Laureate Education (2009) notes that “a clear understanding of the suspect’s behavior profiling will help an investigator to quickly identify and collect the digital evidence when the event has happened.” If we understand nothing about our perpetrator, then it might be difficult even to know where to begin an investigation. In the case of network forensics, we may be primarily interested in motive, skill and systems compromised. Of course, as Kilger et al. (2004) point out, motivations in the hacker community may be further broken down into “Money, Entertainment, Ego, Cause, Entrance to social group and Status”. However, as useful as this level of profiling may be to understanding the criminal, it may not make a major difference to the case. We need to analyze the skill level of the perpetrator to have some understanding of how the crime was accomplished and whether we may need to deepen or broaden our investigation and/or possibly take some protective measures. We need to understand as much as possible, as quickly as possible, about which systems were compromised, both to collect evidence and possibly to institute these protections.
As in all forensics, profiling in network forensics investigations can be judged by its results: “a profile is a good profile: if it catches the offender then it is good; if it fails to do so then it is not” (Pakes & Winstone, 2007, p. 29). However, “profilers do not solve cases on their own” (Ibid., p. 31). Furthermore, as Ormerod (1999) asserts, “an offender profile is likely to conflict with some of the most fundamental rules of the laws of evidence such as the rules of legal relevance, opinion, hearsay, and the rules governing against prejudicial evidence.”
Ressler et al. (1985) define profiling as “the process of identifying the gross psychological characteristics of offenders based on an analysis of the crimes they have committed.” They go on to stress its success with statistics that may be hard to substantiate. I don't dispute that profiling criminals has some value psychologically, sociologically and in some cases forensically. And building up a portfolio of profiles also has some value, since much human behavior is generalizable. But I would suggest that in cases of network intrusion and many other investigations involving technology, profiling the crime will probably be more immediately helpful than profiling the criminal.
Kilger, M., Arkin, O. & Stutzman, J. (2004) 'Profiling', Know Your Enemy, pp. 505-556 [Online]. Available from: http://old.honeynet.org/book/Chp16.pdf (Accessed: 11 July, 2010)
Laureate Education (2009) Computer Forensics Seminar for Week 6: Network Forensics I [Online]. Available from: https://elearning.uol.ohecampus.com/bbcswebdav/xid-61826_4 (Accessed: 11 July, 2010)
Ormerod, D. (1999) 'Criminal Profiling: Trial by Judge and Jury, not Criminal Psychologist', Profiling in Policy and Practice, Canter, D.V. & Allison, L.J. [Online]. Available from: http://site.ebrary.com.ezproxy.liv.ac.uk/lib/liverpool/docDetail.action?docID=10211363 (Accessed: 11 July, 2010)
Pakes, F. & Winstone, J. (2007) Psychology and Crime: Understanding and Tackling Offending Behavior [Online]. Available from: http://site.ebrary.com.ezproxy.liv.ac.uk/lib/liverpool/docDetail.action?docID=10305986 (Accessed: 10 July, 2010)
Ressler, R.K., Burgess, A.W., Douglas, J.E. & Depue, R.L. (1985) 'Criminal Profiling Research on Homicide', Rape and Sexual Assault, pp. 343-349 [Online]. Abstract available from: http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=97320 (Accessed: 11 July, 2010)