Computer Criminal Profiling applied to Digital Investigations




Journal Title

Journal ISSN



Volume Title


De Montfort University


Thesis or dissertation

Peer reviewed


This PhD thesis aims to contribute to the Cyber Security body of knowledge and its Computer Forensic field, still in its infancy when comparing with other forensic sciences. With the advancements of computer technology and the proliferation of cyber crime, offenders making use of computers range from state-sponsored cyber squads to organized crime rings; from cyber paedophiles to crypto miners abusing third-party computer resources. Cyber crime is not only impacting the global economy in billions of dollars annually; it is also a life-threatening risk as society is increasingly dependent on critical systems like those in air traffic control, hospitals or connected cars. Achieving cyber attribution is a step towards to identify, deter and prosecute offenders in the cyberspace, a domain among the top priorities for the UK National Security Strategy. However, the rapid evolution of cyber crime may be an unprecedented challenge in the forensic science history. Attempts to keep up with this pace often result in computer forensic practices limited to technical outcomes, like user accounts or IP addresses used by the offenders. Limitations are intensified when the current cyber security skill shortage contrasts with the vastness of digital crime scenes presented by cloud providers and extensive storage capacities or with the wide range of available anonymizing mechanisms. Quite often, offenders are remaining unidentified, unpunished, and unstoppable. As these anonymising mechanisms conceal offenders from a technological perspective, it was considered that they would not offer the same level of concealment from a behavioural standpoint. Therefore, in addition to the analysis of the state-of-theart of cyber crimes and anonymising mechanisms, the literature of traditional crimes and criminal psychology was reviewed, in an attempt to known what traits of human behaviour could be revealed by the evidence at a crime scene and how to recognize them. It was identified that the subdiscipline of criminology called criminal profiling helps providing these answers. Observing its success rate and benefits as a support tool in traditional investigations, it was hypothesized that a similar outcome could be achieved while investigating cyber crimes, providing that a framework could enable digital investigators to apply criminal profiling concepts in digital investigations. 2 Before developing the framework, the scope of this thesis was delimited to a subset of cyber crimes, consisting exclusively of computer intrusions cases. Also, among potential criminal profiling benefits, the reduction of the suspect pool, case linkage and optimization of investigative efforts were included in the scope. A SSH honeypot experiment based on Cowrie was designed and deployed in a public cloud infrastructure. In its first phase, a single honeypot instance was launched, protected by username and password and accepting connection attempts from any Internet address. Users that were able to guess a valid pair of credentials, after a random number of attempts providing strong passwords, were presented to a simple file system, in which all their interactions within the system were recorded and all downloaded attack tools were isolated and securely stored for their posterior analysis. In the second phase of the experiment, the honeypot infrastructure was expanded to a honeynet with 18 (eighteen) nodes, running in a total of 6 (six) geographic regions and making it possible the analysis of additional variables like location of the “victim” system, perceived influence from directory/file structure/contents and resistance levels to password attacks. After a period of approximately 18 (eighteen) months, more than 7 million connection attempts and 12 million authentication attempts were received by the honeynet, where more than 85,000 were able to successfully log into one of the honeynet servers. Offenders were able to interact with the simulated operating systems and their files, while enabling this research to identify behavioural patterns that proved to be useful not only to group offenders, but also to enrich individual offender profiles. Among these behavioural patterns, the choice of which commands and which parameters to run, the basis of the attack on automated versus manual means, the pairs of usernames and passwords that were provided to try to break the honeypot authentication, their response once a command was not successful, their intent on using specific attack tools and the motivation behind it, any level of caution presented and, finally, preferences for naming tools, temporary files or customized ports were some of the most relevant attributes. Based on the collected data set, such attributes successfully make it possible to narrow down the pools of suspects, to link different honeypot breakins to a same offender and to optimize investigative efforts by enabling the researcher to focus the analysis in a reduced area while searching for evidence. 3 In times when cyber security skills shortage is a concerning challenge and where profiling can play a critical role, it is believed that such a structured framework for criminal profiling within cyber investigations can help to make investigation of cyber crimes quicker, cheaper and more effective.





Research Institute