If I Were an Investigative Profiler for a Day
Recently, I had the honor of putting together a talk for the FBI’s Cyber Behavioral Analysis Center that included methods for profiling human behavior on iPhones and Androids. When considering what to write and where to start, I first had to humanize these devices. What makes them speak to us during an investigation? What helps us determine if they are lying or avoiding a truth?
For me, it was simple. Location Artifacts, Connections, Health Data and Putting the Pieces in Place.
For location artifacts, most people think about navigation and searching for directions. While those artifacts may be helpful, they really don’t give us the bang for our buck like some other gems that hide on these smartphones. Consider third-party applications. They can think for you. They can even offer you suggestions.
Guess what? When a suggestion is made, the application knows where you are! And it knows where you may be going. Now, these location artifacts are special because the user doesn’t know they exist.
I use an example I created years ago for my SANS course. I took a simple photo and created a journal entry for it. My iPhone offered to include the location. I opted out because I didn’t want my home address to be in the SANS student data. Guess what? It’s still there and it’s hiding. The journal entry, when viewed in Hex, reveals the truth: my location, the time and the weather on that day. All when this photo was taken. Just imagine if this were a missing child instead of simple tomatoes.
Connections are interesting because they tie a user to a group or specific people. Leveraging what someone posts publicly on social media can be helpful in profiling that person, learning their interests and tying them to potential crimes. I use myself here because I enjoy pointing out that everyone does this. A simple Tweet shows that I was in Hawaii and going skydiving. The next is a Facebook post about my location, that I was working there and who I was with.
While this can be used to put someone at a crime scene, it can also be used to target you! During my talk I discussed how “stalkable” we can be. It’s creepy, yet super-helpful in forensic investigations.
Look at my LinkedIn profile – it shows where I went to college, where I currently work and more! What about your friends on social media? What about people you frequently travel with?
This leads me to health data. The best-kept secret of them all. Health knows everything about that user. It knows height, weight, sex, organ donor, medical conditions and more. Health provides us with heart rate, exercise habits, friendships and you guessed it – locations. Below is a sampling of my workout data that I shared in my lecture. With this simple sampling, you can place me at different locations for a specific time period.
During this research, Sarah Edwards and I even acted out forensic scenarios to help investigators solve murder investigations. Below is an example of my heart rate for the day. The spike to 177 is when I was dragging my husband’s body – yes, it was for important research! This spike in my activity could be tied to his time of death, which is why I attempted to recreate just that scenario for a detective needing assistance.
Putting the Pieces in Place
Ever wonder how easy it is to tie this all together? It’s simple when you have a tool that supports showing connections, locations and similarities among devices. Cellebrite Pathfinder enables the investigative profiler to search for people in common and people who have been in the same locations.
Let’s say you are profiling a case where the suspect abducts women from grocery store parking lots. You could select to “profile” the phone based on parking lots, shopping carts, store signs and more. You can save these profiles and later apply the data to other investigations!
This is the part that really resonated with me. Imagine working a case and something jumps out at you or reminds you of an artifact in a case you worked years ago (a photo of a car, a random sign in a picture or a hotel room image) – with Cellebrite Pathfinder you can link it all together and even identify these commonalities that you may accidentally overlook!
No tool is perfect, and the analytics tools rely on the parsing tool to be accurate, but they are getting us so much further than we were able to before. We need to solve these cases before they become cold and this approach can help accomplish that. Digital Intelligence is helping us to solve the investigations of the past and driving our efforts for the future.