This document discusses a project to apply criminological profiling techniques to analyze data from computer networks and the internet in order to profile criminal offenders and predict criminal activity. It notes that large amounts of user activity data are routinely collected by computers and networks, and analyzing this data across systems could reveal patterns of criminal behavior. The goal is to generate "cyber profiles" of activity to provide intelligence to law enforcement. By incorporating data mining and artificial intelligence, the system aims to identify new criminal trends and alert authorities proactively. The document also discusses how previous research on offender profiling and geographic profiling of real-world crimes could be extended to analyze online criminal behavior and activity.
Computer Network Forensics Research Workshop 2005

Cyberprofiling: Offender Profiling and Geographic Profiling of Crime on the Internet

Eur Ing Brian C. Tompsett, Angus M. Marshall and Natasha C. Semmens

This work is supported in part by the UK Engineering and Physical Science Research Council within their “Think Crime” programme, and supported in part by Computer Associates, The Office of the UK Information Commissioner, Humberside Police, North Yorkshire Trading Standards Digital Evidence Recovery and Internet Crime Unit (DERIC) and C.Spencer Ltd.
B. C. Tompsett is with the Department of Computer Science, University of Hull (phone: +44 1482 465222; fax: +44 1482 466666; e-mail: B.C.Tompsett@dcs.hull.ac.uk).
A. M. Marshall is with the School of Science and Technology, University of Teesside (e-mail: Angus.Marshall@tees.ac.uk).
N. Semmens is with the Faculty of Law, University of Sheffield (e-mail: n.c.semmens@sheffield.ac.uk).

Abstract— A project to combine criminological techniques of profiling with internet abuse and computer forensic data is outlined. The multidisciplinary approach which applies the expertise of Lawyers, Criminologists, Computer Forensics and Internet Specialists together is seen as a response to the explosion of e-crimes. Future work that involves the presentation of the results of Cyberprofiling is proposed.

Index Terms—Evidence_Collection-Storage, Legal-Practical_Challenges

I. INTRODUCTION

In "normal" (i.e. non-computer-related) criminal investigations, particularly those of major or serial crime, it has become commonplace for offender profiles and geographic profiles to be used to predict the nature of the criminal and their likely area of operation. These profiles are generated from knowledge of offender behaviour and preferences garnered from years of data gathering and analysis.

The recent EURIM-IPPR E-crime study noted that "Crimes involving ICT systems are now common-place" and it is widely acknowledged that ICT has become a regular source of evidence in a significant number of non-ICT criminal investigations. In spite of this, however, most ICT investigation concentrates on single incidents, using a computer primarily as a crime scene to be considered in isolation.

Volumes of “e-crime” are escalating to such a level that law enforcement are finding it difficult to resource[1]. To deal with such volumes it is important to apply criminological techniques that have become valuable outside of e-crimes within this sector.

It is rare for an “e-crime” investigator to seek to establish patterns of behaviour or activity which may be indicative of a building pattern of related crimes, or even the development of an offender's "career". Experience in “conventional” crime, however, suggests that patterns can be found in many types of crime, and it is the thesis of this project that such experience can be extended into the realm of computer activity. Because of the potential volumes of data available and the short timescales involved, it will be essential for such profiling to be as automated as possible in order to detect emerging patterns early. Most computer systems are capable of recording considerable information about their usage and interaction with other systems.

A desktop computer system may gather and store such basic information as the time it was last switched on or off, who used it, when, what for, and which programs were used. It may also record connections to networked resources, attempts at intrusion, virus activity and so on.

Network servers also log considerable amounts of data about activity being performed on the network. This ranges from the identity of machines viewing web pages, or attempting to compromise the server software itself, to records of every e-mail sent through the system and even transient copies of e-mails in transit.

Although the machines gathering the data may be geographically distant, both in real-space and in cyber-space, it is possible that they will be observing similar patterns of activity originating from just a few individuals, or from a few locations. Proper collation and analysis of the data may lead to the identification of real criminals or criminal-friendly locations, such as compromised networks, which are developing into threats. Such analysis is likely to uncover not only criminal activity directly related to the technology itself, but also criminal activity which merely makes use of the technology as an enabler.

This project will examine how data that is routinely gathered by such ICT systems can be integrated and analysed to produce "cyber profiles" of activity and behaviour. The aim is to provide investigators with rich sources of intelligence information which can be used to predict and prevent criminal activity. By incorporating data-mining and artificial intelligence elements in the analysis, it is anticipated that the system will be able to identify new trends and alert law enforcement to new threats before they become a serious problem.
II. ACADEMIC AND INDUSTRIAL CONTEXT

Forensic Computing Practitioners have begun to acknowledge the need to adopt a more integrated approach to their work. Historically, digital evidence was treated as having a fixed locus and hence the source of evidence could be defined. With the continued growth in network connectivity in business and at home, this situation has changed and digital evidence can appear on a digital evidence source through a wide range of delivery vectors[2]. These mechanisms of deposition use public and private networks as carriers and rely on vulnerabilities in software and hardware to work. Thus, a piece of evidence found on a machine under investigation may have left a trail of activity on numerous systems as it moved from source to its ultimate target.

Gary L. Palmer[3] noted “In the near future, the collection, fusion, and correlation of data from all of these sources and more will be vital to investigations, both civil and criminal.”

Furthermore, successful investigation techniques and offender patterns are not circulated widely, relying heavily on a “water cooler culture” [4] to ensure dissemination to colleagues. This project aims to address the problem of intelligence gathering and sharing amongst the “cyber-crime” community by examining the ways in which data stored by most network-enabled devices can be used to build profiles of “geographic” and “personal” activity.

Activities under consideration will not be restricted to the conventional definition of “cyber-crime”, i.e. those activities which directly attack computer systems, but will be extended to cover all 6 categories present in the taxonomy of computer crime [5], thus encompassing crimes which use computers and networks as tools to aid the criminal.

Ultimately, the goal of this, and related projects, would be to produce automated tools which are capable of filtering data to detect not only patterns of abnormal behaviour, but also patterns of normal behaviour. More importantly, such a system should be capable of applying environmental criminology-type techniques to find points of intersection between the two behaviour types, thus producing predictions of potential criminal activity. This work will be informed and guided by the experience of criminologists, particularly environmental criminologists, in the development of profiling techniques for “conventional” crimes.

Environmental criminologists study place-based and spatial factors of crime (criminality and victimization)[6]. By looking at the spatial distribution of offences and offenders, they have been able to explore relationships between the place of the offence and the victim/offender’s habitual use of space. Applications of Opportunity Theory[7] and Routine Activities Theory[8] have resulted in the conclusion that criminals tend not to stray from areas they know well[9]. Thus, an offence will happen where an ‘opportunity’ for crime coincides with a ‘cognitively known area’[10].

This work has had a significant impact upon modern policing. Police forces around the world employ specialist crime analysts to analyse crime trends and patterns and increasingly they are using computer software to create links between crimes and offenders[11]. A good example of such a system is Criminal Geographic Targeting which was developed in 1985 by Rossmo[12]. Rossmo reversed the approach of environmental criminology by taking the location and characteristics of the crime and used this information to attempt to predict where the criminal lives. Similar systems have been developed to predict where future crimes might occur with the aim of facilitating police resource allocation.

Through the analysis of network activity data, then, we hope to be able to investigate the relationship between routine online activities, criminality and victimisation. It may be possible to develop offender and victim profiles, providing a strong investigative tool for those involved in law enforcement and crime prevention.

Data collection and collation on a grand scale, for the purposes of examining and predicting human behaviour, particularly looking for aberrant activities, can raise the spectres of privacy and legality. This project will, concurrent with the design and prototyping of tools usable for profiling, also examine the developing legal and regulatory frameworks to ensure that concerns about civil liberties are properly addressed, whilst generating forensically valid results.

Although it might be argued that much of this data collection and analysis is already being performed (e.g. by organisations such as DShield, the Internet Storm Centre, Spamhaus, and various intrusion detection systems), we believe that the activity currently in progress is limited in scope and tends to focus on single issues only (e.g. propagation of SPAM e-mail, detection of Denial of Service attacks etc.) without considering how such activities reflect development of behaviour and technologies on the part of the originators.

III. PROGRAMME AND METHODOLOGY

Two main areas of research are required:
-- examination of existing data sources
-- establishment of new data sources

Within these, several sub-areas can be considered.

A. Existing Data Sources

Although much software is capable of logging activity, these logs are often in different formats and provide differing levels of detail.
Beyond organisational boundaries, the existence, scope and extent of such logs is often unknown or unknowable.

Hence, an early research phase will be the identification of common suitable sets of data and making appropriate arrangements for access to such logs for the detection of crime, even where no evidence of crime has yet been found. This will involve consideration of protocols for the anonymisation of data, production of tools for the integration and analysis of disparate data sets, and whether that anonymisation still permits the necessary profiling whilst permitting the monitoring and storage of data to remain within legal requirements.

B. New data sources

Not all systems perform sufficient logging or are accessible enough to allow their data to be included in the first theme of this project. Therefore we perceive a need for the establishment of a network of “remote sensors” to fill the gap created by these unobservant systems. These are likely to be based on the current model of “honeypots” used to attract and trap network mis-users, but will be extended to perform more covert monitoring of activity in the systems around them. This part of the project will require the investigation of techniques for the remote observation of system and network activity.

C. Common Themes

In support of the above two major themes, there are some common areas of underpinning research:
-- consideration of secure data communications protocols to ensure that gathered data remains valid
-- development of common data storage format
-- examination of minimal data capture requirements for successful analysis
-- development of secure data repository
-- initial development of prototype profiling tools using, e.g., data mining techniques.
-- examination of “conventional” profiling methods and their applicability in “cyberspace”
-- consideration of legal constraints (e.g. Data Protection Act 1998, Regulation of Investigatory Powers Act, Computer Misuse Act, Human Rights Act)

IV. OUTCOME AND OBJECTIVES

This work, then, when completed, will show how the following problems can be addressed, and permit Cyberprofiling to be used as a tool for dealing with e-crimes:
-- a way of storing, collecting and communicating data
-- a prototype data repository
-- prototype profiling tools
-- evaluation of profiling methods
-- identification of the main legal/regulatory issues + recommendations for areas that need to be re-addressed.
-- Furthering understanding of the criminal use of cyberspace (link crime prevention)
-- How existing principles in the real world relate to the cyber world.
-- Approach to the mechanisation of routine detection of frequently occurring but hard-to-prosecute crimes

It is anticipated that the profiling and data capture tools will lead to methods of detection/prediction of not only attacks on existing internet services, but also the establishment of new networks of internet servers to be used for illegal purposes. Ultimately, there will be a requirement to examine these servers to determine the nature of the material and activity associated with them. In order to facilitate this related sub-project, which has immediate benefits to law-enforcement where such servers have already been identified

V. FUTURE WORK

In other areas of Information Technology, where large volumes of data are processed and stored in order to deliver specialist results, it is often necessary that new methods of visualising the results are required. It is expected that once Cyberprofiling techniques start delivering results that are of value in the detection of e-crimes, new visualisation techniques will also need to evolve in order to communicate those results to a non-specialist audience involved in the law and other associated disciplines.

VI. CONCLUSION

Criminal Profilers are unable to assist in the detection and resolution of e-crimes on their own, and similarly law enforcement cannot operate without additional specialist help. The creation of specialist multi-disciplinary teams is essential to the creation of Criminal Profiles within the expanding sector of e-crimes. We introduce such a multidisciplinary team and hope to demonstrate positive results when later data capture and analysis is complete.

REFERENCES

[1] BBC News, 8 Apr 2005, http://news.bbc.co.uk/1/hi/technology/4420325.stm.
[2] Marshall AM & Tompsett BC “Silicon Pathology”. Science & Justice 44(1) 2004.
[3] Palmer GL “Forensic Analysis in the Digital World”. International Journal of Digital Evidence 1(1) 2002.
[4] Harrison W, Heuston G, Morrissey M, Aucsmith D, Mocas S & Russelle S “A Lessons Learned Repository for Computer Forensics”, International Journal of Digital Evidence 1(3) 2002.
[5] Marshall AM & Tompsett BC “Spam’n’ Chips - a discussion of internet crime”. Science & Justice 42 (2) 2002.
[6] Bottoms, A. E. and Wiles, P. (2002) ‘Environmental Criminology’ in Maguire, M., Morgan, R. and Reiner, R. (2002) The Oxford Handbook of Criminology, Oxford University Press pp.620-644.
[7] Clarke, R. (1999) Hot Products: Understanding, Anticipating and Reducing Demand for Stolen Goods, Police Research Series No. 112, London: Home Office.
[8] Cohen, L. and Felson, M. (1979) ‘Social change and crime rate trends: a routine activities approach’, American Sociological Review, 44:588-608.
[9] Wiles, P. and Costello, A. (2000) The ‘Road to Nowhere’: The Evidence for Travelling Criminals, Home Office Research Study no.27, London: Home Office.
[10] Brantingham, P.L. and Brantingham, P.J. (1981), ‘Notes on the Geometry of Crime’ in Brantingham, P.L. and Brantingham, P.J. (Eds) Environmental Criminology, Beverly Hills Ca: Sage Publications.
[11] Adderley, R.W. and Musgrove, P. (2001) ‘Police crime recording and investigation systems: A user’s view’, Policing: An International Journal of Police Strategies and Management, Vol 24:1, pp.100-114.
[12] Rossmo, K. (1985) ‘Place, space and police investigations: hunting serial violent criminals’ in Eck, J. and Weisburd, D. (Eds) Crime and Place, Criminal Justice Press, pp. 217-35.
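
Added illustration, not code from the paper or the project: Sections III.A and III.C call for a common data storage format and for anonymisation that still permits profiling. The sketch below maps two differently formatted logs to one record shape and replaces each source address with a keyed-hash pseudonym, so the same source can still be linked across sensors. All names, the record fields and the sample lines (documentation-range addresses) are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample lines from two sensors that log in different formats.
WEB_LOG = [
    '203.0.113.7 - - [12/Mar/2005:10:01:22 +0000] "GET /admin.php HTTP/1.0" 404 210',
    '198.51.100.4 - - [12/Mar/2005:10:02:10 +0000] "GET /index.html HTTP/1.0" 200 5120',
]
SSH_LOG = [
    'Mar 12 10:05:41 gw sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2',
    'Mar 12 10:07:03 gw sshd[815]: Failed password for admin from 192.0.2.55 port 4188 ssh2',
]

WEB_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
SSH_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for '
                    r'(?:invalid user )?\S+ from (?P<src>\S+)')


def pseudonym(value, key):
    """Keyed hash: equal inputs give equal tokens, so records still link,
    but without the key the small IPv4 space cannot simply be enumerated."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def normalise(sensor, line, key):
    """Map one raw line to the common record, or None if it does not parse."""
    if sensor == "web":
        m = WEB_RE.match(line)
        event = "http_" + m.group("status") if m else None
    else:
        m = SSH_RE.match(line)
        event = "ssh_auth_fail" if m else None
    if not m:
        return None
    return {"sensor": sensor, "time": m.group("ts"), "event": event,
            "source": pseudonym(m.group("src"), key)}


def build_records(key):
    """Normalise both sample logs into one list of common records."""
    recs = [normalise("web", line, key) for line in WEB_LOG]
    recs += [normalise("ssh", line, key) for line in SSH_LOG]
    return [r for r in recs if r is not None]


def sources_seen_by_multiple_sensors(records):
    """Pseudonymous sources that appear at more than one sensor."""
    seen = defaultdict(set)
    for r in records:
        seen[r["source"]].add(r["sensor"])
    return {src: sorted(s) for src, s in seen.items() if len(s) > 1}
```

Whoever holds the key can re-identify a source by recomputing the pseudonym for a candidate address, so in a design like this the key would be held separately from the repository.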