Chapter 3

Psychological profiling as an investigative tool for digital forensics

Marcus K. Rogers    Purdue University, IN, USA

Abstract

Digital forensics has fallen victim to the fact that the traditional approach has focused mainly on the collection of evidence and very little time has been spent on how to effectively and efficiently examine, analyze, and arrive at a decision based on the evidence identified. Behavioral analysis has been used to support traditional criminal investigations very successfully. This chapter looks at how behavioral analysis can be modified to be used in the context of cyber criminal investigations. The weaknesses of the traditional digital forensics model are discussed and then the behavioral analysis model is presented, along with its uses and limitations. Three case studies are presented that illustrate how behavioral analysis assists in the cyber criminal investigative process.

Keywords

behavioral analysis
psychological profiling
big data
examination
Locard’s principle
It may seem odd at first to be devoting an entire chapter to the discussion of psychological profiling given that digital forensics is traditionally seen as a hard science. Digital forensics is often described as the intersection of science and technology. So what does psychology and more precisely behavioral analysis have to do with computers and technology and/or cyber criminal investigations? The answer is, “quite a lot.” If we step back and look at the constituent parts of digital forensics, we can discern that this area is looking a criminal behavior that either uses or targets technology, or is facilitated by technology (Rogers, 2003). Behavioral analysis has traditionally been a very active component of criminal investigations. Psychological profiling and investigative psychology have played and will continue to play a crucial role in understanding why certain crimes are committed, developing profiles of likely suspects, and linking crimes to specific individuals or groups (Douglas et al., 1986; Rogers, 2003).
Behavioral analysis is commonly broken down into two different camps, inductive and deductive analysis (Douglas et al., 1986). Deductive behavioral analysis or bottom-up analysis (also known as syllogistic reasoning) looks at the specific elements of a crime scene and then develops a hypothesis as to what the characteristics are of the specific suspect. A series of premises are established and as long as each premise is correct, the conclusion is considered valid as well (Turvey, 2003), think of Sherlock Holmes here. Inductive profiling (top down) works from generalized theories of offenders, usually derived from empirical research and then moves to attributing these characteristics to the current suspect (Turvey, 2003; Douglas et al., 1986). Realistically, most behavioral analysis uses a hybrid approach where generalized theories based on clinical populations form the context of the analysis, but case-specific evidence is used to inform the creation of the final “picture” or profile of the offender (Douglas et al., 1986; Turvey, 2003; Rogers, 2003). The popularized FBI’s Behavioral Analysis Unit is often used as an example of how inductive and deductive reasoning is used to establish psychological profiles of high profile cases (Douglas et al., 1986).
Based on the fact that behavioral analysis/psychological profiling has become such a media darling, it is important that we understand not only what it is, but more importantly what it is not. If we were to believe the media, profilers would be running amok single-handedly solving high-profile cases. These cases would be solved solely on the basis of the profile derived by the criminal psychologists. According to the media, one would think that behavioral analysis was analogous to being a psychic medium. Fortunately, this however is not reality. Behavioral analysis is never the sole investigative tool used to convict a suspect. It is merely one of many tools used by criminal investigators. Behavioral analysis/psychological profiling allows the investigator to limit the number of potential suspects that would need to be interviewed in relation to a specific case. It can also be used once a suspect has been identified, to assist in the interview and interrogation phase of the investigation. It can also be used in trial preparation by the prosecutor to illustrate the true psychological state of a suspect at the time of the offense (Turvey, 2003; Douglas et al., 1986).
As previously stated, behavioral analysis has a long history of use in assisting investigators across all types of criminal activities. It is also used to help determine if several criminal activities can be attributed to the same suspect. In these situations, the investigator is trying to determine if there are similar modus operandi, or similar signature behaviors. Modus operandi deals with how the activity was undertaken; for example, focusing robberies on banks near the outskirts of the city far away from any law enforcement offices. Modus operandi is related to activities that increase the likelihood of success for the criminal involved. Modus operandi is actually a learned behavior. As such, a criminal’s MO can change over time as they become a more successful mature criminal who has mastered their criminal tradecraft.
Signature behaviors, on the other hand, are not learned behaviors. In fact, these are often behaviors that the criminal may not even be aware they are displaying. Signature behaviors are often expressions of some need and/or drive the suspect is trying to satiate (Douglas et al., 1986). Thus, even if these behaviors put the suspect at a greater risk of being caught, these behaviors must be expressed in order for the criminal to find relief. An example of a signature behavior would be trophy collection, where the criminal would take some artifact belonging to the victim and in some cases display this artifact in their own personal space, so that they could look at it and relive the experience (Douglas et al., 1986).
Despite the fact that behavioral analysis has a long history of assisting in traditional criminal investigations, its use in cyber criminal investigations seems to be somewhat limited.

