Hacker Profiling

Psychological Crime Scene Analysis
Cyber Crime Scenes
Dr. Marcus Rogers
Associate Professor
Dept. of Computer Technology


Outline
• Learning Outcomes
• Quick Review
• What can we profile
• Answering the Investigative Questions
• Computer Criminal Taxonomy
• Crime Scene Analysis Elements
• Summary

Marcus K Rogers 2004


Learning Outcomes
• At the end of this discussion you will be able to:
  • Describe the role of psychology in the investigation process;
  • Explain what crime scene analysis elements are;
  • Describe how psychology can assist with the basic investigative questions; and
  • Compare and contrast physical and cyber psychological crime scene analysis.


Review
• Forensic Psychology
  • Branch of psychology that deals with the legal justice system and legal proceedings
  • Research focused
    • Jury selection
    • Eyewitness testimony
    • Equivocal death analysis
    • Offender profiling
  • Clinical
    • Assessments
    • Offender risk assessments


Important Principles
• Principle of Exchange (Edmund Locard, 1910)
  • “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.”
• Core of our personality does not change fundamentally over time
• Crime scene reflects the personality of the offender


Psychological Profiling
• “The art and science of developing a description of a criminal’s characteristics (physical, intellectual, and emotional), based on information collected at scene(s) of the crime(s).”
• Reduces the potential number of suspects
• Does not replace good old-fashioned police work!


Psychological Profiling
• Inductive
  • General to the specific
  • Clinical
  • Statistical
• Deductive
  • Case based
  • Behavior Evidence Analysis
• Hybrid


Timeline

[Figure: timeline with an axis running from 1880 to 2004. Events shown on it:]
• Jack the Ripper Cases, Dr. Thomas Bond Autopsy
• Dr. James Brussel profiles Mad Bomber of New York
• Office of Strategic Services profiles Adolf Hitler and Other Leaders
• Dr. James Brussel profiles the Boston Strangler
• Work by Howard Teten at the San Leandro Police Dept in California
• Howard Teten becomes an FBI agent and initiates criminal profiling program with Pat Mullany
• Large study to develop inductive criminal profile method by Howard Teten and Pat Mullany
• Brent Turvey develops BEA (Behavioral Evidence Analysis), a deductive or intuitive approach
• David Canter begins developing Investigative Psychology, another inductive method
• Some general articles and theories on computer criminal profiling but not specific methodologies that are widely accepted and utilized

Source: Dean, N. (2004). Computer Criminal Typology Determination. Unpublished Masters Project. Purdue University


Psychological Crime Scene Analysis (PCSA)
• Important Elements
  • Motive (Why)
  • Modus Operandi (How)
  • Signature Behaviors/Aspects (Who)
  • Staging (Who did not)
  • Victimology (To whom)
• These are pieces of a jigsaw puzzle that, when combined, reveal a picture of the perpetrator


PCSA & Cybercrime (PCSA)
• Can we use traditional profiling techniques with non-traditional crimes?
• What questions do investigators need answered when investigating cyber crimes?
• Are there attacker profiles already developed?
• In the physical world we have identifiable crime scene(s), is/are there an analogous cyber crime scene(s)?


PCSA Cases
• Internet Child Pornography
• Internet Stalkers
• Internet Predators
• Hackers
• Virus writers
• Cyber-terrorist
• Criminal Insiders


Investigative Questions
• What questions do investigators need answered?
• Usually case specific
  • What kind of offender
  • Experienced/Inexperienced?
  • Individual/Group?
  • Will they act on their threats?
  • What will be the best interrogation strategy?
  • Etc.


