Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’. As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user. An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.
In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination. Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.
However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short. Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes. The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person. It is only the physical identity. Investigators should strive to compile a complete identity that includes digital identities.
So what’s in it for you?
Building a case against a suspect requires more than just finding evidence. A case needs evidence to point to a suspect as well as showing motive and opportunity. Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence. In short, you get a better case.
The Complete Identity
A physical identity (aka biometric identity) and digital identity comprises the complete identity of a person. Biometrical features of a person, such as fingerprints and eye color, are bound to the physical identity and typically permanent to the person depending on the feature. Although eye color can be temporarily changed with color contacts and hair can be temporarily dyed to a different color, the majority of physical features cannot be changed without drastic injury or surgery.
Internet users create digital trails of use and subsequently (and without intention) create digital personas based on their unique computer use. The normal, everyday use of the Internet creates a digital identity that is based on Internet surfing habits (the Websites visited), communications made online through forums, chats, e-mails, blog posts and comments, and through the accounts created for online services to include online shopping.
Compiling the digital identity and physical identity may seem like an obvious and easy task, but assembling the identities is not so simple. In an ideal case, a suspect has a single physical identity and a single digital identity, but in reality, a person may have multiple physical personas tied to a single physical identity and multiple digital personas. Some personas may be intentional while others unintentional. For example, a criminal wanting to travel in a name other than his true name may create or purchase a fake driver’s license. As he goes about using the fake or stolen driver’s license, he creates a persona under the false name. Although this persona is not truly a ‘physical’ identity, as it is not biometrically tied to a physical body, it is part of his physical identity as he uses the false name as if it were his true name.
One example of a digital identity is the accumulation of normal Internet and computer use. A person’s computer use is generally a reflection of that person’s personality, desires, and intentions. The unique activity of one device is typically replicated across devices under that person’s control. For instance, given a new computer, a user will configure it by personal preference by arranging icons, colors, sounds, and folder structure to save. When the user has an additional computer, both computers will have a very similar order of computer activity when used over time and will even look the same, such as the placement of desktop icons and wallpaper choice. Configurations of the computers will likely be similar, if not exact for some items, and Internet use will most certainly mirror each other by bookmarks and frequently visited Websites. Merely comparing the type of computer use and configuration between two or more devices can give an indication that the same person used all of the devices.
Adding to the complexity of finding both digital and physical identity of a suspect is that of multiple aspects of both types of identity. A person leading a double life may have two spouses and two jobs with one being a false identity. This person is physically tied to both identities, even if the false identity contains no true information. Leading a double life is an extreme example of a fake physical identity, and examples that are more common include using a fake ID to make consumer purchases, or using fake names to register at hotels. The depth of a fake physical identity depends upon the person’s intention and resources. Types of physical identifiers are seen in the following figure.
Digital identities, being far easier to create, generally mean that any one person can have multiple, or even hundreds, of fake digital identities. A harassment suspect may have dozens of online identities that he uses to harass a single victim or victims through repeated e-mails from different e-mail accounts created to appear as different people. In any investigation, treat each digital identity as its own identity that will be tied to a physical person at some point in the investigation. Each identity gives information about a person based on the fake identity, whether the only information is the username of an e-mail or a completely falsified social networking account.
An example of having multiple digital identities is that of one fake identity used to create specific online accounts and a different fake identity used to create other specific online accounts. In this manner, a person is simply trying to distance himself from something (such as registering for a pornographic Website) by using a fake digital identity while using a different fake identity to distance himself from other aspects of his online life. An investigator who can identify the fake accounts adds to the case by showing the intentionally hidden aspects of a personality, motive, or intention of the real person based on the real person’s actions under the fake digital identities. A pedophile whose physical identity has no ties to pedophilia may appear innocent until fake digital personas are found and tied to his physical identity.
Of note is that each person has a true physical identity and a true digital identity. Typically, the true digital identity shows the real information, such as a real name, and is easily tied to the physical person. However, every identity and persona (real and fake, digital and physical) should be compiled together to show the complete identity of a person. False information is just as important as the true information to build a complete picture of a suspect.
A great example of tying a physical identity to a false persona is in the Silk Road case where the creator of Silk Road (Ross Ulbricht) used his public e-mail/forum (rThis email address is being protected from spambots. You need JavaScript enabled to view it.) account on the open Internet to market the Silk Road. One simple post eventually tied his legitimate physical identity to a secret, false, and criminal persona on the Dark Web site, the Silk Road.
Identifying the digital identity becomes easier as Big Data continues to grow exponentially through massive data collection by government and corporations. Social media sites contribute to identifying digital identities as the connectivity between sites exists through single usernames, using the same e-mail address across online accounts, and algorithms created to ‘find’ friends based on relationships and Internet use. The digital identity is the sum of all electronic information of a person. Corporations have been compiling digital identities of consumers in order to focus on advertising efforts. Investigators should focus on compiling digital identities of suspects to determine motive and opportunity.
Any investigation benefits by compiling the complete identity of suspects. Whether the identities contain true information about a suspect is not as relevant as tying the identities and personas to a person. Motives and intentions are clearer with a complete picture of a person in both the physical and digital worlds.
Now that you know the ‘why’, become competent in the ‘how’ in each investigation with thorough research to find the connection between each identity in order to place your suspect at the keyboard. Digital forensic skills are necessary and important, but solid cases usually need some old fashioned, gumshoe detective work too.