Current model

Before continuing on, let us examine how current cyber criminal investigations are being conducted. Like the other forensic sciences, digital forensics/cyber criminal investigations are using a standard criminalistics approach. This approach traces its roots back at least 100 years. The traditional model focuses on the following phases: identification, preservation, collection, examination, analysis, and interpretation (Saferstein, 2014). This model has been popularized by the works of Sir Arthur Conan Doyle (Sherlock Holmes), and the various CSI shows that seem to be on every cable channel and every time slot. It is quite interesting that despite the fact that digital forensics practitioners claim to be following a traditional criminalistics approach, they are neglecting to use a very common tool: behavioral analysis.
Digital forensics seems to be very enamored with computer science and engineering principles (e.g., hash functions, memory dumps), but apparently it is unaware of traditional investigative approaches. As a result of this focus on technology (computer science and engineering), we have fallen into the trap of focusing almost exclusively on the collection of data and have paid very little attention to the examination and analysis phases. This has resulted in investigators being overwhelmed by the sheer volume of potential evidence (Meyers & Rogers, 2004; Garfinkel, 2010; Damshenas, Dehghantanha, & Mahmoud, 2014). Data storage technology has far surpassed the technology required to properly examine, analyze, and in some cases even identify the evidence (Garfinkel, 2010).

Issues

Volume of data

Gone are the good old days of using the shotgun approach to analysis and examination. In the past computer storage was much smaller; investigators literally looked at every piece of data on the computer or storage device. With hard drives commonly in the range of 1 to 2 TB, it is now physically impossible to search all of the data. Computer crime investigations must take a more nuanced and surgical approach to the examination/analysis phases. Some would argue that directed keyword searches can help to overcome data volume problem. This is a fool’s argument, since the algorithms designed for keyword searches have not progressed much farther than the days when 10 gigabyte hard drives were the norm. Keyword search algorithms also fail under the heavy load of having to search across terabytes of data, especially when more than one keyword or variations of the keyword are being searched for (Roussev & Richard, 2004). We really need to get over our historical obsession with having to look at every single piece of data that might possibly exist on the storage device (in the off chance that it may contain evidence).
This resistance to recognizing that the old ways are no longer practical, has serious implications for the legal justice system. Few if any courts are willing to wait 2 to 3 years (if not longer) for law-enforcement and/or the prosecutor to sift through all the blocks on a storage device. In fact, in some cases the courts have ruled that unreasonable delays by the prosecution are a violation of the suspect’s constitutional rights, and charges have been dropped against the suspects.
Not only is the volume of potential evidence becoming an Achilles heal, so too are the number of cases being investigated. Most investigators dealing with computer crimes are literally swamped with ongoing cases (Guarino, 2013). It is not unusual for a single investigator to have 20 to 30 cyber crime cases being actively investigated at the same time. By combining the data volume problem, the demands from the court for timely prosecution, and the workload of cyber crime investigators, we have the proverbial perfect storm.

