Computer Network Forensics Research Workshop 2005
Cyberprofiling: Offender Profiling and
Geographic Profiling of Crime on the Internet
Eur Ing Brian C. Tompsett, Angus M. Marshall and Natasha C. Semmens
Abstract— A project to combine criminological techniques of
profiling with internet abuse and computer forensic data is
outlined. The multidisciplinary approach which applies the
expertise of Lawyers, Criminologists, Computer Forensics and
Internet Specialists together is seen as a response to the explosion
of e-crimes. Future work that involves the presentation of the
results of Cyberprofiling is proposed.
Index Terms—Evidence_Collection-Storage, Legal-
Practical_Challenges
I. INTRODUCTION
I n "normal" (i.e. non-computer-related) criminal
investigations, particularly those of major or serial crime, it
has become commonplace for offender profiles and geographic
profiles to be used to predict the nature of the criminal and
their likely area of operation. These profiles are generated
from knowledge of offender behaviour and preferences
garnered from years of data gathering and analysis.
The recent EURIM-IPPR E-crime study, noted that "Crimes
involving ICT systems are now common-place" and it is
widely acknowledged that ICT has become a regular source of
evidence in a significant number of non-ICT criminal
investigations. In spite of this, however, most ICT
investigation concentrates on single incidents, using a
computer primarily as a crime scene to be considered in
isolation.
Volumes of “e-crime” are escalating to such a level that law
enforcement are finding it difficult to resource[1]. To deal with
such volumes it is important to apply criminological
techniques that have become valuable outside of e-crimes
within this sector.
It is rare for an “e-crime” investigator to seek to establish
This work is supported in part by the UK Engineering and Physical
Science Research Council within their “Think Crime” programme, and
supported in part by Computer Associates, The Office of the UK Information
Commissioner, Humberside Police, North Yorkshire Trading Standards
Digital Evidence Recovery and Internet Crime Unit (DERIC) and C.Spencer
Ltd.
B. C. Tompsett is with the Department of Computer Science, University of
Hull (phone: +44 1482 465222; fax: +44 1482 466666; e-mail:
B.C.Tompsett@dcs.hull.ac.uk).
A. M. Marshall., is with the School of Science and Technology, University
of Teesside. (e-mail: Angus.Marshall@tees.ac.uk).
N. Semmens is with the Faculty of Law, University of Sheffield (e-mail:
n.c.semmens@sheffield.ac.uk).
1
patterns of behaviour or activity which may be indicative of a
building pattern of related crimes, or even the development of
an offender's "career". Experience in “conventional” crime,
however, suggests that patterns can be found in many types of
crime, and it is the thesis of this project that such experience
can be extended into the realm of computer activity. Because
of the potential volumes of data available and the short
timescales involved, it will be essential for such profiling to be
as automated as possible in order to detect emerging patterns
early.
Most computer systems are capable of recording
considerable information about their usage and interaction
with other systems.
A desktop computer system may gather and store such basic
information as the time they were last switched on or off, who
used them, when, what for, and which programs were used.
They may also record connections to networked resources,
attempts at intrusion, virus activity and so on.
Network servers also log considerable numbers of data
about activity being performed on the network. This ranges
from the identity of machines viewing web pages, or
attempting to compromise the server software itself, to records
of every e-mail sent through the system and even transient
copies of e-mails in transit.
Although the machines gathering the data may be
geographically distant, both in real-space and in cyber-space, it
is possible that they will be observing similar patterns of
activity originating from just a few individuals, or from a few
locations. Proper collation and analysis of the data may lead to
the identification of real criminals or criminal-friendly
locations, such as compromised networks, which are
developing into threats. Such analysis is likely to uncover, not
only criminal activity directly related to the technology itself,
but also criminal activity which merely makes use of the
technology as an enabler.
This project will examine how data that is routinely
gathered by such ICT systems, can be integrated and analysed
to produce "cyber profiles" of activity and behaviour. The aim
is to provide investigators with rich sources of intelligence
information which can be used to predict and prevent criminal
activity. By incorporating data-mining and artificial
intelligence elements in the analysis, it is anticipated that the
system will be able to identify new trends and alert law
enforcement to new threats before they become a serious
problem.
 Computer Network Forensics Research Workshop 2005
II. ACADEMIC AND INDUSTRIAL CONTEXT
Forensic Computing Practitioners have begun to
acknowledge the need to adopt a more integrated approach to
their work. Historically, digital evidence was treated as having
a fixed locus and hence the source of evidence could be
defined. With the continued growth in network connectivity in
business and at home, this situation has changed and digital
evidence can appear on a digital evidence source through a
wide range of delivery vectors[2]. These mechanisms of
deposition use public and private networks as carriers and rely
on vulnerabilities in software and hardware to work. Thus, a
piece of evidence found on a machine under investigation may
have left a trail of activity on numerous systems as it moved
from source to its ultimate target.
