When searching for the evidence you need, understanding how people think can be helpful. A powerful tool available to the forensic investigator is the ability to understand motives—that is, the reasons a suspect committed a crime. Understanding how criminals think makes it possible for you to discover, analyze, and reconstruct the events leading to a crime.
According to experts, criminal behavior often emerges from a combination of environmental, psychological, and biological factors. Certain characteristics (such as short attention span, lack of impulse control, and poor home life) may predict future criminal behavior. Although most crimes are committed by young men in their teens and twenties, this is not always true where computer crimes are concerned.
So, what motivates criminal activity?
Financial Gain Many cybercriminals are motivated by financial gain. Identity theft, theft of trade secrets, credit card fraud, medical insurance fraud, and extortion are generally motivated by greed. In the United States, the poor economy owing to the recession that started in 2008 has been blamed for increases in criminal offenses.
Anger or Revenge Anger, jealousy, and resentment are powerful motives. Disgruntled or dishonest employees as well as former employees, saboteurs, and extortionists often commit crimes of revenge. Revenge is also often cited as a motive in cyberbullying. For example, Lori Drew, a Missouri mother, was convicted in a landmark cyberbullying case. Prosecutors said that Drew’s actions were motivated by a desire to humiliate 13-year-old Megan Meier for saying “mean things” about Drew’s teenage daughter. Meier committed suicide shortly after a cyberbullying incident.
Power Activists may want to force a course of action that suits their agenda. To accomplish this, they may deliberately cause damage—for example, by mounting a denial of service (DoS) attack—simply to garner attention or notoriety. DoS attacks can completely shut down and paralyze a network. High-profile sites are frequently targets for DoS attacks. Nation-states and terrorists may try to weaken the economy or digital infrastructure of a country in order to render its defenses less effective against physical attacks. In December 2009, a sophisticated, coordinated cyberattack was launched against 34 companies, including powerhouses such as Google, Adobe, and Northrup Grumman. Two independent, anonymous sources pointed to China as the source for these attacks.
Addiction, Curiosity, Boredom, Thrill-Seeking, Intellectual Gain, and Recognition Many people who create viruses or worms are highly intelligent and are simply seeking an intellectual challenge. Other hackers who have committed computer intrusions report they were motivated by a desire to test a computer’s security. Still others report that they were interested in earning a reputation for their skills and becoming well known. Regardless of the motivation, these activities are still illegal and may cause immeasurable damage to the systems they affect.
Sexual Impulses Active and passive pedophiles, serial rapists, and serial killers might commit cybercrimes.
Psychiatric Illness Personality disorders such as schizophrenia, bipolar disorder, aggression, and depression can motivate a person to hide their illness online, where they can interact without physical contact. Personality theorists have suggested that cyber criminals exhibit characteristics of psychiatric illnesses such as narcissism and antisocial personality disorder.
signature analysis
Technique that uses a filter to analyze both the header and the contents of the datagram, usually referred to as the packet payload.
When searching for data, forensic investigators must realize that users who want to store data and hide its actual content from others may do so in many ways. One of the most common methods is to hide data by changing the filename and the extension associated with a file so that it doesn’t look suspicious. Although it can be difficult to determine if an original filename has been changed, most forensic software can detect a change made to the file extension. An altered file extension is detectable through a method called signature analysis. Although searching for text strings is the main method for obtaining digital evidence, using various types of forensic software, you can search on the evidence and perform signature analysis at the same time. Basically, signature analysis computes any hash value discrepancies between a file’s extension and the file’s header. When these two do not match, it’s generally an indication that you should analyze the file in more detail. For example, those seeking to hide child pornography might change the extensions of such pictures from .jpg to .txt in an attempt to hide the content. Signature analysis can be used to identify such files.