Lack of context

The importance of context cannot be understated in digital forensics. For the most part the investigator is looking at a static picture of events. Most investigators do not work on a live system; they work on a representation of a file system that is abstracted in the form of a directory structure with the underlying files (Irons & Lallie, 2014). This view provides little if any detail as to the relationship between files, or the importance of files to the user. Yet modern operating systems have strived to make themselves look like what the user interacts with in the physical world on an everyday basis, namely the desktop. With graphical user interfaces (GUIs) the user maintains a sense of context as to what meaning the files have to them. The fact that we use a desktop to interact with the system is a direct result of this purposeful illusion of familiarity.
The lack of context extends to the timeline of the data as well. While almost every investigator looks at the time stamps on files (i.e., Modified, Accessed, Created), few would be able to intuitively identify time patterns or subtle anomalies. Yet these patterns, etc., could be crucial in focusing the investigation or eliminating suspects all together.

Accountability

Despite what is depicted on TV, standard digital forensics can only provide information regarding which account was logged in at the time of the events in question. While knowing the account can be useful, it does not necessarily translate into a positive identification of the person sitting behind the keyboard. In many cases user accounts are shared, or the system has one default account. In other cases, login passwords are easily guessed or written down where they can be read. In addition, few suspects readily admit that they are guilty even when confronted by the facts – yet another departure from the fantasy world of TV where everyone admits that they were guilty and admire the mental prowess of the investigator.
No one is saying we should throw the proverbial “baby out with the bathwater” and totally abandon how we have historically investigated these types of cases. However, it is painfully obvious that at the very least, a revised, updated, modernized, and more pragmatic approach to cyber criminal investigations is required. So let us now turn our attention to what this updated/modernized model might look like.

New model

Before launching into a discussion regarding a more modernized version of investigations that incorporates behavioral analysis, there are a few underlying assumptions that need to be examined. First, we need to agree that despite the fact that cyber criminal investigations deal with computer systems, technology, and computing devices, the core elements are analogous to other investigations focusing on the physical world. These core elements include the concepts of evidence, crime scenes, and Locard’s principle of exchange. Just as in physical investigations, investigators are interested in evidence. This holds true for cyber investigations as well, with the caveat that evidence now includes the digital as well as the physical.
Once we establish that the focus is on evidence, we next move to the concept of crime scenes. Traditional criminal investigations center their search for evidence in and around the scene that the criminal activity occurred in. Here again there is really no material difference with cyber investigations. The concept of a crime scene is equally important and in order to focus the investigation, cybercrime investigators need to identify the digital or cyber crime scene. The cyber crime scene can include the victim’s computer system, digital device, and social media page.
Locard’s principle of exchange is at the core of all criminalistics. Briefly summarized, this principle states that the suspect, victim, and crime scene will exchange physical elements that link these to the criminal act (Zatyko & Bay, n.d.). A common example is when a suspect leaves their DNA at a crime scene or having a hair from the victim on their clothing. This also holds true for cyber investigations. The difference is that the evidence now includes digital artifacts, as well as physical artifacts that are exchanged. However, the digital artifacts are often more latent (i.e., invisible without the use of technology) and/or volatile physical counterparts. Examples here could include pieces of code, pictures, text, emails, or entries in log files.
Now while we have focused on more or less tangible pieces of evidence, Locard’s principle of exchange extends into the realm of the behavioral and psychological as well. This is why behavioral analysis is an important investigative tool (Zatyko & Bay, n.d.; Douglas et al. 1986). Suspects also leave traces of their personality in the crime scenes; whether they be physical or digital crime scenes. It is therefore logical that we can extend behavioral analysis to cyber investigations (Rogers, 2003; Rogers & Seigfried-Spellar, 2014).
We must be very clear that despite the fact we are discussing psychological concepts and behavioral analysis, no claims are being made that this model represents any type of clinical diagnostic tool. This model is not intended for clinicians to diagnose someone with a psychopathology. Its intent is to serve as an investigative tool/framework in order to focus the investigation on areas that maximize the return on the investigative investment (Rogers, 2003; Rogers & Seigfried-Spellar, 2014). While many of the terms and concepts used in this model come from clinical and/or investigative psychology, its use is not intended for psychologists or sociologists. The intended user is the investigator and/or digital forensics practitioner. The new model is specifically designed to directly address several of the issues that plague the traditional model as were previously mentioned.

