Does behavioural evidence analysis work for forensics?

Behavioural Evidence Analysis Applied to Digital Forensics: An Empirical Analysis of Child Pornography Cases using P2P Networks

Peer-to-peer (P2P) file sharing networks have created opportunities for the easy sharing of a wide range of digital content. Unfortunately, this has included Sexually Exploitative Imagery of Children (SEIC) or child pornography. As law enforcement agencies develop innovative investigative techniques to deal with the computer-facilitation of crimes, some more traditional techniques can also be leveraged in the digital realm. Among these, Behavioural Evidence Analysis (BEA) is a common practice in conventional criminal investigations. Studies have only recently included BEA to examine digital evidence. Along with the technical examination of digital evidence, it is important to learn as much as possible about the individuals behind an offence, the victim(s) and the dynamics of a crime. BEA can assist the investigator, forensic practitioners and prosecutors in producing a more accurate and complete reconstruction of the crime.

Mutawa et al. set out to examine the utility of BEA in investigating criminal cases that involve the possession and dissemination of SEIC through P2P networks, and to increase the understanding of the benefits of BEA in the interpretation of digital evidence. BEA has been very useful in conventional criminal investigations such as homicides, sex offences and rape, but has not been explicitly used to investigate SEIC cases.

The study was conducted with archival digital evidence from fifteen cases of SEIC offences made available by the Dubai Police. The authors used a deductive approach to analyze the individual cases separately and apply BEA strategies to the examination of each case. The authors examined and analyzed the suspect’s digital devices, attempting to reconstruct the suspect’s activities in obtaining and sharing SEIC. The analysis of files on the computer (e.g. Internet history files, recently accessed files, time stamps, deleted files) revealed indicators of suspicious activity, signature behaviours and psychological characteristics of the suspect.

Whereas conventional criminal offences often have common characteristics and behaviours, this study finds that computer-facilitated SEIC offenders did not share a common demographic profile. While this study suggests that it is not possible to construct a single profile of SEIC offenders, the results do suggest a type of offender who is mainly a viewer, downloader and sharer of SEIC through P2P file sharing networks.

Using BEA to investigate computer-facilitated crimes can:

  • Assist the investigator in assessing the reliability of digital evidence and the strength of conclusions
  • Produce a more detailed reconstruction of evidence that can inform sentencing and prosecution in court
  • Assist in mapping and understanding offending behaviour and the dynamics of offences

For example, the location of SEIC files can indicate offender intentions. If a suspect has hidden or categorized SEIC files, this can indicate active participation in the offence.

Utilizing BEA in cases of SEIC offences can better equip forensic practitioners and prosecutors to take advantage of a behavioural interpretation of evidence. This technique can establish a bridge between the behavioural and technical aspects of digital evidence by enabling a more detailed reconstruction of evidence that can inform sentencing and prosecution.

Applying Behavioural Evidence Analysis (BEA) to digital evidence can help investigators to understand offender characteristics and authenticate digital evidence.