Gary L. Palmer[3] noted “In the near future, the collection,
fusion, and correlation of data from all of these sources and
more will be vital to investigations, both civil and criminal.”
Furthermore, successful investigation techniques and
offender patterns are not circulated widely, relying heavily on
a “water cooler culture” [4] to ensure dissemination to
colleagues. This project aims to address the problem of
intelligence gathering and sharing amongst the “cyber-crime”
community by examining the ways in which data stored by
most network-enabled devices can be used to build profiles of
“geographic” and “personal” activity.
Activities under consideration will not be restricted to the
conventional definition of “cyber-crime”, i.e. those activities
which directly attack computer systems, but will be extended
to cover all 6 categories present in the taxonomy of computer
crime [5] thus encompassing crimes which use computers and
networks as tools to aid the criminal.
Ultimately, the goal of this, and related projects, would be
to produce automated tools which are capable of filtering data
to detect not only patterns of abnormal behaviour, but also
patterns of normal behaviour. More importantly, such a system
should be capable of applying environmental criminology-type
techniques to find points of intersection between the two
behaviour types, thus producing predictions of potential
criminal activity. This work will be informed and guided by
the experience of criminologists, particularly environmental
criminologists, in the development of profiling techniques for
“conventional” crimes.
Environmental criminologists study place-based and spatial
factors of crime (criminality and victimization)[6]. By looking
at the spatial distribution of offences and offenders, they have
been able to explore relationships between the place of the
offence and the victim/offender’s habitual use of space.
Applications of Opportunity Theory[7] and Routine Activities
2
Theory[8] have resulted in the conclusion that criminals tend
not to stray from areas they know well[9]. Thus, an offence
will happen where an ‘opportunity’ for crime coincides with a
‘cognitively known area’[10].
This work has had a significant impact upon modern
policing. Police forces around the world employ specialist
crime analysts to analyse crime trends and patterns and
increasingly they are using computer software to create links
between crimes and offenders[11]. A good example of such a
system is Criminal Geographic Targeting which was
developed in 1985 by Rossmo[12]. Rossmo reversed the
approach of environmental criminology by taking the location
and characteristics of the crime and used this information to
attempt to predict where the criminal lives. Similar systems
have been developed to predict where future crimes might
occur with the aim of facilitating police resource allocation.
Through the analysis of network activity data, then, we hope
to be able to investigate the relationship between routine
online activities, criminality and victimisation. It may be
possible to develop offender and victim profiles, providing a
strong investigative tool for those involved in law enforcement
and crime prevention.
Data collection and collation on a grand scale, for the
purposes of examining and predicting human behaviour,
particularly looking for aberrant activities can raise the
spectres of privacy and legality. This project will, concurrent
with the design and prototyping of tools usable for profiling
will also examine the developing legal and regulatory
frameworks to ensure that concerns about civil liberties are
properly addressed, whilst generating forensically valid results.
Although it might be argued that much of this data
collection and analysis is already being performed (e.g. by
organisations such as DShield, the Internet Storm Centre,
Spamhaus, and various intrusion detection systems), we
believe that the activity currently in progress is limited in
scope and tends to focus on single issues only (e.g.
propagation of SPAM e-mail, detection of Denial of Service
attacks etc.) without considering how such activities reflect
development of behaviour and technologies on the part of the
originators.
III. PROGRAMME AND METHODOLOGY
Two main areas of research are required:
-- examination of existing data sources
-- establishment of new data sources
Within these, several sub-areas can be considered.
A. Existing Data Sources
Although much software is capable of logging activity, these
logs are often in different formats and provide differing levels
of detail.
 Computer Network Forensics Research Workshop 2005
Beyond organisational boundaries, the existence, scope and
extent of such logs is often unknown or unknowable.
Hence, an early research phase will be the identification of
common suitable sets of data and making appropriate
arrangements for access to such logs for the detection of crime,
even where no evidence of crime has yet been found. This will
involve consideration of protocols for the anonymisation of
data, production of tools for the integration and analysis of
disparate data sets, and whether that anonymisation still
permits the necessary profiling whilst permitting the
monitoring and storage of data to remain within legal
requirements.
B. New data sources
Not all systems perform sufficient logging or are accessible
enough to allow their data to be included in the first theme of
this project. Therefore we perceive a need for the
establishment of a network of “remote sensors” to fill the gap
created by these unobservant systems. These are likely to be
based on the current model of “honeypots” used to attract and
trap network mis-users, but will be extended to perform more
covert monitoring of activity in the systems around them. This
part of the project will require the investigation of techniques
for the remote observation of system and network activity.