Phases

The behavioral analysis model is presented in a linear multiphased manner so as to assist in providing a general overview. In practice, the model is dynamic, with multiple feedback loops where data and interpretations from a latter phase require the prior phase, to be reexamined and/or reinterpreted, and the data reanalyzed. This is especially true of the pattern and timeline/visualization phase as this provides a meta-view of the evidence. This meta-view can make it necessary to modify the context of the investigation.

Classification

The first phase of this model focuses on identifying the type of case under investigation. What is meant here is whether the case involves the illegal possession of child pornography, homicide, extortion, fraud, identity theft, etc. Each of these categories has unique characteristics that affect the latter phases of this model; we will discuss this in more detail in an upcoming section.

Context analysis

Once the category of the case is determined, then it is possible to begin to understand the context of the case. The context of the case allows investigators and behavioral analysts to focus on the most likely locations of evidence on the suspects computer, computing device, or social media accounts. It can also provide insights into whether the investigator should be concerned about antiforensic techniques, such as encryption or steganography, and what level of technical sophistication the suspect might have. This ability to focus efforts on those locations that have the maximum likelihood of containing evidence relevant to the case at hand is one of the cornerstones of this model.

Collection

Once the context has been established, the behavioral analyst works with the investigator and or technician to collect evidence and store this evidence in a format that can be analyzed for patterns, linkages, and timeline analyses. While this second phase seems rather straightforward, is important to remember the issue we previously noted, namely data overload. What the behavior analyst is attempting to do is to narrow the search parameters in such a manner that only relevant evidence is collected. It is helpful at this juncture to think of the digital crime scene in terms of it being an archaeological site (Graves, 2014). What the analyst is attempting to do is to only focus on those areas of the digital crime scene (e.g., the file system) that will contain artifacts of interest. An example here is useful. If the context of the investigation is in the area of the possession of child pornography, and the suspect is believed to be a “opportunistic collector,” then it would be best to start “digging” into the file system with a specific focus on web artifacts, email correspondence, pictures, multimedia files, and peer-to-peer applications (Rogers & Seigfried-Spellar, 2014).

Statistical analysis

Once the data/evidence is collected and placed in the format that can readily be searched, then the analyst can assist investigators by interpreting any patterns or anomalies that might be present. A common task at this phase would be to conduct a frequency analysis on the web history of whatever browser or browsers the suspect had been using. This frequency analysis can reveal patterns related to preferred time of web surfing, preferred types of websites visited, preferred types of files downloaded and/or traded, and other online behaviors related to social media (Rogers & Seigfried-Spellar, 2014).These patterns can be used to develop an online behavioral profile. Given a large enough amount of data, it is possible to differentiate between users even if they are sharing an account. This is due to the fact that people’s online behaviors can be distinctive enough to almost be analogous to fingerprints.
The most common statistical tool is frequency analysis which can provide numerous investigative leads. With frequency analysis, the behavioral analyst may work with the investigator to collect information on specific websites visited (these can include social media sites as well), or number of times the suspect contacted the victim by cell phone or by social media. In a number of case web browsing history files, cookies files, search history, and cache files are the artifacts used for the analysis. As an example, if the case was to involve credit card fraud and the most frequented URLs are sites that provide information on carding IRC channels, or dark web trading sites, then this would support an opinion the person was interested in credit card fraud. Conversely, if the most frequented sites and/or searches focus on how to remove Trojan horses or RATs (remote access tools) then the context of the investigation might need to be altered. However, as is true with any statistical test or tool, the more data available, the more reliable and valid the frequency analysis will be.

