Hackers' digital profiling and an alternative approach to investigation



Digital profiling (DP) encompasses combinations of systems and techniques for extracting information and features about the perpetrators of crimes involving computer systems, by analyzing the behavioral structures that emerge from digital evidence, from the victim and from the context in which the crime is committed. According to some authors, criminal profiling is a collection of inferences[2] about the qualities of the person responsible for committing a crime or a series of crimes. We can define it as the process of investigating and examining criminal behavior in order to help identify the type of person responsible [1].

Although the criminal activities were committed using computers, the method of attack was often nontechnical. In other words, DP can be considered the translation into the computer field of one of the most discussed investigation techniques, criminal profiling, built up with the "Behavioral Science Unit" (BSU) by the FBI in 1972.

But the usefulness of DP is not limited to traditional crime, such as fraud or sexual crime; profiling offenders can help investigators to face terrorism and all kinds of crime.

  1. From Traditional to Digital Profiling

DP has, however, had considerable difficulty in being adopted as an appropriate investigation method. The main causes can be summarized as follows:

  1. Inappropriate and incomplete documentation on this subject;
  2. Difficulties in combining human nature with computer science;
  3. Distrust shown towards traditional criminal profiling and psychological investigations in general.

To clarify the differences between digital and traditional profiling, table 1 reports the main parallels with the profiling model of Douglas, Ressler, Burgess, Hartman [2].

| Profiling Phase | Traditional Profiling | Digital Profiling |
|---|---|---|
| Profiling Input | Data acquisition and information on the crime, snap-shots and testimony subject involved | Data related to structures and system architecture, Incident Response procedures and Computer Forensics acquisition data. Other data related to physical and infrastructure aspects. |
| Decision Process Model | Organization of information gained through pre-established classification schemes and questions relevant to the case | Collection and data entry in the log file analysis software and databases, data processing, categorization, creating a data model appropriate to the characteristics of computer investigation |
| Crime Assessment | Behavioral reconstruction of criminal and victim | Assessment of the characteristics of computer systems involved, methodologies and tools used for the crime and subsequent impact. Analysis of possible connections and sociopolitical characteristics. Extracting behavioral data RPE (Reverse Engineering Profile) |
| Criminal Profiling | Development of an initial profile based on information from previous steps. Comparison of each hypothesis with data on phase two. Inductive analysis and processing through historical data | Link Analysis, Data Mining, development of informatics and psychological connections |
| | Elaboration of the profile assuming the counterparty investigation by comparison with the suspects. Any other data emerging from the phase of investigation will be used to update the profile | Rationalization and skimming of the links obtained. Deepening connections and elements of the previous phase. Processing of behavioral data and use in the investigation stage. Possible report feedback |
| | Arrest and interrogation of the suspect | Integration of data in databases. Extracting significant behavioral data. Integration of RPE (Reverse Engineering Profiling) |

Table 1. Parallelism within traditional profiling and digital profiling

The correct application of DP, as shown in table 1, requires both technical and criminological knowledge.

Before analyzing criminal activities and the use of computer science in support of investigation, we can summarize in table 2 the possible fields in which digital profiling can be a valuable tool. The table contains just an example of possible uses.

| Main Area of Applicability | Possible Contribution |
|---|---|
| Incident Response | understand the type of attack; delimitation of investigation area; better exploitation of insider threat; data finding; understand social engineering technique |
| Computer Forensics | finalize investigation; investigate data hiding; understand use of anti-forensics; password guess |
| Cybercrime prevention | use of appropriate countermeasure; tailor training program |
| Threat Assessment | define offender course of actions |
| Crime of Insiders | define profile of insider; identify offender |
| | gathering of information; exploitation |

Table 2 - Main Area of Applicability of Digital Profiling

  2. Analyzing criminal activity

Data mining is a powerful tool that enables criminal investigators who may lack extensive training as data analysts to explore large databases quickly and efficiently. In digital profiling, data mining is quite valuable and can be used for the exploration and analysis of large quantities of data to discover meaningful patterns and rules. It is also possible to use data mining to find associations and/or discover relationships among suspect entities based on historical data, even when these data are unstructured (e.g. e-mail, telephone conversations and text messages). The most common data mining techniques are as follows (H. Jahankhani, Ameer Al-Nemrat) [3]:

a) Entity extraction: the process of identifying names, places, dates, and other words and phrases that establish the meaning of a body of text. It is critical to software systems that process large amounts of unstructured data coming from sources such as email, document files, and the Web.

b) Clustering technique: groups data items into classes with similar characteristics to maximise or minimise interclass similarity, for example to identify suspects who conduct crimes in similar ways or to distinguish among groups belonging to different gangs (Chau, Xu & Chen, 2002) [4].

c) Deviation detection: researchers deploy this technique for fraud detection, network intrusion detection, and other crime analysis that involves tracing activities which can sometimes appear to be abnormal.

d) Classification: finds common properties among different crime entities and organises them into predefined classes. This technique has been used to identify the source of email spamming based on the sender's linguistic patterns and structural features.

e) Social network analysis: describes the roles of and interactions among nodes in a conceptual network. Investigators can use the technique to construct a network that illustrates criminals' roles and the flow of tangible and intangible goods and information (Chau, Xu & Chen, 2002) [4].

2.1 Possible tool that extracts nature, frequency, duration and severity from the database and creates digital profiles for all offenders

The use of data mining techniques can provide investigators with a powerful tool for extracting useful patterns from data sources. Many authors are developing specific research in this field. One interesting line of research, for example, concerns the specification and automatic identification of activity scenarios manifested within computer logs and other transactional logs (such as system event logs, audit logs, door logs, etc.).

Jonathon Abbott, Jim Bell, Andrew Clark, Olivier De Vel and George Mohay, in recent research, have designed and developed a framework for scenario and attack modeling and detection which uses event abstraction to enable the specification and detection of patterns of event-based activity, and a means of matching such pattern specifications against a stored event database [5].

Jeroen S. de Bruin et al., in a paper [6], have demonstrated the applicability of data mining in the field of criminal career analysis. The tool that they describe in their paper compiles a criminal profile out of the four important factors describing a criminal career for each individual offender: frequency, seriousness, duration and nature. These profiles were compared on similarity for all possible pairs of criminals using a new comparison method. They developed a specific distance measure that combines this profile difference with crime frequency and the change of criminal behavior over time to create a distance matrix describing the amount of variation in criminal careers between all pairs of perpetrators. The clustering method used provided results that seem to represent reality well, and are clearly usable by police analysts, especially when the above is taken into account. However, the runtime of the chosen approach was not yet optimal. The clustering method was too computationally intensive, causing delays in the performance of the tool. In the future, an approach like Progressive Multi Dimensional Scaling [7] could be better suited to the proposed task computationally, while maintaining the essence of career analysis.

Figure 1, from an experiment by Jeroen S. de Bruin et al.[3], shows the identification that could easily be coupled to the appearing clusters after examination of their members. It appears to describe reality very well. The large cloud in the left-middle of the image contains (most of the) one-time offenders. This seems to relate to the database very well, since approximately 75% of the people it contains have only one felony or misdemeanor on their record. The other apparent clusters also represent clear subsets of offenders. There is, however, a reasonably large group of un-clustered individuals. The clustering of these individual criminal careers might be influenced by the large cluster of one-timers. Getting more insight into the possible existence of subgroups in this non-cluster may prove even more interesting than the results currently provided by the approach.
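The pipeline described above (a four-factor career profile per offender, a pairwise distance matrix, then clustering) can be sketched as follows. This is an added example, not code from de Bruin et al.: the records are constructed, and the distance function is a simple stand-in (an assumption) that averages normalised factor differences and does not model change of behavior over time.

```python
from itertools import combinations

# Constructed sample records: offender -> [(year, crime category, seriousness 1..3)]
RECORDS = {
    "A": [(2001, "theft", 1)],
    "B": [(2003, "theft", 1)],
    "C": [(2000, "fraud", 2), (2001, "fraud", 2), (2003, "fraud", 2), (2004, "intrusion", 3)],
    "D": [(1999, "fraud", 2), (2000, "fraud", 2), (2002, "intrusion", 3)],
    "E": [(2002, "violence", 3), (2002, "violence", 3), (2003, "violence", 3)],
}
CATEGORIES = ["theft", "fraud", "intrusion", "violence"]

def profile(events):
    """Four career factors: nature (category shares), frequency, seriousness, duration."""
    n = len(events)
    years = [y for y, _, _ in events]
    duration = max(years) - min(years) + 1
    nature = [sum(1 for _, c, _ in events if c == cat) / n for cat in CATEGORIES]
    return {"nature": nature, "frequency": n / duration,
            "seriousness": sum(s for _, _, s in events) / n, "duration": duration}

def distance(p, q, max_duration=10):
    """Stand-in measure (assumption): mean of four factor differences, each in 0..1."""
    d_nature = sum(abs(a - b) for a, b in zip(p["nature"], q["nature"])) / 2
    d_freq = abs(p["frequency"] - q["frequency"]) / max(p["frequency"], q["frequency"])
    d_ser = abs(p["seriousness"] - q["seriousness"]) / 2   # seriousness scale is 1..3
    d_dur = min(abs(p["duration"] - q["duration"]) / max_duration, 1.0)
    return (d_nature + d_freq + d_ser + d_dur) / 4

def distance_matrix(records):
    """Distance for every unordered pair of offenders, keyed by (id_a, id_b)."""
    profiles = {k: profile(v) for k, v in records.items()}
    return {(a, b): distance(profiles[a], profiles[b])
            for a, b in combinations(sorted(profiles), 2)}

def cluster(records, threshold=0.25):
    """Single-linkage grouping: link any pair whose distance is below the threshold."""
    parent = {k: k for k in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for (a, b), d in distance_matrix(records).items():
        if d < threshold:
            parent[find(b)] = find(a)
    groups = {}
    for k in sorted(records):
        groups.setdefault(find(k), []).append(k)
    return sorted(groups.values())

if __name__ == "__main__":
    print(cluster(RECORDS))
```

On the constructed data the two one-time offenders fall into one group and the two fraud/intrusion careers into another, while the computation of all pairs is what makes the approach quadratic in the number of offenders.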

  3. Hackers' signature and "modus operandi"

After this overview of how data mining can help investigators, it is clear that a "pattern" of offender behavior can be drawn. The offender's behavior can be similar to everyday behavior, but it can also be unique to the individual in question and occur only sporadically. From the offender's point of view, much of what they do when they are committing a crime is acting normally, for them. From another point of view, they are acting out needs and patterns developed over the life course, some of which may be abnormal needs and patterns. If there are repeated crime scenes (as with a serial or repeat offender), it is much more likely, with proper examination, that any unique behaviors, needs, and patterns will be uncovered.

Three elements link crimes in a series:

* the method of operation (modus operandi)

* ritual (signs of fantasy or psychological need)

* signature (unique combinations of behaviors)

But what do we mean by modus operandi? Douglas & Olshaker [2] define modus operandi (M.O.) as "what an offender has to do to accomplish a crime." The MO contains at minimum the following elements:

* ensure success of the crime;

* protect identity;

* effect escape.

According to Keppel (2005), the phrase modus operandi first appeared in the literature in 1654 in a piece called "Zootmia: Because of Their Causes or Their Modus Operandi" but didn't make the leap from being a description of animal behavior to a description of human behavior until the 1800s when the term started appearing in English utilitarian literature.

In Criminology the following definition was put forward: "Modus operandi is the principle that a criminal is likely to use the same technique repeatedly, and any analysis or record of that technique used in every serious crime will provide a means of identification in a particular crime."

This definition can be applied to cybercrime as well, and it is possible to identify ritual and signature elements as for traditional crime.

Ritual is behavior that exceeds the means necessary to commit the crime. By definition, it is a subtype of signature sometimes called "ritual signature." According to this definition and The Crime Classification Manual (Douglas et al. 1992), ritual can be applied to cybercrime without much difficulty, even if much of hackers' behavior can be ritual. On the other hand, the criminological concept of signature better fits the hackers' world.

In general, signature is a combination of behaviors. Douglas & Olshaker define it as "something the offender has to do to fulfill himself emotionally ... it is not needed to successfully accomplish a crime, but it may be the reason he undertakes the particular crime in the first place."[8]

Signature, in a hacker's behavior, is a sort of "trademark" and reflects a compulsion on the part of criminals to go beyond just committing the crime and to "express themselves" in some way that reflects their personality.

In a defacing attack, for instance, this aspect is more evident than in others because the act of hacking is visible to everyone.

However, the motivations, actions, and modus operandi of traditional crime differ from those of cybercrime. For example, it appears that as of 2009, we have entered a new era where organized cybercriminals can now operate identity theft resale operations as well as be contracted to engage in proxy cyberwar.

3.1 Modus operandi of classic hack

Approaching hacking as a multi-stage process leads to the identification of three main phases, according to the bestseller Hacking Exposed (now in its 6th edition, 2010). These stages are casing, scanning, and enumeration. It is not the aim of this paper to describe each of these stages, but some considerations can be raised. For example, the time of action can range from 48/72 hours of constant work in a network intrusion to a lengthy period of time, as in a pedophile's process of attack.

3.2 New anatomy of hacking

According to Richard Stiennon of ITHarvest, Inc., hackers have found ways to streamline the efficiency of the classic or cookbook methodology. In particular, the most recent development has been the use of viruses and trojans as part of the modus operandi. Figures 1 and 2, according to the author, show how the modus operandi of hackers has changed in the last few years.

The difference is that the "new" method uses a virus or trojan that is either custom-made or off-the-shelf and has the same effect as if someone had infiltrated the target and installed a keystroke logger on somebody's computer. The new method is considered easier than the old method.

This last process is best suited to the new content of the WWW, where programming languages have become more sophisticated and dynamic and where new meeting places such as Networked Virtual Environments (NVEs) have arisen.

  4. Conclusions

This paper is intended as a first approach to the issue of digital profiling. It was decided here only to hint at the potential and the possible development of this method, giving notes on a sector that has not yet been explored in enough depth. There are still many divergent views on the validity of the profiling method in cybercrime forensics. One thing is clear: this area, which is neither purely technical nor purely forensic, deserves further development and deepening.


[1] Brent Turvey - Criminal Profiling, Third Edition: An Introduction to Behavioral Evidence Analysis, Third Edition, Elsevier 2008 pag. 753

[2] J. Douglas, A. Burgess, A. Burgess, R. Ressler - Crime Classification Manual - Jossey-Bass Publishers 1992

[3] Global e-security: 4th International Conference, ICGeS 2008, London, UK June 2008, Springer

[4] Proceedings of the 2002 annual national conference on Digital government research 2002, Los Angeles, California May 19 - 22, 2002

[5] Jonathon Abbott, Jim Bell, Andrew Clark, Olivier De Vel, George Mohay, "Automated Recognition of Event Scenarios for Digital Forensics", Information Security Institute

[6] Jeroen S. de Bruin, Tim K. Cocx, Walter A. Kosters, Jeroen F. J. Laros and Joost N. Kok, Data Mining Approaches to Criminal Career Analysis, Proceedings of the Sixth International Conference on Data Mining (ICDM'06), 2006

[7] M. Williams and T. Munzner. Steerable, progressive multidimensional scaling. In Proceedings of the IEEE Symposium on Information Visualization (INFOVIS'04), pages 57-64. IEEE, 2004.

[8] John E. Douglas, Mark Olshaker, Obsession: the FBI's legendary profiler probes the psyches of killers, rapists, and stalkers and their victims and tells how to fight back, Scribner, 1998, page 83

[2] Inference: a particular type of conclusion based on evidence and reasoning

[3] Jeroen S. de Bruin, Tim K. Cocx, Walter A. Kosters, Jeroen F. J. Laros and Joost N. Kok, Data Mining Approaches to Criminal Career Analysis, Proceedings of the Sixth International Conference on Data Mining (ICDM'06), 2006, pag. 6