C. Common Themes
In support of the above two major themes, there are some
common areas of underpinning research :
-- consideration of secure data communications protocols to
ensure that gathered data remains valid
-- development of common data storage format
-- examination of minimal data capture requirements for
successful analysis
-- development of secure data repository
-- initial development of prototype profiling tools using,
e.g., data mining techniques.
-- examination of “conventional” profiling methods and
their applicability in “cyberspace”
-- consideration of legal constraints (e.g. Data Protection
Act 1998, Regulation of Investigatory Powers Act, Computer
Misuse Act, Human Rights Act)
IV. OUTCOME AND OBJECTIVES
This work, then when completed, will show how the
following problems can be addressed, and permit
Cyberprofiling to used as a tool for dealing with e-crimes:
-- a way of storing, collecting and communicating data
3
-- a prototype data repository
-- prototype profiling tools
-- evaluation of profiling methods
-- identification of the main legal/regulatory issues +
recommendations for areas that need to be re-addressed.
-- Furthering understanding of the criminal use of
cyberspace (link crime prevention)
-- How existing principles in real world relates to the cyber
world.
-- Approach to the mechanisation of routine detection of
frequently occurring but hard-to-prosecute crimes
It is anticipated that the profiling and data capture tools will
lead to methods of detection/prediction of, not only, attacks on
existing internet services, but also the establishment of new
networks of internet servers to be used for illegal purposes.
Ultimately, there will be a requirement to examine these
servers to determine the nature of the material and activity
associated with them. In order to facilitate this related sub-
project, which has immediate benefits to law-enforcement
where such servers have already been identified
V. FUTURE WORK
In other areas of Information Technology, where large
volumes of data are processed and stored in order to deliver
specialist results, it often necessary that new methods of
visualising the results are required. It is expected that once
Cyberprofiling techniques start delivering results that are of
value in the detection of e-crimes, that new visualisation
techniques will also need to evolve in order to communicate
those results to a non-specialist audience involved in the law
and other associated disciplines.
VI. CONCLUSION
Criminal Profilers are unable to assist in the detection and
resolution of e-crimes on their own, and similar law
enforcement cannot operate without additional specialist help.
The creation of specialist multi-disciplinary teams is essential
to the creation of Criminal Profiles within the expanding sector
or e-crimes. We introduce such a multidisciplinary team and
hope to demonstrate positive results when later data capture
and analysis is complete
REFERENCES
[1] BBC News, 8 Apr 2005,
http://news.bbc.co.uk/1/hi/technology/4420325.stm.
[2] Marshall AM & Tompsett BC “Silicon Pathology”. Science &
Justice 44(1) 2004.
[3] Palmer GL “Forensic Analysis in the Digital World”. International
Journal of Digital Evidence 1(1) 2002.
[4] Harrison W, Heuston G, Morrissey M, Aucsmith D, Mocas S &
Russelle S “A Lessons Learned Repository for Computer Forensics”,
International Journal of Digital Evidence 1(3) 2002..
[5] Marshall AM & Tompsett BC “Spam’n’ Chips - a discussion of
internet crime”. Science & Justice 42 (2) 2002.
 Computer Network Forensics Research Workshop 2005 4

[6] Bottoms, A. E. and Wiles, P. (2002) ‘Environmental Criminology’ in

Maguire, M., Morgan, R. and Reiner, R. (2002) The Oxford Handbook
of Criminology, Oxford University Press pp.620-644.
[7] Clarke, R. (1999) Hot Products: Understanding, Anticipating and
Reducing Demand for Stolen Goods, Police Research Series No.
112, London: Home Office.
[8] Cohen, L. and Felson, M. (1979) ‘Social change and crime rate
trends: a routine activities approach’, American Sociological
Review, 44:588-608M. Young, The Techincal Writers Handbook.
Mill Valley, CA: University Science, 1989.
[9] Wiles, P. and Costello, A. (2000) The ‘Road to Nowhere’: The
Evidence for Travelling Criminals, Home Office Research Study
no.27, London: Home Office.
[10] Brantingham, P.L. and Brantingham, P.J. (1981), ‘Notes on the
Geometry of Crime’ in Brantingham, P.L. and Brantingham, P.J.
(Eds) Environmental Criminology, Beverly Hills Ca: Sage
Publications
[11] Adderley, R,W. and Musgrove, P. (2001) ‘Police crime recording
and investigation systems: A user’s view’, Policing: An
International Journal of Police Strategies and Management, Vol
24:1, pp.100-114.
[12] Rossmo, K. (1985) ‘Place, space and police investigations: hunting
serial violent criminals’ in Eck, J. and Weisburd, D. (Eds) Crime and
Place, Criminal Justice Press, pp. 217-35.