Timeline analysis/visualization

Timeline analysis is an important component. The visualization of a timeline combined with a frequency analysis can be used to categorize the type of offender/suspect. It can also be used to determine a temporal pattern of the computer system or device’s usage. It many cases it is important to know what time of the day, and/or what day of the week the suspect is online and most frequently online. This is especially true in cases where there are multiple potential suspects and only one account on the device that is shared or not password protected (see Case Study #2). If timeframes can be positively identified when the suspect is definitely at home and not at home, through work records, cell tower information, or witnesses, then it is easier to create a behavioral profile of the suspect’s device usage. It may also be vital to develop a baseline of system usage behavior prior to the timeframe in question for the criminal activity (see Case Study #2). A visualization of this timeline (see Fig. 3.1) can be powerful evidence in court to either convict or exonerate a suspect.
image
Figure 3.1 Time Line: Activity by Day
The visualization of the data during this phase provides an opportunity to discover patterns or linkages that were previously missed when the evidence is looked at in somewhat of an isolated manner, as it is in the traditional model. The ability to use heat maps, charts, graphs, depictions of data clustering, etc., not only assists the analyst, but they can also be powerful tools for explaining and illustrating concepts to a judge or jury during courtroom testimony.

Decision/opinion

Once the behavioral analyst has finished the frequency analysis and timeline/visualization phases, a final report is issued. The final report often includes the answer(s) to investigative questions that were posed at the start of the analysis. In order to answer these questions, the analyst will need to craft an opinion based on the totality of the analysis (i.e., results from each of phases). The analyst may be asked to determine whether a particular theory about what occurred is possible and likely, or in the case of a known event but an unknown suspect, what traits or characteristics the suspect is likely to have. It is crucial that the analyst be able to back up their opinions with facts from the results of each phase, as opinion evidence is usually challenged by the opposing party. The opinion should not be couched in terms of absolutes or binary decisions (e.g., yes, no). The opinion should be sensitive that there are often other possible explanations or interpretations of the evidence, especially when dealing with event reconstructions. The analyst will be best served, by articulating the likelihood or probability that their interpretation and derived opinion, is the correct finding.

Limitations

No model is perfect. The behavioral analysis model is no exception. One of the largest limitations is finding a behavioral analyst who understands both psychological behavioral analysis and enough about technology to be able to communicate with the investigator and also appreciate the complexities of digital evidence. It is uncertain whether it is better to take a technical person and teach them how to conduct a behavioral analysis, or take a behavioral analyst and teach them technology. This is similar to the debate in digital forensics: who is better. Law enforcement that becomes a techie or a techie that becomes an investigator?
It may also be the case that just like in traditional investigations, not all cyber cases are conducive to being behaviorally analyzed. Examples here may include cases where automated tools were used exclusively with little or no human intervention (e.g., botnets). The behavioral analysis being discussed here relates to analyzing human behavior on a system, not system or machine behavior by itself; these are vastly different concepts.
To ensure that even subtle patterns and potential linkages can be identified, this model also requires a large amount of data. This is usually not a problem in today’s cases (as was mentioned previously). However, with the move toward cloud-based technologies, we could find ourselves with cases where very little data actually exist on the suspect’s device, it is all in the cloud (hyper distributed). The challenge will then be to adapt the model to looking at clouds and the accompanying behavioral indicators that exist with this medium and technology.

Case studies

In order to illustrate how this new model can be used to assist the investigators, some case studies are provided.