Computer Criminal Taxonomy
• Taxonomy - formal method of subdividing a large group in order to stimulate scientific discussion and empirical research
• Computer crime taxonomy uses 2 primary factors
  • Motivation
  • Technical skill


Computer Criminal Taxonomy
• Categories
  • Novice/Tool Kit (NT)
  • Cyber Punk (CP)
  • Petty Thieves (PC)
  • Virus Writers (VW)
  • Old Guard (OG)
  • Professional Thieves (PT)
  • Information Warriors (IW)
  • Political Activists (PA)


Computer Criminal Taxonomy
• Modified Ordered Circumplex Model
  • Circumplex
    • Method of representing complex relationships
  • Ordered Circumplex
    • Position on the circumference represents a specific ordered relationship between variables (adjacent, orthogonal, opposite etc.)
  • Modified
    • Position on both the circumference and the radius represent specific relationships
• Good method for “eye balling” the fit of a model to the data


Computer Criminal Taxonomy
Hacker Circumplex

[Figure: circumplex diagram positioning the categories PC, VW, PT, OG, IW, CP, NT and PA; labelled "Skill Level"]


Psychological Crime Scene Analysis Process
1) Collation of Case Details
2) Identification of Salient Issues/Points
3) Framework/Theory Selection
4) Application to Unique Case Data
5) Development of Individual Profile


Psychological Crime Scene Analysis Process
1) Collation of Case Details
2) Identification of Salient Issues/Points


Crime Scene Analysis Elements
• What are the salient points?
  • Elements necessary to:
    • answer the investigative questions
    • build the “picture” of the perpetrator
• Are there analogous elements between the physical and the cyber?
• Yes there are, BUT:
  • Need to know where and what to look for
  • Need a basic understanding of technology and the Internet


Crime Scene Analysis Elements

Each entry gives the conventional crime element, the equivalent cyber crime element, and the narrative.

1) Selection of Victim
   Equivalent cyber crime element: Selection of Target
   Narrative: This can be a person, system, network or range of addresses.

2) Characteristics of Victim
   Equivalent cyber crime element: Characteristics of Target
   Narrative: System classification (business, military, financial, academic, home system, etc.), Security Controls (Anti-virus, firewall, IDS), Type of system (DB, Web server, transaction server, workstation), Recent sites visited, Primary or Secondary target, Sensitivity of Data.

3) MO of Offender
   Equivalent cyber crime element: MO of offender
   Narrative: System enumeration method, type of attack (DoS, scripted, Root-kit, sniffing, defacement etc.), warnings (pre-post attack scans).

4) Attitude of Offender towards the Victim
   Equivalent cyber crime element: Offender Attitude
   Narrative: Threats & taunting, Chat group correspondence.

5) Offender’s reaction to victim’s behavior
   Equivalent cyber crime element: Offender Response Escalation behavior
   Narrative: Any behaviors exhibited during the response escalation process.

6) Language used by the Offender
   Equivalent cyber crime element: Offender Artifacts
   Narrative: Messages left on systems, messages sent to sys admins, coding “strings”, location of attacker tools or files.

7) Violence used by the offender
   Equivalent cyber crime element: Potential Damage Rating
   Narrative: Impact on Availability, Confidentiality, and Integrity of system, network or data, zombie.

8) State that Victim was left in
   Equivalent cyber crime element: Post Incident System Risk Rating
   Narrative: Minimal, Moderate, High (needs to be reinstalled).

9) Forensic Evidence at Scene
   Equivalent cyber crime element: Forensic Evidence at Scene
   Narrative: Log files, audit event trails, etc.


PCSA - CYBER
• Identify cyber MOs and signature aspects
  • Link past and future crimes
• Identify possible staging behaviors
• Interview strategies
  • What are the hot buttons to push
• Trial preparation
  • Deflecting the Trojan horse defense
  • Internet Addiction defense strategy


PCSA - CYBER
• Focus the investigation to certain areas within the file system
  • Reduce the amount of unnecessary work
• Provide insight into the technical ability of the suspect
• Provide insight into the motivation of the attacker
• Provide insight into the criminal career maturity
  • Forensic knowledge of suspect
  • Erasing of log files
  • Spoofed addresses


Summary
• Psychological Crime Scene Analysis is an effective investigative tool
• PCSA can be used with cyber investigations
• There are identifiable crime scene elements in cyber crime scenes as well
• Need to know what to look for
• Need to get over our “Cyber Phobia”


Questions/Comments



Contact Information
Dr. Marcus Rogers
225 Knoy Hall of Technology
494-2561
www.cyberforensics.purdue.edu
rogersmk@exchange.purdue.edu

