challenge, profit... hmm... these motivations don't seem to be so new... they
are inherent to the human being. Risk appetite, attack inhibitors? They are too.
Since technology is therefore just a means to commit a crime, we should revisit
some useful approaches to dealing with traditional crimes and analyse whether
they could help when dealing with cybercrimes as well. When all types of
crimes or offences share some features - like human motivations, human traits
expressed through behavioural evidence at a crime scene, and signature aspects
(just to name a few) - we should certainly mention the scientific discipline of
Criminal Profiling. The study of criminal behaviour and its manifestation at a
crime scene has been explored by the discipline for more than a century; it
infers a set of traits of the perpetrator or group of perpetrators of a crime by
examining the criminal evidence available.
This set of traits - a "profile" - can be elaborated to contain features like skills,
resources available, knowledge, motivations, whereabouts and so on, depending
on the evidence available and on which conclusions we can reach from it.
This profile then becomes a valuable additional tool to assist investigations -
with at least a 77% rate of success according to research done in the 90's
(Theodore H. Blau). With these encouraging numbers, and knowing that
cybercrimes share some roots with traditional crimes, the idea is to apply the
same concepts to digital investigations. According to the literature, the main
objectives that can be achieved by applying profiling to investigations are:
· Narrowing down the number of suspects.
· Linking cases that seem to be distinct.
· Helping define strategies of interrogation.
· Optimising investigative resources (e.g., "let's focus on where we have
more chances to find evidence").
· Helping develop investigative leads for unsolved cases.
Actually, the advantages are not restricted to digital investigations. When we
have a profile of a cyber offender in hand, we are able to develop better
countermeasures against their attacks. This is especially important when we are
dealing with advanced offenders, like APTs.
The good news, when we talk about how broad the options are for cyber
offenders to hide themselves behind computer attacks, is that profiling can be a
broad tool as well. Recalling Locard's Exchange Principle, the offender always
leaves traces at the crime scene, and some of them can be of a behavioural
nature. Depending on the level of interaction an attacker has in a digital offence
(e.g. a manual attack vs. an automated attack, or a single web defacement vs.
an attack that involves a large team of skilled offenders and many interactions
with the target), we could have different levels of traces left in log files,
network traffic, social networks, chat networks, file systems of compromised
machines, e-mail messages, defaced websites and instant messaging.
Therefore the mindmap featured below is just a non-exhaustive set of features
that we can explore and work on.
Going deep, the following list is a very small set of examples that we can search
for during the investigation to help populate our mindmap:
· Analysing the time between probes in a port scanning.
· Identifying motivation [revenge, curiosity, challenge, profit, to be part of
a group, usage of computer resources, platform to launch other attacks,
dispute between individuals or hacking groups, cyber terror,
hacktivism, cyber warfare, etc.]
· Analysing victimology.
· Performing authorship analysis on spear phishing e-mail content, social
network posts or on software source code (looking for patterns,
errors, preferred programming functions, sophistication, etc.)
· Identifying the type of tools employed during an attack and evaluating their
availability (public? commercial? restricted?) and the knowledge required to
operate them (Tom Parker has conducted very good research on this topic.)
· Analysing offender activities on social networks, ranging from their first
followers/following, closest contacts, word frequency, periods of the day
in which activities are more intense, evidence of planning actions, etc.
· Analysing global or regional political/social/religious/economic events
that could influence the commission of the offence.
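Two of the items above - the time between probes in a port scan, and the periods of the day in which an offender is most active - can be turned into concrete features for the mindmap straight from log data. The script below is an added illustration, not code from the article or from the author's research: it parses a handful of constructed connection-log lines (the line format, the sample addresses and the classification thresholds are all assumptions made for the example), computes the inter-probe gaps per source, summarises their regularity, and builds an hour-of-day histogram. Sub-second, near-constant gaps are labelled as a likely automated scanner; irregular multi-second gaps as likely interactive probing.

```python
"""Inter-probe timing and activity-hour features for a profiling mindmap.

Added example, not code from the original article. The log format
(ISO timestamp, source, '->', destination:port) and the classification
thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one source probing six ports 10 ms apart at 02:00,
# another touching four ports at irregular, multi-second gaps at 14:00.
SAMPLE_LOG = """\
2023-05-01T02:00:00.000 10.0.0.5 -> 192.0.2.10:21
2023-05-01T02:00:00.010 10.0.0.5 -> 192.0.2.10:22
2023-05-01T02:00:00.020 10.0.0.5 -> 192.0.2.10:23
2023-05-01T02:00:00.030 10.0.0.5 -> 192.0.2.10:25
2023-05-01T02:00:00.040 10.0.0.5 -> 192.0.2.10:80
2023-05-01T02:00:00.050 10.0.0.5 -> 192.0.2.10:443
2023-05-01T14:12:03.000 10.0.0.9 -> 192.0.2.10:22
2023-05-01T14:12:41.000 10.0.0.9 -> 192.0.2.10:80
2023-05-01T14:13:05.000 10.0.0.9 -> 192.0.2.10:443
2023-05-01T14:15:37.000 10.0.0.9 -> 192.0.2.10:8080
"""

# Assumed heuristic: sub-second, near-constant gaps suggest a tool;
# multi-second, irregular gaps suggest a human at a keyboard.
AUTOMATED_MAX_MEAN_GAP = 1.0   # seconds
AUTOMATED_MAX_CV = 0.5         # coefficient of variation (stdev / mean)


def parse_log(text):
    """Group probe timestamps by source address, preserving log order."""
    probes = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, _arrow, _dst = line.split()
        probes[src].append(datetime.fromisoformat(stamp))
    return probes


def inter_probe_gaps(timestamps):
    """Seconds between consecutive probes from one source."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def timing_profile(gaps):
    """Summarise gap statistics and attach a (heuristic) behaviour label."""
    if len(gaps) < 2:
        # One or two probes say nothing about regularity; do not guess.
        return {"probes": len(gaps) + 1, "label": "insufficient data"}
    avg = mean(gaps)
    spread = pstdev(gaps)
    cv = spread / avg if avg else 0.0
    if avg < AUTOMATED_MAX_MEAN_GAP and cv < AUTOMATED_MAX_CV:
        label = "likely automated scanner"
    else:
        label = "likely interactive (manual) probing"
    return {"probes": len(gaps) + 1, "mean_gap_s": avg,
            "stdev_gap_s": spread, "cv": cv, "label": label}


def active_hours(timestamps):
    """Hour-of-day histogram: when is this source most active?"""
    return Counter(ts.hour for ts in timestamps)


def profile_sources(text):
    """Build per-source timing and activity features from raw log text."""
    result = {}
    for src, stamps in parse_log(text).items():
        prof = timing_profile(inter_probe_gaps(stamps))
        prof["active_hours"] = dict(active_hours(stamps))
        result[src] = prof
    return result


if __name__ == "__main__":
    for src, prof in profile_sources(SAMPLE_LOG).items():
        print(src, prof)
```

The output is a feature set, not a conclusion: the labels are only a starting point that an investigator would weigh against the other branches of the mindmap (tooling, victimology, authorship), and the thresholds should be calibrated on the organisation's own traffic before being trusted.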
The topic is vast and encouraging, and we can go much further. But the final
message here is: we know that there is a multitude of means and technologies
that are being (and will be) used by offenders in the perpetration of their
actions. But we need to know that there is a multitude of means to catch them
as well.
Lucas Donato, CISSP, CRISC, is an information security consultant who
currently works at a Brazilian bank. In the last ten years he has been involved
with penetration testing, vulnerability assessments, incident response and
digital investigations for some of the biggest Brazilian companies. Nowadays,
he is pursuing his PhD degree at the Cyber Security Centre of De Montfort
University, exploring the ins and outs of criminal profiling applied to digital
investigations.