Case study 1 – shaken baby death

The first case study provides an example of the use of the model in a shaken baby death case. The backstory for the case is as follows. The EMT were called to a residence where an 8-month-old baby was found not breathing. The baby was rushed to the hospital and was DOA. The autopsy revealed evidence that the baby had been physically abused and beaten over a period of time. The state police began their investigation and as is the norm, the victim’s mother and live-in boyfriend were placed under suspicion. The computer system in the apartment and the cell phones were seized and processed for potential evidence. The interview of the baby’s mother and boyfriend resulted in mixed stories, with the boyfriend denying he was home at the time when the coroner placed the final beating that killed the baby had occurred. The mother was uncooperative as well. Investigators collected and analyzed the typical types of data: Internet History, web searches, social media, cell tower data, etc. Unfortunately, the boyfriend and mother shared a single user account on the Windows-based computer.
The behavioral analyst was asked to develop an investigative profile based on the computer system usage in order to determine, if possible, who was home at the time of the death and just prior. The analyst was able to create a behavior baseline for each of the two users based on the fact that artifacts on the system predated when the boyfriend met and moved in with the mother, and work and class records for the mother which positively identified blocks of time that the mother was not in the apartment.
A frequency analysis was conducted that showed the most frequent time of the day that the boyfriend was on the system and the same for the mother. It was also determined what days of the week were the most active by the user and the types of sites visited (e.g., Adult porn, gaming sites, baby shower gifts, careers, bank accounts) and/or terms searched for. It was noted that based on the behavioral profiles created, the boyfriend had been actively searching the Internet for information on what happens if you “stomped” on your baby’s stomach (which is the final injury that resulted in the baby’s death). A detailed report correlating all of the findings with a timeline that visually depicted the Internet activity and damage to the baby by the user (i.e., boyfriend, mother) was compiled (see Fig. 3.1). This information was provided to the defense counsel for the boyfriend by the prosecutor. The boyfriend took a plea deal and admitted to the offense.

Case study 2 – arson homicide

The second case study involves an arson homicide case. The back story is as follows. An insurance company suspected that a house fire that resulted in the death of man (the policy owner) had been a deliberate arson. Through the work of their investigator and the arson investigation unit of the local police agency, they determined that the fire was deliberately set and accused the wife of the deceased and his son of setting the fire that accidentally killed the policy holder.
The insurance company hired their own digital forensics professional to examine several computer systems and as a result of this investigation, they concluded that the son was home when the fire was set and that the policy holder was in bed sleeping. They arrived at this conclusion based on some Internet artifacts related to an adult porn site that they claimed only the son knew the password for and since this website was being viewed at the time just prior to the fire, the son was present at the house and not away as he claimed.
The local prosecutor’s office filed homicide charges against the son. It soon became clear that the insurance investigator had missed key pieces of evidence and had made unsubstantiated assumptions. The defense counsel hired a behavioral analyst to look at all of the digital evidence. The analyst looked at several years’ worth of Internet artifacts and through a timeline and frequency analysis of web behaviors, it was determined that the adult website had been visited by the policy holder on several occasions when cell tower data proved the son was not home. The web behavioral profiles of the son and the father were constructed and it was shown that, at best, it was inconclusive who was on the computer prior to the fire, and in all likelihood it was actually the policy holder.
A report was authored and presented to the prosecutor’s office. The charges against the son were dropped. Unfortunately, in this case, it took almost 5 years from the time the son was originally charged to the time a behavioral analyst was asked to analyze the data and the charges were dropped against the son.

Case study 3 – possession of child porn

The third case study involves determining the motivation behind the suspect’s online activities. The back story for the case is as follows. A law enforcement officer was arrested for possessing child pornography. The officer was accused of visiting numerous child porn websites over the past several years and of downloading numerous pictures. The officer’s defense was that he claimed to be conducting an investigation of child porn sites on his own time and that he had reported some of his findings to the National Center for Missing and Exploited Children (NCMEC). The prosecutor believed that the officer was involved in child pornography and may actually be a contact offender.
The behavioral analyst was asked to review 7 years’ worth of Internet web histories and to determine if the suspect’s online behavior was consistent with someone conducting an unauthorized investigation, or whether it was more consistent with someone who was a pedophile. The analyst conducted a frequency analysis of the millions of log entries. These log entries were classified on the basis of whether they were related to adult porn, bestiality, child porn, or neutral (see Fig. 3.2).
image
Figure 3.2 Frequency Analysis of Website Categories
It was determined that the suspect visited websites that contained child pornography pictures of underage (teenage) boys more frequently than any of the other categories. A timeline analysis indicated that despite the claims that the officer was conducting an investigation almost no reports were made in the 7 years in question and the few reports that were made, did not correspond to times immediately following the most numerous visits to the child porn sites (see Fig. 3.3). The analyst determined that the online behavior was not consistent with someone conducting an investigation. The analyst concluded that the behavior was more consistent with an individual with a sexual deviance – online paraphilia, and that the individual preferred young (adolescent) teenage boys (Hebophilia). The prosecutor presented the findings to the defense, and the suspect accepted a plea bargain and was incarcerated.
image
Figure 3.3 Timeline: 7 Years Analysis

