found ways to
customize and change specific functions in the computers without the need to re-engineer
them. These were considered the first steps in hacking. The term “hacking,” however, was
considered to be a positive process to the general public as it was merely a way to fix a problem
computer users, specifically users who called themselves programmers, began using computers
with malicious intent. Programmers started to create malware, or malicious software, for
commercial and personal computer systems. Beginning in 1970, programmer Kevin Mitnick
became one of the most notorious hackers in the history of the Internet. A hacker is a name given
to a person who gains illegal access to data through the use of a computer. Through countless
hours of hacking, Mitnick was able to infiltrate networks such as Nokia and Motorola which
As technology progressed, hackers such as Kevin Mitnick began creating complex codes,
with good and bad intentions, due to the desire to learn how complex computer systems and
networks work. The first Apple personal computer virus happened in 1982. This virus, known as
the Elk Cloner, was written by Richard Skrenta who was 15 years old at the time. The Elk Cloner
was transported via floppy disk and infected each computer it was inserted into. The virus would
copy itself and infect other floppy disks that were inserted into the same computer.
International Business Machines (IBM) Corporation's first virus, the "Brain," was in
1986. The Brain was written by two Pakistani brothers, Basit and Amjad Farooq Alvi, and was
intended to protect their medical software from copyright infringement (Elmer-Dewitt, 1988). In
the same year, system administrator Clifford Stoll created the first computer forensic tool to
catch the hacker that was infiltrating his network (Florida Tech, 2016). He created what the
cyber world refers to as a “honeypot,” which lured attackers to his network in order to catch them
1986 was also the year that the Computer Fraud and Abuse Act (CFAA) was enacted in
the United States. The CFAA made it a federal crime to illegally access a computer without
having the proper authorization to do so. With the CFAA in place, the “Morris worm” was the
first felony conviction under the act. The worm, created by Cornell student Robert Morris, was
also the first computer worm and caused $98 million of damage to about 6,000 computers
(Florida Tech, 2016). Once society moved onto the 1990s, the Nigerian e-mail scam became an
epidemic on the Internet. This scam, known as the advance-fee scam, would ask the user for a
small “investment” prior to receiving a huge profit for helping the sender of the e-mail. The
sender of these e-mails was most often a “Nigerian prince.” Although advance-fee scams tend to
go unreported, the complaints that were reported lost an average of $5,000 and never received
payment from the senders (Brunton, 2013). One of the earliest FBI operations regarding
cybercrime happened in 1990 with “Operation Sundevil.” This operation lasted about two years
and involved over 150 agents. Agents were able to seize 42 computers, and about 20,000 floppy
disks that were illegally used for telephone services and credit card use (Markoff, 1990).
After the turn of the century, the complexity of computer attacks started to increase, and
law enforcement began to see the increase in cybercrime. In 2000, a denial-of-service (DoS)
attack created a considerable amount of damage but resulted in a small number of consequences.
A DoS temporarily or indefinitely blocks the intended user from using their computer. The attack
in 2000 caused financial damage to companies such as Amazon, eBay, Dell, and CNN. A hacker
who was 15 at the time created 1.2 billion dollars of financial damage to the listed companies
above as well as Yahoo! and Google (Kaspersky, 2016). His motive was a reasonable fit for an
adolescent; he wanted to "show the cyberworld how cool he was" (Kaspersky, 2016, para. 13).
Although his DoS attack caused damage to these top companies, Michael Calce, also known as
MafiaBoy, was sentenced to only eight months in a juvenile center (Gross, 2011).
Fast forward to 2010 and the world was hit by the Stuxnet virus and motives behind
cybercrime changed dramatically. Stuxnet was seen differently than previous malicious software
and has been considered the first cyber weapon (Fell, 2017). This computer worm was designed
to cause physical damage to systems used to control nuclear power in Iran. Stuxnet managed to
affect about one-fifth of the targeted systems. In 2013, NSA whistleblower Edward Snowden
came out with a statement that Israelis and the NSA’s Foreign Affairs Directorate (FAD) are the
ones responsible for creating the Stuxnet malware (Thomson, 2013). It has been estimated that
the virus set the Iranian program back at least two years (Fell, 2017).
The year 2016 introduced a new relationship between cybercrime and politics. In July of
that year, Democratic National Committee (DNC) e-mails were leaked and distributed to
The exposed e-mails led to the resignations of top officials and may have had a role in the
portrayal of the then presidential nominee, Donald Trump (Satter, Donn, & Day, 2017). Through
computer forensics, the persona Guccifer 2.0 was identified as part of the Main Intelligence
Directorate (GRU) agency in the Russian Federation (Price & Sheth, 2018). As this investigation
continues to this day, relationships with Russia have been affected as well as the general public’s
Centers have been established to try to combat cybercrime and decrease the amount of
damage they can cause. The Internet Crime Complaint Center (IC3) was established in 2000 and
continues to be the primary source for computer users to report crimes and submit their
information to the FBI. In 2017 alone, the center received 301,580 separate complaints with a
reported 1.4 billion dollars in losses (FBI National Press, 2018). The top cybercrimes reported
were phishing, data breach, and non-payment or non-delivery. From 2013 to 2017, IC3 saw the
number of complaints increase each year. The increase in cybercrime complaints is due to the
rise in cybercrime as well as the rise in awareness of the option to submit a problem directly to
the FBI. Across the world, the National Cyber Security Centre (NCSC) in England was also
founded to combat computer security threats. This center became active in 2016 and, in one year,
received 1,131 cybercrime complaints (Ismail, 2017). Both the IC3 and NCSC centers are aware
of the struggle the public is currently facing with cybercrime and also provide advice to private
and public sectors on how to protect themselves, so users and companies do not end up filing a
Primary objective. Throughout the history of both criminal profiling and cybercrime,
there have been many uses for criminal profiling but one primary objective: identify and
understand the criminal. This is not always an easy task as the advancement in technology
creates a thicker mask for the criminal to hide behind. The purpose of criminal profiling is not to
solve a crime on its own. It attempts to provide support in assisting law enforcement and
Today’s profiling process that applies to cybercrime involves two types of approaches.
The first approach that will be discussed is deductive profiling. Deductive profiling has an
profiling to analyze evidence collected from the case. Deductive profiling incorporates theories
made at a crime scene, constructed hypotheses and observations based on the evidence, and
confirmation after an arrest is made (Godwin, 2012). This can be incorporated into cybercrime as
well.
In this example scenario, an Internet cache showcases a user accessing a local online
newspaper after he/she hacked a local business’s network. This person of interest accessed the
website up to 100 times a day. It can be inferred that the criminal has tendencies to be paranoid.
A criminal profiler may also infer that the criminal is also either unemployed or works from
home and spent his time after the crime stalking the local news websites. One of the significant
advantages of using a deductive profiling process is that it can take into account criminal
behavior as it evolves throughout the investigation (Godwin, 2012). As with many other
investigative tools, one of the disadvantages of deductive profiling is that it is only as reliable as
not only piece together information in one case but also help bridge gaps in other cases. A case
involving a hacker can evolve into a manhunt of a serial hacker if the investigation introduces
evidence that they are dealing with a criminal who has previously committed this type of crime.
The second criminal profiling approach that can help investigators identify links to other cases is
inductive profiling. This process uses statistical or comparative analysis to create educated
overviews that tend to be shared by criminals who commit the same type of crimes (Godwin,
2012). The previous cybercrime scenario can be analyzed with inductive profiling as well. For
example, a profiler can reach the same conclusion that the criminal suffers from paranoia and is
unemployed or works from home. This can be completed by using statistics from previous cases
to infer that the criminal may fall into the same type of pattern.
Considering the possibility of links between cybercrime investigations will also reduce
the statistic of unsolved cyber cases. When highly advanced companies are hacked such as the
2000 DoS attack of Amazon, eBay, Dell, and CNN, investigators can connect each attack in
the separate companies to one hacker/hacker group due to the cybertrail hackers can leave
behind. Cybercrime cases that involve multiple victims tend to leave a cybertrail that can
accidentally connect their work with another cybercrime investigation. A cybertrail is considered
a virtual version of a signature left at a crime scene (Preuss, Furnell, & Lea, 2004). This topic
theories for cybercrime investigations. In a study with Hamid Jahankhani and Ameer Al-Nemrat,
they proposed that cybercriminal behavior may change too rapidly over time to create a
framework (Kirwan & Power, 2013). However, another study that involved the analysis of
twelve hackers in Germany stated that modern hackers were found using methods from previous
years instead of using newer techniques (Kirwan & Power, 2013). It is essential to study
frameworks that have been established in order to use them as examples to create updated
profiling outlines.
The Hacking Profiling Project is one of the prominent studies that involves cybercrime
and criminal profiling. This project provided information on the twenty hackers that the five
researchers studied, such as their demographics (age and gender), socioeconomic upbringing,
psychological traits, trends and habits regarding their hacking activity, and any social
relationships they had (Chiesa, Ducci, & Ciappi, 2009). The Hacker Profiling Project organized
research into personas ranging from the “Wanna Be Lamer” to the “Military Hacker,”
categorizing each from amateur to professional (Chiesa, Ducci, & Ciappi, 2009). The profiling
framework established during this study is seen as an important step towards developing
databases of criminal profiling cybercriminals to help reduce the margin of error when creating
future profiles.
As the name indicates, the Hacking Profiler Project only involved investigations
regarding hacking. Computer hacking is one portion of cybercrime; the remaining areas, such
as cyberbullying, cyberstalking, or e-mail scamming, were not considered. The
project’s objective was to create profiles of hackers based on completed questionnaires. It
is important to note that the researchers did not base their conclusions solely on the hackers’
Another popular profiling guideline is the Behavioral Evidence Analysis (BEA)
victimology, assessment of crime scene, and criminal characteristics (Turvey, 2011). It has been
used by the FBI’s Behavioral Analysis Unit to add significance to obtained computer forensic
evidence as well as aid investigators with the reconstruction of the crime. Between the two
criminal profiling approaches that have been discussed so far in this paper, BEA would be
The first stage, equivocal forensic analysis, focuses on reviewing the case from a
scientific standpoint and objectively developing theories of the crime. The second stage,
victimology, assesses the traits of the victims such as their physical characteristics, lifestyle, age, and
occupation. The third stage involves the assessment of the crime scene. Investigators collect
characteristics of the crime scene, or virtual crime scene, that can help provide answers about the
victim(s) and create connections to the criminal’s decisions (Turvey, 2011). The last stage
focuses on the criminal’s characteristics. This stage uses information from the crime scene to
determine both behavioral and personality characteristics and build an outline for his/her
criminal profile.
the “repeated and persistent attempt by one individual, the stalker, to harass another individual,
the victim, using the Internet or other open networks” (Slide & Angelopoulou, 2015, p. 445). The
use of technology allows the stalker to instill fear through behaviors such as making threats or
false accusations while keeping their identity hidden. A study was introduced in 2016 by Noora
Mutawa, Joanne Bryce, Virginia Franqueira, and Andrew Marrington that analyzed twenty cases
of cyberstalking and divided each result they found into the BEA stages. The following was
concluded:
Victimology
o 40% of the victims ranged between 21-30 years old. 75% were female,
o The second highest used method for cyberstalking in these 20 cases was
through the use of Facebook and Twitter. Evidence showed that the
Criminal Characteristics
o The cyberstalkers that used e-mail, the highest used method, were found to
This study connected a gap between BEA and cybercrimes such as cyberstalking and
evolved the idea that BEA can provide specific direction based on behavioral characteristics of
Modus operandi and motive. Although there are varying frameworks and methods,
each cybercrime investigation incorporates the analysis of the modus operandi (M.O.) of the
that indicates or suggests the work of a single criminal in more than one crime” (Merriam-
Webster Staff, n.d.). This pattern reflects the criminal’s personality. For example, a
cybercriminal may use an e-mail virus to destroy data, while another cybercriminal could destroy
information through a computer’s network. Technical skills, including skills in social situations
Motive identification aids investigators in answering the question most asked by the
people working on the case and the victims: why? The most common motivating factors include
money, emotion, sexual impulses, religion/politics, and amusement (Shinder, 2010).
Cybercriminals, whether a disgruntled bank employee or a hacker who sells identities on the
Internet, will commit a crime with the goal of making a financial profit. Other cybercriminals
may act out because they are unable to control their love, anger, or despair. Instead, they will
turn to stealing data from a company they were fired from or cyberstalking an ex-girlfriend/ex-boyfriend.
Although sexual impulses could be categorized under emotion, they tend to be separated
due to criminals that fall into this category. Criminals such as serial rapists and child
pornographers are considered some of the most violent cybercriminals (Shinder, 2010). This
category involves cases where criminals are profiled as sex addicts who use inappropriate means
to alleviate their urges. Criminal profilers created the combination of religion and politics
religion because of the increased cases of cyberterrorists that have admitted to conducting
malicious activity for their government or religious faith. As previously mentioned, Michael
Calce was a computer hacker who created a DoS attack to “show the cyberworld how cool he
was” (Kaspersky, 2016, para. 13). Sometimes cybercriminals do not commit crimes with malicious
intent but rather to showcase their skill set to other hackers or just out of curiosity. These
categories are only some of the most common motives behind a cybercrime, but they strive to be
Equivocal forensic analysis and computer forensics. As previously mentioned, the first
stage of BEA is equivocal forensic analysis. This step focuses on reviewing the case from a
scientific standpoint and objectively developing theories of the crime. Computer forensics is
applied during this step and includes system analysis that has been brought in for questioning by
System analysis is the forensic analysis of the file systems found on a
cybercriminal’s or victim’s computer. This type of analysis can help examiners detect any
modified files and their content. The examination of log file entries is included as well.
Following proper protocol, file systems must be identically duplicated before analysis can begin
(Eliyahu, 2016). Computer forensic examiners then use forensic tools such as EnCase or The
Sleuth Kit to assist them with extraction and analysis. Many cases include hard disks that contain
a large number of files to go through. To help eliminate the files that may be irrelevant to the
specific case, examiners use the Message Digest 5 (MD5) hash
algorithm. MD5 hashing is used to filter out already known information such as system commands and
libraries. This process uses hash databases, which store the MD5 values of known files that are
deemed irrelevant to search (Kessler, 2016). The files that remain are unique to the computer in
Each step is carefully reported to make sure that computer forensic examiners have sound
evidence that criminal profilers can use for behavioral analysis (Eliyahu, 2016). Although the
MD5 hash algorithm helps reduce the time used for computer forensic analysis, the average time
for a computer forensic analysis is about 4-10 days (Computer Evidence Recovery,
2015). For a cybercriminal’s profile to have a scientific viewpoint, criminal profilers have to wait
until all the computer evidence is properly analyzed and documented. This delay can give a serial
criminal more time to commit another crime (Computer Evidence Recovery, 2015).
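The known-file filtering step described above, as an added example in Python (not code from the thesis, EnCase, or The Sleuth Kit): it checks that a working copy hashes identically to the original, then sets aside every file whose MD5 appears in a known-file hash set. The file tree, its contents, and the hash set are constructed sample data, and the function names are hypothetical.

```python
"""Known-file filtering with MD5 (added illustration, constructed data)."""
import hashlib
import os
import tempfile


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not exhaust memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_duplicate(original, duplicate):
    """A working copy is only usable if it hashes identically to the original."""
    return md5_of(original) == md5_of(duplicate)


def filter_known_files(root, known_md5):
    """Walk the working copy and separate known files from unique ones.

    known_md5 is a set of lowercase hex digests standing in for a hash
    database of system commands and libraries (an assumption of this example).
    Returns (unique, skipped): unique is a sorted list of (relative_path, md5)
    left for the examiner; skipped counts the files matched and set aside.
    """
    unique, skipped = [], 0
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            digest = md5_of(full)
            if digest in known_md5:
                skipped += 1
            else:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                unique.append((rel, digest))
    return sorted(unique), skipped


def build_demo_tree(root):
    """Constructed sample data: two 'system' files and three user files."""
    samples = {
        "bin/ls": b"constructed stand-in for a system command\n",
        "lib/libc.so": b"constructed stand-in for a system library\n",
        "home/user/notes.txt": b"constructed user note\n",
        # Same bytes as bin/ls under another name: the hash still matches,
        # so renaming a known file does not make it look unique.
        "home/user/renamed.bin": b"constructed stand-in for a system command\n",
        "home/user/draft.doc": b"constructed user document\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    return samples


def run_demo():
    """Build the sample tree, hash-filter it, and return (unique, skipped)."""
    with tempfile.TemporaryDirectory() as root:
        samples = build_demo_tree(root)
        known = {hashlib.md5(samples[p]).hexdigest()
                 for p in ("bin/ls", "lib/libc.so")}
        return filter_known_files(root, known)


if __name__ == "__main__":
    unique, skipped = run_demo()
    print(f"set aside {skipped} known files; {len(unique)} left to review")
    for rel, digest in unique:
        print(digest, rel)
```

MD5 is used because the text names it; the same loop works unchanged with `hashlib.sha256` where a collision-resistant digest is required.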
While system analysis is performed with existing data, network analysis needs specific
qualifications to be completed. Prior to the seizure of the computer in question, there must be log
files containing incoming and outgoing network traffic. The absence of logged network traffic
If an attack on the network is detected by installed software and lasts longer than a few
minutes without interruption, a computer forensic examiner can enable traffic regulating systems
such as a router or a gateway. These systems can be used to log the network traffic needed to
complete the analysis. The network protocol itself can also offer evidence regarding a
cybercriminal’s M.O. (Preuss et al., 2004). Studying the network protocol, however, is not
the work, it is possible that network packets can be manipulated that affect the displayed IP
address. Behavior traits and expertise can be introduced during the network analysis process that
a criminal profiler can use as they develop a profile for the investigation.
signature left at a crime scene (Preuss et al., 2004). A computer forensic examiner approaches
the computer as they would a crime scene and analyzes any clues left behind by the
cybercriminal. The categories examiners look for that will be discussed are signatures, log files,
Similar to a signature left by a criminal at a crime scene, cybercriminals can also leave
their mark when committing a cybercrime. The most notable example was the leaked DNC e-
mails in 2016. Criminal profilers were able to create a profile with the help of computer forensic
analysis. Profilers were able to conclude that they were looking for a person or group of Russian
descent based on a few results. First, cybersecurity experts were able to find a signature left by
the hacker in Russia’s Cyrillic alphabet (Meyer, 2016). Second, through the remaining forensic
evidence, DNC’s cybersecurity firm concluded that their investigation should focus on Russian
intelligence groups due to the firm’s familiarity with Russian attacks. Both Russian proxy
groups, Advanced Persistent Threat (APT) 28 and APT 29, have infiltrated U.S. government
departments before, and the forensic evidence collected shows similarities in each case (Meyer,
2016).
Log files show examiners what happened and when. They can reveal what application
was used as well. Log files tend to be seen as electronic fingerprints and, when properly
managed, can be used as evidence for prosecution (Sadowski, 2010). In order to see if a
cybercriminal tried to log into a system remotely, computer forensic examiners can read the
syslogd log file. Application logs can be used to confirm or deny any assumptions that may be
created during an investigation. System logs can share information regarding malware usage or
any other suspicious activity. In the realm of criminal profiling, log files help investigators gather
information to start creating a profile. These files will showcase the M.O. of the cybercriminal by
listing any Internet access, e-mail servers used, file and folder operations, etc.
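The remote-login check described above, as an added example in Python (not from the thesis): it parses sshd entries in the traditional syslog layout and summarizes, per source address, failed and accepted logins, the usernames tried, and the hours of activity. The log lines, host name, users, and documentation-range IP addresses are constructed, and the function names are hypothetical.

```python
"""Summarize remote-login evidence from sshd entries in a syslog file."""
import re
from collections import Counter

# Constructed sample lines in the traditional syslog layout (no year field).
SAMPLE_LOG = """\
Mar  3 02:14:07 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 02:14:11 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 02:15:02 host1 sshd[2230]: Accepted password for jsmith from 203.0.113.7 port 50130 ssh2
Mar  3 09:01:44 host1 sshd[3120]: Accepted publickey for jsmith from 198.51.100.20 port 41000 ssh2
Mar  4 02:40:19 host1 sshd[4001]: Failed password for jsmith from 203.0.113.7 port 50301 ssh2
Mar  4 02:41:00 host1 CRON[4010]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\S+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_line(line):
    """Return the login event in one syslog line, or None if it is not one."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    event["hour"] = int(event["time"][:2])
    return event


def summarize(lines, min_failures=2):
    """Group login events by source address, in log order.

    success_after_failures is set when an accepted login arrives from an
    address that already has at least min_failures failed attempts.
    """
    report = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # other daemons (cron, kernel, ...) are out of scope here
        entry = report.setdefault(event["src"], {
            "failed": 0,
            "accepted": 0,
            "users": set(),
            "hours": Counter(),
            "success_after_failures": False,
        })
        entry["users"].add(event["user"])
        entry["hours"][event["hour"]] += 1
        if event["result"] == "Failed":
            entry["failed"] += 1
        else:
            if entry["failed"] >= min_failures:
                entry["success_after_failures"] = True
            entry["accepted"] += 1
    return report


def busiest_hour(entry):
    """Hour of day (0-23) with the most login events for one source."""
    return entry["hours"].most_common(1)[0][0]


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, entry["failed"], "failed,", entry["accepted"], "accepted,",
              "users:", sorted(entry["users"]),
              "busiest hour:", busiest_hour(entry),
              "flagged" if entry["success_after_failures"] else "")
```

The per-source hour counts are the part a profiler can reuse: they show when the account holder or intruder was active, which the surrounding text treats as part of the M.O.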
Web browsers on the computer can contain an updated list of previously visited websites
and search queries called Internet cache. This cached data can provide information that can help
investigators and criminal profilers analyze a criminal's possible motive and M.O. For example,
suppose investigators are trying to find out how a cybercriminal carried out a data breach at their
company. An analysis of the suspect’s Internet cache could turn up a search query on how to
perform a data breach using ransomware and assist the investigation during the prosecution
process.
Images and file metadata have played a key role in profiling cybercriminals who partake
offenders’ hardware is confiscated for analysis, criminal profilers can extract behavior traits from
the images that are extracted and their metadata. In 2015, there was a notable study of 15 cases
involving SEIC that studied the analysis of computer forensics and applied it towards behavioral
evidence analysis (Mutawa, Bryce, Franqueira, & Marrington, 2015). From the study,
researchers concluded that the majority of the cybercriminals were employed and had no prior
arrests (Mutawa et al., 2015). There were several learned characteristics about the way the
cybercriminals stored the images of children once computer forensic examiners located the
evidence on their computers. 93% of the cybercriminals hid their possession of SEIC through
“basic methods” such as deleting the files into their recycling bin and deleting any peer-to-peer
networking software (Mutawa et al., 2015). This could imply that the cybercriminals did not
have the technical skill set to hide their files or they were confident enough that they would not
Another behavioral characteristic was the sufficient interest in other paraphilic themes
along with SEIC. 80% of the cybercriminals had between 40-100 images of other paraphilic
themes (Mutawa et al., 2015). These images included themes such as bestiality. The correlation
between the SEIC images and the timestamps (e.g., the date created, last modified, last opened)
indicates that the user showed interest in viewing the contents of the file(s) and the known theme
they had. Computer forensic examiners noted that the images on each computer were not
organized and they did not find any evidence of shared folders. From this information,
researchers concluded that the cybercriminals were motivated by sexual impulses and not sharing
social networking sites such as Facebook and Twitter to uncover forensic evidence. Computer
forensic tools enable examiners to collect metadata from suspected cybercriminals such as
timestamps of posts or blog entries, IP addresses, and other information that ordinary users
cannot see (Wright, 2012). Criminal profilers can use this information as well as public
information the user displays to add to a cybercriminal’s profile. Cybercriminals who wish
to commit a crime for financial gain tend to do so with online fraud schemes that use a
Facebook profile to post a link to a fake fundraising page to collect money. Online sexual
predators who use social media to attract children have been found to already have a presence
online and to understand how to navigate sites such as Twitter and communication apps like
as well as technological traits when using the computer and Internet. Through the mentioned
signatures, social media posts, and Internet cache, the following can be detected in the
cybercriminal’s writing: nicknames, any pattern of typing mistakes, particular phrases, and
writing style from uncovered text files. Some of these characteristics such as typing mistakes and
writing style can be incorporated when a criminal profiler develops the potential education level
in a cybercriminal profile. The number of grammatical errors and faulty sentence structure has
been shown to indicate levels of either high school dropout, high school graduate, college-educated, or
upper-level education (Law Teacher, 2013). This was the case with the B.T.K. killer in 2004.
Dennis Rader was found guilty of murdering ten people over the course of 30 years. Although he
is not categorized as a cybercriminal, Rader was infamously known for using technology to stay
in contact with officials through taunting poems, puzzles, clues, and documents (Precision
Computer Investigations, 2010). Throughout the 30 years of unsolved cases, criminal profilers
predicted that they were looking for a middle-aged man with a low level of education due to his
writing quality in the materials he sent to law enforcement. The breakthrough was when the
police received a floppy disk from Rader that included a Microsoft Word document with the
grammatical errors and phrases that matched prior documents. Computer forensic examiners
analyzed the disk and noticed there was a deleted document that listed the name Dennis as the
creator and the location of where the document was last modified (Precision Computer
Investigations, 2010).
research and the effectiveness of criminal profiling in cybercrime in its entirety. Because there
are multiple types of cybercrime, the argument can arise that one profile of a cybercriminal may
not necessarily fit the profile of another. The cybercrime of hacking has subcategories that divide
hackers by their M.O., motivation, and personal characteristics. Internals and phishers are other
examples of categories of cybercriminals that will be discussed. The goal is to examine the types
of cybercrime to develop separate profiles and help set a foundation for investigators to use and
improve upon.
Hackers. One of the first efforts to create a profile of the hacker was from Bill Landreth
in 1985. Landreth developed a system to classify hackers based on their activities. He developed
the following five categories: novice, student, tourist, crasher, and thief (Landreth, 1985).
Another famous criminologist, Richard C. Hollinger, studied university students who were the
primary population of criminal computer activity at the time (Hollinger, 1988). Hollinger
concluded that the students individually fit into three categories: pirates, browsers, and crackers
(malicious hackers). In 1998, Donn Parker concluded from a study of hackers that
cybercriminals could fit into seven substantial criminal profiles: pranksters, hacksters,
malicious hackers, personal problem solvers, career criminals, extreme advocates, and
malcontents (Parker, 1998). Through the combination of the previous research conducted on
hackers, Marcus Rogers (2006) created an updated hacker taxonomy that includes nine
distinctive categories. These categories are novices, cyber-punks, internals, petty thieves, virus
writers, old guard hackers, professional criminals, and information warriors (Rogers, 2006).
The novice category includes hackers that are in the early stages of developing their
computer and programming skills. Novices are new to coding and rely heavily on written work
about software and hacking tools to conduct their network attacks. The novice category
also includes the younger generation, roughly ages 13-18, who admire crime that includes illegal
computer activity. The majority of the people in this category are motivated by the thrill that can
come from infiltrating a system and bragging rights (Rogers, 2006). To be accepted into the
hacking community, novices tend to feel the need to showcase their skills and build a type of
hacking “resume” and brag about the systems they have hacked so far. In criminal profiling,
these types of behavior have been seen in youth gangs where members must prove themselves to
become members of adult gangs (Chu, Daffern, Thomas, Ang, & Long, 2014). The previously
A step up from the novice hacker is the cyber-punk. This category encompasses the
people who have a few years of computer skills and are able to write some code without the need
for literature or tutorials. Cyber-punks experience a high when engaging in malicious
activities such as spamming unsuspecting users, vandalizing web pages, or participating in credit
card or identity theft. The majority of these hackers are motivated by the opportunity to receive
media attention for their actions. They tend to choose high profile companies and people to
attract more attention (Rogers, 2006). Once they are caught, security companies will hire these
hackers for their expertise. Kevin Mitnick, a computer security consultant who was previously
discussed as the hacker who infiltrated Nokia and Motorola, would be found in this category.
Internals pose the greatest risk out of all the categories, even though they are the
least publicized category (Rogers, 2006). It has been argued that internals should not be
considered hackers and are a category of cybercrime of their own. This category will be discussed
later as a separate crime with its corresponding criminal profile. The next category, the petty
thieves, uses hacking to further their other criminal activities. Petty thieves are less interested in
fame and more interested in how to increase the amount in their bank accounts (Rogers, 2006).
The old guard category shares the same interests as the novice category. While focusing
on the thrill of the intellectual challenge that comes with hacking, old guards rarely hack a
system with criminal intent (Rogers, 2006). These individuals have well-developed technical
skills and are usually the writers of the code and scripts that the novices and cyber-punks use.
Old guards believe in helping each other strive in the hacking community, and they will post
their scripts for others to use for free. The primary motivations for old guards are ongoing
curiosity about computer systems and the need for intellectual challenges (Rogers, 2006).
The virus writer category was created as a placeholder by Rogers (2006). At the time of
his research, there was little information about the behavioral traits and motivation for a person
who writes viruses. He did indicate that virus writers tend to be individuals in their late twenties
who are able to professionally write scripts and code. Virus writers hack with malicious intent
(Rogers, 2006).
The professional criminals are individuals who have created a cybercriminal enterprise
and strive to increase it with each online activity. Money motivates people in this category.
Professional criminals try to develop their skills to keep up with technological advances and, in
turn, increase their revenue. Similar to petty thieves, professional criminals do not want
attention or fame for their work (Rogers, 2006). This group is comprised of mature individuals
with a mature level of computer skills. To receive revenue for their work, professional criminals
join organized criminal groups and charge for each job they complete (Rogers, 2006).
The information warfare hackers are those who not only conduct attacks but also defend
against them. This category includes the practice of both conventional and unconventional state-
sponsored warfare (Rogers, 2006). Information warfare hackers are deemed to be highly trained
in cybersecurity and have many years of experience. This group is motivated by the need to
defend their country (Rogers, 2006). They have no issue with obtaining expensive hardware and
software to get their jobs done and tend to specialize in industrial espionage.
Internals. History has shown that the most cost-effective group has been internal
personnel who attack their own company. The internal group is predominantly made up of
resentful employees or ex-employees who seek revenge and use their access privileges to attack
their own company's computer or network systems (Keeney et al., 2005). This group has been
argued to be the most dangerous since these individuals tend to already be system administrators
or information technology professionals (Rogers, 2006). Revenge motivates people who conduct
internal attacks. They feel they have been wrongfully fired or not appreciated for their efforts at
the company. Researchers Dr. Maria Bada and Dr. Jason Nurse (2016) created an illustration,
Figure 1, based on statistics found during a study at Carnegie Mellon (Moore et al., 2011).
In 2011, a study was conducted by members of the CERT program at Carnegie Mellon
University that involved 48 internal threat cases to determine the traits for a criminal profile
(Moore et al., 2011). The most notable traits found regarding an internal cybercriminal include
their gender, age, and the information they stole from the company. According to the study
(Moore et al., 2011), the majority of the internal cybercriminals were males around the age of 37.
86% of the individuals involved with internal attacks stole data that they created or worked on while
employed by the company (Moore et al., 2011). An internal cybercriminal that takes the data
they stole and gives it to a competing company was found motivated by sabotage and the
possibility of a job opportunity at an opposing company as a reward (Rogers, 2006; Moore et al.,
2011).
Phishers. One of the primary objectives of phishing attacks is to steal identities online to
gain access to finances. To accomplish this goal, phishers trick users by creating fake e-mails
and pretending to be a reputable company, so users feel comfortable disclosing their credentials.
Phishers send thousands of e-mails, and similar to the activity of fishing, they wait to see if any
“fish” take their fake e-mail bait (Zelkowitz, 2007). Once they have a computer user’s
information, phishers attempt to impersonate the user online and begin their cybercrime spree.
This category of cybercriminals incorporates their highly developed social engineering skills and
interest in financial gain to conduct their malicious activity (Gajek & Ahmad-Reza, 2008). The
majority of phishers prefer to carry out their crime in a team setting rather than individually in order to
Phishers generally share three different motives for obtaining users’ information online.
Most phishers use the personal information they acquire to commit fraud such as government
agency scams or charity donation fraud (Rebovich, Allen, & Platt, 2015). Phishers can use the
information given such as Social Security numbers, birth certificates, and other personal
information. The second highest reason for phishing is strictly for money. When cybercriminals
obtain access to credit card numbers and bank account credentials, they can either use that
information themselves to shop online or sell the information on the dark web to other users
(Rebovich et al., 2015). The third most popular reason for phishing involves submitting false
claims to the Internal Revenue Service (IRS). Phishers tend to target the elderly and steal their
Figure 2 summarizes the findings from the variety of researchers discussed thus far. This
figure displays the research found regarding various cybercriminals, corresponding notable traits,
and their motives (Keeney et al., 2005; Moore et al., 2011; Mutawa et al., 2016; Mutawa et al.,
Virus Writer
• Notable traits: individuals in their late twenties; able to professionally write scripts and code
• Motive: malicious intent
The purpose of this research was to present the leading contributions of criminal profiling
trends, and examination of errors and lessons learned. The Literature Review helped answer the
computer forensics and criminal profiling? What are potential issues associated with the
The Literature Review was designed to examine the use of criminal profiling by first
establishing a timeline for both criminal profiling and cybercrime investigations to set a
foundation. Once this was outlined, the goal was to understand the role criminal profiling has in
cybercrime investigations and explore the relationship between computer forensics and criminal
profiling. Finally, a variety of criminal profiles for various cybercrimes were presented. Potential
issues that can evolve when combining criminal profiling and cybercrime investigations were
discussed throughout the Literature Review to introduce to the reader the negative aspects to
consider.
Sources of the gathered research were chosen based on author credibility and the quality
of the studies done in cybercrime investigations. The sources found ranged from news articles,
scholarly articles, academic textbooks, and crime reports. News articles from the Boston Globe
and The New York Times reported current cybercrime events and provided insight into the history
of cybercrime and criminal profiling. Scholarly articles and crime reports presented theories of
behavioral traits for serial cybercriminals based on a series of criminal cases. The information
found in the academic textbooks introduced definitions and explained found principles in both
criminal profiling and computer forensics. The combination of these sources opens the floor for
The purpose of criminal profiling is not to solve a case without the use of evidence. Its primary
goal is to identify and attempt to understand the criminal(s) involved. The two main approaches
to creating a cybercriminal profile include deductive and inductive profiling. Through the use of
the two profiling methods, investigators can use criminal profiling to establish connections
between cases, create a profiling framework, analyze M.O., and develop a possible motive. To
begin creating a profile, criminal profilers use deductive profiling to analyze the collected
evidence to use as their base for profiling theories. If the investigation contains reliable evidence
such as computer files or code signatures, there is a smaller margin of error for the developing
criminal profile during the investigation. The second criminal profiling approach, inductive
profiling, helps create an acceptable amount of scientific background to create the foundation of
a cybercriminal profile.
The practice of profiling a cybercriminal has the capability of helping investigators not
only piece together information in one case, but also help fill in gaps in other cases.
Connecting cybercriminals to other cybercrimes is directly related to the statistic of unsolved
cyber cases. To lower this statistic, criminals who take to the Internet to commit their crimes
should be analyzed akin to serial murderers. For example, it is common for cybercriminals to work
in groups to commit their crimes such as identity theft. These groups continue to attack computer
users for months to years until they are caught, similar to serial murderers, or they move on to
other types of cybercrimes. It is recommended that criminal profilers spend an equal amount of
time, or even more, on a criminal profile after the case is complete. Once a cybercriminal is
convicted, it is the criminal profiler’s job to work with investigators and study the developed
Criminal profiling is used to create profiling frameworks to use them as examples and
create updated profiling outlines as technology and cybercriminals advance. One of the most
prominent projects discussed in the Literature Review section was the Hacking Profiling Project.
Although it was recognized nine years ago, the profiling framework established during this study
has been a stepping stone towards developing new databases of criminal profiling cybercriminals
for investigators to refer to. This project was unique because it took the criminal profiling
process a step further. The researchers combined their theories based on the hackers' crimes and
methods with a questionnaire for each studied hacker. The Hacking Project used the approach of
Another notable framework is the BEA guidelines. The BEA framework has been used
by the FBI’s Behavioral Analysis Unit to add substance to obtained computer forensic evidence
as well as aid investigators with the reconstruction of cybercrimes. The studies previously
discussed, such as the 2016 study focused on cyberstalking, help evolve the idea that BEA can
provide specific direction based on behavioral characteristics of both the victim and the
cybercriminal (Mutawa et al., 2016). The Hacking Project framework and the BEA profiling
guidelines are keen examples of investigators using the tool of criminal profiling in cybercrime
investigations.
Criminal profiling is also used to analyze the M.O. and motive of the cybercriminal in
question. Identifying a cybercriminal’s M.O. helps answer the question: how? The analysis of
one’s motive helps answer the question: why? Criminal profiling helps separate a cybercriminal
who wants to make a profit by stealing identities from another cybercriminal who steals data
from a company for revenge. In this example, these two cybercriminals have varying motives
and methods of committing a crime. Placing cybercriminals into different categories allows
investigators and criminal profilers to distinguish M.O. and possible motives in each case. Figure
2 displays the research found regarding various cybercriminals, corresponding notable traits,
and their motives (Keeney et al., 2005; Moore et al., 2011; Mutawa et al., 2016; Mutawa et al.,
2015; Rebovich et al., 2015; Rogers, 2006). Society believes that all cybercriminals commit their
crimes with malicious intent. Figure 2 outlines the other reasons that have motivated
cybercriminals such as showcasing their skill set to other hackers or just out of curiosity. These
categories are only some of the most common motives behind a cybercrime. They strive to be
complement one another. Criminal profiling can assist computer forensic examiners in
improving efficiency. In turn, computer forensics can help criminal profilers when scientific
integrity is questioned. Equivocal forensic analysis in the BEA framework aids criminal profilers
in focusing their effort on reviewing a case with a scientific standpoint and objectively
developing theories of the cybercrime. Computer forensics is applied during this step and
includes system analysis of the computer that has been brought in for questioning by
investigators. To help keep the integrity of the evidence that criminal profilers base their
methods on, forensic examiners create a duplicate of the system they are working on to make
The quicker criminal profilers can study the evidence from a case, the quicker they can
create a profile to share with investigators and the public to find the suspect. To help expedite the
analysis of the system, examiners use MD5 hash algorithms to eliminate files that may be
deemed irrelevant to a specific case. The files that remain are unique to the computer in question,
and the analysis can continue in an efficient manner. If the case includes multiple hard drives
that contain thousands of files, criminal profilers can suggest a starting point for examiners. For
example, in cases of cyberstalking, e-mail is the most used method. Computer forensic
examiners can begin their search through e-mail logs to find evidence rather than starting with
network analysis, which would be used for cases involving malware. Throughout system analyses
and network analyses, each step is carefully reported to make sure that computer forensic
examiners have sound evidence that criminal profilers can use for behavioral analysis.
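The known-file elimination described above, shown as an added Python example that is not part of the original paper: every file under a working copy of the evidence is hashed and dropped when it matches a reference set of known files. The function names, sample files and reference set are constructed for illustration, and pairing each MD5 with a SHA-256 digest is an assumption added here so that an MD5 match alone never eliminates a file.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for one file, reading it once in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def filter_known_files(root, known):
    """Split the files under root into (eliminated, remaining, conflicts).

    known maps the MD5 of a known, irrelevant file to its SHA-256.
    A file is eliminated only when both digests match. An MD5 match with a
    different SHA-256 (a possible collision) is kept and flagged for review.
    """
    eliminated, remaining, conflicts = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, so the report is repeatable
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            md5_hex, sha_hex = hash_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            expected_sha = known.get(md5_hex)
            if expected_sha is None:
                remaining.append(rel)      # unique to this computer
            elif expected_sha == sha_hex:
                eliminated.append(rel)     # known file, safe to skip
            else:
                conflicts.append(rel)      # MD5 agrees, SHA-256 does not
    return eliminated, remaining, conflicts


def demo():
    """Run the filter over a constructed directory tree and reference set."""
    files = {  # constructed sample content, not real evidence
        "Windows/notepad.exe": b"stock operating system binary",
        "Program Files/app/help.chm": b"vendor help file",
        "Users/suspect/mail/outbox.mbox": b"From: a@example.test\n\nhello",
        "Users/suspect/notes.txt": b"meeting at 9",
        "Users/suspect/tool.bin": b"unrecognised program",
    }
    known = {}
    for rel in ("Windows/notepad.exe", "Program Files/app/help.chm"):
        data = files[rel]
        known[hashlib.md5(data).hexdigest()] = hashlib.sha256(data).hexdigest()
    # Simulate a reference entry whose MD5 matches but whose SHA-256 does not.
    known[hashlib.md5(files["Users/suspect/tool.bin"]).hexdigest()] = "0" * 64

    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return filter_known_files(root, known)


if __name__ == "__main__":
    eliminated, remaining, conflicts = demo()
    print("eliminated:", eliminated)
    print("remaining: ", remaining)
    print("conflicts: ", conflicts)
```

The files are only read, never modified, which matches the practice of working on a duplicate of the system rather than the original.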
A computer forensic examiner approaches the computer as they would a crime scene
and analyzes any clues left behind by the cybercriminal. The categories examiners look for that
were discussed in the Literature Review include signatures, log files, Internet cache, images, file
metadata, and social networking sites. Signatures in a virtual crime scene are similar to
signatures in a physical crime scene. As criminal profilers collect traits and tendencies, patterns
start to form, and connections to other cases begin to develop. In the 2016 DNC e-mail case,
matched another instance when APT 28 and 29 attacked United States systems (Meyer, 2016).
Log files are the eyewitnesses of the virtual crime scene. These files can reveal what
happened, when, and how. In regard to criminal profiling, log files help investigators gather
information to start creating a profile. Log files help strengthen the relationship between
computer forensics and criminal profiling. These files showcase the M.O. of the cybercriminal
by listing any Internet access, e-mail servers used, and any file and folder operations. These
technological traits when using the computer and Internet. Whether it is through the analysis of
online writing style, signature, or file metadata, computer forensics harmonizes with criminal
What are potential issues associated with the discipline of criminal profiling in cyber
investigations?
One of the most talked about topics regarding criminal profiling is its validity in cyber
investigations. Criminal profiling cannot hold its own in an investigation. In the courtroom, profiles
introduced by criminal profilers are rarely admitted. In countries such as Wales and England, if evidence
has “general acceptance in the scientific community,” it is allowed in court with a warning (2007, p.
210). If evidence is introduced under questionable techniques, the judge will warn the jury about the
expert’s testimony prior to proceeding. Criminal profiling is seen as a tool in cybercrime investigations.
Sharing the profile of a cybercriminal with investigators could possibly lead the investigators down
the wrong path. If a criminal profiler is adamant about linking a cybercriminal to other cases, they might
spend time and resources linking similar profiles. The fact that one case is looking for a technological male
in his late 30s who is wanted in an e-mail scam does not necessarily mean that he is the same
technological male in his late 30s responsible for a million-dollar data breach. At times, profiles are too
vague to play an aggressive role in solving other cybercrime cases, and it is best to connect cases using
relationship. If there is an issue with the evidence from the forensic analysis, this will have an
effect on the developed profile of the cybercriminal. As with many other investigative tools, the
method of deductive profiling is only as reliable as the evidence it is based upon. During forensic
analysis, the network protocol can offer evidence regarding a cybercriminal’s M.O. An issue can
arise if the cybercriminal has a technological background or finds a tool to manipulate the
displayed IP address. Computer forensics was not an accepted tool for cybercrimes until more
research was conducted and computer training increased. Criminal profiling could follow the
same path and can continue facing issues until there is an increase in research and training. The
lack of motivation to develop the use of criminal profiling in cybercrime investigations can also
become a potential issue. Proposals have been made that cybercriminal behavior may change too
One of the first issues that arose when criminal profiling was being incorporated in
cybercrime was that one profile of a cybercriminal might not necessarily fit the profile of
another regarding two separate cybercrimes. To create the criminal profile categories for
cybercriminals committed their crime, but to find out the exact reason, profilers have to go to the
source and ask the criminal. However, if there is a lack of cooperation from charged
disadvantages while studying the topic of criminal profiling in cybercrime investigations helps
guide further research and, in turn, eliminate the mentioned potential issues.
A variety of research material is available that explores the multiple ways criminal
profiling is used in cybercrime investigations. These studies offer confirmation that criminal
profiling has a place in investigating cybercrimes and is seen in a favorable light. Rather than
examining if criminal profiling should be used in cybercrime investigations, this study focused
on the ways criminal profiling is used to identify a cybercriminal as well as what kind of
relationship exists between computer forensics and criminal profiling. This research was
designed to combine the studies that have already been done regarding the use of criminal
During the research process, there was one study’s conclusion that other researchers
might not necessarily agree with. One of the case studies in the Literature Review section
involved cyberstalking cases from Dubai, United Arab Emirates (Mutawa et al., 2016). This
study identified the physical and behavioral traits that were most abundant in the
cyberstalking cases that were examined. The results of this study may only showcase the traits of
a cyberstalker in the United Arab Emirates. Researchers could pose the argument that different
results would emerge if the study were done in the United States of America.
Combining the science of criminal profiling and computer forensics with
the research on the different types of cybercrime helps explain the positive aspects of using
criminal profiling in cybercrime investigations and the potential issues that may evolve
from it. As discussed in other studies, the validity of criminal profiling is continuously
questioned. The continuation of research is necessary to allow criminal profiling in the relatively
Limitations arose as research was conducted for this study. The topic of criminal
profiling is still a developing matter in cybercrime investigations. A few sources were
found whose authors were granted access in their respective countries to local law enforcement case files.
This allowed them to conduct their research and share behavioral trait patterns. There was a lack
of research that used case files to back their proposed motives and behavior traits for the
presented cybercriminal categories. Early studies focused their attention and resources on
hackers and how they operate. It was not until other crimes such as online identity theft gained
public attention that researchers looked into studying other cybercriminal profile possibilities.
The majority of scholarly articles focused on one significant cybercrime. While researching, the
number of articles that discussed multiple cybercrimes and the corresponding criminal profiles
was minimal.
Every topic in cybersecurity provides room for growth and opportunity for
continuously changing. The only way to keep up with the pace of these changes is to put forth
continuous research and efforts to understand ongoing advancements. In the case of criminal
profiling in the realm of cybercrime investigations, the most crucial recommendations fall into
Research Exposure
counterparts in the academic community and help give back to their field. Whether it is through
any academic level can, in turn, increase future research and allow room for improvement on the
professionals who gather to share their work products. This effort can aid in the organization of
research and bring together professionals from the International Society of Forensic Computer
of Cybercrime Prevention (IACP), and the Society for Police and Criminal Psychology (SPCP).
forums, and newsletters to help establish a well-developed area for research to flourish. The
suggested name for such an organization would be the Criminal Profiling and Cybercrime
Bringing interdisciplinary professionals together to share research increases the chance
for international research to be shared in the United States as well. It is essential for criminal
profilers to study how other countries incorporate criminal profiling in their cybercrime
investigations. One of the case studies in the Literature Review section involved cyberstalking
cases from Dubai, United Arab Emirates (Mutawa et al., 2016). As previously discussed,
countries such as Canada, Germany, Ireland, South Africa, and New Zealand have documented
their use of criminal profiling in their investigations (Snook, Cullen, Bennell, Taylor, &
Gendreau, 2008). Researching the different uses of criminal profiling techniques in different
countries is needed to adequately examine the dynamics of cybercrime, as well as offender and
victim traits.
Education
In any field, constant training is critical to keep up with the advances from research and
experimentation. Cybercriminals are new study subjects for criminal profilers, and that can come
courses and training should increase over time along with a significant emphasis on research
exposure.
programs can be included in criminology, criminal justice, digital forensics, and psychology. The
curriculum can incorporate criminal profiling in cybercrime investigations through case study
analysis and presentations by experienced guest lecturers. Along with courses, internal training
sessions are recommended for both psychologists and law enforcement-related professionals.
These internal training sessions can include presentations, webinars, and workshops. As more
professionals learn about the use of criminal profiling in cybercrime investigations, the more
widespread its use can become. This training recommendation may lead to a lower margin-of-error when
New Research Question 1: What New Categories Should Be Implemented to Better Study
Cybercriminals?
There were designated categories introduced in this paper regarding the characteristics
that correspond with a type of cybercrime. These categories include internal attackers,
cyberstalkers, professional criminal hackers, and others. It should be noted that these categories
are not a permanent framework to divide cybercriminals based on their traits. As cybercrimes
evolve, the categories should evolve as well. New categories should arise as emerging research
on the topic increases. For example, researchers should examine a category of cybercriminals
who use the Internet to attack mobile phones and create a category based on found computing
and behavioral traits. Researchers should also ask themselves when creating new categories if
any current categories are obsolete as well. Based on new data, there may be a category that is
no longer common enough to warrant a specific category or is too closely related to another type of
cybercriminal.
New Research Question 2: How Do Virus Writers Vary from Other Cybercriminals from a
In the research field, little data has been collected on hackers who write viruses to attack
computer users and companies. In the last three years, viruses have continued to be one of the leading
causes of computer attacks, and there is not enough evidence to state that virus use will be
decreasing anytime soon (FBI National Press, 2018). Computer forensic examiners can take the
lead in generating more research as to what computer traits are associated with virus hackers.
Once virus cases are studied and presented, criminal profilers can go forth and add information
they may have discovered while investigating cases involving a computer virus writer. To keep
virus writers as a separate classification, there must be substantial evidence of traits, including
computer traits as well as physical or behavioral traits. Further research should also include
New Research Question 3: What Cybercrime Prevention Measures and Programs Can Be
Throughout the search for case studies, scholarly articles, and other sources of
information, there were only a handful that mentioned the use of criminal profiling in the fight to
prevent cybercrime. Professionals who are experienced with criminal profiling in cybercrime
investigation have the tools needed to add valuable information for cybercrime prevention
programs. Future research can include updating current prevention programs with criminal
profiling insight or creating new cybercrime prevention processes. As experts from the law
enforcement and psychology fields work together, the future of criminal profiling will prove to
Conclusion
The purpose of this research paper was to present the prominent contributions of criminal
emerging trends, and examination of errors and lessons learned. The purpose of criminal
profiling is not to solve a case without the use of evidence. Its primary goal is to identify and
criminal profiler's job to work with investigators and study the developed criminal profile to
make a possible connection to other created profiles. Criminal profiling is also used to analyze
the M.O. and motive of the cybercriminal in question. Criminal profiling helps separate the traits
realm of cybercrime investigations. With the help of computer forensics, criminal profilers can
defend their data when scientific integrity is questioned. In turn, criminal profiling can assist
computer forensic examiners in improving efficiency. Log files are the eyewitnesses of the
virtual crime scene. Cybertrail categories, such as the log files, introduce criminal profilers to
cybercriminal personal habits as well as technological traits, when using the computer and
Internet.
One of the most talked about topics regarding criminal profiling is its validity in cyber
investigations. Criminal profiling cannot hold its own in an investigation because criminal
the topic of criminal profiling in cybercrime investigations helps guide further research and, in
turn, eliminates the aforementioned potential risks. The continuation of research is necessary to
References
Bada, M., & Nurse, J. (2016, April 18). Profiling the cybercriminal. Global Cyber Security
capacity/content/profiling-cybercriminal
Bednarz, A. (2004, November 29). Profiling cybercriminals: A promising but immature science.
wan/profiling-cybercriminals--a-promising-but-immature-science.html
Brown, J., Shell, Y., & Cole, T. (2015). Forensic psychology: Theory, research, policy and
Brunton, F. (2013, May 19). The long, weird history of the Nigerian e-mail scam. Boston Globe.
Chiesa, R., Ducci, S., & Silvio, C. (2009). Profiling hackers: real data, real experiences, wrong
myths and the hackers profiling project (HPP). Virus Bulletin Conference. Geneva:
Chu, C., Daffern, M., Thomas, S., Ang, Y., & Long, M. (2014). Criminal attitudes and
Computer Evidence Recovery. (2015). How long does a forensic exam take? Retrieved from
http://www.computerpi.com/resources/how-long-does-a-forensic-exam-take/
http://digitalforensicsmagazine.com/index.php?option=com_content&view=article&id=539
Dyson, S. (2013). Origins of the psychological profiling of political leaders: The US office of
strategic services and Adolf Hitler, intelligence and national security. Intelligence and
Ebisike, N. (2007). The use of offender profiling evidence in criminal cases. Theses and
Dissertations, 23.
Eliyahu, T. (2016, March 20). Practical guide to USB forensics. eForensics Magazine. Retrieved
from https://eforensicsmag.com/usb_forensics/
Elmer-Dewitt, P. (1988, September 26). Technology: You must be punished. Time. Retrieved
from https://time.com
Europol. (2014). The cyberpsychology of Internet facilitated organised crime. Retrieved from
https://www.europol.europa.eu/iocta/2014/appendix-3.html
FBI National Press. (2018, May 07). FBI releases the IC3 2017 Internet crime report and calls
releases/fbi-releases-the-ic3-2017-internet-crime-report-and-calls-for-increased-public-
awareness
Fell, J. (2017, March 13). Hacking through the years: A brief history of cyber crime. Engineering
through-the-years-a-brief-history-of-cyber-crime/
Florida Tech. (2016, August 17). A brief history of cyber crime. Retrieved from
https://www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime/
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
Gajek, S., & Ahmad-Reza, S. (2008). A forensic framework for tracing phishers. The Future of
Greenland, B. (2017, October 11). Mindhunter: 5 Other Shows about Criminal Profilers. Set the
about-criminal-profilers/
Gross, D. (2011, August 15). 'Mafiaboy' breaks silence, paints 'portrait of a hacker.' CNN.
https://www.history.com/topics/british-history/jack-the-ripper#section_2
Holland, J. (2014, December 18). Managing a cyber crime scene. FCW. Retrieved from
https://fcw.com/articles/2014/12/18/managing-a-cyber-crime-scene.aspx
https://faculty.frostburg.edu/mbradley/psyography/douglas.html
INDRA. (2015, January 12). Profiles of cyber-criminals and cyber-attackers. Cyber Road.
project.eu/m/filer_public/2016/05/02/d44_profiles_of_cyber_criminals_and_cyber_attack
ers.pdf
Ingram, S. (1998). If the Profile Fits: Admitting Criminal Psychological Profiles into Evidence in
Internet Crime Complaint Center. (2017, June 22). 2016 Internet crime report. Retrieved from
https://pdf.ic3.gov/2016_IC3Report.pdf
Ismail, N. (2017, October 03). 1,000+ cyber incidents reported to NCSC in first year of
cyber-incidents-reported-ncsc-123468868/
Kaspersky, E. (2016, December 6). A brief history of DDoS attacks. AO Kaspersky Lab.
Keeney, M., Kowalski, E., Cappelli, D., Moore, A., Shimeall, T., & Rogers, S. (2005). Insider
Mellon Software Engineering Institute. U.S. Secret Service and CERT Coordination
Center.
Kessler, G. (2016, December 31). The impact of MD5 file hash collisions on digital forensic
Kirwan, G., & Power, A. (2013). Cybercrime: The psychology of online offenders. Cambridge
University Press.
Kocsis, R. (2007). Criminal profiling: International theory, research, and practice. Humana
Press.
Kratz, D. (2012, April 17). Do you know who was the first profiler in the FBI? Profiles of
Landreth, B. (1985). Out of the inner circle: A hacker's guide to computer security. Microsoft
Press.
https://www.lawteacher.net/free-law-essays/criminology/criminal-profiling.php#citethis
Markoff, J. (1990, June 03). Drive to counter computer crime aims at invaders. The New York
Times, p. 1001001.
webster.com/dictionary/modus%20operandi
Meyer, J. (2016, July 25). Why experts are sure Russia hacked the DNC emails. NBC News.
hacked-dnc-emails-n616486
Moore, A., Capelli, D., Caron, T., Shaw, E., Spooner, D., & Trzeciak, R. (2011). A preliminary
Engineering Institute.
Morgan, S. (2017, June 6). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021.
labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html
Mutawa, N., Bryce, J., Franqueira, V., & Marrington, A. (2015). Behavioural evidence analysis
applied to digital forensics: An empirical analysis of child pornography cases using P2P
Toulouse: IEEE.
Mutawa, N., Bryce, J., Franqueira, V., & Marrington, A. (2016). Forensic investigation of
Nelson, A., & Garfinkel, S. (2015). Measuring systematic and random error in digital forensics.
Newburn, T., Williamson, T., & Wright, A. (2007). Handbook of criminal investigation. Willan
Publishing.
Oyedele, A. (2017, May 6). BUFFETT: This is 'the number one problem with mankind.'
cybersecurity-berkshire-hathaway-meeting-2017-5
Parker, D. (1998). Fighting computer crime: A new framework for protecting information. New
Precision Computer Investigations. (2010, April 14). How computer forensics solved the BTK
https://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
Preuss, J., Furnell, S., & Lea, S. (2004). Research in progress short paper: The adoption of
criminal profiling for computer crime. EICAR 2004 Conference CD-rom: Best Paper
Price, R., & Sheth, S. (2018, March 22). DNC hacker 'Guccifer 2.0' was reportedly confirmed as
a Russian agent after forgetting to conceal his identity online. Business Insider. Retrieved
from http://www.businessinsider.com/dnc-hacker-guccifer-confirmed-as-russian-agent-after-forgetting-to-conceal-identity-2018-3
Rebovich, D., Allen, K., & Platt, J. (2015). The new face of identity theft: An analysis of federal
case data for the years 2008 through 2013. Center for Identity Management and
Rogers, M. (2004, May). The role of criminal profiling in the computer forensics process.
Ryan, C., & Lewis, J. M. (2017, September). Computer and Internet use in the United States:
https://www.census.gov/content/dam/Census/library/publications/2017/acs/acs-37.pdf
Sadowski, G. (2010, November 08). Using logs for forensics after a data breach. Network World.
for-forensics-after-a-data-breach.html
Satter, R., Donn, J., & Day, C. (2017, November 04). Inside story: How Russians hacked the
https://www.usnews.com/news/world/articles/2017-11-03/inside-story-how-russians-hacked-the-democrats-emails
Shimeall, T. (2016, September 16). Traffic analysis for network security: Two approaches for
https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html
Shinder, D. (2010, July 19). Profiling and categorizing cybercriminals. Tech Republic. Retrieved
from https://www.techrepublic.com/blog/it-security/profiling-and-categorizing-cybercriminals/
Silde, A., & Angelopoulou, O. (2014). A digital forensics profiling methodology for the
Snook, B., Cullen, R., Bennell, C., Taylor, P., & Gendreau, P. (2008, October 01). The criminal
Snow, G. (2010, July 28). The FBI’s efforts to combat cyber crime on social networking site.
combat-cyber-crime-on-social-networking-sites
Thomson, I. (2013, July 08). Snowden: US and Israel did create Stuxnet attack code. The
https://www.theregister.co.uk/2013/07/08/snowden_us_israel_stuxnet/
Winerman, L. (2004, July). Criminal profiling: the reality behind the myth. American
http://www.apa.org/monitor/julaug04/criminal.aspx
Wright, B. (2012, December 20). Social media and the changing role of investigators. Forensic
and-changing-role-investigators
Zelkowitz, M. (2007). Advances in computers (1st ed., Vol. 70). Academic Press.