Traditionally, the art of profiling applies to criminal activities that are visible to the eye and observation of the investigator. In fact, profiling involves the analysis of personal characteristics or behavioral patterns, which allows an investigator to make generalizations about a person or a crime scene. In other words, profiling employs analysis to determine whether a particular person may be engaged in a particular crime, as determined by evidence. However, unlike traditional crime scenes that are tangible and have observable evidence, cybercrimes are not as easily examined and observed—there are no physical weapons or visible signs that might contribute to the art of profiling.

With the evolution of cybercrimes, digital investigations have increased exponentially. A decade or two ago, criminals were primarily murderers, gangsters, bank robbers, burglars, and those who committed other “traditional” crimes, but this is no longer true. Now, cybercriminals are by far the most predominant type of criminal. In fact, computer crime is one of the fastest-growing types of illegal activity in both the United States and abroad.¹ According to the U.S. Department of Justice, “Cybercrime is one of the greatest threats facing our country [today], and has enormous implications for our national security, economic prosperity, and public safety.”² As technology continues to evolve, the range of threats and challenges will continue to grow.

Criminal Profiling as an Investigative Tool for Computer-Related Crimes

John Edward Douglas, former Special Agent with the Federal Bureau of Investigation (FBI), was one of the first to master and develop a criminal profiling methodology. During his career, Douglas examined hundreds of crime scenes and interviewed dozens of serial killers with the intention of creating criminal profiles of the perpetrators. Moreover, Douglas is credited for creating and managing the FBI’s Criminal Profiling Program (Behavioral Analysis Unit in Quantico, Virginia).³ But how might a criminal profiler like Douglas apply a traditional profiling approach to cybercriminals? While difficult and different, it is possible to apply an alternative investigative approach to aid in the profiling of computer-related crimes.

Many of the techniques and methodologies taught by Douglas could not be applied directly to computer-related crimes. However, his training did provide the foundation that allowed the author, Ray Yepes, to develop a methodology that could be applied in the cyber arena, and Douglas’ core methodology (Why + How = Who) is still applicable when profiling cybercriminals and cyber “crime scenes.” Determining why and how the crime was committed will facilitate the discovery of who committed the crime.

As stated previously, the traditional approach to criminal profiling is largely based on tangible evidence and observation. When dealing with cybercrimes, evidence is much less tangible. For instance, when a public prosecutor is participating in the trial of a murder case, the prosecutor can hold and show jurors the actual murder weapon that was used to commit the crime (if it was found). This technique of presenting visible, tangible evidence to the jury is very effective and can be a critical factor in determining the outcome of criminal trials. The question, then, is how does one create the same effect when dealing with digital evidence? Computer crimes are not as different from physical crimes as they may seem. By collecting and analyzing the details of digital crimes, an investigator can develop profiles of the perpetrators. To accurately do so, however, the examiner must possess a unique blend of knowledge in various disciplines, including, but not limited to, profiling techniques, technology, cybersecurity, digital forensics, and interviewing and interrogation techniques. One can be an expert in profiling techniques, but without proficient knowledge of technology and digital investigations, it would be nearly impossible to accurately profile the perpetrator of a computer-related crime.

The following case study, based on an actual case the author assisted with, may better illustrate the importance of this unique blend of knowledge. A few years ago, a large oil company was the victim of a digital breach, and, due to the magnitude and sensitivity of the occurrence, the FBI was brought in to assist with the investigation of the cyber attack, and Yepes was brought in to assist with the profiling of the investigation.

Criminal Profiling from Crime Scene Analysis

Yepes’s first task as the profiler was to narrow down the list of possible crime suspects. With this goal in mind, he needed to determine if the attack came from the outside (possible crime suspects numbering approximately 6 billion people, at the time) or from the inside (possible crime suspects numbering approximately 60,000 people), so he requested the blueprints of the entire information technology (IT) infrastructure for that particular location, including, but not limited to switches, routers, security appliances, VPN appliances, NAS, and firewalls (containing firewall rules and filters in place). One might expect a Fortune 100 company to have this information readily available, but this was not the case. This process required numerous interviews and meetings with the different stakeholders (e.g., director of infrastructure, IT security director, enterprise administrator, and others).

The next task was to dissect the attack from a technological standpoint. This required studying and analyzing the propagation technique (if any), transmission protocol, communication port, payload (purpose of the attack), replication of the attack, and packet analysis of network traffic while the attack is propagating or occurring, among other factors. For this analysis, it is highly recommended to set up a virtual honeypot in order to capture all network traffic and activity directed to and from the affected system(s) or host(s). Although honeypots were initially designed as baits for hackers to monitor their activities and hacking techniques, Yepes has used honeypots in conjunction with packet sniffers when analyzing cyber attacks such as viruses, Trojans, malware, adware, spyware, worms, and other types of attacks. The use of honeypots is a valuable source for the analysis of computer intrusions, especially when studying the levels of sophistication used by the hacker. Understanding the levels of sophistication used by the hacker is of extreme importance when profiling computer-related crimes.

Criminal Profiling from a Victim(s) Model Approach

The victim or victims play a critical role when developing criminal profiles. Who is the target of the cyber attack? Is it a large oil company known by many as the “bad guys”? Is it a Silicon Valley company known as the “Evils of Wall Street”? Is it a government agency? Is it a single individual? It is Important to understand the attack’s target before performing further analysis. For instance, if the target is a large government agency, a thorough investigator will check the news to see if the agency is the subject of a recent news media story or scandal.