Conclusions

The digital forensics investigator’s job is not going to get simpler. The majority (if not all) of today’s cases have some evidence that is digital in nature. The relatively low cost of storage and the popularity of the cloud have led to an explosion in the amount of potential evidence that the investigator has to sift through for even the most mundane types of cases. Yet despite this increase in data and the “ubiquitousness” of digital evidence, digital forensics seems to be stuck in the past when there was a manageable amount of storage to hunt through for evidence. This old shotgun approach of just search everything is no longer possible even with our automated tools. As was indicated in this chapter, we either need a new investigative model, or at the very least we need to buttress the one we currently use. By incorporating behavioral analysis into the digital forensics framework, in a similar fashion as to how it is used with traditional investigations, we can better capture the context of the events in question, focus the investigation, and answer questions that can be extrapolated from the data. Furthermore, the introduction of the behavioral analysis is a much needed step in the direction of digital forensics incorporating concepts from data analytics to assist with the volume and variety of data, that is present in all cases.
As was illustrated in the case studies, behavioral analysis combined with traditional digital forensics techniques greatly benefits the investigators, can reduce the overall time to conduct the investigation, and places static one-dimensional data into a larger more dynamic context that can change the meaning of the evidence. If digital forensics ascribes to truly be about the discovery of the truth, as is the canon for all of the forensic sciences, then behavioral analysis needs to be part of most if not all investigations.

References

Damshenas M, Dehghantanha A, Mahmoud R. A survey on digital forensics trends. International Journal of Cyber-Security and Digital Forensics. 2014;3(4):126.

Douglas JE, et al. Criminal profiling from crime scene analysis. Behavioral Sciences the Law. 1986;4(4):122.

Garfinkel SL. Digital forensics research: the next 10 years. Digital Investigation. 2010;7:S64S73.

Graves, M. (2014). Digital archaeology: the art and science of digital forensics. Upper Saddle River: Addison Wesley Professional.

Guarino, A. (2013). Digital Forensics as a Big Data Challenge. pp. 1–8. Available at: http://www.studioag.pro/wp-content/uploads/2013/10/DigitalForensicsBigData.pdf Accessed September 15.09.15.

Irons A, Lallie H. Digital forensics to intelligent forensics. Future Internet. 2014;6(3):584596.

Meyers M, Rogers MK. Computer forensics: the need for standardization and certification. International Journal of Digital Evidence. 2004;3(2):111.

Rogers M. The role of criminal profiling in the computer forensics process. Computers & Security. 2003;22(4):292298.

Rogers MK, Seigfried-Spellar K. Using Internet artifacts to profile a child pornography suspect. Journal of Digital Forensics, Security and Law. 2014;9(1):110.

Roussev, V., & Richard, G. G., III. (2004). Breaking the performance wall: the case for distributed digital forensics. Paper presented at the Digital Forensics Research Workshop, Baltimore, MD.

Saferstein, R. (2014). Criminalistics: an introduction to forensic science (11th ed.). New York.

Turvey B. Criminal profiling: an introduction to behavioral evidence analysis. Boston, MA: Academic Press; 2003.

Zatyko, K., & Bay, J. The digital forensics cyber exchange principle. http://www.forensicmag.comarticlesdigital-forensics-cyber-exchange-principle. Available at: http://www.forensicmag.com/articles/2011/12/digital-forensics-cyber-exchange-principle Accessed 15.09.15.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.118.142.56