Criminal Profiling from a Motivational Model Approach

It is also important to understand the psychology and purpose of the intrusion. To analyze the motivation, an investigator might ask what was compromised. How was the information compromised? What is the estimated value of the information compromised? Was the attack intended to destroy or steal information? What type of information (e.g., credit card numbers, intellectual property, or trading or merger information) was compromised? This information is critical to the profile of a perpetrator. For instance, corporate espionage intrusions are usually done by sophisticated perpetrators; they will typically possess a much higher education than perpetrators who attempt to hack into the credit card records of an online store. The maturity levels and ages of the different types of hackers will also usually differ accordingly. A similar approach applies to the determination of the crime; when information is destroyed or the intent is to cause downtime to a target, the perpetrators are usually not sophisticated in nature. These are typical ego-driven young hackers who use tools or methodologies designed by someone else. This type of cybercriminal would know how to use the tools effectively, but would not know how to develop or engineer such tools.

As Yepes was reviewing the payload and execution of this particular attack (“how”), he noticed that the attack transmitted itself using TCP protocol over port 4445 (not the actual port number), but a review of the firewall rules make it clear that port 4445 was closed to all inbound and outbound traffic in the firewall. This finding revealed that the attack came from the inside and not the outside world, thus ruling out approximately 6 billion possible crime suspects. Without the technical knowledge to understand firewalls, ports, and the related protocols, Yepes would not have been able to narrow the target pool.

Next, he examined some of the systems that were among the first to be infected. Through packet analysis and careful examination of the log records for the intrusion detection applications, the investigators were able to determine the building where the intrusion was first logged and detected—a large complex located in Texas, which housed about 1,200 employees. Knowing where the cyber attack originated was a good start, but there was still a large pool of possible suspects.

Yepes still needed to figure out “why.” While reviewing the payload and source code, he learned very helpful information: several million dollars had been transferred to accounts located overseas (in China, India, South Korea, Philippines, and Russia) during the attack. Immediately, one would assume that the cybercrime was money-driven; however, further analysis revealed that these accounts were not associated to a common group, network, or recipient, which generally indicates that the event was an orchestrated felony by a crime ring. However, the attack originated from the inside, most likely ruling out orchestration by a group. So why would an individual steal money from a company, yet not benefit from the stolen money? Was he dealing with a disgruntled employee that just wanted to harm his or her employer? Further examination of the source code revealed that its programming logic was very sophisticated, suggesting that the criminal was someone with a mathematical background and, possibly, an advanced science degree. This finding prompted Yepes to narrow his list of suspects to seven IT and analytical personnel who had been written up by human resources, passed by for recent promotions, or received lowered performance bonuses, and who had physical access to the server room where the attack originated.

The investigators interviewed this select group, and, based on information gathered in these interviews, expanded their list of suspects to include four additional individuals. After completing the first set of interviews, all 11 interviewees were ruled out. As an example, one particular individual (an accountant) was ruled out immediately because the interrogation determined that this individual did not possess the knowledge to orchestrate such attack.

A week into the investigation, things came to a deadlock. The “why” and the “how” had been determined, but the “who” remained unknown, so it was decided to carry out a second round of interviews. This time, the pool was expanded to include all 19 IT and science personnel located in the building.

Two days later, after the second round of interviews, the investigation was back to square one. The decision was made to end the investigation due to the resources and manpower allocated to it. As the investigators were packing their equipment, Yepes walked by the office of the accountant and noticed a peculiar electronic device (a binary clock) on his desk. Yepes was puzzled because not many people can read binary clocks, and the accountant was one of the interviewees ruled out immediately because it was felt he did not have the necessary IT knowledge to be the perpetrator. Playing dumb, Yepes asked the accountant what the device was, and the accountant identified it as a binary clock. It was important for Yepes to determine if the accountant knew how to read or interpret a binary clock, so he continued the line of inquiry, and asked the accountant how it worked. Sure enough, he went on to explain in great detail how it worked. At this point, Yepes knew the accountant had downplayed his technical knowledge during the interviews. Immediately, Yepes approached the agent in charge of the investigation and shared the new information. The accountant was brought back into the conference room for a third interview, and, one hour and nine minutes later, the investigators had his full written confession.

The above case study exposes the importance of an examiner’s knowledge in various disciplines to accurately profile the perpetrator of a digital crime. One can be an expert in profiling, but without an advanced understanding of the technology involved, it would be nearly impossible to accurately profile a cybercriminal. ♦

Notes:

¹ INTERPOL, “Cybercrime,” http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime (accessed January 15, 2016).
² U.S. Department of Justice, Offices of the United States Attorneys, “Cyber Crime,” http://www.justice.gov/usao/priority-areas/cyber-crime (accessed January 15, 2016).
³ Ilene Olsen, “Criminal Profiler; John Douglas Recalls Career with FBI,” Powell Tribune, April 23, 2015, http://www.powelltribune.com/news/item/13573-criminal-profiler-john-douglas-recalls-career-with-fbi (accessed January 15, 2016).

Please cite as

Ray Yepes, “The Art of Profiling in a Digital World,” The Police Chief 83 (February 2016): web only.